This commit is contained in:
nipun-crestdatasystem 2024-04-03 19:42:29 +05:30
Родитель 744e6cba24
Коммит 9bbbb4257c
115 изменённых файлов: 24585 добавлений и 2 удалений


@ -0,0 +1,641 @@
{
"Name": "NetskopeWebtxData_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "cs_uri_query_g",
"Type": "string"
},
{
"Name": "date_s",
"Type": "string"
},
{
"Name": "time_s",
"Type": "string"
},
{
"Name": "time_taken_s",
"Type": "string"
},
{
"Name": "cs_bytes_s",
"Type": "string"
},
{
"Name": "sc_bytes_s",
"Type": "string"
},
{
"Name": "bytes_s",
"Type": "string"
},
{
"Name": "c_ip_s",
"Type": "string"
},
{
"Name": "s_ip_s",
"Type": "string"
},
{
"Name": "cs_username_s",
"Type": "string"
},
{
"Name": "cs_method_s",
"Type": "string"
},
{
"Name": "cs_uri_scheme_s",
"Type": "string"
},
{
"Name": "cs_uri_query_s",
"Type": "string"
},
{
"Name": "cs_user_agent_s",
"Type": "string"
},
{
"Name": "cs_content_type_s",
"Type": "string"
},
{
"Name": "sc_status_s",
"Type": "string"
},
{
"Name": "sc_content_type_s",
"Type": "string"
},
{
"Name": "cs_dns_s",
"Type": "string"
},
{
"Name": "cs_host_s",
"Type": "string"
},
{
"Name": "cs_uri_s",
"Type": "string"
},
{
"Name": "cs_uri_port_s",
"Type": "string"
},
{
"Name": "cs_referer_s",
"Type": "string"
},
{
"Name": "x_cs_session_id_s",
"Type": "string"
},
{
"Name": "x_cs_access_method_s",
"Type": "string"
},
{
"Name": "x_cs_app_s",
"Type": "string"
},
{
"Name": "x_s_country_s",
"Type": "string"
},
{
"Name": "x_s_latitude_s",
"Type": "string"
},
{
"Name": "x_s_longitude_s",
"Type": "string"
},
{
"Name": "x_s_location_s",
"Type": "string"
},
{
"Name": "x_s_region_s",
"Type": "string"
},
{
"Name": "x_s_zipcode_s",
"Type": "string"
},
{
"Name": "x_c_country_s",
"Type": "string"
},
{
"Name": "x_c_latitude_s",
"Type": "string"
},
{
"Name": "x_c_longitude_s",
"Type": "string"
},
{
"Name": "x_c_location_s",
"Type": "string"
},
{
"Name": "x_c_region_s",
"Type": "string"
},
{
"Name": "x_c_zipcode_s",
"Type": "string"
},
{
"Name": "x_c_os_s",
"Type": "string"
},
{
"Name": "x_c_browser_s",
"Type": "string"
},
{
"Name": "x_c_browser_version_s",
"Type": "string"
},
{
"Name": "x_c_device_s",
"Type": "string"
},
{
"Name": "x_cs_site_s",
"Type": "string"
},
{
"Name": "x_cs_timestamp_s",
"Type": "string"
},
{
"Name": "x_cs_page_id_s",
"Type": "string"
},
{
"Name": "x_cs_userip_s",
"Type": "string"
},
{
"Name": "x_cs_traffic_type_s",
"Type": "string"
},
{
"Name": "x_cs_tunnel_id_s",
"Type": "string"
},
{
"Name": "x_category_s",
"Type": "string"
},
{
"Name": "x_other_category_s",
"Type": "string"
},
{
"Name": "x_type_s",
"Type": "string"
},
{
"Name": "x_server_ssl_err_s",
"Type": "string"
},
{
"Name": "x_client_ssl_err_s",
"Type": "string"
},
{
"Name": "x_transaction_id_s",
"Type": "string"
},
{
"Name": "x_request_id_s",
"Type": "string"
},
{
"Name": "x_cs_sni_s",
"Type": "string"
},
{
"Name": "x_cs_domain_fronted_sni_s",
"Type": "string"
},
{
"Name": "x_category_id_s",
"Type": "string"
},
{
"Name": "x_other_category_id_s",
"Type": "string"
},
{
"Name": "x_sr_headers_name_s",
"Type": "string"
},
{
"Name": "x_sr_headers_value_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_ja3_g",
"Type": "string"
},
{
"Name": "x_sr_ssl_ja3s_s",
"Type": "string"
},
{
"Name": "x_ssl_bypass_s",
"Type": "string"
},
{
"Name": "x_ssl_bypass_reason_s",
"Type": "string"
},
{
"Name": "x_r_cert_subject_cn_s",
"Type": "string"
},
{
"Name": "x_r_cert_issuer_cn_s",
"Type": "string"
},
{
"Name": "x_r_cert_startdate_s",
"Type": "string"
},
{
"Name": "x_r_cert_enddate_s",
"Type": "string"
},
{
"Name": "x_r_cert_valid_s",
"Type": "string"
},
{
"Name": "x_r_cert_expired_s",
"Type": "string"
},
{
"Name": "x_r_cert_untrusted_root_s",
"Type": "string"
},
{
"Name": "x_r_cert_incomplete_chain_s",
"Type": "string"
},
{
"Name": "x_r_cert_self_signed_s",
"Type": "string"
},
{
"Name": "x_r_cert_revoked_s",
"Type": "string"
},
{
"Name": "x_r_cert_revocation_check_s",
"Type": "string"
},
{
"Name": "x_r_cert_mismatch_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_fronting_error_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_handshake_error_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_handshake_error_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_client_certificate_error_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_malformed_ssl_s",
"Type": "string"
},
{
"Name": "x_s_custom_signing_ca_error_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_engine_action_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_engine_action_reason_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_engine_action_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_engine_action_reason_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_src_ip_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_dst_ip_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_dst_host_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_dst_host_source_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_categories_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_action_s",
"Type": "string"
},
{
"Name": "x_ssl_policy_name_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_version_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_cipher_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_version_s",
"Type": "string"
},
{
"Name": "x_sr_ssl_cipher_s",
"Type": "string"
},
{
"Name": "x_cs_src_ip_egress_s",
"Type": "string"
},
{
"Name": "x_s_dp_name_s",
"Type": "string"
},
{
"Name": "x_cs_src_ip_s",
"Type": "string"
},
{
"Name": "x_cs_src_port_s",
"Type": "string"
},
{
"Name": "x_cs_dst_ip_s",
"Type": "string"
},
{
"Name": "x_cs_dst_port_s",
"Type": "string"
},
{
"Name": "x_sr_src_ip_s",
"Type": "string"
},
{
"Name": "x_sr_src_port_s",
"Type": "string"
},
{
"Name": "x_sr_dst_ip_s",
"Type": "string"
},
{
"Name": "x_sr_dst_port_s",
"Type": "string"
},
{
"Name": "x_cs_ip_connect_xff_s",
"Type": "string"
},
{
"Name": "x_cs_ip_xff_s",
"Type": "string"
},
{
"Name": "x_cs_connect_host_s",
"Type": "string"
},
{
"Name": "x_cs_connect_port_s",
"Type": "string"
},
{
"Name": "x_cs_connect_user_agent_s",
"Type": "string"
},
{
"Name": "x_cs_url_s",
"Type": "string"
},
{
"Name": "x_cs_uri_path_s",
"Type": "string"
},
{
"Name": "x_cs_http_version_s",
"Type": "string"
},
{
"Name": "rs_status_s",
"Type": "string"
},
{
"Name": "x_cs_app_category_s",
"Type": "string"
},
{
"Name": "x_cs_app_cci_s",
"Type": "string"
},
{
"Name": "x_cs_app_ccl_s",
"Type": "string"
},
{
"Name": "x_cs_app_tags_s",
"Type": "string"
},
{
"Name": "x_cs_app_suite_s",
"Type": "string"
},
{
"Name": "x_cs_app_instance_id_s",
"Type": "string"
},
{
"Name": "x_cs_app_instance_name_s",
"Type": "string"
},
{
"Name": "x_cs_app_instance_tag_s",
"Type": "string"
},
{
"Name": "x_cs_app_activity_s",
"Type": "string"
},
{
"Name": "x_cs_app_from_user_s",
"Type": "string"
},
{
"Name": "x_cs_app_to_user_s",
"Type": "string"
},
{
"Name": "x_cs_app_object_type_s",
"Type": "string"
},
{
"Name": "x_cs_app_object_name_s",
"Type": "string"
},
{
"Name": "x_cs_app_object_id_s",
"Type": "string"
},
{
"Name": "x_rs_file_type_s",
"Type": "string"
},
{
"Name": "x_rs_file_category_s",
"Type": "string"
},
{
"Name": "x_rs_file_language_s",
"Type": "string"
},
{
"Name": "x_rs_file_size_s",
"Type": "string"
},
{
"Name": "x_rs_file_md5_s",
"Type": "string"
},
{
"Name": "x_rs_file_sha256_s",
"Type": "string"
},
{
"Name": "x_error_s",
"Type": "string"
},
{
"Name": "x_c_local_time_s",
"Type": "string"
},
{
"Name": "x_policy_action_s",
"Type": "string"
},
{
"Name": "x_policy_name_s",
"Type": "string"
},
{
"Name": "x_policy_src_ip_s",
"Type": "string"
},
{
"Name": "x_policy_dst_ip_s",
"Type": "string"
},
{
"Name": "x_policy_dst_host_s",
"Type": "string"
},
{
"Name": "x_policy_dst_host_source_s",
"Type": "string"
},
{
"Name": "x_policy_justification_type_s",
"Type": "string"
},
{
"Name": "x_policy_justification_reason_s",
"Type": "string"
},
{
"Name": "x_sc_notification_name_s",
"Type": "string"
},
{
"Name": "netskope_api_host_name_s",
"Type": "string"
},
{
"Name": "x_cs_ssl_ja3_s",
"Type": "string"
},
{
"Name": "x_rs_file_md5_g",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
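Review bot: Three source fields are declared twice under different Log Analytics type suffixes — `cs_uri_query_g`/`cs_uri_query_s`, `x_cs_ssl_ja3_g`/`x_cs_ssl_ja3_s` and `x_rs_file_md5_s`/`x_rs_file_md5_g` — which means the same value is sometimes landing in a GUID-typed column and sometimes in a string column. Presumably this is ingestion-time type inference treating a 32-hex JA3 or MD5 as a GUID; the practical effect is that any analytic rule or parser keyed only on the `_s` column silently misses the rows that went to the `_g` column. Consumers of this table should coalesce each pair, for example `coalesce(x_cs_ssl_ja3_s, replace_string(tostring(x_cs_ssl_ja3_g), "-", ""))`, and the same for the md5 and uri-query pairs, or the connector should force these fields to strings before sending. Separately, `cs_uri_query_s` and `x_sr_headers_value_s` can carry bearer tokens or session identifiers from the proxied request; it would be worth stating in the connector documentation whether those values are redacted before they are written to the workspace.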


@ -0,0 +1,45 @@
{
"Name": "NetskopeWebtxErrors_CL",
"Properties":[
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "error_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
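Review bot: The errors table carries only a free-text `error_s`, so an ingestion failure cannot be attributed to the Netskope tenant or endpoint it came from, which matters because a stalled WebTx feed is a detection blind spot that someone has to notice and route. The data table in this commit already records `netskope_api_host_name_s`; adding the same column here would let an alert on `NetskopeWebtxErrors_CL` say which tenant stopped delivering. If the function that writes this table does not have the host name in scope at the point of failure, that is the place to fix rather than the schema.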


@ -0,0 +1,53 @@
{
"Name": "Netskope_WebTx_metrics_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "timestamp_t",
"Type": "datetime"
},
{
"Name": "backlog_message_count_d",
"Type": "real"
},
{
"Name": "oldest_unacked_message_age_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
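Review bot: `oldest_unacked_message_age_s` is typed as a string while the companion `backlog_message_count_d` is a real, so a monitoring rule on backlog age (the signal that the WebTx stream has stalled and web activity is no longer reaching Sentinel) has to `todouble()` a string and will silently get null on any value that does not parse. If the publisher emits this metric as a number it would be ingested as `oldest_unacked_message_age_d` to match the count; if it is genuinely a duration string, the connector documentation should say what format it uses. As a smaller point, `Netskope_WebTx_metrics_CL` mixes underscores and casing differently from `NetskopeWebtxData_CL` and `NetskopeWebtxErrors_CL` in the same commit, which makes the three tables harder to find together in a workspace.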


@ -0,0 +1,181 @@
{
"Name": "alertscompromisedcredentialdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "breach_id_s",
"Type": "string"
},
{
"Name": "employeeType_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "breach_media_references_s",
"Type": "string"
},
{
"Name": "breach_date_d",
"Type": "real"
},
{
"Name": "password_type_s",
"Type": "string"
},
{
"Name": "department_s",
"Type": "string"
},
{
"Name": "distinguishedName_s",
"Type": "string"
},
{
"Name": "breach_description_s",
"Type": "string"
},
{
"Name": "breach_score_s",
"Type": "string"
},
{
"Name": "mail_s",
"Type": "string"
},
{
"Name": "breach_target_references_s",
"Type": "string"
},
{
"Name": "matched_username_s",
"Type": "string"
},
{
"Name": "division_s",
"Type": "string"
},
{
"Name": "sAMAccountType_s",
"Type": "string"
},
{
"Name": "email_source_s",
"Type": "string"
},
{
"Name": "external_email_d",
"Type": "real"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
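Review bot: `cci_s` and `cci_d` both appear in this table, which is the same Cloud Confidence Index value ingested under two types; rules that threshold on `cci_d` will skip rows where the value arrived as a string, so consumers should use `coalesce(cci_d, todouble(cci_s))` or the connector should normalise the type before sending. This table also joins Netskope breach data to directory identity fields (`sAMAccountName_s`, `userPrincipalName_s`, `distinguishedName_s`, `mail_s`, `department_s`, `manager`-style attributes) and a `password_type_s` column, which makes it considerably more sensitive than the ordinary alert tables; it would be worth noting in the solution documentation that table-level access control should be applied to `alertscompromisedcredentialdata_CL` rather than granting it with the rest of the workspace. Whether `password_type_s` can ever carry more than a category label is not visible from the schema and should be confirmed against the API response.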


@ -0,0 +1,285 @@
{
"Name": "alertsctepdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "signature_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "home_pop_s",
"Type": "string"
},
{
"Name": "tunnel_id_s",
"Type": "string"
},
{
"Name": "ip_protocol_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "company_s",
"Type": "string"
},
{
"Name": "http_method_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "deviceClassification_s",
"Type": "string"
},
{
"Name": "gid_d",
"Type": "real"
},
{
"Name": "profile_id_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "netskope_pop_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "department_s",
"Type": "string"
},
{
"Name": "signature_id_d",
"Type": "real"
},
{
"Name": "srcport_d",
"Type": "real"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "http_port_d",
"Type": "real"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
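Review bot: `transaction_id_d`, `signature_id_d` and `gid_d` store identifiers as `real`, while the web-transaction table in the same commit stores the corresponding identifier as the string `x_transaction_id_s`; pivoting from a CTEP alert to the matching WebTx rows therefore requires converting a floating-point value back to the exact original digits. A real has a 53-bit mantissa, so any identifier above 2^53 is already rounded at ingestion and the join can never match; for smaller values `tostring(tolong(transaction_id_d))` avoids the exponent notation that `tostring()` on a real can produce. If Netskope transaction ids can exceed that range the connector should send them as strings so they land as `transaction_id_s`, which would also make the two tables consistent. The `cci_d`/`cci_s` duplication seen in the other alert tables is present here as well and needs the same coalesce in queries.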


@ -0,0 +1,613 @@
{
"Name": "alertsdlpdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "exposure_s",
"Type": "string"
},
{
"Name": "file_lang_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "local_sha256_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "mime_type_s",
"Type": "string"
},
{
"Name": "modified_d",
"Type": "real"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "owner_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "scan_type_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "suppression_key_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "channel_s",
"Type": "string"
},
{
"Name": "dlp_rule_s",
"Type": "string"
},
{
"Name": "file_password_protected_s",
"Type": "string"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "dlp_rule_count_d",
"Type": "real"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "web_universal_connector_s",
"Type": "string"
},
{
"Name": "outer_doc_type_d",
"Type": "real"
},
{
"Name": "shared_with_s",
"Type": "string"
},
{
"Name": "dlp_is_unique_count_s",
"Type": "string"
},
{
"Name": "dynamic_classification_s",
"Type": "string"
},
{
"Name": "classification_name_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "true_type_id_d",
"Type": "real"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "file_category_s",
"Type": "string"
},
{
"Name": "data_type_s",
"Type": "string"
},
{
"Name": "universal_connector_s",
"Type": "string"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "dlp_mail_parent_id_s",
"Type": "string"
},
{
"Name": "violating_user_type_s",
"Type": "string"
},
{
"Name": "sub_type_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "smtp_to_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "group_s",
"Type": "string"
},
{
"Name": "sha256_s",
"Type": "string"
},
{
"Name": "act_user_s",
"Type": "string"
},
{
"Name": "displayName_s",
"Type": "string"
},
{
"Name": "message_id_s",
"Type": "string"
},
{
"Name": "file_cls_encrypted_b",
"Type": "bool"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "shared_domains_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "from_storage_s",
"Type": "string"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "mail_s",
"Type": "string"
},
{
"Name": "title_s",
"Type": "string"
},
{
"Name": "dlp_file_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "dlp_fingerprint_classification_s",
"Type": "string"
},
{
"Name": "owner_pdl_s",
"Type": "string"
},
{
"Name": "violating_user_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "to_user_s",
"Type": "string"
},
{
"Name": "parent_id_s",
"Type": "string"
},
{
"Name": "app_activity_s",
"Type": "string"
},
{
"Name": "dlp_incident_id_d",
"Type": "real"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "to_storage_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "dlp_rule_severity_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "total_collaborator_count_d",
"Type": "real"
},
{
"Name": "userCountry_s",
"Type": "string"
},
{
"Name": "dlp_profile_s",
"Type": "string"
},
{
"Name": "true_obj_type_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "true_obj_category_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "orignal_file_path_s",
"Type": "string"
},
{
"Name": "collaborated_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "bcc_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "message_size_d",
"Type": "real"
},
{
"Name": "dlp_parent_id_d",
"Type": "real"
},
{
"Name": "external_collaborator_count_d",
"Type": "real"
},
{
"Name": "retro_scan_name_s",
"Type": "string"
},
{
"Name": "dlp_unique_count_d",
"Type": "real"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "dlp_fingerprint_match_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "dlp_fingerprint_score_d",
"Type": "real"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "true_filetype_s",
"Type": "string"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "dlp_rule_score_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
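Review bot: `md5_g` is a GUID-typed column, so the file hash is rendered in 8-4-4-4-12 hyphenated form rather than as the 32 hex characters that threat-intelligence feeds and the `FileHash` watchlist convention use; any rule that does `md5_g in (ti_hashes)` will never match. Consumers should normalise with `replace_string(tostring(md5_g), "-", "")` before comparing, or the connector should stringify the field so it is ingested as `md5_s` alongside `sha256_s` and `local_sha256_s`, which are already strings. Booleans are also inconsistent in this table: `file_cls_encrypted_b` is a real `bool` while `acked_s`, `file_password_protected_s` and `dlp_is_unique_count_s` are strings, so filters on the latter depend on an undocumented casing such as `"true"` versus `"True"` and should be written with `tolower()` until that is pinned down.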


@ -0,0 +1,501 @@
{
"Name": "alertsmalsitedata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "serial_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "severity_level_s",
"Type": "string"
},
{
"Name": "malsite_hostility_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "malsite_region_s",
"Type": "string"
},
{
"Name": "telemetry_app_s",
"Type": "string"
},
{
"Name": "ja3_s",
"Type": "string"
},
{
"Name": "gateway_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "malsite_category_s",
"Type": "string"
},
{
"Name": "malsite_confidence_d",
"Type": "real"
},
{
"Name": "malsite_latitude_d",
"Type": "real"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "malsite_longitude_d",
"Type": "real"
},
{
"Name": "malsite_active_s",
"Type": "string"
},
{
"Name": "malsite_last_seen_d",
"Type": "real"
},
{
"Name": "numbytes_d",
"Type": "real"
},
{
"Name": "req_cnt_d",
"Type": "real"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "malsite_id_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "threat_match_field_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "ja3s_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "notify_template_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "log_file_name_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "fromlogs_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "threat_source_id_d",
"Type": "real"
},
{
"Name": "server_bytes_d",
"Type": "real"
},
{
"Name": "universal_connector_s",
"Type": "string"
},
{
"Name": "aggregated_user_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "org_s",
"Type": "string"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "useragent_s",
"Type": "string"
},
{
"Name": "malsite_ip_host_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "malicious_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "department_s",
"Type": "string"
},
{
"Name": "malsite_reputation_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "dsthost_s",
"Type": "string"
},
{
"Name": "sfwder_s",
"Type": "string"
},
{
"Name": "malsite_first_seen_d",
"Type": "real"
},
{
"Name": "severity_level_id_d",
"Type": "real"
},
{
"Name": "co_s",
"Type": "string"
},
{
"Name": "malsite_country_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "division_s",
"Type": "string"
},
{
"Name": "threat_match_value_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "resp_cnt_d",
"Type": "real"
},
{
"Name": "malsite_consecutive_s",
"Type": "string"
},
{
"Name": "conn_duration_d",
"Type": "real"
},
{
"Name": "client_bytes_d",
"Type": "real"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
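Review bot: Severity is represented three ways in this table — `severity_s`, `severity_level_s` and `severity_level_id_d` — with nothing in the schema saying which one an analytic rule should key on or how they map to each other, so two rules written by different people can disagree on what counts as high severity. The connector documentation should state which column is authoritative and, ideally, give the mapping between the numeric id and the two labels. The malicious-site verdict fields `malicious_s` and `malsite_active_s` are strings rather than booleans, so a filter like `malicious_s == "true"` is sensitive to the producer's casing and should use `tolower()` or be confirmed against real data. On the positive side, `ja3_s` and `ja3s_s` are plain strings here, so this table can be joined to the WebTx table's JA3 columns once that table's `_g`/`_s` split is coalesced; `cci_d` and `cci_s` still both appear and need the same coalesce as in the other alert tables.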


@ -0,0 +1,553 @@
{
"Name": "alertsmalwaredata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "local_sha256_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "mime_type_s",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "scan_type_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "file_category_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "created_date_d",
"Type": "real"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "usr_udf_employeeid_s",
"Type": "string"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "malware_name_s",
"Type": "string"
},
{
"Name": "company_s",
"Type": "string"
},
{
"Name": "usr_status_s",
"Type": "string"
},
{
"Name": "usr_udf_businesssegmentlevel4_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "parent_id_s",
"Type": "string"
},
{
"Name": "file_name_s",
"Type": "string"
},
{
"Name": "tss_license_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "modified_date_d",
"Type": "real"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "nsdeviceuid_s",
"Type": "string"
},
{
"Name": "usr_udf_businesssegmentlevel1_s",
"Type": "string"
},
{
"Name": "usr_udf_companyname_s",
"Type": "string"
},
{
"Name": "malware_profile_s",
"Type": "string"
},
{
"Name": "true_filetype_s",
"Type": "string"
},
{
"Name": "usr_title_s",
"Type": "string"
},
{
"Name": "usr_udf_primarydomain_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "malware_id_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "detection_type_s",
"Type": "string"
},
{
"Name": "sha1_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "severity_id_d",
"Type": "real"
},
{
"Name": "usr_display_name_s",
"Type": "string"
},
{
"Name": "department_s",
"Type": "string"
},
{
"Name": "usr_udf_businesssegmentlevel2_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "filename_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "usr_udf_supervisorid_s",
"Type": "string"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "file_id_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "app_name_s",
"Type": "string"
},
{
"Name": "TSS_scan_s",
"Type": "string"
},
{
"Name": "malware_severity_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "usr_udf_supervisorname_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "detection_engine_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "shared_with_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "scanner_result_s",
"Type": "string"
},
{
"Name": "usr_udf_businesssegmentlevel3_s",
"Type": "string"
},
{
"Name": "shared_type_s",
"Type": "string"
},
{
"Name": "userCountry_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "scan_time_d",
"Type": "real"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "local_md5_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "fastscan_results_s",
"Type": "string"
},
{
"Name": "title_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "malware_type_s",
"Type": "string"
},
{
"Name": "ml_detection_s",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,869 @@
{
"Name": "alertspolicydata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "exposure_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "mime_type_s",
"Type": "string"
},
{
"Name": "modified_d",
"Type": "real"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "owner_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "scan_type_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "suppression_key_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "network_session_id_s",
"Type": "string"
},
{
"Name": "telemetry_app_s",
"Type": "string"
},
{
"Name": "user_tmp_s",
"Type": "string"
},
{
"Name": "shared_with_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "start_time_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "malware_id_s",
"Type": "string"
},
{
"Name": "remediation_profile_s",
"Type": "string"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "activity_status_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "file_category_s",
"Type": "string"
},
{
"Name": "dsthost_s",
"Type": "string"
},
{
"Name": "message_size_d",
"Type": "real"
},
{
"Name": "tunnel_type_s",
"Type": "string"
},
{
"Name": "end_time_s",
"Type": "string"
},
{
"Name": "malicious_s",
"Type": "string"
},
{
"Name": "quarantine_profile_id_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "q_original_filepath_s",
"Type": "string"
},
{
"Name": "last_name_s",
"Type": "string"
},
{
"Name": "userCountry_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "q_original_version_s",
"Type": "string"
},
{
"Name": "threat_match_field_s",
"Type": "string"
},
{
"Name": "publisher_cn_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "conn_duration_d",
"Type": "real"
},
{
"Name": "parent_id_s",
"Type": "string"
},
{
"Name": "from_object_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "risk_level_s",
"Type": "string"
},
{
"Name": "total_collaborator_count_d",
"Type": "real"
},
{
"Name": "memberOf_s",
"Type": "string"
},
{
"Name": "notify_template_s",
"Type": "string"
},
{
"Name": "client_bytes_d",
"Type": "real"
},
{
"Name": "useragent_s",
"Type": "string"
},
{
"Name": "encrypt_failure_s",
"Type": "string"
},
{
"Name": "serial_s",
"Type": "string"
},
{
"Name": "quarantine_file_name_s",
"Type": "string"
},
{
"Name": "tunnel_id_s",
"Type": "string"
},
{
"Name": "from_storage_s",
"Type": "string"
},
{
"Name": "session_duration_d",
"Type": "real"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "tunnel_up_time_d",
"Type": "real"
},
{
"Name": "resp_cnt_d",
"Type": "real"
},
{
"Name": "group_s",
"Type": "string"
},
{
"Name": "sAMAccountType_s",
"Type": "string"
},
{
"Name": "to_object_s",
"Type": "string"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "malware_severity_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "activity_type_s",
"Type": "string"
},
{
"Name": "q_original_filename_s",
"Type": "string"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "http_status_s",
"Type": "string"
},
{
"Name": "smtp_to_s",
"Type": "string"
},
{
"Name": "q_app_s",
"Type": "string"
},
{
"Name": "smtp_status_s",
"Type": "string"
},
{
"Name": "protocol_port_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "server_packets_d",
"Type": "real"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "client_packets_d",
"Type": "real"
},
{
"Name": "malware_name_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "Title_s",
"Type": "string"
},
{
"Name": "dynamic_classification_s",
"Type": "string"
},
{
"Name": "sender_s",
"Type": "string"
},
{
"Name": "threat_source_id_d",
"Type": "real"
},
{
"Name": "internal_collaborator_count_d",
"Type": "real"
},
{
"Name": "total_packets_d",
"Type": "real"
},
{
"Name": "app_scopes_s",
"Type": "string"
},
{
"Name": "log_file_name_s",
"Type": "string"
},
{
"Name": "malsite_category_s",
"Type": "string"
},
{
"Name": "redirect_url_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "aggregated_user_s",
"Type": "string"
},
{
"Name": "numbytes_d",
"Type": "real"
},
{
"Name": "sfwder_s",
"Type": "string"
},
{
"Name": "q_original_shared_s",
"Type": "string"
},
{
"Name": "srcport_d",
"Type": "real"
},
{
"Name": "to_user_s",
"Type": "string"
},
{
"Name": "q_admin_s",
"Type": "string"
},
{
"Name": "universal_connector_s",
"Type": "string"
},
{
"Name": "forward_to_proxy_xau_s",
"Type": "string"
},
{
"Name": "publisher_name_s",
"Type": "string"
},
{
"Name": "quarantine_profile_s",
"Type": "string"
},
{
"Name": "shared_domains_s",
"Type": "string"
},
{
"Name": "trust_computer_checked_s",
"Type": "string"
},
{
"Name": "malware_type_s",
"Type": "string"
},
{
"Name": "dlp_profile_s",
"Type": "string"
},
{
"Name": "all_policy_matches_s",
"Type": "string"
},
{
"Name": "data_type_s",
"Type": "string"
},
{
"Name": "TSS_scan_s",
"Type": "string"
},
{
"Name": "external_collaborator_count_d",
"Type": "real"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "num_sessions_d",
"Type": "real"
},
{
"Name": "distinguishedName_s",
"Type": "string"
},
{
"Name": "gateway_s",
"Type": "string"
},
{
"Name": "profile_emails_s",
"Type": "string"
},
{
"Name": "mail_s",
"Type": "string"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "nsdeviceuid_s",
"Type": "string"
},
{
"Name": "ip_protocol_s",
"Type": "string"
},
{
"Name": "tss_scan_failed_s",
"Type": "string"
},
{
"Name": "cc_s",
"Type": "string"
},
{
"Name": "req_cnt_d",
"Type": "real"
},
{
"Name": "tss_fail_reason_s",
"Type": "string"
},
{
"Name": "displayName_s",
"Type": "string"
},
{
"Name": "sessionid_s",
"Type": "string"
},
{
"Name": "justification_type_s",
"Type": "string"
},
{
"Name": "threat_match_value_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "file_id_s",
"Type": "string"
},
{
"Name": "division_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "two_factor_auth_s",
"Type": "string"
},
{
"Name": "dlp_fail_reason_s",
"Type": "string"
},
{
"Name": "network_s",
"Type": "string"
},
{
"Name": "server_bytes_d",
"Type": "real"
},
{
"Name": "orignal_file_path_s",
"Type": "string"
},
{
"Name": "app_activity_s",
"Type": "string"
},
{
"Name": "event_type_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "bcc_s",
"Type": "string"
},
{
"Name": "act_user_s",
"Type": "string"
},
{
"Name": "to_storage_s",
"Type": "string"
},
{
"Name": "custom_connector_s",
"Type": "string"
},
{
"Name": "object_count_d",
"Type": "real"
},
{
"Name": "q_instance_s",
"Type": "string"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "message_id_s",
"Type": "string"
},
{
"Name": "dlp_scan_failed_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "quarantine_file_id_s",
"Type": "string"
},
{
"Name": "org_s",
"Type": "string"
},
{
"Name": "justification_reason_s",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
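Review bot: The Properties array declares both `cci_d` (real) and `cci_s` (string) for what is evidently the same Netskope Cloud Confidence Index value, so each record will populate one column or the other depending on how the value was serialized at ingestion. Any analytic rule, hunting query or workbook that thresholds on CCI must therefore read both, e.g. `| extend cci = coalesce(cci_d, todouble(cci_s))`, or low-confidence-app alerts will silently miss one shape of record. The same `cci_s`/`cci_d` split is present in the quarantine and remediation tables below. Since this file presumably mirrors the columns the ingestion actually produced, the JSON itself should stay as is; the caveat belongs in the solution's query guidance rather than in this schema.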


@ -0,0 +1,293 @@
{
"Name": "alertsquarantinedata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "exposure_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "mime_type_s",
"Type": "string"
},
{
"Name": "modified_d",
"Type": "real"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "owner_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "scan_type_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "suppression_key_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "departmentNumber_s",
"Type": "string"
},
{
"Name": "file_id_s",
"Type": "string"
},
{
"Name": "dlp_profile_s",
"Type": "string"
},
{
"Name": "quarantine_file_name_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "quarantine_profile_id_s",
"Type": "string"
},
{
"Name": "q_original_shared_s",
"Type": "string"
},
{
"Name": "profile_emails_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "shared_with_s",
"Type": "string"
},
{
"Name": "q_original_version_s",
"Type": "string"
},
{
"Name": "q_original_filepath_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "quarantine_profile_s",
"Type": "string"
},
{
"Name": "quarantine_file_id_s",
"Type": "string"
},
{
"Name": "q_admin_s",
"Type": "string"
},
{
"Name": "q_original_filename_s",
"Type": "string"
},
{
"Name": "q_app_s",
"Type": "string"
},
{
"Name": "department_s",
"Type": "string"
},
{
"Name": "orignal_file_path_s",
"Type": "string"
},
{
"Name": "q_instance_s",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,389 @@
{
"Name": "alertsremediationdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "endpoint_count_d",
"Type": "real"
},
{
"Name": "malware_type_s",
"Type": "string"
},
{
"Name": "notify_template_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "dlp_profile_s",
"Type": "string"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "all_policy_matches_s",
"Type": "string"
},
{
"Name": "profile_hits_s",
"Type": "string"
},
{
"Name": "malware_severity_s",
"Type": "string"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "edr_app_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "nsdeviceuid_s",
"Type": "string"
},
{
"Name": "actions_taken_s",
"Type": "string"
},
{
"Name": "malware_id_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "endpoints_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "remediation_profile_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "malware_name_s",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,233 @@
{
"Name": "alertssecurityassessmentdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "iaas_asset_tags_s",
"Type": "string"
},
{
"Name": "sa_rule_id_s",
"Type": "string"
},
{
"Name": "region_id_s",
"Type": "string"
},
{
"Name": "resource_category_s",
"Type": "string"
},
{
"Name": "asset_id_s",
"Type": "string"
},
{
"Name": "asset_object_id_s",
"Type": "string"
},
{
"Name": "sa_profile_name_s",
"Type": "string"
},
{
"Name": "resource_group_s",
"Type": "string"
},
{
"Name": "sa_profile_id_d",
"Type": "real"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "sa_rule_severity_s",
"Type": "string"
},
{
"Name": "policy_id_d",
"Type": "real"
},
{
"Name": "account_name_s",
"Type": "string"
},
{
"Name": "account_id_s",
"Type": "string"
},
{
"Name": "iaas_remediated_s",
"Type": "string"
},
{
"Name": "sa_rule_name_s",
"Type": "string"
},
{
"Name": "region_name_s",
"Type": "string"
},
{
"Name": "compliance_standards_s",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
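Review bot: This table types the policy identifier as `policy_id_d` (real) whereas the policy, remediation and UBA tables in this commit declare `policy_id_s` (string), so a `union` or `join` across the alert tables on policy id will fail the type match or, with `union`, produce two disjoint columns. Queries that correlate assessment findings with other Netskope alerts should normalize first, e.g. `| extend policy_id = tostring(policy_id_d)`. As with the other tables, `cci_s` and `cci_d` are both declared here and need to be coalesced in any CCI-based filter. The schema itself should not be edited to hide the mismatch, since it presumably reflects the column the ingestion created.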


@ -0,0 +1,629 @@
{
"Name": "alertsubadata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acked_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_id_g",
"Type": "string"
},
{
"Name": "alert_name_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "event_type_s",
"Type": "string"
},
{
"Name": "evt_src_chnl_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_g",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "parent_id_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "policy_actions_s",
"Type": "string"
},
{
"Name": "profile_id_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "score_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "telemetry_app_s",
"Type": "string"
},
{
"Name": "threshold_d",
"Type": "real"
},
{
"Name": "threshold_time_d",
"Type": "real"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "loginurl_s",
"Type": "string"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "act_user_s",
"Type": "string"
},
{
"Name": "last_location_s",
"Type": "string"
},
{
"Name": "surhn_s",
"Type": "string"
},
{
"Name": "to_user_s",
"Type": "string"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "TSS_scan_s",
"Type": "string"
},
{
"Name": "web_universal_connector_s",
"Type": "string"
},
{
"Name": "app_category_s",
"Type": "string"
},
{
"Name": "to_object_s",
"Type": "string"
},
{
"Name": "app_activity_s",
"Type": "string"
},
{
"Name": "distinguishedName_s",
"Type": "string"
},
{
"Name": "AccountType_s",
"Type": "string"
},
{
"Name": "last_device_s",
"Type": "string"
},
{
"Name": "User_SPACE_Name_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "activity_status_s",
"Type": "string"
},
{
"Name": "all_policy_matches_s",
"Type": "string"
},
{
"Name": "object_count_d",
"Type": "real"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "displayName_s",
"Type": "string"
},
{
"Name": "user_role_s",
"Type": "string"
},
{
"Name": "download_app_s",
"Type": "string"
},
{
"Name": "last_app_s",
"Type": "string"
},
{
"Name": "shared_credential_user_s",
"Type": "string"
},
{
"Name": "createdTime_s",
"Type": "string"
},
{
"Name": "last_region_s",
"Type": "string"
},
{
"Name": "audit_type_s",
"Type": "string"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "scopes_s",
"Type": "string"
},
{
"Name": "uba_inst1_s",
"Type": "string"
},
{
"Name": "file_category_s",
"Type": "string"
},
{
"Name": "two_factor_auth_s",
"Type": "string"
},
{
"Name": "group_s",
"Type": "string"
},
{
"Name": "bin_timestamp_d",
"Type": "real"
},
{
"Name": "User_SPACE_Id_s",
"Type": "string"
},
{
"Name": "risk_level_s",
"Type": "string"
},
{
"Name": "useragent_s",
"Type": "string"
},
{
"Name": "user_name_s",
"Type": "string"
},
{
"Name": "risk_level_id_d",
"Type": "real"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "request_id_d",
"Type": "real"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "uba_inst2_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "from_user_category_s",
"Type": "string"
},
{
"Name": "mail_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "uba_ap1_s",
"Type": "string"
},
{
"Name": "last_timestamp_d",
"Type": "real"
},
{
"Name": "tss_fail_reason_s",
"Type": "string"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "to_user_category_s",
"Type": "string"
},
{
"Name": "netskope_activity_s",
"Type": "string"
},
{
"Name": "last_country_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "anomaly_type_s",
"Type": "string"
},
{
"Name": "division_s",
"Type": "string"
},
{
"Name": "windowId_d",
"Type": "real"
},
{
"Name": "audit_category_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "logintype_s",
"Type": "string"
},
{
"Name": "tss_scan_failed_s",
"Type": "string"
},
{
"Name": "manager_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "employeeType_s",
"Type": "string"
},
{
"Name": "user_category_s",
"Type": "string"
},
{
"Name": "uba_ap2_s",
"Type": "string"
},
{
"Name": "policy_name_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
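Review bot: Two column pairs in this table are easy to get wrong in detections: `request_id_d` is real here while the policy and remediation tables carry `request_id_s` (string), and both `appcategory_s` and `app_category_s` are declared, so an application-category filter has to check both spellings, e.g. `| where appcategory_s == "X" or app_category_s == "X"`. The `User_SPACE_Name_s` and `User_SPACE_Id_s` names also look like the ingestion-side encoding of source fields containing a space and will not match the `user_name_s`/`user_id_s` columns listed alongside them, so UBA rules keyed on user identity should coalesce across these. These are query-time caveats rather than edits to this schema file, which presumably reflects the real table.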


@ -0,0 +1,621 @@
{
"Name": "eventsapplicationdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "alert_s",
"Type": "string"
},
{
"Name": "alert_type_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "exposure_s",
"Type": "string"
},
{
"Name": "file_lang_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "instance_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "mime_type_s",
"Type": "string"
},
{
"Name": "modified_d",
"Type": "real"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "owner_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "request_id_s",
"Type": "string"
},
{
"Name": "scan_type_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "suppression_key_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "orignal_file_path_s",
"Type": "string"
},
{
"Name": "managed_app_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "resp_cnt_d",
"Type": "real"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "dlp_profile_s",
"Type": "string"
},
{
"Name": "to_user_s",
"Type": "string"
},
{
"Name": "parent_id_s",
"Type": "string"
},
{
"Name": "CononicalName_s",
"Type": "string"
},
{
"Name": "dlp_rule_s",
"Type": "string"
},
{
"Name": "total_collaborator_count_d",
"Type": "real"
},
{
"Name": "sha256_s",
"Type": "string"
},
{
"Name": "shared_with_s",
"Type": "string"
},
{
"Name": "dsthost_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "dlp_unique_count_d",
"Type": "real"
},
{
"Name": "audit_category_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "workspace_id_s",
"Type": "string"
},
{
"Name": "req_cnt_d",
"Type": "real"
},
{
"Name": "universal_connector_s",
"Type": "string"
},
{
"Name": "logintype_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "app_activity_s",
"Type": "string"
},
{
"Name": "channel_id_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "numbytes_d",
"Type": "real"
},
{
"Name": "conn_duration_d",
"Type": "real"
},
{
"Name": "managementID_s",
"Type": "string"
},
{
"Name": "dlp_is_unique_count_s",
"Type": "string"
},
{
"Name": "dlp_mail_parent_id_s",
"Type": "string"
},
{
"Name": "from_user_category_s",
"Type": "string"
},
{
"Name": "policy_id_s",
"Type": "string"
},
{
"Name": "useragent_s",
"Type": "string"
},
{
"Name": "device_classification_s",
"Type": "string"
},
{
"Name": "dlp_file_s",
"Type": "string"
},
{
"Name": "dlp_rule_count_d",
"Type": "real"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "audit_type_s",
"Type": "string"
},
{
"Name": "telemetry_app_s",
"Type": "string"
},
{
"Name": "web_universal_connector_s",
"Type": "string"
},
{
"Name": "title_s",
"Type": "string"
},
{
"Name": "data_type_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "serial_s",
"Type": "string"
},
{
"Name": "sessionid_s",
"Type": "string"
},
{
"Name": "smtp_to_s",
"Type": "string"
},
{
"Name": "appsuite_s",
"Type": "string"
},
{
"Name": "log_file_name_s",
"Type": "string"
},
{
"Name": "dlp_parent_id_d",
"Type": "real"
},
{
"Name": "tss_mode_s",
"Type": "string"
},
{
"Name": "server_bytes_d",
"Type": "real"
},
{
"Name": "client_bytes_d",
"Type": "real"
},
{
"Name": "page_site_s",
"Type": "string"
},
{
"Name": "loginurl_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "fromlogs_s",
"Type": "string"
},
{
"Name": "true_obj_category_s",
"Type": "string"
},
{
"Name": "true_obj_type_s",
"Type": "string"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "workspace_s",
"Type": "string"
},
{
"Name": "dlp_rule_severity_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "netskope_activity_s",
"Type": "string"
},
{
"Name": "data_center_s",
"Type": "string"
},
{
"Name": "dlp_incident_id_d",
"Type": "real"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "nsdeviceuid_s",
"Type": "string"
},
{
"Name": "org_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "custom_connector_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "user_category_s",
"Type": "string"
},
{
"Name": "netskope_pop_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "internal_collaborator_count_d",
"Type": "real"
},
{
"Name": "sanctioned_instance_s",
"Type": "string"
},
{
"Name": "notify_template_s",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}


@ -0,0 +1,101 @@
{
"Name": "eventsauditdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "severity_level_d",
"Type": "real"
},
{
"Name": "audit_log_event_s",
"Type": "string"
},
{
"Name": "supporting_data_data_type_s",
"Type": "string"
},
{
"Name": "supporting_data_data_values_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "details_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
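Review bot: `supporting_data_data_type_s` and `supporting_data_data_values_s` read as a nested `supporting_data` object flattened into two string columns, and the `_values_s` column looks like it carries a list rather than a scalar, yet nothing in this schema says whether that is a JSON-serialized array or a delimited string. The `_s`/`_d` suffixes are the Data Collector API's inferred types rather than a designed schema, so the file itself cannot express this; the connector's parser or documentation should state the format and that `parse_json()` or `split()` is required before the values are usable. Likewise `timestamp_d` is `real`; if it is an epoch value (the name suggests so, the schema cannot confirm it), detection rules should derive event time from it rather than from `TimeGenerated`, which will reflect ingestion time unless the connector sets the time-generated-field header. Presumably this is the Netskope audit-log format — confirm against a live record.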


@ -0,0 +1,241 @@
{
"Name": "eventsconnectiondata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "bypass_reason_s",
"Type": "string"
},
{
"Name": "bypass_traffic_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "incident_id_d",
"Type": "real"
},
{
"Name": "netskope_pop_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "request_id_d",
"Type": "real"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "ssl_decrypt_policy_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "user_generated_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
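Review bot: `request_id_d`, `transaction_id_d`, `connection_id_d` and `incident_id_d` are typed `real` in this table, whereas eventsapplicationdata_CL carries `request_id_s` as a string, so the same identifier has two types across the new tables and any cross-table join needs an explicit `tostring()`/`tolong()`. More importantly, `real` is an IEEE double: if these are 64-bit identifiers, values above 2^53 have already lost precision at ingestion and correlation on them is lossy. The `_d` suffix is the Data Collector API's type inference, so the fix is not in this file; the connector's parser or documentation should call this out and steer correlation toward `_id_s` as the record key. If the IDs are in fact small integers this is harmless — confirm against live data.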


@ -0,0 +1,245 @@
{
"Name": "eventsincidentdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "acting_user_s",
"Type": "string"
},
{
"Name": "activity_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "assignee_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "dlp_incident_id_d",
"Type": "real"
},
{
"Name": "dlp_match_info_s",
"Type": "string"
},
{
"Name": "dlp_parent_id_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "file_lang_s",
"Type": "string"
},
{
"Name": "file_size_d",
"Type": "real"
},
{
"Name": "file_type_s",
"Type": "string"
},
{
"Name": "md5_g",
"Type": "string"
},
{
"Name": "object_id_s",
"Type": "string"
},
{
"Name": "object_type_s",
"Type": "string"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "status_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "title_s",
"Type": "string"
},
{
"Name": "true_obj_category_s",
"Type": "string"
},
{
"Name": "true_obj_type_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "referer_s",
"Type": "string"
},
{
"Name": "user_id_s",
"Type": "string"
},
{
"Name": "object_s",
"Type": "string"
},
{
"Name": "instance_id_s",
"Type": "string"
},
{
"Name": "from_user_s",
"Type": "string"
},
{
"Name": "to_user_s",
"Type": "string"
},
{
"Name": "channel_s",
"Type": "string"
},
{
"Name": "zip_file_id_s",
"Type": "string"
},
{
"Name": "destination_instance_id_s",
"Type": "string"
},
{
"Name": "instance_s",
"Type": "string"
},
{
"Name": "bcc_s",
"Type": "string"
},
{
"Name": "cc_s",
"Type": "string"
},
{
"Name": "inline_dlp_match_info_s",
"Type": "string"
},
{
"Name": "owner_s",
"Type": "string"
},
{
"Name": "original_file_snapshot_id_s",
"Type": "string"
},
{
"Name": "dlp_file_s",
"Type": "string"
},
{
"Name": "owner_pdl_s",
"Type": "string"
},
{
"Name": "destination_site_s",
"Type": "string"
},
{
"Name": "latest_incident_id_d",
"Type": "real"
},
{
"Name": "classification_s",
"Type": "string"
},
{
"Name": "destination_app_s",
"Type": "string"
},
{
"Name": "file_path_s",
"Type": "string"
},
{
"Name": "exposure_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
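Review bot: `dlp_match_info_s` and `inline_dlp_match_info_s`, together with `from_user_s`, `to_user_s`, `cc_s`, `bcc_s` and `file_path_s`, make this the most sensitive of the new tables — if the match-info columns carry excerpts of the content that triggered the DLP rule (the names suggest it, the schema cannot confirm it), the table holds the very data the DLP policy was protecting. That deserves a line in the connector documentation recommending table-level RBAC and a deliberate retention setting for `eventsincidentdata_CL`, separate from the lower-sensitivity page and connection tables. Separately, `md5_g` appears to have been type-inferred as a GUID; document that it should be normalised (`tolower(tostring(md5_g))`) before matching against threat-intelligence indicators, and note that only MD5 is available here while eventsapplicationdata_CL also exposes `sha256_s`.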


@ -0,0 +1,305 @@
{
"Name": "eventsnetworkdata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "action_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "client_bytes_d",
"Type": "real"
},
{
"Name": "client_packets_d",
"Type": "real"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "ip_protocol_s",
"Type": "string"
},
{
"Name": "numbytes_d",
"Type": "real"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "publisher_name_s",
"Type": "string"
},
{
"Name": "server_bytes_d",
"Type": "real"
},
{
"Name": "server_packets_d",
"Type": "real"
},
{
"Name": "session_duration_d",
"Type": "real"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "srcport_d",
"Type": "real"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "total_packets_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "tunnel_id_s",
"Type": "string"
},
{
"Name": "tunnel_type_s",
"Type": "string"
},
{
"Name": "tunnel_up_time_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "dsthost_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "network_session_id_s",
"Type": "string"
},
{
"Name": "publisher_cn_s",
"Type": "string"
},
{
"Name": "start_time_s",
"Type": "string"
},
{
"Name": "num_sessions_d",
"Type": "real"
},
{
"Name": "end_time_s",
"Type": "string"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "protocol_port_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "flow_status_s",
"Type": "string"
},
{
"Name": "cci_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
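Review bot: time is represented three ways in this table — `timestamp_d` as `real`, `start_time_s`/`end_time_s` as strings, and `TimeGenerated` as datetime — and the units of `session_duration_d` and `tunnel_up_time_d` cannot be recovered from the schema. The connector's parser or documentation should state the string format of `start_time_s`/`end_time_s` and whether the duration columns are seconds or milliseconds, otherwise session-length detections built on them will silently be off by a factor of 1000. `ip_protocol_s` and `protocol_s` also coexist without a hint as to which is the transport protocol and which the application protocol; a one-line note naming each would prevent analysts filtering on the wrong one. These are documentation points; the column types themselves mirror what ingestion inferred and should not be hand-edited here.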


@ -0,0 +1,385 @@
{
"Name": "eventspagedata_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "string"
},
{
"Name": "SourceSystem",
"Type": "string"
},
{
"Name": "MG",
"Type": "string"
},
{
"Name": "ManagementGroupName",
"Type": "string"
},
{
"Name": "TimeGenerated",
"Type": "datetime"
},
{
"Name": "Computer",
"Type": "string"
},
{
"Name": "RawData",
"Type": "string"
},
{
"Name": "_id_s",
"Type": "string"
},
{
"Name": "access_method_s",
"Type": "string"
},
{
"Name": "app_s",
"Type": "string"
},
{
"Name": "appcategory_s",
"Type": "string"
},
{
"Name": "bypass_reason_s",
"Type": "string"
},
{
"Name": "bypass_traffic_s",
"Type": "string"
},
{
"Name": "Category",
"Type": "string"
},
{
"Name": "cci_d",
"Type": "real"
},
{
"Name": "ccl_s",
"Type": "string"
},
{
"Name": "connection_id_d",
"Type": "real"
},
{
"Name": "count_d",
"Type": "real"
},
{
"Name": "domain_s",
"Type": "string"
},
{
"Name": "dst_country_s",
"Type": "string"
},
{
"Name": "dst_latitude_d",
"Type": "real"
},
{
"Name": "dst_location_s",
"Type": "string"
},
{
"Name": "dst_longitude_d",
"Type": "real"
},
{
"Name": "dst_region_s",
"Type": "string"
},
{
"Name": "dst_timezone_s",
"Type": "string"
},
{
"Name": "dst_zipcode_s",
"Type": "string"
},
{
"Name": "dstip_s",
"Type": "string"
},
{
"Name": "dstport_d",
"Type": "real"
},
{
"Name": "netskope_pop_s",
"Type": "string"
},
{
"Name": "organization_unit_s",
"Type": "string"
},
{
"Name": "other_categories_s",
"Type": "string"
},
{
"Name": "page_s",
"Type": "string"
},
{
"Name": "request_id_d",
"Type": "real"
},
{
"Name": "site_s",
"Type": "string"
},
{
"Name": "src_country_s",
"Type": "string"
},
{
"Name": "src_latitude_d",
"Type": "real"
},
{
"Name": "src_location_s",
"Type": "string"
},
{
"Name": "src_longitude_d",
"Type": "real"
},
{
"Name": "src_region_s",
"Type": "string"
},
{
"Name": "src_time_s",
"Type": "string"
},
{
"Name": "src_timezone_s",
"Type": "string"
},
{
"Name": "src_zipcode_s",
"Type": "string"
},
{
"Name": "srcip_s",
"Type": "string"
},
{
"Name": "ssl_decrypt_policy_s",
"Type": "string"
},
{
"Name": "timestamp_d",
"Type": "real"
},
{
"Name": "traffic_type_s",
"Type": "string"
},
{
"Name": "transaction_id_d",
"Type": "real"
},
{
"Name": "type_s",
"Type": "string"
},
{
"Name": "ur_normalized_s",
"Type": "string"
},
{
"Name": "url_s",
"Type": "string"
},
{
"Name": "user_s",
"Type": "string"
},
{
"Name": "user_generated_s",
"Type": "string"
},
{
"Name": "userip_s",
"Type": "string"
},
{
"Name": "userkey_s",
"Type": "string"
},
{
"Name": "server_bytes_d",
"Type": "real"
},
{
"Name": "browser_session_id_d",
"Type": "real"
},
{
"Name": "sessionid_s",
"Type": "string"
},
{
"Name": "fromlogs_s",
"Type": "string"
},
{
"Name": "browser_version_s",
"Type": "string"
},
{
"Name": "network_s",
"Type": "string"
},
{
"Name": "org_s",
"Type": "string"
},
{
"Name": "resp_content_type_s",
"Type": "string"
},
{
"Name": "conn_duration_d",
"Type": "real"
},
{
"Name": "policy_s",
"Type": "string"
},
{
"Name": "log_file_name_s",
"Type": "string"
},
{
"Name": "resp_cnt_d",
"Type": "real"
},
{
"Name": "severity_s",
"Type": "string"
},
{
"Name": "serial_s",
"Type": "string"
},
{
"Name": "hostname_s",
"Type": "string"
},
{
"Name": "suppression_start_time_d",
"Type": "real"
},
{
"Name": "conn_endtime_d",
"Type": "real"
},
{
"Name": "sAMAccountName_s",
"Type": "string"
},
{
"Name": "numbytes_d",
"Type": "real"
},
{
"Name": "req_cnt_d",
"Type": "real"
},
{
"Name": "src_geoip_src_d",
"Type": "real"
},
{
"Name": "forward_to_proxy_profile_s",
"Type": "string"
},
{
"Name": "resp_content_len_d",
"Type": "real"
},
{
"Name": "os_s",
"Type": "string"
},
{
"Name": "userPrincipalName_s",
"Type": "string"
},
{
"Name": "suppression_end_time_d",
"Type": "real"
},
{
"Name": "os_version_s",
"Type": "string"
},
{
"Name": "device_s",
"Type": "string"
},
{
"Name": "dynamic_classification_s",
"Type": "string"
},
{
"Name": "dst_geoip_src_d",
"Type": "real"
},
{
"Name": "CononicalName_s",
"Type": "string"
},
{
"Name": "conn_starttime_d",
"Type": "real"
},
{
"Name": "browser_s",
"Type": "string"
},
{
"Name": "dsthost_s",
"Type": "string"
},
{
"Name": "client_bytes_d",
"Type": "real"
},
{
"Name": "app_session_id_d",
"Type": "real"
},
{
"Name": "http_transaction_count_d",
"Type": "real"
},
{
"Name": "useragent_s",
"Type": "string"
},
{
"Name": "protocol_s",
"Type": "string"
},
{
"Name": "Type",
"Type": "string"
},
{
"Name": "_ResourceId",
"Type": "string"
}
]
}
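Review bot: `CononicalName_s` looks like a misspelling of CanonicalName (the same name appears in eventsapplicationdata_CL). If that is the literal field name the Netskope feed emits, it must be preserved here and in every parser, and a one-line note in the connector docs would stop someone "correcting" it and breaking queries; if it is a transcription error in this fixture, fix it before the table is created, since a `_CL` column name cannot be renamed afterwards. On the security side, `ssl_decrypt_policy_s` together with `bypass_traffic_s`/`bypass_reason_s` identifies sessions that were not inspected; documenting these three columns would help analysts flag, rather than silently include, un-inspected traffic when writing detections. As with the sibling tables, `conn_starttime_d`/`conn_endtime_d`/`timestamp_d` are `real` while `src_time_s` is a string, so the parser should state the epoch unit and which column is the authoritative event time.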


@ -237,5 +237,7 @@
"FortinetFortiWebAma",
"InfobloxSOCInsightsDataConnector_API",
"InfobloxSOCInsightsDataConnector_Legacy",
"InfobloxSOCInsightsDataConnector_AMA"
"InfobloxSOCInsightsDataConnector_AMA",
"NetskopeDataConnector",
"NetskopeWebTransactionsDataConnector"
]


@ -0,0 +1,10 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,cs_uri_query_g,date_s,time_s,time_taken_s,cs_bytes_s,sc_bytes_s,bytes_s,c_ip_s,s_ip_s,cs_username_s,cs_method_s,cs_uri_scheme_s,cs_uri_query_s,cs_user_agent_s,cs_content_type_s,sc_status_s,sc_content_type_s,cs_dns_s,cs_host_s,cs_uri_s,cs_uri_port_s,cs_referer_s,x_cs_session_id_s,x_cs_access_method_s,x_cs_app_s,x_s_country_s,x_s_latitude_s,x_s_longitude_s,x_s_location_s,x_s_region_s,x_s_zipcode_s,x_c_country_s,x_c_latitude_s,x_c_longitude_s,x_c_location_s,x_c_region_s,x_c_zipcode_s,x_c_os_s,x_c_browser_s,x_c_browser_version_s,x_c_device_s,x_cs_site_s,x_cs_timestamp_s,x_cs_page_id_s,x_cs_userip_s,x_cs_traffic_type_s,x_cs_tunnel_id_s,x_category_s,x_other_category_s,x_type_s,x_server_ssl_err_s,x_client_ssl_err_s,x_transaction_id_s,x_request_id_s,x_cs_sni_s,x_cs_domain_fronted_sni_s,x_category_id_s,x_other_category_id_s,x_sr_headers_name_s,x_sr_headers_value_s,x_cs_ssl_ja3_g,x_sr_ssl_ja3s_s,x_ssl_bypass_s,x_ssl_bypass_reason_s,x_r_cert_subject_cn_s,x_r_cert_issuer_cn_s,x_r_cert_startdate_s,x_r_cert_enddate_s,x_r_cert_valid_s,x_r_cert_expired_s,x_r_cert_untrusted_root_s,x_r_cert_incomplete_chain_s,x_r_cert_self_signed_s,x_r_cert_revoked_s,x_r_cert_revocation_check_s,x_r_cert_mismatch_s,x_cs_ssl_fronting_error_s,x_cs_ssl_handshake_error_s,x_sr_ssl_handshake_error_s,x_sr_ssl_client_certificate_error_s,x_sr_ssl_malformed_ssl_s,x_s_custom_signing_ca_error_s,x_cs_ssl_engine_action_s,x_cs_ssl_engine_action_reason_s,x_sr_ssl_engine_action_s,x_sr_ssl_engine_action_reason_s,x_ssl_policy_src_ip_s,x_ssl_policy_dst_ip_s,x_ssl_policy_dst_host_s,x_ssl_policy_dst_host_source_s,x_ssl_policy_categories_s,x_ssl_policy_action_s,x_ssl_policy_name_s,x_cs_ssl_version_s,x_cs_ssl_cipher_s,x_sr_ssl_version_s,x_sr_ssl_cipher_s,x_cs_src_ip_egress_s,x_s_dp_name_s,x_cs_src_ip_s,x_cs_src_port_s,x_cs_dst_ip_s,x_cs_dst_port_s,x_sr_src_ip_s,x_sr_src_port_s,x_sr_dst_ip_s,x_sr_dst_port_s,x_cs_ip_connect_xff_s,x_cs_ip_xff_s,x_
cs_connect_host_s,x_cs_connect_port_s,x_cs_connect_user_agent_s,x_cs_url_s,x_cs_uri_path_s,x_cs_http_version_s,rs_status_s,x_cs_app_category_s,x_cs_app_cci_s,x_cs_app_ccl_s,x_cs_app_tags_s,x_cs_app_suite_s,x_cs_app_instance_id_s,x_cs_app_instance_name_s,x_cs_app_instance_tag_s,x_cs_app_activity_s,x_cs_app_from_user_s,x_cs_app_to_user_s,x_cs_app_object_type_s,x_cs_app_object_name_s,x_cs_app_object_id_s,x_rs_file_type_s,x_rs_file_category_s,x_rs_file_language_s,x_rs_file_size_s,x_rs_file_md5_s,x_rs_file_sha256_s,x_error_s,x_c_local_time_s,x_policy_action_s,x_policy_name_s,x_policy_src_ip_s,x_policy_dst_ip_s,x_policy_dst_host_s,x_policy_dst_host_source_s,x_policy_justification_type_s,x_policy_justification_reason_s,x_sc_notification_name_s,netskope_api_host_name_s,x_cs_ssl_ja3_s,x_rs_file_md5_g,Type,_ResourceId
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:25 PM",,,,2024-02-20,15:51:11,208,4802,90903,95705,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,text/html; charset=utf-8,www.msnbc.com,www.msnbc.com,/,443,-,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708444271,0,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,5216593391501189756,2780252508038218752,www.msnbc.com,-,537,10001,-,-,0858b1a5-d5c4-d5a8-cf16-09a87c74d42f,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA123,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,860,-,-,-,-,-,http://www.msnbc.com:443/,/,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/html,Text,-,-,-,-,-,2024-02-20 7:50:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:25 PM",,,,2024-02-20,15:51:13,37,4779,628,5407,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,https,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,304,video/mp4,www.msnbc.com,www.msnbc.com,/_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708444273,1261774939245039714,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,6424739376955203561,2780252519153124352,www.msnbc.com,-,537,10001,-,-,0858b1a5-d5c4-d5a8-cf16-09a87c74d42f,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,-,-,-,Unknown,-,Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA124,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,860,-,-,-,-,-,https://www.msnbc.com/_next/static/src/assets/videos/28978261684cd12447cbff12871,/_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4,HTTP1.1,304,-,-,-,-,-,-,-,-,Browse,-,-,-,-,-,-,-,-,-,-,-,-,2024-02-20 7:51:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:25 PM",,,,2024-02-20,15:51:13,76,4712,2238,6950,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,application/json; charset=utf-8,www.msnbc.com,www.msnbc.com,/services/tve/schedule/msnbc,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708444273,1261774939245039714,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,2184596302302331693,2780252519153124096,www.msnbc.com,-,537,10001,-,-,911a5621-894f-4d83-92ca-88415c3c7818,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA125,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,871,-,-,-,-,-,http://www.msnbc.com:443/services/tve/schedule/ms,/services/tve/schedule/msnbc,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/plain,Text,-,-,-,-,-,2024-02-20 7:51:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:25 PM",,,,2024-02-20,15:51:13,45,4714,957,5671,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,https,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,application/json; charset=utf-8,www.msnbc.com,www.msnbc.com,/services/miniPlayerTease/msnbc,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708444273,1261774939245039714,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,1300544121152535217,2780252520495301632,www.msnbc.com,-,537,10001,-,-,0858b1a5-d5c4-d5a8-cf16-09a87c74d42f,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,-,-,-,Unknown,-,Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA126,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,860,-,-,-,-,-,https://www.msnbc.com/services/miniPlayerTease/ms,/services/miniPlayerTease/msnbc,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/plain,Text,-,-,-,-,-,2024-02-20 7:51:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:25 PM",,,,2024-02-20,15:43:30,365,5215,2322213,2327428,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,text/html; charset=UTF-8,www.msnbc.com,www.msnbc.com,/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708443810,3067349774468027936,1.1.1.1,Web,-,News & Media,All 
Categories,http_transaction,-,-,4018871287092426288,2780248636326532352,www.msnbc.com,-,537,10001,-,-,2add0d93-df10-8807-866a-2bffbb3340b2,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA127,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,889,-,-,-,-,-,http://www.msnbc.com:443/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentUrl=https%3A%2F,/sigma.html,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/html,Text,-,-,-,-,-,2024-02-20 7:43:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:26 PM",,,,2024-02-20,15:51:18,356,5311,2322213,2327524,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,text/html; charset=UTF-8,www.msnbc.com,www.msnbc.com,/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708444278,1261774939245039714,1.1.1.1,Web,-,News & Media,All 
Categories,http_transaction,-,-,8879759428117034966,2780252561070994432,www.msnbc.com,-,537,10001,-,-,292929e8-1ca3-2211-49d6-3c4532381d06,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA128,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,806,-,-,-,-,-,http://www.msnbc.com:443/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F,/sigma.html,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/html,Text,-,-,-,-,-,2024-02-20 7:51:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:26 PM",,,,2024-02-20,15:43:21,124,4109,88750,92859,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,text/html; charset=utf-8,www.msnbc.com,www.msnbc.com,/,443,-,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708443801,0,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,8965014869871943343,2780248560938100992,www.msnbc.com,-,537,10001,-,-,690a2b56-28cd-0dee-4636-1189923000f3,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA129,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,852,-,-,-,-,-,http://www.msnbc.com:44,/,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/html,Text,-,-,-,-,-,2024-02-20 7:43:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:26 PM",,,,2024-02-20,15:43:23,69,4162,2238,6400,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,https,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,200,application/json; charset=utf-8,www.msnbc.com,www.msnbc.com,/services/tve/schedule/msnbc,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708443803,3067349774468027936,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,4662318295215182777,2780248576666740992,www.msnbc.com,-,537,10001,-,-,690a2b56-28cd-0dee-4636-1189923000f3,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,-,-,-,Unknown,-,Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA130,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,852,-,-,-,-,-,https://www.msnbc.com/services/tve/schedule/ms,/services/tve/schedule/msnbc,HTTP1.1,200,-,-,-,-,-,-,-,-,Browse,-,-,File,-,-,text/plain,Text,-,-,-,-,-,2024-02-20 7:43:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
abcd-efg-hijk,RestAPI,,,"2/20/2024, 3:51:26 PM",,,,2024-02-20,15:43:23,29,4229,628,4857,1.2.3.4,5.6.7.8,dummyuser@something.com,GET,http,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36",-,304,video/mp4,www.msnbc.com,www.msnbc.com,/_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4,443,https://www.msnbc.com/,6326394171326945461,Client,msnbc,US,47.353,-111.9543,Santa Clara,California,95052,US,47.1835,-111.7714,San Jose,California,95141,Windows Server 2016,Chrome,119.0.0.0,Windows Device,msnbc,1708443803,3067349774468027936,1.1.1.1,Web,-,News & Media,All Categories,http_transaction,-,-,7355203339990228596,2780248577933419264,www.msnbc.com,-,537,10001,-,-,4d800cd2-7490-febe-bb8b-2ee57fe86587,NotAvailable,No,-,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,NotChecked,No,No,NotChecked,NotChecked,NotChecked,NotChecked,Allow,Established,None,NotEstablished,2.2.2.2,3.3.3.3,www.msnbc.com,Sni,"News & Media, All Categories",Decrypt,-,TLSv1.3,ABC_TLS_AES_256_GCM_SHA131,NotChecked,NotChecked,4.4.4.4,US-SFO1,5.5.5.5,58871,6.6.6.6,443,-,-,7.7.7.7,882,-,-,-,-,-,http://www.msnbc.com:443/_next/static/src/assets/videos/28978261684cd12447cb,/_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4,HTTP1.1,304,-,-,-,-,-,-,-,-,Browse,-,-,-,-,-,-,-,-,-,-,-,-,2024-02-20 7:43:08,allow_default,DefaultAction,8.8.8.8,9.9.9.9,www.msnbc.com,HttpHostHeader,-,-,-,allces.goskope.com,,,NetskopeWebtxData_CL,
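Review bot: The sample rows redact the tenant, endpoints and user (`abcd-efg-hijk`, `1.2.3.4`, `dummyuser@something.com`) but not the captured URLs — on the `/sigma.html` rows `cs_uri_query_s`, `cs_uri_s` and `x_cs_url_s` still carry full `token_Widevine=…`, `token_Fairplay=…`, `token_PlayReady=…` and `mpid=…` values, and `netskope_api_host_name_s` is `allces.goskope.com`, which reads like a real tenant hostname rather than a placeholder. These particular values are probably short-lived DRM session tokens for a public stream, but the redaction pass evidently skipped the query-string and URL columns, and the same pass applied to another capture would commit a session or bearer token into a public sample file; replace the token values with something obviously fake (e.g. `token_Widevine=REDACTED`) and the tenant with a placeholder such as `example.goskope.com`. Separately, the header carries both `x_cs_ssl_ja3_g` and `x_cs_ssl_ja3_s` (likewise `cs_uri_query_g`/`_s` and `x_rs_file_md5_g`/`_s`), and every row shown has its JA3 in the `_g` column with `_s` empty, so a parser or analytic that reads only `x_cs_ssl_ja3_s` will miss the fingerprint on these rows; whatever consumes this table should `coalesce()` the two variants.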
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData cs_uri_query_g date_s time_s time_taken_s cs_bytes_s sc_bytes_s bytes_s c_ip_s s_ip_s cs_username_s cs_method_s cs_uri_scheme_s cs_uri_query_s cs_user_agent_s cs_content_type_s sc_status_s sc_content_type_s cs_dns_s cs_host_s cs_uri_s cs_uri_port_s cs_referer_s x_cs_session_id_s x_cs_access_method_s x_cs_app_s x_s_country_s x_s_latitude_s x_s_longitude_s x_s_location_s x_s_region_s x_s_zipcode_s x_c_country_s x_c_latitude_s x_c_longitude_s x_c_location_s x_c_region_s x_c_zipcode_s x_c_os_s x_c_browser_s x_c_browser_version_s x_c_device_s x_cs_site_s x_cs_timestamp_s x_cs_page_id_s x_cs_userip_s x_cs_traffic_type_s x_cs_tunnel_id_s x_category_s x_other_category_s x_type_s x_server_ssl_err_s x_client_ssl_err_s x_transaction_id_s x_request_id_s x_cs_sni_s x_cs_domain_fronted_sni_s x_category_id_s x_other_category_id_s x_sr_headers_name_s x_sr_headers_value_s x_cs_ssl_ja3_g x_sr_ssl_ja3s_s x_ssl_bypass_s x_ssl_bypass_reason_s x_r_cert_subject_cn_s x_r_cert_issuer_cn_s x_r_cert_startdate_s x_r_cert_enddate_s x_r_cert_valid_s x_r_cert_expired_s x_r_cert_untrusted_root_s x_r_cert_incomplete_chain_s x_r_cert_self_signed_s x_r_cert_revoked_s x_r_cert_revocation_check_s x_r_cert_mismatch_s x_cs_ssl_fronting_error_s x_cs_ssl_handshake_error_s x_sr_ssl_handshake_error_s x_sr_ssl_client_certificate_error_s x_sr_ssl_malformed_ssl_s x_s_custom_signing_ca_error_s x_cs_ssl_engine_action_s x_cs_ssl_engine_action_reason_s x_sr_ssl_engine_action_s x_sr_ssl_engine_action_reason_s x_ssl_policy_src_ip_s x_ssl_policy_dst_ip_s x_ssl_policy_dst_host_s x_ssl_policy_dst_host_source_s x_ssl_policy_categories_s x_ssl_policy_action_s x_ssl_policy_name_s x_cs_ssl_version_s x_cs_ssl_cipher_s x_sr_ssl_version_s x_sr_ssl_cipher_s x_cs_src_ip_egress_s x_s_dp_name_s x_cs_src_ip_s x_cs_src_port_s x_cs_dst_ip_s x_cs_dst_port_s x_sr_src_ip_s x_sr_src_port_s x_sr_dst_ip_s x_sr_dst_port_s x_cs_ip_connect_xff_s x_cs_ip_xff_s 
x_cs_connect_host_s x_cs_connect_port_s x_cs_connect_user_agent_s x_cs_url_s x_cs_uri_path_s x_cs_http_version_s rs_status_s x_cs_app_category_s x_cs_app_cci_s x_cs_app_ccl_s x_cs_app_tags_s x_cs_app_suite_s x_cs_app_instance_id_s x_cs_app_instance_name_s x_cs_app_instance_tag_s x_cs_app_activity_s x_cs_app_from_user_s x_cs_app_to_user_s x_cs_app_object_type_s x_cs_app_object_name_s x_cs_app_object_id_s x_rs_file_type_s x_rs_file_category_s x_rs_file_language_s x_rs_file_size_s x_rs_file_md5_s x_rs_file_sha256_s x_error_s x_c_local_time_s x_policy_action_s x_policy_name_s x_policy_src_ip_s x_policy_dst_ip_s x_policy_dst_host_s x_policy_dst_host_source_s x_policy_justification_type_s x_policy_justification_reason_s x_sc_notification_name_s netskope_api_host_name_s x_cs_ssl_ja3_s x_rs_file_md5_g Type _ResourceId
2 abcd-efg-hijk RestAPI 2/20/2024, 3:51:25 PM 2024-02-20 15:51:11 208 4802 90903 95705 1.2.3.4 5.6.7.8 dummyuser@something.com GET http - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 text/html; charset=utf-8 www.msnbc.com www.msnbc.com / 443 - 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708444271 0 1.1.1.1 Web - News & Media All Categories http_transaction - - 5216593391501189756 2780252508038218752 www.msnbc.com - 537 10001 - - 0858b1a5-d5c4-d5a8-cf16-09a87c74d42f NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA123 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 860 - - - - - http://www.msnbc.com:443/ / HTTP1.1 200 - - - - - - - - Browse - - File - - text/html Text - - - - - 2024-02-20 7:50:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
3 abcd-efg-hijk RestAPI 2/20/2024, 3:51:25 PM 2024-02-20 15:51:13 37 4779 628 5407 1.2.3.4 5.6.7.8 dummyuser@something.com GET https - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 304 video/mp4 www.msnbc.com www.msnbc.com /_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708444273 1261774939245039714 1.1.1.1 Web - News & Media All Categories http_transaction - - 6424739376955203561 2780252519153124352 www.msnbc.com - 537 10001 - - 0858b1a5-d5c4-d5a8-cf16-09a87c74d42f NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished - - - Unknown - Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA124 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 860 - - - - - https://www.msnbc.com/_next/static/src/assets/videos/28978261684cd12447cbff12871 /_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4 HTTP1.1 304 - - - - - - - - Browse - - - - - - - - - - - - 2024-02-20 7:51:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
4 abcd-efg-hijk RestAPI 2/20/2024, 3:51:25 PM 2024-02-20 15:51:13 76 4712 2238 6950 1.2.3.4 5.6.7.8 dummyuser@something.com GET http - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 application/json; charset=utf-8 www.msnbc.com www.msnbc.com /services/tve/schedule/msnbc 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708444273 1261774939245039714 1.1.1.1 Web - News & Media All Categories http_transaction - - 2184596302302331693 2780252519153124096 www.msnbc.com - 537 10001 - - 911a5621-894f-4d83-92ca-88415c3c7818 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA125 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 871 - - - - - http://www.msnbc.com:443/services/tve/schedule/ms /services/tve/schedule/msnbc HTTP1.1 200 - - - - - - - - Browse - - File - - text/plain Text - - - - - 2024-02-20 7:51:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
5 abcd-efg-hijk RestAPI 2/20/2024, 3:51:25 PM 2024-02-20 15:51:13 45 4714 957 5671 1.2.3.4 5.6.7.8 dummyuser@something.com GET https - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 application/json; charset=utf-8 www.msnbc.com www.msnbc.com /services/miniPlayerTease/msnbc 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708444273 1261774939245039714 1.1.1.1 Web - News & Media All Categories http_transaction - - 1300544121152535217 2780252520495301632 www.msnbc.com - 537 10001 - - 0858b1a5-d5c4-d5a8-cf16-09a87c74d42f NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished - - - Unknown - Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA126 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 860 - - - - - https://www.msnbc.com/services/miniPlayerTease/ms /services/miniPlayerTease/msnbc HTTP1.1 200 - - - - - - - - Browse - - File - - text/plain Text - - - - - 2024-02-20 7:51:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
6 abcd-efg-hijk RestAPI 2/20/2024, 3:51:25 PM 2024-02-20 15:43:30 365 5215 2322213 2327428 1.2.3.4 5.6.7.8 dummyuser@something.com GET http stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 text/html; charset=UTF-8 www.msnbc.com www.msnbc.com /sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708443810 3067349774468027936 1.1.1.1 Web - News & Media All Categories http_transaction - - 4018871287092426288 2780248636326532352 www.msnbc.com - 537 10001 - - 2add0d93-df10-8807-866a-2bffbb3340b2 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked 
NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA127 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 889 - - - - - http://www.msnbc.com:443/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708443731265&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=9cde749626f145b857802ef96df16b5d93ac82187cc4e6e2aa9337cb1fda028f&token_Fairplay=05e22acc2cc44851d8a9d89b9a76e6b40c8f3c11c7b2b4a85d11f0ca6f2e2a74&token_PlayReady=c8ea61a415c018fad0ac61ef758b95cb41ca78f8282c866082f8172e60b66e16&initialWidth=280&childId=core-video&parentUrl=https%3A%2F /sigma.html HTTP1.1 200 - - - - - - - - Browse - - File - - text/html Text - - - - - 2024-02-20 7:43:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
7 abcd-efg-hijk RestAPI 2/20/2024, 3:51:26 PM 2024-02-20 15:51:18 356 5311 2322213 2327524 1.2.3.4 5.6.7.8 dummyuser@something.com GET http stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 text/html; charset=UTF-8 www.msnbc.com www.msnbc.com /sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708444278 1261774939245039714 1.1.1.1 Web - News & Media All Categories http_transaction - - 8879759428117034966 2780252561070994432 www.msnbc.com - 537 10001 - - 292929e8-1ca3-2211-49d6-3c4532381d06 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked 
NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA128 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 806 - - - - - http://www.msnbc.com:443/sigma.html?stream=MSNBC_TVE&mvpdHash=null&mpid=1745196552392127496&timestamp=1708444212571&usPrivacy=1YNN&autoplay=true&mutedAutoplay=true&token_Widevine=44fd56038b7914e0db57f0f1ab63bb2a39e372979ada489d0b5f55ee37c98c93&token_Fairplay=7600640cf4d0eac4b95acf4b0231eb16b83cdf77542cc47d26fe2740959e702d&token_PlayReady=2b70b8e2bc410baa90cc8f78208f2c96c94bf1024b117ad54a783dadfc7a5657&initialWidth=280&childId=core-video&parentTitle=MSNBC%20News%20-%20Breaking%20News%20and%20News%20Today%20%7C%20Latest%20News&parentUrl=https%3A%2F%2Fwww.msnbc.com%2F /sigma.html HTTP1.1 200 - - - - - - - - Browse - - File - - text/html Text - - - - - 2024-02-20 7:51:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
8 abcd-efg-hijk RestAPI 2/20/2024, 3:51:26 PM 2024-02-20 15:43:21 124 4109 88750 92859 1.2.3.4 5.6.7.8 dummyuser@something.com GET http - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 text/html; charset=utf-8 www.msnbc.com www.msnbc.com / 443 - 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708443801 0 1.1.1.1 Web - News & Media All Categories http_transaction - - 8965014869871943343 2780248560938100992 www.msnbc.com - 537 10001 - - 690a2b56-28cd-0dee-4636-1189923000f3 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA129 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 852 - - - - - http://www.msnbc.com:44 / HTTP1.1 200 - - - - - - - - Browse - - File - - text/html Text - - - - - 2024-02-20 7:43:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
9 abcd-efg-hijk RestAPI 2/20/2024, 3:51:26 PM 2024-02-20 15:43:23 69 4162 2238 6400 1.2.3.4 5.6.7.8 dummyuser@something.com GET https - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 200 application/json; charset=utf-8 www.msnbc.com www.msnbc.com /services/tve/schedule/msnbc 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708443803 3067349774468027936 1.1.1.1 Web - News & Media All Categories http_transaction - - 4662318295215182777 2780248576666740992 www.msnbc.com - 537 10001 - - 690a2b56-28cd-0dee-4636-1189923000f3 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished - - - Unknown - Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA130 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 852 - - - - - https://www.msnbc.com/services/tve/schedule/ms /services/tve/schedule/msnbc HTTP1.1 200 - - - - - - - - Browse - - File - - text/plain Text - - - - - 2024-02-20 7:43:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL
10 abcd-efg-hijk RestAPI 2/20/2024, 3:51:26 PM 2024-02-20 15:43:23 29 4229 628 4857 1.2.3.4 5.6.7.8 dummyuser@something.com GET http - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 - 304 video/mp4 www.msnbc.com www.msnbc.com /_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4 443 https://www.msnbc.com/ 6326394171326945461 Client msnbc US 47.353 -111.9543 Santa Clara California 95052 US 47.1835 -111.7714 San Jose California 95141 Windows Server 2016 Chrome 119.0.0.0 Windows Device msnbc 1708443803 3067349774468027936 1.1.1.1 Web - News & Media All Categories http_transaction - - 7355203339990228596 2780248577933419264 www.msnbc.com - 537 10001 - - 4d800cd2-7490-febe-bb8b-2ee57fe86587 NotAvailable No - NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked NotChecked No No NotChecked NotChecked NotChecked NotChecked Allow Established None NotEstablished 2.2.2.2 3.3.3.3 www.msnbc.com Sni News & Media, All Categories Decrypt - TLSv1.3 ABC_TLS_AES_256_GCM_SHA131 NotChecked NotChecked 4.4.4.4 US-SFO1 5.5.5.5 58871 6.6.6.6 443 - - 7.7.7.7 882 - - - - - http://www.msnbc.com:443/_next/static/src/assets/videos/28978261684cd12447cb /_next/static/src/assets/videos/28978261684cd12447cbff1287190620.mp4 HTTP1.1 304 - - - - - - - - Browse - - - - - - - - - - - - 2024-02-20 7:43:08 allow_default DefaultAction 8.8.8.8 9.9.9.9 www.msnbc.com HttpHostHeader - - - allces.goskope.com NetskopeWebtxData_CL


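--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,11 @@
+TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [UTC]",Computer,RawData,"error_s",Type,"_ResourceId"
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/21/2024, 7:38:24.168 AM",,,"600 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-21/02/2024 07:38:23","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/21/2024, 7:18:24.552 AM",,,"600 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-21/02/2024 07:18:23","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"3/4/2024, 6:43:46.559 AM",,,"Webtx Authentication : WebTx : (method=generate_sub_key_path) : Not authorized to use this feature. This is a licensed feature, please contact Netskope support to purchase.","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"3/4/2024, 6:44:10.107 AM",,,"Invalid Netskope Hostname : WebTx : (method=get_sub_key_path) : The provided Netskope Hostname might be empty, Kindly verify and Enter Credentials again.","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"3/4/2024, 6:44:23.832 AM",,,"Webtx Token Empty : WebTx : (method=generate_sub_key_path) : Please configure the ""Netskope Account"" which is configured with V2 token.","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/26/2024, 12:05:35.022 PM",,,"200 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-26/02/2024 12:05:34","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/26/2024, 1:05:10.401 PM",,,"200 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-26/02/2024 13:05:09","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/26/2024, 1:13:05.221 PM",,,"200 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-26/02/2024 13:13:05","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/27/2024, 6:37:21.146 AM",,,"200 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-27/02/2024 06:37:20","NetskopeWebtxErrors_CL",
+"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/27/2024, 7:05:07.929 AM",,,"200 : WebTx : (method=<module>) : Not receiving any messages from pubsub since time-27/02/2024 07:05:06","NetskopeWebtxErrors_CL",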
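Review bot: Every row of this errors sample carries a full GUID in TenantId (`acd8fb14-e664-4b90-a4fd-1456cbfdbacd`), whereas the webtx sample added in the same commit uses the obvious placeholder `abcd-efg-hijk`. If these rows were exported from a real Log Analytics workspace, that value identifies a real tenant and should be scrubbed before it is published as sample data; replacing it with `abcd-efg-hijk` would also make the sample files consistent with each other. The same GUID appears in the metrics sample that follows this section, so the scrub should cover that file too.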


@ -0,0 +1,121 @@
TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [UTC]",Computer,RawData,"timestamp_t [UTC]","backlog_message_count_d","oldest_unacked_message_age_s",Type,"_ResourceId"
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 8:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 7:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 6:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 5:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 4:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 3:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 2:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 1:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/19/2024, 12:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 11:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 10:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 9:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 8:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 7:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 6:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 5:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 4:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 3:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 2:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 1:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 12:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 11:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 10:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:01.365 AM",,,"2/18/2024, 9:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 8:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 7:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 6:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 5:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 4:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 3:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 2:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 1:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/19/2024, 12:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 11:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 10:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 9:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 8:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 7:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 6:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 5:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 4:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 3:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 2:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 1:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 12:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 11:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 10:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 8:20:35.573 AM",,,"2/18/2024, 9:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 7:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 6:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 5:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 4:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 3:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 2:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 1:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/19/2024, 12:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 11:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 10:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 9:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 8:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 7:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 6:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 5:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 4:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 3:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 2:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 1:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 12:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 11:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 10:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 9:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:35:01.089 AM",,,"2/18/2024, 8:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 7:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 6:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 5:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 4:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 3:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 2:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 1:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/19/2024, 12:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 11:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 10:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 9:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 8:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 7:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 6:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 5:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 4:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 3:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 2:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 1:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 12:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 11:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 10:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 9:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:30:00.972 AM",,,"2/18/2024, 8:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 7:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 6:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 5:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 4:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 3:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 2:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 1:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/19/2024, 12:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 11:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 10:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 9:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 8:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 7:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 6:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 5:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 4:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 3:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 2:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 1:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 12:00:00.000 PM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 11:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 10:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 9:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
"acd8fb14-e664-4b90-a4fd-1456cbfdbacd",RestAPI,,,"2/19/2024, 7:31:01.562 AM",,,"2/18/2024, 8:00:00.000 AM",0,"0hours, 0minutes","Netskope_WebTx_metrics_CL",
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData timestamp_t [UTC] backlog_message_count_d oldest_unacked_message_age_s Type _ResourceId
2 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 8:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
3 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 7:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
4 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 6:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
5 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 5:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
6 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 4:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
7 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 3:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
8 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 2:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
9 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 1:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
10 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/19/2024, 12:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
11 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 11:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
12 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 10:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
13 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 9:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
14 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 8:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
15 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 7:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
16 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 6:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
17 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 5:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
18 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 4:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
19 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 3:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
20 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 2:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
21 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 1:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
22 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 12:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
23 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 11:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
24 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 10:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
25 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:01.365 AM 2/18/2024, 9:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
26 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 8:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
27 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 7:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
28 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 6:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
29 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 5:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
30 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 4:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
31 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 3:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
32 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 2:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
33 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 1:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
34 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/19/2024, 12:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
35 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 11:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
36 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 10:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
37 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 9:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
38 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 8:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
39 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 7:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
40 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 6:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
41 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 5:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
42 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 4:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
43 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 3:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
44 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 2:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
45 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 1:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
46 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 12:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
47 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 11:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
48 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 10:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
49 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 8:20:35.573 AM 2/18/2024, 9:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
50 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 7:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
51 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 6:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
52 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 5:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
53 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 4:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
54 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 3:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
55 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 2:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
56 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 1:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
57 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/19/2024, 12:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
58 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 11:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
59 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 10:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
60 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 9:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
61 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 8:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
62 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 7:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
63 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 6:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
64 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 5:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
65 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 4:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
66 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 3:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
67 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 2:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
68 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 1:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
69 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 12:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
70 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 11:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
71 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 10:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
72 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 9:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
73 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:35:01.089 AM 2/18/2024, 8:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
74 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 7:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
75 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 6:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
76 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 5:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
77 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 4:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
78 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 3:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
79 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 2:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
80 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 1:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
81 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/19/2024, 12:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
82 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 11:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
83 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 10:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
84 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 9:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
85 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 8:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
86 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 7:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
87 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 6:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
88 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 5:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
89 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 4:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
90 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 3:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
91 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 2:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
92 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 1:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
93 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 12:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
94 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 11:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
95 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 10:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
96 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 9:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
97 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:30:00.972 AM 2/18/2024, 8:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
98 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 7:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
99 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 6:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
100 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 5:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
101 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 4:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
102 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 3:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
103 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 2:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
104 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 1:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
105 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/19/2024, 12:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
106 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 11:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
107 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 10:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
108 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 9:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
109 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 8:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
110 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 7:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
111 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 6:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
112 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 5:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
113 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 4:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
114 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 3:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
115 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 2:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
116 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 1:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
117 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 12:00:00.000 PM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
118 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 11:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
119 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 10:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
120 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 9:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL
121 acd8fb14-e664-4b90-a4fd-1456cbfdbacd RestAPI 2/19/2024, 7:31:01.562 AM 2/18/2024, 8:00:00.000 AM 0 0hours, 0minutes Netskope_WebTx_metrics_CL


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,acked_s,alert_s,alert_name_s,alert_type_s,app_s,Category,cci_s,ccl_s,count_d,organization_unit_s,timestamp_d,type_s,ur_normalized_s,user_s,userkey_s,sAMAccountName_s,breach_id_s,employeeType_s,userPrincipalName_s,breach_media_references_s,breach_date_d,password_type_s,department_s,distinguishedName_s,breach_description_s,breach_score_s,mail_s,breach_target_references_s,matched_username_s,division_s,sAMAccountType_s,email_source_s,external_email_d,cci_d,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,1e95eec04577985f4fde279d,FALSE,yes,Secret share,Compromised Credential,Your Simple Hosting,Cloud Storage,,poor,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900433,datapolicy,dte3831-sjc1-86asd-0651t@test.data.com,dte3831-sjc1-86asd-0651t@test.data.com,dte3831-sjc1-86asd-0651t@test.data.com,,,,,,0,,,,,,,,,,,,0,24,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,1f687afc5d9fdb32cba04ced,TRUE,yes,Secret share,Compromised Credential,Groove eCommerce,Cloud Storage,,poor,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900192,datapolicy,dte3831-sjc1-86asd-0671t@test.data.com,dte3831-sjc1-86asd-0671t@test.data.com,dte3831-sjc1-86asd-0671t@test.data.com,,,,,,0,,,,,,,,,,,,0,4,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,2072aec42a8c75e6c5825c71,TRUE,yes,Secret share,Compromised Credential,Feedback Loop,Cloud Storage,,poor,1,data.com/dataconnector/Active Users/US & International/Full Time,1704901446,datapolicy,dte3831-sjc1-86asd-0787t@test.data.com,dte3831-sjc1-86asd-0787t@test.data.com,dte3831-sjc1-86asd-0787t@test.data.com,,,,,,0,,,,,,,,,,,,0,20,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,25571defdddeaa92f0e33b6d,FALSE,yes,Secret share,Compromised Credential,Caesars Rewards Dining,Cloud Storage,,unknown,1,data.com/dataconnector/Active Users/US & International/Full Time,1704902026,datapolicy,dte3831-sjc1-86asd-0088t@test.data.com,dte3831-sjc1-86asd-0088t@test.data.com,dte3831-sjc1-86asd-0088t@test.data.com,,,,,,0,,,,,,,,,,,,0,32,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,269ea90792cb5d060f070f68,TRUE,yes,Secret share,Compromised Credential,Tri Pointe Homes,Cloud Storage,,unknown,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900472,datapolicy,dte3831-sjc1-86asd-0483t@test.data.com,dte3831-sjc1-86asd-0483t@test.data.com,dte3831-sjc1-86asd-0483t@test.data.com,,,,,,0,,,,,,,,,,,,0,52,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,26e55ec4e48d0eaa957ace13,FALSE,yes,Secret share,Compromised Credential,Willis Towers Watson HR Software,Cloud Storage,,poor,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900372,datapolicy,dte3831-sjc1-86asd-06571t@test.data.com,dte3831-sjc1-86asd-06571t@test.data.com,dte3831-sjc1-86asd-06571t@test.data.com,,,,,,0,,,,,,,,,,,,0,31,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,2792ad4901df4f49397133c3,TRUE,yes,Secret share,Compromised Credential,Supernatural All Stars,Cloud Storage,,unknown,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900892,datapolicy,dte3831-sjc1-86asd-02351t@test.data.com,dte3831-sjc1-86asd-02351t@test.data.com,dte3831-sjc1-86asd-02351t@test.data.com,,,,,,0,,,,,,,,,,,,0,12,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,2885f581544dc1d26c6962b8,FALSE,yes,Secret share,Compromised Credential,The Smart Method,Cloud Storage,,,1,data.com/dataconnector/Active Users/US & International/Full Time,1704900612,datapolicy,dte3831-sjc1-86asd-23wt@test.data.com,dte3831-sjc1-86asd-23wt@test.data.com,dte3831-sjc1-86asd-23wt@test.data.com,,,,,,0,,,,,,,,,,,,0,9,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,29ea0c070903c693344277da,TRUE,yes,Secret share,Compromised Credential,SchoolBanks.com,Cloud Storage,,unknown,1,data.com/dataconnector/Active Users/US & International/Full Time,1704901787,datapolicy,dte3831-sjc1-86asd-2452t@test.data.com,dte3831-sjc1-86asd-2452t@test.data.com,dte3831-sjc1-86asd-2452t@test.data.com,,,,,,0,,,,,,,,,,,,0,4,alertscompromisedcredentialdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 8:10:32 AM",,,2ac7a4590eeb2d7d4277b8dd,FALSE,yes,Secret share,Compromised Credential,unblockmyweb.com,Cloud Storage,,unknown,1,data.com/dataconnector/Active Users/US & International/Full Time,1704901752,datapolicy,dte3831-sjc1-86asd-3424t@test.data.com,dte3831-sjc1-86asd-3424t@test.data.com,dte3831-sjc1-86asd-3424t@test.data.com,,,,,,0,,,,,,,,,,,,0,7,alertscompromisedcredentialdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s acked_s alert_s alert_name_s alert_type_s app_s Category cci_s ccl_s count_d organization_unit_s timestamp_d type_s ur_normalized_s user_s userkey_s sAMAccountName_s breach_id_s employeeType_s userPrincipalName_s breach_media_references_s breach_date_d password_type_s department_s distinguishedName_s breach_description_s breach_score_s mail_s breach_target_references_s matched_username_s division_s sAMAccountType_s email_source_s external_email_d cci_d Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 1e95eec04577985f4fde279d FALSE yes Secret share Compromised Credential Your Simple Hosting Cloud Storage poor 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900433 datapolicy dte3831-sjc1-86asd-0651t@test.data.com dte3831-sjc1-86asd-0651t@test.data.com dte3831-sjc1-86asd-0651t@test.data.com 0 0 24 alertscompromisedcredentialdata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 1f687afc5d9fdb32cba04ced TRUE yes Secret share Compromised Credential Groove eCommerce Cloud Storage poor 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900192 datapolicy dte3831-sjc1-86asd-0671t@test.data.com dte3831-sjc1-86asd-0671t@test.data.com dte3831-sjc1-86asd-0671t@test.data.com 0 0 4 alertscompromisedcredentialdata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 2072aec42a8c75e6c5825c71 TRUE yes Secret share Compromised Credential Feedback Loop Cloud Storage poor 1 data.com/dataconnector/Active Users/US & International/Full Time 1704901446 datapolicy dte3831-sjc1-86asd-0787t@test.data.com dte3831-sjc1-86asd-0787t@test.data.com dte3831-sjc1-86asd-0787t@test.data.com 0 0 20 alertscompromisedcredentialdata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 25571defdddeaa92f0e33b6d FALSE yes Secret share Compromised Credential Caesars Rewards Dining Cloud Storage unknown 1 data.com/dataconnector/Active Users/US & International/Full Time 1704902026 datapolicy dte3831-sjc1-86asd-0088t@test.data.com dte3831-sjc1-86asd-0088t@test.data.com dte3831-sjc1-86asd-0088t@test.data.com 0 0 32 alertscompromisedcredentialdata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 269ea90792cb5d060f070f68 TRUE yes Secret share Compromised Credential Tri Pointe Homes Cloud Storage unknown 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900472 datapolicy dte3831-sjc1-86asd-0483t@test.data.com dte3831-sjc1-86asd-0483t@test.data.com dte3831-sjc1-86asd-0483t@test.data.com 0 0 52 alertscompromisedcredentialdata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 26e55ec4e48d0eaa957ace13 FALSE yes Secret share Compromised Credential Willis Towers Watson HR Software Cloud Storage poor 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900372 datapolicy dte3831-sjc1-86asd-06571t@test.data.com dte3831-sjc1-86asd-06571t@test.data.com dte3831-sjc1-86asd-06571t@test.data.com 0 0 31 alertscompromisedcredentialdata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 2792ad4901df4f49397133c3 TRUE yes Secret share Compromised Credential Supernatural All Stars Cloud Storage unknown 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900892 datapolicy dte3831-sjc1-86asd-02351t@test.data.com dte3831-sjc1-86asd-02351t@test.data.com dte3831-sjc1-86asd-02351t@test.data.com 0 0 12 alertscompromisedcredentialdata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 2885f581544dc1d26c6962b8 FALSE yes Secret share Compromised Credential The Smart Method Cloud Storage 1 data.com/dataconnector/Active Users/US & International/Full Time 1704900612 datapolicy dte3831-sjc1-86asd-23wt@test.data.com dte3831-sjc1-86asd-23wt@test.data.com dte3831-sjc1-86asd-23wt@test.data.com 0 0 9 alertscompromisedcredentialdata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 29ea0c070903c693344277da TRUE yes Secret share Compromised Credential SchoolBanks.com Cloud Storage unknown 1 data.com/dataconnector/Active Users/US & International/Full Time 1704901787 datapolicy dte3831-sjc1-86asd-2452t@test.data.com dte3831-sjc1-86asd-2452t@test.data.com dte3831-sjc1-86asd-2452t@test.data.com 0 0 4 alertscompromisedcredentialdata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 8:10:32 AM 2ac7a4590eeb2d7d4277b8dd FALSE yes Secret share Compromised Credential unblockmyweb.com Cloud Storage unknown 1 data.com/dataconnector/Active Users/US & International/Full Time 1704901752 datapolicy dte3831-sjc1-86asd-3424t@test.data.com dte3831-sjc1-86asd-3424t@test.data.com dte3831-sjc1-86asd-3424t@test.data.com 0 0 7 alertscompromisedcredentialdata_CL
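Review bot: The masking of sample identifiers is inconsistent between this file and its siblings: every row here uses the clearly synthetic tenant `abc123-r231-4b90-a4fd-1456abcdegdd` and `@test.data.com` users, and the ctep sample below uses a partially zeroed `acd8fb14-0000-0000-a4fd-1456cbfdbacd`, while the Netskope_WebTx_metrics_CL rows above (that section begins before this view) carry a complete, well-formed GUID `acd8fb14-e664-4b90-a4fd-1456cbfdbacd` in the TenantId column that looks like the unmasked form of the same value. If that is a real tenant or workspace identifier it should be replaced with the same placeholder pattern used here before the sample ships, since sample data in the repository is public and routinely copied into docs and tests. Keeping the `_ResourceId` column empty, as this file does, is the right choice for the other sample files as well.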


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,acked_s,action_s,alert_s,alert_name_s,alert_type_s,app_s,Category,cci_d,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,organization_unit_s,os_s,other_categories_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,userkey_s,signature_s,transaction_id_d,home_pop_s,tunnel_id_s,ip_protocol_s,userPrincipalName_s,company_s,http_method_s,manager_s,deviceClassification_s,gid_d,profile_id_s,referer_s,dstport_d,netskope_pop_s,userip_s,department_s,signature_id_d,srcport_d,hostname_s,http_port_d,cci_s,Type,_ResourceId
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d091d47d72e48c1b2af69f56,TRUE,,yes,ctep,ctep,Caspita for Gmail,Cloud Storage,,unknown,1,Other,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 10.0,[],Caspita for vtiger,DE,2,60.1188,Frankfurt am Main,18.6843,Hesse,60313,5.6.7.8,1705914843,CloudApp,nspolicy,dummyuser1@something.com,https://drive.google.com,dummyuser1@something.com,dummyuser1@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d2299cbf1173f5a6eb827e65,TRUE,block,yes,ctep,ctep,European University Flensburg,Cloud Storage,,unknown,1,iPhone XS Max,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,[],European University Flensburg,US,2,42.7936,San Diego,-107.0689,California,92120,5.6.7.8,1705915879,CloudApp,nspolicy,dummyuser2@something.com,https://drive.google.com,dummyuser2@something.com,dummyuser2@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d24e47c063e2ee19c5d22b23,TRUE,alert,yes,ctep,ctep,REG.COM,Cloud Storage,14,poor,1,iPhone 7,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 10.1,[],REG.com Domain Registration,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1705915595,CloudApp,nspolicy,dummyuser3@something.com,https://drive.google.com,dummyuser3@something.com,dummyuser3@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d3247664360353e3b1f1f481,TRUE,alert,yes,ctep,ctep,LaunchPad Recruits,Cloud Storage,17,poor,1,ZTE - N720,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],LaunchPad Recruits,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1705915520,CloudApp,nspolicy,dummyuser4@something.com,https://drive.google.com,dummyuser4@something.com,dummyuser4@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d33e9ddc720f7554433b0d93,FALSE,,yes,ctep,ctep,Celigo Salesforce and NetSuite Connector,Cloud Storage,49,poor,1,iPhone 6S Plus,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,[],Celigo Salesforce and NetSuite Connector,US,2,42.7936,San Diego,-107.0689,California,92120,5.6.7.8,1705913781,CloudApp,nspolicy,dummyuser5@something.com,https://drive.google.com,dummyuser5@something.com,dummyuser5@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d5a63620a3c06575173ee761,TRUE,,yes,ctep,ctep,La Region Auvergne-Rhone-Alpes,Cloud Storage,,unknown,1,ZTE - P253A20,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],La Region Auvergne-Rhone-Alpes,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1705913943,CloudApp,nspolicy,dummyuser6@something.com,https://drive.google.com,dummyuser6@something.com,dummyuser6@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d5c38ab458cb495041e490fd,TRUE,,yes,ctep,ctep,Hub Network Services,Cloud Storage,20,poor,1,ZTE - N721,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],Hub Network Solutions,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,5.6.7.8,1705915315,CloudApp,nspolicy,dummyuser7@something.com,https://drive.google.com,dummyuser7@something.com,dummyuser7@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d7de0e1a3b4c5625919d6211,FALSE,,yes,ctep,ctep,Plum Voice,Cloud Storage,42,poor,1,ZTE - P253A20,IN,2,22.9634,Bengaluru,97.5855,Karnataka,560058,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],Plum Voice Hosted IVR,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,5.6.7.8,1705915643,CloudApp,nspolicy,dummyuser8@something.com,https://drive.google.com,dummyuser8@something.com,dummyuser8@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d8125f0bb127493ee96fed88,FALSE,block,yes,ctep,ctep,Willis Towers Watson HR Software,Cloud Storage,31,poor,1,12.9-inch iPad Pro,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 10.1,[],Willis Towers Watson HR Software,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1705914187,CloudApp,nspolicy,dummyuser9@something.com,https://drive.google.com,dummyuser9@something.com,dummyuser9@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:16:28 AM",,,d8fac3dbe4bcba5814e4b904,FALSE,,yes,ctep,ctep,Siemens Apogee,Cloud Storage,0,unknown,1,Other,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.0,[],siemens_apogee,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1705914533,CloudApp,nspolicy,dummyuser10@something.com,https://drive.google.com,dummyuser10@something.com,dummyuser10@something.com,,0,,,,,,,,[],0,,,0,,,,0,0,,0,,alertsctepdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s acked_s action_s alert_s alert_name_s alert_type_s app_s Category cci_d ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s organization_unit_s os_s other_categories_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s userkey_s signature_s transaction_id_d home_pop_s tunnel_id_s ip_protocol_s userPrincipalName_s company_s http_method_s manager_s deviceClassification_s gid_d profile_id_s referer_s dstport_d netskope_pop_s userip_s department_s signature_id_d srcport_d hostname_s http_port_d cci_s Type _ResourceId
2 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d091d47d72e48c1b2af69f56 TRUE yes ctep ctep Caspita for Gmail Cloud Storage unknown 1 Other US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Windows 10.0 [] Caspita for vtiger DE 2 60.1188 Frankfurt am Main 18.6843 Hesse 60313 5.6.7.8 1705914843 CloudApp nspolicy dummyuser1@something.com https://drive.google.com dummyuser1@something.com dummyuser1@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
3 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d2299cbf1173f5a6eb827e65 TRUE block yes ctep ctep European University Flensburg Cloud Storage unknown 1 iPhone XS Max US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.0 [] European University Flensburg US 2 42.7936 San Diego -107.0689 California 92120 5.6.7.8 1705915879 CloudApp nspolicy dummyuser2@something.com https://drive.google.com dummyuser2@something.com dummyuser2@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
4 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d24e47c063e2ee19c5d22b23 TRUE alert yes ctep ctep REG.COM Cloud Storage 14 poor 1 iPhone 7 IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time iOS 10.1 [] REG.com Domain Registration NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1705915595 CloudApp nspolicy dummyuser3@something.com https://drive.google.com dummyuser3@something.com dummyuser3@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
5 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d3247664360353e3b1f1f481 TRUE alert yes ctep ctep LaunchPad Recruits Cloud Storage 17 poor 1 ZTE - N720 US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] LaunchPad Recruits NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1705915520 CloudApp nspolicy dummyuser4@something.com https://drive.google.com dummyuser4@something.com dummyuser4@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
6 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d33e9ddc720f7554433b0d93 FALSE yes ctep ctep Celigo Salesforce and NetSuite Connector Cloud Storage 49 poor 1 iPhone 6S Plus FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.0 [] Celigo Salesforce and NetSuite Connector US 2 42.7936 San Diego -107.0689 California 92120 5.6.7.8 1705913781 CloudApp nspolicy dummyuser5@something.com https://drive.google.com dummyuser5@something.com dummyuser5@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
7 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d5a63620a3c06575173ee761 TRUE yes ctep ctep La Region Auvergne-Rhone-Alpes Cloud Storage unknown 1 ZTE - P253A20 US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] La Region Auvergne-Rhone-Alpes NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1705913943 CloudApp nspolicy dummyuser6@something.com https://drive.google.com dummyuser6@something.com dummyuser6@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
8 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d5c38ab458cb495041e490fd TRUE yes ctep ctep Hub Network Services Cloud Storage 20 poor 1 ZTE - N721 US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] Hub Network Solutions IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 5.6.7.8 1705915315 CloudApp nspolicy dummyuser7@something.com https://drive.google.com dummyuser7@something.com dummyuser7@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
9 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d7de0e1a3b4c5625919d6211 FALSE yes ctep ctep Plum Voice Cloud Storage 42 poor 1 ZTE - P253A20 IN 2 22.9634 Bengaluru 97.5855 Karnataka 560058 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] Plum Voice Hosted IVR FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 5.6.7.8 1705915643 CloudApp nspolicy dummyuser8@something.com https://drive.google.com dummyuser8@something.com dummyuser8@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
10 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d8125f0bb127493ee96fed88 FALSE block yes ctep ctep Willis Towers Watson HR Software Cloud Storage 31 poor 1 12.9-inch iPad Pro US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time iOS 10.1 [] Willis Towers Watson HR Software NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1705914187 CloudApp nspolicy dummyuser9@something.com https://drive.google.com dummyuser9@something.com dummyuser9@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
11 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:16:28 AM d8fac3dbe4bcba5814e4b904 FALSE yes ctep ctep Siemens Apogee Cloud Storage 0 unknown 1 Other NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.0 [] siemens_apogee NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1705914533 CloudApp nspolicy dummyuser10@something.com https://drive.google.com dummyuser10@something.com dummyuser10@something.com 0 [] 0 0 0 0 0 alertsctepdata_CL
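Review bot: The `srcip_s`/`dstip_s` values in every sample row (`1.2.3.4`, `5.6.7.8`) are globally routable addresses rather than the RFC 5737 documentation ranges; fixture data shipped in a public solution should use `192.0.2.0/24`, `198.51.100.0/24` or `203.0.113.0/24` so a demo, test or analytic run against it never references a host someone else operates. The same applies to the DLP sample file that follows this one, which also carries `3.86.29.24`, `13.248.55.2` and `19.2.5.21` and, separately, lists `instance_id_s` twice in its header line, so any consumer that maps rows to keyed records will silently drop one of the two columns. The `TimeGenerated [UTC]` column is in a locale-dependent form (`2/29/2024, 8:16:28 AM`), presumably as exported from the portal; if anything parses this file rather than just displaying it, an ISO 8601 value such as `2024-02-29T08:16:28Z` would be unambiguous.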


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,ccl_s,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,exposure_s,file_lang_s,file_path_s,file_size_d,file_type_s,instance_id_s,instance_id_s,local_sha256_s,md5_g,mime_type_s,modified_d,object_s,object_id_s,object_type_s,organization_unit_s,os_s,owner_s,policy_s,request_id_s,scan_type_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,suppression_key_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,userkey_s,user_id_s,channel_s,dlp_rule_s,file_password_protected_s,tss_mode_s,dlp_rule_count_d,appsuite_s,web_universal_connector_s,outer_doc_type_d,shared_with_s,dlp_is_unique_count_s,dynamic_classification_s,classification_name_s,app_session_id_d,true_type_id_d,page_site_s,file_category_s,data_type_s,universal_connector_s,sanctioned_instance_s,protocol_s,dlp_mail_parent_id_s,violating_user_type_s,sub_type_s,os_version_s,smtp_to_s,incident_id_d,group_s,sha256_s,act_user_s,displayName_s,message_id_s,file_cls_encrypted_b,hostname_s,shared_domains_s,managed_app_s,from_storage_s,managementID_s,mail_s,title_s,dlp_file_s,from_user_s,dlp_fingerprint_classification_s,owner_pdl_s,violating_user_s,manager_s,to_user_s,parent_id_s,app_activity_s,dlp_incident_id_d,device_classification_s,browser_version_s,src_time_s,to_storage_s,dst_timezone_s,dlp_rule_severity_s,src_timezone_s,total_collaborator_count_d,userCountry_s,dlp_profile_s,true_obj_type_s,transaction_id_d,true_obj_category_s,userPrincipalName_s,orignal_file_path_s,collaborated_s,connection_id_d,bcc_s,userip_s,referer_s,sAMAccountName_s,message_size_d,dlp_parent_id_d,external_collaborator_count_d,retro_scan_name_s,dlp_unique_count_d,browser_session_id_d,dlp_fingerprint_ma
tch_s,severity_s,dlp_fingerprint_score_d,page_s,true_filetype_s,policy_id_s,dlp_rule_score_d,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e3101afb739174bf08b4577,API Connector,FALSE,alert,Introspection Scan,yes,File shared publicly using cloud drive,DLP,ThinkHelpDesk,Cloud Storage,unknown,Cloud Storage,poor,iPhone XS Max,NL,2,53.7,Boardman,-19.72,Oregon,97818,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118842,application.document,datainstance.com,datainstance.com,32efe1952fe8eea427009e4774647a0d5adae21a4fe3d0b3431316d1362fde03,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,UHAqOVDmRlcHpLiD,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,asdf523adsd0-0245t@test.data.com,policy_ga28,2459149802892628500,Ongoing,ThinkHelpDesk,DE,2,53.7,Boardman,-19.72,Oregon,97818,1.2.3.4,Tenant Migration across MPs,1676246410,CloudApp,datapolicy,asdf523adsd0-0245t@test.data.com,https://drive.google.com,asdf523adsd0-0245t@test.data.com,asdf523adsd0-0245t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e5dfc81afb4939bd9cd5952,API Connector,FALSE,block,Introspection Scan,yes,File shared publicly using cloud drive,DLP,MyEasyISO,Cloud Storage,unknown,Cloud Storage,poor,ZTE - Grand-S,US,2,12.9634,Amsterdam,4.8975,North Holland,1012,3.86.29.24,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119111,application.document,datainstance.com,datainstance.com,5b1eea86757bf9f6073eaa82de8aadf07e69a19020662ff6d3e20f3843fae2b2,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,YrsfUfWRuXasWynt,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 11.0,asdf523adsd0-0995t@test.data.com,policy_ga26,2459149802892628500,Ongoing,MyEasyISO ISO 9001 Software,FR,2,12.9634,Amsterdam,4.8975,North Holland,1012,3.86.29.24,Tenant Migration across MPs,1676246415,CloudApp,datapolicy,asdf523adsd0-0995t@test.data.com,https://drive.google.com,asdf523adsd0-0995t@test.data.com,asdf523adsd0-0995t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e82a96f73568bd7fbc11f94,API Connector,FALSE,,Introspection Scan,yes,File shared publicly using cloud drive,DLP,Tri Pointe Homes,Cloud Storage,unknown,Cloud Storage,unknown,iPhone XR,US,2,7.896,Ballots,12.9634,Pays-de-la-Loire,3243,13.248.55.2,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118890,application.document,datainstance.com,datainstance.com,c970ad25da9fcbd822583d10efe096263b6294fe2ffffe99e448537b892c4693,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,VskBcjyDyjOQyWkD,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 8.1,asdf523adsd0-0646t@test.data.com,policy_ga51,2459149802892628500,Ongoing,Tri Pointe Homes,NL,2,7.896,Ballots,12.9634,Pays-de-la-Loire,,13.248.55.2,Tenant Migration across MPs,1676246406,CloudApp,datapolicy,asdf523adsd0-0646t@test.data.com,https://drive.google.com,asdf523adsd0-0646t@test.data.com,asdf523adsd0-0646t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e91d034b9d63eb8dd13339d,API Connector,FALSE,block,Introspection Scan,yes,File shared publicly using cloud drive,DLP,Caspita for Gmail,Cloud Storage,unknown,Cloud Storage,unknown,iPhone 15,US,2,53.7,Amsterdam,4.8975,North Holland,1012,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119161,application.document,datainstance.com,datainstance.com,489329651e67cb2bc65d93a8e6c4bd72ddf59d112c83dfda7a93a8066b7f9d7e,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,vGBOBkANQtLUoKIk,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,asdf523adsd0-0014t@test.data.com,policy_ga29,2459149802892628500,Ongoing,Caspita for vtiger,IN,2,53.7,Amsterdam,4.8975,North Holland,1012,1.2.3.4,Tenant Migration across MPs,1676246404,CloudApp,datapolicy,asdf523adsd0-0014t@test.data.com,https://drive.google.com,asdf523adsd0-0014t@test.data.com,asdf523adsd0-0014t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e945315566e7b804dd9494e,API Connector,TRUE,,Introspection Scan,yes,File shared publicly using cloud drive,DLP,c4.ai,Cloud Storage,unknown,Cloud Storage,,Samsung Fold 5,US,2,12.9634,Bengaluru,7.896,Karnataka,560058,3.86.29.24,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118578,application.document,datainstance.com,datainstance.com,df8ead0f14425eaf3284ac78b7484bc82ca69061d982affb04ba291a74be6454,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,NQrLaSeiPRjgrNhT,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 11.1,asdf523adsd0-0979t@test.data.com,policy_ga2,2459149802892628500,Ongoing,c4.ai,US,2,12.9634,Bengaluru,7.896,Karnataka,560058,3.86.29.24,Tenant Migration across MPs,1676246402,CloudApp,datapolicy,asdf523adsd0-0979t@test.data.com,https://drive.google.com,asdf523adsd0-0979t@test.data.com,asdf523adsd0-0979t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4e95206fe8771279d380dbf1,API Connector,TRUE,alert,Introspection Scan,yes,File shared publicly using cloud drive,DLP,CloudPital EClinic,Cloud Storage,unknown,Cloud Storage,poor,iPhone 11,US,2,53.7,Amsterdam,4.8975,North Holland,1012,13.248.55.2,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118924,application.document,datainstance.com,datainstance.com,70771a229f3933bce9d6feb3b37a5bc2b127091507e0c5c5314c3d3a03680d57,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,dUvSAEcVkRadtAWb,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,asdf523adsd0-0544t@test.data.com,policy_ga24,2459149802892628500,Ongoing,CloudPital EClinic,IN,2,53.7,Amsterdam,4.8975,North Holland,1012,13.248.55.2,Tenant Migration across MPs,1676246404,CloudApp,datapolicy,asdf523adsd0-0544t@test.data.com,https://drive.google.com,asdf523adsd0-0544t@test.data.com,asdf523adsd0-0544t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4ea0251f21d95111b6cd230e,API Connector,FALSE,block,Introspection Scan,yes,File shared publicly using cloud drive,DLP,EY CogniStreamer,Cloud Storage,unknown,Cloud Storage,poor,ZTE - P188T20,FR,2,52.3759,Amsterdam,7.896,North Holland,1012,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118576,application.document,datainstance.com,datainstance.com,942e0e797bb5867bc5df57266744ce0cd54ea12159e37581cf3c113d6f1cb2bc,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,kuQKwOCYzAseWVCx,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 8.0,asdf523adsd0-0838t@test.data.com,policy_ga2,2459149802892628500,Ongoing,CogniStreamer,FR,2,52.3759,Amsterdam,7.896,North Holland,1012,1.2.3.4,Tenant Migration across MPs,1676246420,CloudApp,datapolicy,asdf523adsd0-0838t@test.data.com,https://drive.google.com,asdf523adsd0-0838t@test.data.com,asdf523adsd0-0838t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4eb36bfeb684f02e601f31db,API Connector,TRUE,alert,Introspection Scan,yes,File shared publicly using cloud drive,DLP,c4.ai,Cloud Storage,unknown,Cloud Storage,,Other,NL,2,12.9634,Ballots,-19.72,Pays-de-la-Loire,3243,3.86.29.24,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118880,application.document,datainstance.com,datainstance.com,2391269788f8ce1f61de80771a7587f6514eb75dcf7cc3fa9e71ae23e439f848,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,RyPvKZstSCGovFDW,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.6,asdf523adsd0-0773t@test.data.com,policy_ga7,2459149802892628500,Ongoing,c4.ai,IN,2,12.9634,Ballots,-19.72,Pays-de-la-Loire,,3.86.29.24,Tenant Migration across MPs,1676246391,CloudApp,datapolicy,asdf523adsd0-0773t@test.data.com,https://drive.google.com,asdf523adsd0-0773t@test.data.com,asdf523adsd0-0773t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4eb5b8b7d8224c3aa96d34d0,API Connector,FALSE,block,Introspection Scan,yes,File shared publicly using cloud drive,DLP,Nordic Naturals,Cloud Storage,unknown,Cloud Storage,unknown,Samsung Fold 5,NL,2,53.7,Bengaluru,77.5855,Karnataka,560058,13.248.55.2,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119268,application.document,datainstance.com,datainstance.com,cceffbb68fe7add0547d0a6e936bb4c6081ac553ff72d03ac97e1904b8f3e22f,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,vqgUXgDrcHKtYBNm,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,asdf523adsd0-0804t@test.data.com,policy_ga36,2459149802892628500,Ongoing,Nordic Naturals,NL,2,53.7,Bengaluru,77.5855,Karnataka,560058,13.248.55.2,Tenant Migration across MPs,1676246407,CloudApp,datapolicy,asdf523adsd0-0804t@test.data.com,https://drive.google.com,asdf523adsd0-0804t@test.data.com,asdf523adsd0-0804t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/22/2024, 2:04:34 PM",,,4ebe6f7b8d466ce8d84189ba,API Connector,FALSE,,Introspection Scan,yes,File shared publicly using cloud drive,DLP,Long Beach Unified School District,Cloud Storage,unknown,Cloud Storage,unknown,iPhone 8,IN,2,7.896,Ballots,-1.04759,Pays-de-la-Loire,3243,19.2.5.21,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119106,application.document,datainstance.com,datainstance.com,d3cb0f14836aa8b3fa3c9b7547b5562bfe9fe370d3db3631f0ede9885df495c1,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,yTLvwNVHPknBqavq,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 7.0,asdf523adsd0-0054t@test.data.com,policy_ga21,2459149802892628500,Ongoing,Long Beach Unified School District,NL,2,7.896,Ballots,-1.04759,Pays-de-la-Loire,,19.2.5.21,Tenant Migration across MPs,1676246419,CloudApp,datapolicy,asdf523adsd0-0054t@test.data.com,https://drive.google.com,asdf523adsd0-0054t@test.data.com,asdf523adsd0-0054t@test.data.com,,,,,,0,,,0,,,,,0,0,,,,,,,,,,,[],0,,,,,,FALSE,,,,,,,,,,,,,,,,,0,,,,,,,,0,,,,0,,,,,0,,,,,0,0,0,,0,0,,,0,,,,0,alertsdlpdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s activity_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category ccl_s device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s exposure_s file_lang_s file_path_s file_size_d file_type_s instance_id_s instance_id_s local_sha256_s md5_g mime_type_s modified_d object_s object_id_s object_type_s organization_unit_s os_s owner_s policy_s request_id_s scan_type_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s suppression_key_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s userkey_s user_id_s channel_s dlp_rule_s file_password_protected_s tss_mode_s dlp_rule_count_d appsuite_s web_universal_connector_s outer_doc_type_d shared_with_s dlp_is_unique_count_s dynamic_classification_s classification_name_s app_session_id_d true_type_id_d page_site_s file_category_s data_type_s universal_connector_s sanctioned_instance_s protocol_s dlp_mail_parent_id_s violating_user_type_s sub_type_s os_version_s smtp_to_s incident_id_d group_s sha256_s act_user_s displayName_s message_id_s file_cls_encrypted_b hostname_s shared_domains_s managed_app_s from_storage_s managementID_s mail_s title_s dlp_file_s from_user_s dlp_fingerprint_classification_s owner_pdl_s violating_user_s manager_s to_user_s parent_id_s app_activity_s dlp_incident_id_d device_classification_s browser_version_s src_time_s to_storage_s dst_timezone_s dlp_rule_severity_s src_timezone_s total_collaborator_count_d userCountry_s dlp_profile_s true_obj_type_s transaction_id_d true_obj_category_s userPrincipalName_s orignal_file_path_s collaborated_s connection_id_d bcc_s userip_s referer_s sAMAccountName_s message_size_d dlp_parent_id_d external_collaborator_count_d retro_scan_name_s dlp_unique_count_d browser_session_id_d 
dlp_fingerprint_match_s severity_s dlp_fingerprint_score_d page_s true_filetype_s policy_id_s dlp_rule_score_d Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e3101afb739174bf08b4577 API Connector FALSE alert Introspection Scan yes File shared publicly using cloud drive DLP ThinkHelpDesk Cloud Storage unknown Cloud Storage poor iPhone XS Max NL 2 53.7 Boardman -19.72 Oregon 97818 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118842 application.document datainstance.com datainstance.com 32efe1952fe8eea427009e4774647a0d5adae21a4fe3d0b3431316d1362fde03 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 UHAqOVDmRlcHpLiD 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 asdf523adsd0-0245t@test.data.com policy_ga28 2459149802892628500 Ongoing ThinkHelpDesk DE 2 53.7 Boardman -19.72 Oregon 97818 1.2.3.4 Tenant Migration across MPs 1676246410 CloudApp datapolicy asdf523adsd0-0245t@test.data.com https://drive.google.com asdf523adsd0-0245t@test.data.com asdf523adsd0-0245t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e5dfc81afb4939bd9cd5952 API Connector FALSE block Introspection Scan yes File shared publicly using cloud drive DLP MyEasyISO Cloud Storage unknown Cloud Storage poor ZTE - Grand-S US 2 12.9634 Amsterdam 4.8975 North Holland 1012 3.86.29.24 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119111 application.document datainstance.com datainstance.com 5b1eea86757bf9f6073eaa82de8aadf07e69a19020662ff6d3e20f3843fae2b2 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 YrsfUfWRuXasWynt 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 11.0 asdf523adsd0-0995t@test.data.com policy_ga26 2459149802892628500 Ongoing MyEasyISO ISO 9001 Software FR 2 12.9634 Amsterdam 4.8975 North Holland 1012 3.86.29.24 Tenant Migration across MPs 1676246415 CloudApp datapolicy asdf523adsd0-0995t@test.data.com https://drive.google.com asdf523adsd0-0995t@test.data.com asdf523adsd0-0995t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e82a96f73568bd7fbc11f94 API Connector FALSE Introspection Scan yes File shared publicly using cloud drive DLP Tri Pointe Homes Cloud Storage unknown Cloud Storage unknown iPhone XR US 2 7.896 Ballots 12.9634 Pays-de-la-Loire 3243 13.248.55.2 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118890 application.document datainstance.com datainstance.com c970ad25da9fcbd822583d10efe096263b6294fe2ffffe99e448537b892c4693 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 VskBcjyDyjOQyWkD 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 8.1 asdf523adsd0-0646t@test.data.com policy_ga51 2459149802892628500 Ongoing Tri Pointe Homes NL 2 7.896 Ballots 12.9634 Pays-de-la-Loire 13.248.55.2 Tenant Migration across MPs 1676246406 CloudApp datapolicy asdf523adsd0-0646t@test.data.com https://drive.google.com asdf523adsd0-0646t@test.data.com asdf523adsd0-0646t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e91d034b9d63eb8dd13339d API Connector FALSE block Introspection Scan yes File shared publicly using cloud drive DLP Caspita for Gmail Cloud Storage unknown Cloud Storage unknown iPhone 15 US 2 53.7 Amsterdam 4.8975 North Holland 1012 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119161 application.document datainstance.com datainstance.com 489329651e67cb2bc65d93a8e6c4bd72ddf59d112c83dfda7a93a8066b7f9d7e 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 vGBOBkANQtLUoKIk 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 asdf523adsd0-0014t@test.data.com policy_ga29 2459149802892628500 Ongoing Caspita for vtiger IN 2 53.7 Amsterdam 4.8975 North Holland 1012 1.2.3.4 Tenant Migration across MPs 1676246404 CloudApp datapolicy asdf523adsd0-0014t@test.data.com https://drive.google.com asdf523adsd0-0014t@test.data.com asdf523adsd0-0014t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e945315566e7b804dd9494e API Connector TRUE Introspection Scan yes File shared publicly using cloud drive DLP c4.ai Cloud Storage unknown Cloud Storage Samsung Fold 5 US 2 12.9634 Bengaluru 7.896 Karnataka 560058 3.86.29.24 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118578 application.document datainstance.com datainstance.com df8ead0f14425eaf3284ac78b7484bc82ca69061d982affb04ba291a74be6454 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 NQrLaSeiPRjgrNhT 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 11.1 asdf523adsd0-0979t@test.data.com policy_ga2 2459149802892628500 Ongoing c4.ai US 2 12.9634 Bengaluru 7.896 Karnataka 560058 3.86.29.24 Tenant Migration across MPs 1676246402 CloudApp datapolicy asdf523adsd0-0979t@test.data.com https://drive.google.com asdf523adsd0-0979t@test.data.com asdf523adsd0-0979t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4e95206fe8771279d380dbf1 API Connector TRUE alert Introspection Scan yes File shared publicly using cloud drive DLP CloudPital EClinic Cloud Storage unknown Cloud Storage poor iPhone 11 US 2 53.7 Amsterdam 4.8975 North Holland 1012 13.248.55.2 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118924 application.document datainstance.com datainstance.com 70771a229f3933bce9d6feb3b37a5bc2b127091507e0c5c5314c3d3a03680d57 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 dUvSAEcVkRadtAWb 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 asdf523adsd0-0544t@test.data.com policy_ga24 2459149802892628500 Ongoing CloudPital EClinic IN 2 53.7 Amsterdam 4.8975 North Holland 1012 13.248.55.2 Tenant Migration across MPs 1676246404 CloudApp datapolicy asdf523adsd0-0544t@test.data.com https://drive.google.com asdf523adsd0-0544t@test.data.com asdf523adsd0-0544t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4ea0251f21d95111b6cd230e API Connector FALSE block Introspection Scan yes File shared publicly using cloud drive DLP EY CogniStreamer Cloud Storage unknown Cloud Storage poor ZTE - P188T20 FR 2 52.3759 Amsterdam 7.896 North Holland 1012 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118576 application.document datainstance.com datainstance.com 942e0e797bb5867bc5df57266744ce0cd54ea12159e37581cf3c113d6f1cb2bc 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 kuQKwOCYzAseWVCx 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 8.0 asdf523adsd0-0838t@test.data.com policy_ga2 2459149802892628500 Ongoing CogniStreamer FR 2 52.3759 Amsterdam 7.896 North Holland 1012 1.2.3.4 Tenant Migration across MPs 1676246420 CloudApp datapolicy asdf523adsd0-0838t@test.data.com https://drive.google.com asdf523adsd0-0838t@test.data.com asdf523adsd0-0838t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4eb36bfeb684f02e601f31db API Connector TRUE alert Introspection Scan yes File shared publicly using cloud drive DLP c4.ai Cloud Storage unknown Cloud Storage Other NL 2 12.9634 Ballots -19.72 Pays-de-la-Loire 3243 3.86.29.24 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118880 application.document datainstance.com datainstance.com 2391269788f8ce1f61de80771a7587f6514eb75dcf7cc3fa9e71ae23e439f848 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 RyPvKZstSCGovFDW 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.6 asdf523adsd0-0773t@test.data.com policy_ga7 2459149802892628500 Ongoing c4.ai IN 2 12.9634 Ballots -19.72 Pays-de-la-Loire 3.86.29.24 Tenant Migration across MPs 1676246391 CloudApp datapolicy asdf523adsd0-0773t@test.data.com https://drive.google.com asdf523adsd0-0773t@test.data.com asdf523adsd0-0773t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4eb5b8b7d8224c3aa96d34d0 API Connector FALSE block Introspection Scan yes File shared publicly using cloud drive DLP Nordic Naturals Cloud Storage unknown Cloud Storage unknown Samsung Fold 5 NL 2 53.7 Bengaluru 77.5855 Karnataka 560058 13.248.55.2 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119268 application.document datainstance.com datainstance.com cceffbb68fe7add0547d0a6e936bb4c6081ac553ff72d03ac97e1904b8f3e22f 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 vqgUXgDrcHKtYBNm 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 asdf523adsd0-0804t@test.data.com policy_ga36 2459149802892628500 Ongoing Nordic Naturals NL 2 53.7 Bengaluru 77.5855 Karnataka 560058 13.248.55.2 Tenant Migration across MPs 1676246407 CloudApp datapolicy asdf523adsd0-0804t@test.data.com https://drive.google.com asdf523adsd0-0804t@test.data.com asdf523adsd0-0804t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/22/2024, 2:04:34 PM 4ebe6f7b8d466ce8d84189ba API Connector FALSE Introspection Scan yes File shared publicly using cloud drive DLP Long Beach Unified School District Cloud Storage unknown Cloud Storage unknown iPhone 8 IN 2 7.896 Ballots -1.04759 Pays-de-la-Loire 3243 19.2.5.21 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119106 application.document datainstance.com datainstance.com d3cb0f14836aa8b3fa3c9b7547b5562bfe9fe370d3db3631f0ede9885df495c1 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 yTLvwNVHPknBqavq 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 7.0 asdf523adsd0-0054t@test.data.com policy_ga21 2459149802892628500 Ongoing Long Beach Unified School District NL 2 7.896 Ballots -1.04759 Pays-de-la-Loire 19.2.5.21 Tenant Migration across MPs 1676246419 CloudApp datapolicy asdf523adsd0-0054t@test.data.com https://drive.google.com asdf523adsd0-0054t@test.data.com asdf523adsd0-0054t@test.data.com 0 0 0 0 [] 0 FALSE 0 0 0 0 0 0 0 0 0 0 0 alertsdlpdata_CL


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_d,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,object_s,object_type_s,organization_unit_s,os_s,other_categories_s,policy_s,request_id_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,src_time_s,serial_s,browser_version_s,page_s,severity_level_s,malsite_hostility_s,hostname_s,malsite_region_s,telemetry_app_s,ja3_s,gateway_s,transaction_id_d,suppression_start_time_d,malsite_category_s,malsite_confidence_d,malsite_latitude_d,userip_s,malsite_longitude_d,malsite_active_s,malsite_last_seen_d,numbytes_d,req_cnt_d,dst_timezone_s,managed_app_s,malsite_id_s,protocol_s,threat_match_field_s,browser_session_id_d,suppression_end_time_d,ja3s_s,incident_id_d,notify_template_s,appsuite_s,log_file_name_s,referer_s,fromlogs_s,sAMAccountName_s,threat_source_id_d,server_bytes_d,universal_connector_s,aggregated_user_s,device_classification_s,org_s,policy_id_s,page_site_s,useragent_s,malsite_ip_host_s,os_version_s,malicious_s,from_user_s,severity_s,department_s,malsite_reputation_s,connection_id_d,dsthost_s,sfwder_s,malsite_first_seen_d,severity_level_id_d,co_s,malsite_country_s,src_timezone_s,division_s,threat_match_value_s,app_session_id_d,resp_cnt_d,malsite_consecutive_s,conn_duration_d,client_bytes_d,dstport_d,cci_s,Type,_ResourceId
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,b1f9ebbb882e1615f92c5d45,API Connector,FALSE,block,yes,malsite visit,malsite,iView Systems iTrak,Cloud Storage,unknown,Cloud Storage,7,poor,1,ZTE - P253A20,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,RqSvsczFIwhxOsgh,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],policy_ga32,2459149802892628500,iView Systems,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,5.6.7.8,1706217736,CloudApp,nspolicy,dummyuser1@something.com,https://drive.google.com,dummyuser1@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,b25d030ece756fd5be78957c,API Connector,FALSE,,yes,malsite visit,malsite,Breez,Cloud Storage,unknown,Cloud Storage,,unknown,1,iPhone 7 Plus,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,ItJxmezUvgSbKxuc,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,[],policy_ga7,2459149802892628500,Breez Workforce,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,5.6.7.8,1706216427,CloudApp,nspolicy,dummyuser2@something.com,https://drive.google.com,dummyuser2@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,b28085207865fa1b9e588566,API Connector,TRUE,block,yes,malsite visit,malsite,Shooter Suite,Cloud Storage,unknown,Cloud Storage,12,poor,1,Other,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,1.2.3.4,rGiqortgWUXxQNPb,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.0,[],policy_ga50,2459149802892628500,Shooter Suite,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,5.6.7.8,1706217380,CloudApp,nspolicy,dummyuser3@something.com,https://drive.google.com,dummyuser3@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,b525976fe8c0caef7ab4ffe4,API Connector,FALSE,block,yes,malsite visit,malsite,c4.ai,Cloud Storage,unknown,Cloud Storage,,,1,ZTE - P726CU,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,ErLohkwYkJyYqEZA,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],policy_ga27,2459149802892628500,c4.ai,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,5.6.7.8,1706216526,CloudApp,nspolicy,dummyuser4@something.com,https://drive.google.com,dummyuser4@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,b7827cd9b0029b21ecddfaf3,API Connector,FALSE,block,yes,malsite visit,malsite,Invoice Journal,Cloud Storage,unknown,Cloud Storage,17,poor,1,Other,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,1.2.3.4,GfMnrzfEJJhiWCQW,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.1,[],policy_ga30,2459149802892628500,Invoice Journal,US,2,42.7936,San Diego,-107.0689,California,92120,5.6.7.8,1706215369,CloudApp,nspolicy,dummyuser5@something.com,https://drive.google.com,dummyuser5@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,bc5b7d68ebdf75e4d49dc9f3,API Connector,FALSE,block,yes,malsite visit,malsite,mTraction Enterprise,Cloud Storage,unknown,Cloud Storage,31,poor,1,iPod Touch (7th gen),US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,paIeBTpVEHDowOZl,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 11.1,[],policy_ga24,2459149802892628500,mTraction Enterprise,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1706216937,CloudApp,nspolicy,dummyuser6@something.com,https://drive.google.com,dummyuser6@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,bee8f8d42ea78bf96ce14e96,API Connector,TRUE,block,yes,malsite visit,malsite,Prevalent Exchange,Cloud Storage,unknown,Cloud Storage,9,poor,1,iPod Touch (7th gen),FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,1.2.3.4,shWjouRiDIvMztpE,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,[],policy_ga14,2459149802892628500,Prevalent Exchange,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,5.6.7.8,1706216511,CloudApp,nspolicy,dummyuser7@something.com,https://drive.google.com,dummyuser7@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,c1d5176d79c2966f1469adb8,API Connector,TRUE,block,yes,malsite visit,malsite,Saks Fifth Avenue,Cloud Storage,unknown,Cloud Storage,,unknown,1,ZTE - Grand-S,US,2,42.7936,San Diego,-107.0689,California,92120,1.2.3.4,rXTxwhWMsKCRzdhR,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],policy_ga5,2459149802892628500,Saks Fifth Avenue,DE,2,60.1188,Frankfurt am Main,18.6843,Hesse,60313,5.6.7.8,1706216288,CloudApp,nspolicy,dummyuser8@something.com,https://drive.google.com,dummyuser8@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,c227ac21e5100efb60bc326c,API Connector,FALSE,alert,yes,malsite visit,malsite,WebDT Device Manager,Cloud Storage,unknown,Cloud Storage,17,poor,1,Other,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,OnCANjfzjzRhwNOj,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 11.0,[],policy_ga4,2459149802892628500,WebDT Device Manager,FR,1,57.89616,Ballots,-9.04759,Pays-de-la-Loire,,5.6.7.8,1706216116,CloudApp,nspolicy,dummyuser9@something.com,https://drive.google.com,dummyuser9@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:20:01 AM",,,c47b36315e5d5c42f40d3c34,API Connector,TRUE,block,yes,malsite visit,malsite,Changepoint Project Portfolio Management,Cloud Storage,unknown,Cloud Storage,,,1,iPhone XR,IN,2,22.9634,Bengaluru,87.5855,Karnataka,560058,1.2.3.4,dGMqwyyPUholwvuO,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,[],policy_ga0,2459149802892628500,Changepoint Daptiv,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,1706215872,CloudApp,nspolicy,dummyuser10@something.com,https://drive.google.com,dummyuser10@something.com,,,,,,,,,,,,0,0,[],0,0,,0,,0,0,0,,,,,,0,0,,0,,,,,,,0,0,,,,,,,,,,,,,,,0,,,0,0,,,,,,0,0,,0,0,0,,alertsmalsitedata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category cci_d ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s object_s object_type_s organization_unit_s os_s other_categories_s policy_s request_id_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s src_time_s serial_s browser_version_s page_s severity_level_s malsite_hostility_s hostname_s malsite_region_s telemetry_app_s ja3_s gateway_s transaction_id_d suppression_start_time_d malsite_category_s malsite_confidence_d malsite_latitude_d userip_s malsite_longitude_d malsite_active_s malsite_last_seen_d numbytes_d req_cnt_d dst_timezone_s managed_app_s malsite_id_s protocol_s threat_match_field_s browser_session_id_d suppression_end_time_d ja3s_s incident_id_d notify_template_s appsuite_s log_file_name_s referer_s fromlogs_s sAMAccountName_s threat_source_id_d server_bytes_d universal_connector_s aggregated_user_s device_classification_s org_s policy_id_s page_site_s useragent_s malsite_ip_host_s os_version_s malicious_s from_user_s severity_s department_s malsite_reputation_s connection_id_d dsthost_s sfwder_s malsite_first_seen_d severity_level_id_d co_s malsite_country_s src_timezone_s division_s threat_match_value_s app_session_id_d resp_cnt_d malsite_consecutive_s conn_duration_d client_bytes_d dstport_d cci_s Type _ResourceId
2 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM b1f9ebbb882e1615f92c5d45 API Connector FALSE block yes malsite visit malsite iView Systems iTrak Cloud Storage unknown Cloud Storage 7 poor 1 ZTE - P253A20 US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 RqSvsczFIwhxOsgh File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] policy_ga32 2459149802892628500 iView Systems IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 5.6.7.8 1706217736 CloudApp nspolicy dummyuser1@something.com https://drive.google.com dummyuser1@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
3 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM b25d030ece756fd5be78957c API Connector FALSE yes malsite visit malsite Breez Cloud Storage unknown Cloud Storage unknown 1 iPhone 7 Plus US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 ItJxmezUvgSbKxuc File netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.0 [] policy_ga7 2459149802892628500 Breez Workforce IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 5.6.7.8 1706216427 CloudApp nspolicy dummyuser2@something.com https://drive.google.com dummyuser2@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
4 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM b28085207865fa1b9e588566 API Connector TRUE block yes malsite visit malsite Shooter Suite Cloud Storage unknown Cloud Storage 12 poor 1 Other FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 1.2.3.4 rGiqortgWUXxQNPb File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.0 [] policy_ga50 2459149802892628500 Shooter Suite IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 5.6.7.8 1706217380 CloudApp nspolicy dummyuser3@something.com https://drive.google.com dummyuser3@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
5 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM b525976fe8c0caef7ab4ffe4 API Connector FALSE block yes malsite visit malsite c4.ai Cloud Storage unknown Cloud Storage 1 ZTE - P726CU US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 ErLohkwYkJyYqEZA File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] policy_ga27 2459149802892628500 c4.ai FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 5.6.7.8 1706216526 CloudApp nspolicy dummyuser4@something.com https://drive.google.com dummyuser4@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
6 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM b7827cd9b0029b21ecddfaf3 API Connector FALSE block yes malsite visit malsite Invoice Journal Cloud Storage unknown Cloud Storage 17 poor 1 Other FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 1.2.3.4 GfMnrzfEJJhiWCQW File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.1 [] policy_ga30 2459149802892628500 Invoice Journal US 2 42.7936 San Diego -107.0689 California 92120 5.6.7.8 1706215369 CloudApp nspolicy dummyuser5@something.com https://drive.google.com dummyuser5@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
7 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM bc5b7d68ebdf75e4d49dc9f3 API Connector FALSE block yes malsite visit malsite mTraction Enterprise Cloud Storage unknown Cloud Storage 31 poor 1 iPod Touch (7th gen) US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 paIeBTpVEHDowOZl File netskope.local/Netskope/Active Users/US & International/Full Time iOS 11.1 [] policy_ga24 2459149802892628500 mTraction Enterprise NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1706216937 CloudApp nspolicy dummyuser6@something.com https://drive.google.com dummyuser6@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
8 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM bee8f8d42ea78bf96ce14e96 API Connector TRUE block yes malsite visit malsite Prevalent Exchange Cloud Storage unknown Cloud Storage 9 poor 1 iPod Touch (7th gen) FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 1.2.3.4 shWjouRiDIvMztpE File netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.0 [] policy_ga14 2459149802892628500 Prevalent Exchange FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 5.6.7.8 1706216511 CloudApp nspolicy dummyuser7@something.com https://drive.google.com dummyuser7@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
9 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM c1d5176d79c2966f1469adb8 API Connector TRUE block yes malsite visit malsite Saks Fifth Avenue Cloud Storage unknown Cloud Storage unknown 1 ZTE - Grand-S US 2 42.7936 San Diego -107.0689 California 92120 1.2.3.4 rXTxwhWMsKCRzdhR File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] policy_ga5 2459149802892628500 Saks Fifth Avenue DE 2 60.1188 Frankfurt am Main 18.6843 Hesse 60313 5.6.7.8 1706216288 CloudApp nspolicy dummyuser8@something.com https://drive.google.com dummyuser8@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
10 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM c227ac21e5100efb60bc326c API Connector FALSE alert yes malsite visit malsite WebDT Device Manager Cloud Storage unknown Cloud Storage 17 poor 1 Other NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 OnCANjfzjzRhwNOj File netskope.local/Netskope/Active Users/US & International/Full Time Windows 11.0 [] policy_ga4 2459149802892628500 WebDT Device Manager FR 1 57.89616 Ballots -9.04759 Pays-de-la-Loire 5.6.7.8 1706216116 CloudApp nspolicy dummyuser9@something.com https://drive.google.com dummyuser9@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
11 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:20:01 AM c47b36315e5d5c42f40d3c34 API Connector TRUE block yes malsite visit malsite Changepoint Project Portfolio Management Cloud Storage unknown Cloud Storage 1 iPhone XR IN 2 22.9634 Bengaluru 87.5855 Karnataka 560058 1.2.3.4 dGMqwyyPUholwvuO File netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.0 [] policy_ga0 2459149802892628500 Changepoint Daptiv NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 1706215872 CloudApp nspolicy dummyuser10@something.com https://drive.google.com dummyuser10@something.com 0 0 [] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 alertsmalsitedata_CL
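Review bot: Every row in this fixture uses `1.2.3.4` for `dstip_s` and `5.6.7.8` for `srcip_s`, and `something.com` for `user_s`/`ur_normalized_s`; these are live, routable addresses and a registered domain rather than reserved test values, so if the CSV is loaded into a demo workspace, any analytics rule that joins `srcip_s`/`dstip_s` or `user_s` against a threat-intelligence feed or geo-enrichment will resolve against real hosts. Swap them for RFC 5737 documentation ranges and an RFC 2606 domain, e.g. `dstip_s` → `203.0.113.4`, `srcip_s` → `198.51.100.8`, `dummyuser1@something.com` → `dummyuser1@example.com`, applied consistently across the ten rows. Separately, the epoch values in `timestamp_d` (around `1706217736`, which falls in late January 2024) sit a month before the `TimeGenerated [UTC]` of `2/29/2024, 8:20:01 AM`, which is harmless for a fixture but will look like extreme ingestion lag to any rule that compares the two columns.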


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_s,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,file_path_s,file_size_d,file_type_s,instance_s,instance_id_s,local_sha256_s,md5_g,mime_type_s,object_s,object_id_s,object_type_s,organization_unit_s,os_s,policy_s,request_id_s,scan_type_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,user_id_s,file_category_s,app_session_id_d,created_date_d,policy_id_s,transaction_id_d,usr_udf_employeeid_s,managementID_s,malware_name_s,company_s,usr_status_s,usr_udf_businesssegmentlevel4_s,dst_timezone_s,parent_id_s,file_name_s,tss_license_s,manager_s,modified_date_d,page_site_s,nsdeviceuid_s,usr_udf_businesssegmentlevel1_s,usr_udf_companyname_s,malware_profile_s,true_filetype_s,usr_title_s,usr_udf_primarydomain_s,browser_version_s,appsuite_s,malware_id_s,from_user_s,detection_type_s,sha1_s,userip_s,browser_session_id_d,severity_id_d,usr_display_name_s,department_s,usr_udf_businesssegmentlevel2_s,hostname_s,filename_s,referer_s,usr_udf_supervisorid_s,sanctioned_instance_s,file_id_s,src_time_s,app_name_s,TSS_scan_s,malware_severity_s,os_version_s,userPrincipalName_s,usr_udf_supervisorname_s,severity_s,detection_engine_s,managed_app_s,shared_with_s,connection_id_d,page_s,scanner_result_s,usr_udf_businesssegmentlevel3_s,shared_type_s,userCountry_s,device_classification_s,scan_time_d,tss_mode_s,protocol_s,local_md5_s,src_timezone_s,fastscan_results_s,title_s,incident_id_d,malware_type_s,ml_detection_s,cci_d,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b3a4362d71d29d226de6cdd0,API Connector,FALSE,alert,Login Failed,yes,Malware alert,Malware,Social Explorer,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone XS Max,NL,2,53.7,Amsterdam,-19.72,North Holland,1012,1.2.3.4,/My Drive/Clickhouse/Tenant Migration across MPs,118731,application.document,datainstance.com,datainstance.com,3d9d42f7c17b46fd4f6cffa2ce134ebaa2488ed4d705c0da70da25c52b22406a,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,GTtUiTMvYcMICtmP,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 7.0,policy_ga5,2459149802892628500,Ongoing,Social Explorer,NL,2,53.7,Amsterdam,-19.72,North Holland,1012,1.2.3.4,1676243502,CloudApp,datapolicy,adsf2343adf-0566t@test.data.com,https://drive.google.com,adsf2343adf-0566t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,11,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b3af6d82f16a7807e1bd22a6,API Connector,TRUE,block,Login Failed,yes,Malware alert,Malware,FastTrak Auto Shop Manager,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - Grand-S,IN,2,12.9634,Mumbai,4.8975,Maharashtra,97818,3.86.29.24,/My Drive/Clickhouse/Tenant Migration across MPs,118848,application.document,datainstance.com,datainstance.com,4526efb334620e58c148dd11616a72b82d4bcbe50da5fad1a67df9945f162dda,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,FDveLzHoNLVWZOlZ,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 11.0,policy_ga5,2459149802892628500,Ongoing,FastTrak Auto Shop Manager,IN,2,12.9634,Mumbai,4.8975,Maharashtra,400072,3.86.29.24,1676243507,CloudApp,datapolicy,adsf2343adf-0711t@test.data.com,https://drive.google.com,adsf2343adf-0711t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,16,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b3c29be50ffe526f7847e1d3,API Connector,FALSE,alert,Edit,yes,Malware alert,Malware,Free Logo Services,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone XR,NL,2,7.896,Amsterdam,12.9634,North Holland,1012,13.248.55.2,/My Drive/Clickhouse/Tenant Migration across MPs,119327,application.document,datainstance.com,datainstance.com,77455ecfc09c5e228c7ac283ee1f003404405dc863563568de7c99531daea3d4,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,zriWMmSVpvVqdoCH,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,policy_ga51,2459149802892628500,Ongoing,Free Logo Services,NL,2,7.896,Amsterdam,12.9634,North Holland,1012,13.248.55.2,1676243507,CloudApp,datapolicy,adsf2343adf-0669t@test.data.com,https://drive.google.com,adsf2343adf-0669t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,20,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b3f42b2b5d1a355519660ece,API Connector,TRUE,block,Upload,yes,Malware alert,Malware,Kiosk Software,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone 15,NL,2,53.7,Amsterdam,4.8975,North Holland,1012,1.2.3.4,/My Drive/Clickhouse/Tenant Migration across MPs,118887,application.document,datainstance.com,datainstance.com,186e83cac6055eaba3f83730dab2f5a4f90d22a6c0515c29baca01fa34db10c6,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,WbhpPsmLXptLIUnJ,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 10.1,policy_ga15,2459149802892628500,Ongoing,Kiosk Software,DE,2,53.7,Frankfurt am Main,4.8975,Hesse,60313,1.2.3.4,1676243505,CloudApp,datapolicy,adsf2343adf-0779t@test.data.com,https://drive.google.com,adsf2343adf-0779t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,29,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b419629fbfed7288030304d1,API Connector,FALSE,alert,Upload,yes,Malware alert,Malware,The Invoice Machine,Cloud Storage,unknown,Cloud Storage,,poor,1,Samsung Fold 5,NL,2,12.9634,Amsterdam,7.896,North Holland,1012,3.86.29.24,/My Drive/Clickhouse/Tenant Migration across MPs,119336,application.document,datainstance.com,datainstance.com,5c7592801457d82a13d84abcd840d92d5484a739652d089b8603a8c8b77a9549,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,aJwpPFuFOAPWGcjr,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 11.1,policy_ga14,2459149802892628500,Ongoing,The Invoice Machine,FR,2,12.9634,Paris,7.896,Île-de-France,75015,3.86.29.24,1676243503,CloudApp,datapolicy,adsf2343adf-0579t@test.data.com,https://drive.google.com,adsf2343adf-0579t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,21,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b429384cc1752d435d684d65,API Connector,TRUE,block,Login Successful,yes,Malware alert,Malware,Payara Server,Cloud Storage,unknown,Cloud Storage,,low,1,iPhone 11,NL,2,53.7,Amsterdam,4.8975,North Holland,1012,13.248.55.2,/My Drive/Clickhouse/Tenant Migration across MPs,118917,application.document,datainstance.com,datainstance.com,698d7e4953d8addbac44c4779de288338a129870185c885bb978ec1bc2b0af63,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,FmWYpIIgzpsTUMnc,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,policy_ga25,2459149802892628500,Ongoing,Payara Server,US,2,53.7,Lakeside,4.8975,California,92040,13.248.55.2,1676243506,CloudApp,datapolicy,adsf2343adf-0850t@test.data.com,https://drive.google.com,adsf2343adf-0850t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,56,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b470d16e1622fcd2b286c642,API Connector,FALSE,,Create,yes,Malware alert,Malware,IIJ Document Exchange service(DOX),Cloud Storage,unknown,Cloud Storage,,medium,1,ZTE - P188T20,FR,2,52.3759,Paris,7.896,Île-de-France,560058,1.2.3.4,/My Drive/Clickhouse/Tenant Migration across MPs,118703,application.document,datainstance.com,datainstance.com,29247291575b67e2c5dc5fa2ff9fdfbc5e1fc762294a3d769adbf7815af187dc,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,LQmUNyqmcMbxDMHB,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 10.0,policy_ga6,2459149802892628500,Ongoing,IIJ Document Exchange service(DOX),IN,2,52.3759,Mumbai,7.896,Maharashtra,400072,1.2.3.4,1676243504,CloudApp,datapolicy,adsf2343adf-0025t@test.data.com,https://drive.google.com,adsf2343adf-0025t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,66,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b486a452f7d46ed8de8860bd,API Connector,FALSE,alert,Edit,yes,Malware alert,Malware,PixelPoint POS,Cloud Storage,unknown,Cloud Storage,,unknown,1,Other,NL,2,12.9634,Amsterdam,-19.72,North Holland,1212,3.86.29.24,/My Drive/Clickhouse/Tenant Migration across MPs,118514,application.document,datainstance.com,datainstance.com,da2b2b74bc415044450c48306964303df796bd304de92f3f743f82230fa3d2f3,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,iHsMaDgTXScNiLFY,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 10.0,policy_ga23,2459149802892628500,Ongoing,PixelPoint POS,NL,2,12.9634,Amsterdam,-19.72,North Holland,1012,3.86.29.24,1676243490,CloudApp,datapolicy,adsf2343adf-0729t@test.data.com,https://drive.google.com,adsf2343adf-0729t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,23,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b4d0f147a9b622a9b41d8bf6,API Connector,TRUE,,Delete,yes,Malware alert,Malware,VAI S2K Enterprise OnCloud,Cloud Storage,unknown,Cloud Storage,,poor,1,Samsung Fold 5,US,2,53.7,Lakeside,77.5855,California,321,13.248.55.2,/My Drive/Clickhouse/Tenant Migration across MPs,118453,application.document,datainstance.com,datainstance.com,79770436de57c49c35ce76bf15d8b8b7c133ea98fdc6f17bf9203bd6ae2b5040,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,mRSaqeGlcgaJZWXq,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,policy_ga5,2459149802892628500,Ongoing,Vormittag Associates S2K Enterprise,DE,2,53.7,Frankfurt am Main,77.5855,Hesse,60313,13.248.55.2,1676243507,CloudApp,datapolicy,adsf2343adf-0430t@test.data.com,https://drive.google.com,adsf2343adf-0430t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,17,alertsmalwaredata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/16/2024, 1:46:15 PM",,,b4fa8fa4af7120854935d4e1,API Connector,FALSE,alert,Edit,yes,Malware alert,Malware,360-degree feedback,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone 8,US,2,7.896,Boardman,-1.04759,Oregon,1213,19.2.5.21,/My Drive/Clickhouse/Tenant Migration across MPs,119016,application.document,datainstance.com,datainstance.com,51e6e9750183770eade936144207e4c24ee69f8aacc5756294fae050147d80eb,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,lLeyOMmAIRLXPhYE,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.6,policy_ga28,2459149802892628500,Ongoing,360-degree feedback,NL,2,7.896,Amsterdam,-1.04759,North Holland,1012,19.2.5.21,1676243510,CloudApp,datapolicy,adsf2343adf-0640t@test.data.com,https://drive.google.com,adsf2343adf-0640t@test.data.com,,,0,0,,0,,,,,,,,,,,,0,,,,,,,,,,,,,,,,0,0,,,,,,,,,,,,,,,,,,,,[],0,,,,,,,0,,,,,,,0,,,16,alertsmalwaredata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s activity_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category cci_s ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s file_path_s file_size_d file_type_s instance_s instance_id_s local_sha256_s md5_g mime_type_s object_s object_id_s object_type_s organization_unit_s os_s policy_s request_id_s scan_type_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s user_id_s file_category_s app_session_id_d created_date_d policy_id_s transaction_id_d usr_udf_employeeid_s managementID_s malware_name_s company_s usr_status_s usr_udf_businesssegmentlevel4_s dst_timezone_s parent_id_s file_name_s tss_license_s manager_s modified_date_d page_site_s nsdeviceuid_s usr_udf_businesssegmentlevel1_s usr_udf_companyname_s malware_profile_s true_filetype_s usr_title_s usr_udf_primarydomain_s browser_version_s appsuite_s malware_id_s from_user_s detection_type_s sha1_s userip_s browser_session_id_d severity_id_d usr_display_name_s department_s usr_udf_businesssegmentlevel2_s hostname_s filename_s referer_s usr_udf_supervisorid_s sanctioned_instance_s file_id_s src_time_s app_name_s TSS_scan_s malware_severity_s os_version_s userPrincipalName_s usr_udf_supervisorname_s severity_s detection_engine_s managed_app_s shared_with_s connection_id_d page_s scanner_result_s usr_udf_businesssegmentlevel3_s shared_type_s userCountry_s device_classification_s scan_time_d tss_mode_s protocol_s local_md5_s src_timezone_s fastscan_results_s title_s incident_id_d malware_type_s ml_detection_s cci_d Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b3a4362d71d29d226de6cdd0 API Connector FALSE alert Login Failed yes Malware alert Malware Social Explorer Cloud Storage unknown Cloud Storage poor 1 iPhone XS Max NL 2 53.7 Amsterdam -19.72 North Holland 1012 1.2.3.4 /My Drive/Clickhouse/Tenant Migration across MPs 118731 application.document datainstance.com datainstance.com 3d9d42f7c17b46fd4f6cffa2ce134ebaa2488ed4d705c0da70da25c52b22406a 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document GTtUiTMvYcMICtmP 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 7.0 policy_ga5 2459149802892628500 Ongoing Social Explorer NL 2 53.7 Amsterdam -19.72 North Holland 1012 1.2.3.4 1676243502 CloudApp datapolicy adsf2343adf-0566t@test.data.com https://drive.google.com adsf2343adf-0566t@test.data.com 0 0 0 0 0 0 [] 0 0 0 11 alertsmalwaredata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b3af6d82f16a7807e1bd22a6 API Connector TRUE block Login Failed yes Malware alert Malware FastTrak Auto Shop Manager Cloud Storage unknown Cloud Storage poor 1 ZTE - Grand-S IN 2 12.9634 Mumbai 4.8975 Maharashtra 97818 3.86.29.24 /My Drive/Clickhouse/Tenant Migration across MPs 118848 application.document datainstance.com datainstance.com 4526efb334620e58c148dd11616a72b82d4bcbe50da5fad1a67df9945f162dda 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document FDveLzHoNLVWZOlZ 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 11.0 policy_ga5 2459149802892628500 Ongoing FastTrak Auto Shop Manager IN 2 12.9634 Mumbai 4.8975 Maharashtra 400072 3.86.29.24 1676243507 CloudApp datapolicy adsf2343adf-0711t@test.data.com https://drive.google.com adsf2343adf-0711t@test.data.com 0 0 0 0 0 0 [] 0 0 0 16 alertsmalwaredata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b3c29be50ffe526f7847e1d3 API Connector FALSE alert Edit yes Malware alert Malware Free Logo Services Cloud Storage unknown Cloud Storage poor 1 iPhone XR NL 2 7.896 Amsterdam 12.9634 North Holland 1012 13.248.55.2 /My Drive/Clickhouse/Tenant Migration across MPs 119327 application.document datainstance.com datainstance.com 77455ecfc09c5e228c7ac283ee1f003404405dc863563568de7c99531daea3d4 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document zriWMmSVpvVqdoCH 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 policy_ga51 2459149802892628500 Ongoing Free Logo Services NL 2 7.896 Amsterdam 12.9634 North Holland 1012 13.248.55.2 1676243507 CloudApp datapolicy adsf2343adf-0669t@test.data.com https://drive.google.com adsf2343adf-0669t@test.data.com 0 0 0 0 0 0 [] 0 0 0 20 alertsmalwaredata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b3f42b2b5d1a355519660ece API Connector TRUE block Upload yes Malware alert Malware Kiosk Software Cloud Storage unknown Cloud Storage poor 1 iPhone 15 NL 2 53.7 Amsterdam 4.8975 North Holland 1012 1.2.3.4 /My Drive/Clickhouse/Tenant Migration across MPs 118887 application.document datainstance.com datainstance.com 186e83cac6055eaba3f83730dab2f5a4f90d22a6c0515c29baca01fa34db10c6 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document WbhpPsmLXptLIUnJ 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 10.1 policy_ga15 2459149802892628500 Ongoing Kiosk Software DE 2 53.7 Frankfurt am Main 4.8975 Hesse 60313 1.2.3.4 1676243505 CloudApp datapolicy adsf2343adf-0779t@test.data.com https://drive.google.com adsf2343adf-0779t@test.data.com 0 0 0 0 0 0 [] 0 0 0 29 alertsmalwaredata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b419629fbfed7288030304d1 API Connector FALSE alert Upload yes Malware alert Malware The Invoice Machine Cloud Storage unknown Cloud Storage poor 1 Samsung Fold 5 NL 2 12.9634 Amsterdam 7.896 North Holland 1012 3.86.29.24 /My Drive/Clickhouse/Tenant Migration across MPs 119336 application.document datainstance.com datainstance.com 5c7592801457d82a13d84abcd840d92d5484a739652d089b8603a8c8b77a9549 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document aJwpPFuFOAPWGcjr 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 11.1 policy_ga14 2459149802892628500 Ongoing The Invoice Machine FR 2 12.9634 Paris 7.896 Île-de-France 75015 3.86.29.24 1676243503 CloudApp datapolicy adsf2343adf-0579t@test.data.com https://drive.google.com adsf2343adf-0579t@test.data.com 0 0 0 0 0 0 [] 0 0 0 21 alertsmalwaredata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b429384cc1752d435d684d65 API Connector TRUE block Login Successful yes Malware alert Malware Payara Server Cloud Storage unknown Cloud Storage low 1 iPhone 11 NL 2 53.7 Amsterdam 4.8975 North Holland 1012 13.248.55.2 /My Drive/Clickhouse/Tenant Migration across MPs 118917 application.document datainstance.com datainstance.com 698d7e4953d8addbac44c4779de288338a129870185c885bb978ec1bc2b0af63 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document FmWYpIIgzpsTUMnc 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 policy_ga25 2459149802892628500 Ongoing Payara Server US 2 53.7 Lakeside 4.8975 California 92040 13.248.55.2 1676243506 CloudApp datapolicy adsf2343adf-0850t@test.data.com https://drive.google.com adsf2343adf-0850t@test.data.com 0 0 0 0 0 0 [] 0 0 0 56 alertsmalwaredata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b470d16e1622fcd2b286c642 API Connector FALSE Create yes Malware alert Malware IIJ Document Exchange service(DOX) Cloud Storage unknown Cloud Storage medium 1 ZTE - P188T20 FR 2 52.3759 Paris 7.896 Île-de-France 560058 1.2.3.4 /My Drive/Clickhouse/Tenant Migration across MPs 118703 application.document datainstance.com datainstance.com 29247291575b67e2c5dc5fa2ff9fdfbc5e1fc762294a3d769adbf7815af187dc 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document LQmUNyqmcMbxDMHB 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 10.0 policy_ga6 2459149802892628500 Ongoing IIJ Document Exchange service(DOX) IN 2 52.3759 Mumbai 7.896 Maharashtra 400072 1.2.3.4 1676243504 CloudApp datapolicy adsf2343adf-0025t@test.data.com https://drive.google.com adsf2343adf-0025t@test.data.com 0 0 0 0 0 0 [] 0 0 0 66 alertsmalwaredata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b486a452f7d46ed8de8860bd API Connector FALSE alert Edit yes Malware alert Malware PixelPoint POS Cloud Storage unknown Cloud Storage unknown 1 Other NL 2 12.9634 Amsterdam -19.72 North Holland 1212 3.86.29.24 /My Drive/Clickhouse/Tenant Migration across MPs 118514 application.document datainstance.com datainstance.com da2b2b74bc415044450c48306964303df796bd304de92f3f743f82230fa3d2f3 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document iHsMaDgTXScNiLFY 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Android 10.0 policy_ga23 2459149802892628500 Ongoing PixelPoint POS NL 2 12.9634 Amsterdam -19.72 North Holland 1012 3.86.29.24 1676243490 CloudApp datapolicy adsf2343adf-0729t@test.data.com https://drive.google.com adsf2343adf-0729t@test.data.com 0 0 0 0 0 0 [] 0 0 0 23 alertsmalwaredata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b4d0f147a9b622a9b41d8bf6 API Connector TRUE Delete yes Malware alert Malware VAI S2K Enterprise OnCloud Cloud Storage unknown Cloud Storage poor 1 Samsung Fold 5 US 2 53.7 Lakeside 77.5855 California 321 13.248.55.2 /My Drive/Clickhouse/Tenant Migration across MPs 118453 application.document datainstance.com datainstance.com 79770436de57c49c35ce76bf15d8b8b7c133ea98fdc6f17bf9203bd6ae2b5040 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document mRSaqeGlcgaJZWXq 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 policy_ga5 2459149802892628500 Ongoing Vormittag Associates S2K Enterprise DE 2 53.7 Frankfurt am Main 77.5855 Hesse 60313 13.248.55.2 1676243507 CloudApp datapolicy adsf2343adf-0430t@test.data.com https://drive.google.com adsf2343adf-0430t@test.data.com 0 0 0 0 0 0 [] 0 0 0 17 alertsmalwaredata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/16/2024, 1:46:15 PM b4fa8fa4af7120854935d4e1 API Connector FALSE alert Edit yes Malware alert Malware 360-degree feedback Cloud Storage unknown Cloud Storage poor 1 iPhone 8 US 2 7.896 Boardman -1.04759 Oregon 1213 19.2.5.21 /My Drive/Clickhouse/Tenant Migration across MPs 119016 application.document datainstance.com datainstance.com 51e6e9750183770eade936144207e4c24ee69f8aacc5756294fae050147d80eb 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document lLeyOMmAIRLXPhYE 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.6 policy_ga28 2459149802892628500 Ongoing 360-degree feedback NL 2 7.896 Amsterdam -1.04759 North Holland 1012 19.2.5.21 1676243510 CloudApp datapolicy adsf2343adf-0640t@test.data.com https://drive.google.com adsf2343adf-0640t@test.data.com 0 0 0 0 0 0 [] 0 0 0 16 alertsmalwaredata_CL
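Review bot: The `md5_g` column in this sample holds the GUID-shaped string `4bf76801-95ec-aed5-5e3e-dabb5d95ca01` on every row rather than a 32-hex-character MD5 digest, so the `_g` type suffix baked into the header is an artifact of the fake value; a real Netskope MD5 would be inferred as a string and land in `md5_s`, and if parsers, workbooks or analytic rules are developed against this sample they will reference a column that does not exist in production — consider replacing the values with 32-hex strings (e.g. `d41d8cd98f00b204e9800998ecf8427e`) and renaming the header to `md5_s`. The `srcip_s`/`dstip_s` values `3.86.29.24`, `13.248.55.2`, `19.2.5.21` and `1.2.3.4` appear to be publicly routable allocations rather than RFC 5737 documentation addresses (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`); sample data that ships in a public solution and gets ingested into demo workspaces should not point detections or TI enrichment at live third-party address space. The `cci_s` column is empty on every row while `cci_d` near the end carries the score, so the same field is present twice under two types; dropping the empty `cci_s` would avoid one of the two being picked by a parser.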


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_d,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,exposure_s,file_path_s,file_size_d,file_type_s,instance_s,instance_id_s,md5_g,mime_type_s,modified_d,object_s,object_id_s,object_type_s,organization_unit_s,os_s,other_categories_s,owner_s,policy_s,request_id_s,scan_type_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,suppression_key_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,network_session_id_s,telemetry_app_s,user_tmp_s,shared_with_s,referer_s,start_time_s,appsuite_s,malware_id_s,remediation_profile_s,suppression_start_time_d,hostname_s,managed_app_s,activity_status_s,from_user_s,user_id_s,file_category_s,dsthost_s,message_size_d,tunnel_type_s,end_time_s,malicious_s,quarantine_profile_id_s,browser_version_s,q_original_filepath_s,last_name_s,userCountry_s,manager_s,q_original_version_s,threat_match_field_s,publisher_cn_s,app_session_id_d,sAMAccountName_s,conn_duration_d,parent_id_s,from_object_s,connection_id_d,risk_level_s,total_collaborator_count_d,memberOf_s,notify_template_s,client_bytes_d,useragent_s,encrypt_failure_s,serial_s,quarantine_file_name_s,tunnel_id_s,from_storage_s,session_duration_d,page_site_s,browser_session_id_d,tunnel_up_time_d,resp_cnt_d,group_s,sAMAccountType_s,to_object_s,managementID_s,malware_severity_s,protocol_s,activity_type_s,q_original_filename_s,tss_mode_s,page_s,http_status_s,smtp_to_s,q_app_s,smtp_status_s,protocol_port_s,src_time_s,server_packets_d,sanctioned_instance_s,client_packets_d,malware_name_s,userip_s,Title_s,dynamic_classification_s,sender_s,threat_source_id_d,internal_collaborator_count_d,total_packets_d,app_scopes_s,log_file_name_s,malsit
e_category_s,redirect_url_s,dstport_d,aggregated_user_s,numbytes_d,sfwder_s,q_original_shared_s,srcport_d,to_user_s,q_admin_s,universal_connector_s,forward_to_proxy_xau_s,publisher_name_s,quarantine_profile_s,shared_domains_s,trust_computer_checked_s,malware_type_s,dlp_profile_s,all_policy_matches_s,data_type_s,TSS_scan_s,external_collaborator_count_d,severity_s,num_sessions_d,distinguishedName_s,gateway_s,profile_emails_s,mail_s,suppression_end_time_d,dst_timezone_s,nsdeviceuid_s,ip_protocol_s,tss_scan_failed_s,cc_s,req_cnt_d,tss_fail_reason_s,displayName_s,sessionid_s,justification_type_s,threat_match_value_s,incident_id_d,file_id_s,division_s,os_version_s,two_factor_auth_s,dlp_fail_reason_s,network_s,server_bytes_d,orignal_file_path_s,app_activity_s,event_type_s,src_timezone_s,device_classification_s,bcc_s,act_user_s,to_storage_s,custom_connector_s,object_count_d,q_instance_s,policy_id_s,message_id_s,dlp_scan_failed_s,transaction_id_d,quarantine_file_id_s,org_s,justification_reason_s,cci_s,Type,_ResourceId
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,af7b830dee49f538c2644c49,API Connector,TRUE,block,Upload,yes,Policy violation,policy,E-clinic Software,Cloud Storage,unknown,Cloud Storage,31,poor,1,Other,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119067,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,PqgmyfuGsZIFgroo,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.0,[],dte1953ce410-0569t@test.netskope.com,policy_ga42,2459149802892628500,Ongoing,E-clinic Software,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,Tenant Migration across MPs,1676244575,CloudApp,nspolicy,dummyuser1@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser1@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,afb183aad25de76c968bc37c,API Connector,TRUE,block,Login Failed,yes,Policy violation,policy,SMILE V Air Hanbai,Cloud Storage,unknown,Cloud Storage,26,poor,1,Other,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118916,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,nKNErZvXuMkDLAeX,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.1,[],dte1953ce410-0283t@test.netskope.com,policy_ga14,2459149802892628500,Ongoing,SMILE V Air Hanbai,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,5.6.7.8,Tenant Migration across MPs,1676244575,CloudApp,nspolicy,dummyuser2@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser2@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,afce97f183bfd7049dd3bf81,API Connector,FALSE,,Login Failed,yes,Policy violation,policy,Resource Anesthesia,Cloud Storage,unknown,Cloud Storage,7,poor,1,iPhone 7 Plus,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119234,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,mNLOKtDffwmTWQES,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 10.1,[],dte1953ce410-0936t@test.netskope.com,policy_ga10,2459149802892628500,Ongoing,Resource Anesthesia,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676244591,CloudApp,nspolicy,dummyuser3@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser3@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,aff44b9900c6d4f6614cbf7f,API Connector,FALSE,block,Edit,yes,Policy violation,policy,iView Systems iTrak,Cloud Storage,unknown,Cloud Storage,8,poor,1,iPod Touch (7th gen),NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118709,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,PWCUXBcaRzMrGefk,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 10.1,[],dte1953ce410-0302t@test.netskope.com,policy_ga52,2459149802892628500,Ongoing,iView Systems,US,2,42.8571,Lakeside,-126.9191,California,92040,5.6.7.8,Tenant Migration across MPs,1676244607,CloudApp,nspolicy,dummyuser4@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser4@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b039144bdc1632c99dd5792f,API Connector,TRUE,alert,Login Successful,yes,Policy violation,policy,WebTranslateIt,Cloud Storage,unknown,Cloud Storage,41,poor,1,iPad Mini 4,US,2,42.8571,Lakeside,-106.9191,California,92040,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119196,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,IAJZzkiWiQqrFKvd,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 10.1,[],dte1953ce410-0752t@test.netskope.com,default,2459149802892628500,Ongoing,webtranslateit.com,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,Tenant Migration across MPs,1676244577,CloudApp,nspolicy,dummyuser5@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser5@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b03a70e73fa51bc6d8315607,API Connector,TRUE,block,Upload,yes,Policy violation,policy,GCP Container Registry,Cloud Storage,unknown,Cloud Storage,94,excellent,1,Other,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119020,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,WzxhDqPEVJisQuul,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.1,[],dte1953ce410-0031t@test.netskope.com,policy_ga5,2459149802892628500,Ongoing,Google Cloud Container Registry,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676244595,CloudApp,nspolicy,dummyuser6@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser6@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b06f00d6ce62c02ca7d1f341,API Connector,TRUE,alert,Create,yes,Policy violation,policy,IBM MAINFRAMES FORUMS,Cloud Storage,unknown,Cloud Storage,13,poor,1,ZTE - P722G,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118846,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,BZpJrvcYTzJLVrQL,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],dte1953ce410-0412t@test.netskope.com,policy_ga35,2459149802892628500,Ongoing,IBM MAINFRAMES FORUMS,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676244585,CloudApp,nspolicy,dummyuser7@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser7@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b077d697bca147ecd05d8ede,API Connector,TRUE,,Delete,yes,Policy violation,policy,BusinessConnect,Cloud Storage,unknown,Cloud Storage,8,poor,1,iPhone 6S Plus,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119067,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,oZKMWPRRytyDxFPU,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.6,[],dte1953ce410-0413t@test.netskope.com,policy_ga1,2459149802892628500,Ongoing,Business Connect,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,Tenant Migration across MPs,1676244589,CloudApp,nspolicy,dummyuser8@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser8@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b0a02acff780e2f24d8afbd4,API Connector,FALSE,block,Login Failed,yes,Policy violation,policy,Karl Marc John,Cloud Storage,unknown,Cloud Storage,,unknown,1,ZTE - P188T10,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119329,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,ZDQYDIefXSUFmitP,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],dte1953ce410-0742t@test.netskope.com,policy_ga8,2459149802892628500,Ongoing,Karl Marc John,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,5.6.7.8,Tenant Migration across MPs,1676244593,CloudApp,nspolicy,dummyuser9@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser9@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 1:57:40 PM",,,b0b256a24652bcecca97ce28,API Connector,TRUE,alert,Login Failed,yes,Policy violation,policy,Celigo Salesforce and NetSuite Connector,Cloud Storage,unknown,Cloud Storage,51,low,1,ZTE - P188T20,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,1.2.3.4,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119393,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,wEHrIzUNYZLMNVvD,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],dte1953ce410-0175t@test.netskope.com,policy_ga1,2459149802892628500,Ongoing,Celigo Salesforce and NetSuite Connector,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,Tenant Migration across MPs,1676244585,CloudApp,nspolicy,dummyuser10@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,dummyuser10@something.com,,,,,,,,,,0,,,,,,,,0,,,,,,,,,,,,,0,,0,,,0,,0,,,0,,,,,,,0,,0,0,0,,,,,,,,,,,,[],,,,,0,,0,,,,,,0,0,0,,,[],,0,,0,,,0,,,,,,,,,,,[],,,0,,0,,,[],,0,,,,,,0,,,,,,0,,,,,,,0,,,,,,,,,,0,,,,,0,,,,,alertspolicydata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s activity_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category cci_d ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s exposure_s file_path_s file_size_d file_type_s instance_s instance_id_s md5_g mime_type_s modified_d object_s object_id_s object_type_s organization_unit_s os_s other_categories_s owner_s policy_s request_id_s scan_type_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s suppression_key_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s network_session_id_s telemetry_app_s user_tmp_s shared_with_s referer_s start_time_s appsuite_s malware_id_s remediation_profile_s suppression_start_time_d hostname_s managed_app_s activity_status_s from_user_s user_id_s file_category_s dsthost_s message_size_d tunnel_type_s end_time_s malicious_s quarantine_profile_id_s browser_version_s q_original_filepath_s last_name_s userCountry_s manager_s q_original_version_s threat_match_field_s publisher_cn_s app_session_id_d sAMAccountName_s conn_duration_d parent_id_s from_object_s connection_id_d risk_level_s total_collaborator_count_d memberOf_s notify_template_s client_bytes_d useragent_s encrypt_failure_s serial_s quarantine_file_name_s tunnel_id_s from_storage_s session_duration_d page_site_s browser_session_id_d tunnel_up_time_d resp_cnt_d group_s sAMAccountType_s to_object_s managementID_s malware_severity_s protocol_s activity_type_s q_original_filename_s tss_mode_s page_s http_status_s smtp_to_s q_app_s smtp_status_s protocol_port_s src_time_s server_packets_d sanctioned_instance_s client_packets_d malware_name_s userip_s Title_s dynamic_classification_s sender_s threat_source_id_d internal_collaborator_count_d total_packets_d app_scopes_s log_file_name_s 
malsite_category_s redirect_url_s dstport_d aggregated_user_s numbytes_d sfwder_s q_original_shared_s srcport_d to_user_s q_admin_s universal_connector_s forward_to_proxy_xau_s publisher_name_s quarantine_profile_s shared_domains_s trust_computer_checked_s malware_type_s dlp_profile_s all_policy_matches_s data_type_s TSS_scan_s external_collaborator_count_d severity_s num_sessions_d distinguishedName_s gateway_s profile_emails_s mail_s suppression_end_time_d dst_timezone_s nsdeviceuid_s ip_protocol_s tss_scan_failed_s cc_s req_cnt_d tss_fail_reason_s displayName_s sessionid_s justification_type_s threat_match_value_s incident_id_d file_id_s division_s os_version_s two_factor_auth_s dlp_fail_reason_s network_s server_bytes_d orignal_file_path_s app_activity_s event_type_s src_timezone_s device_classification_s bcc_s act_user_s to_storage_s custom_connector_s object_count_d q_instance_s policy_id_s message_id_s dlp_scan_failed_s transaction_id_d quarantine_file_id_s org_s justification_reason_s cci_s Type _ResourceId
2 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM af7b830dee49f538c2644c49 API Connector TRUE block Upload yes Policy violation policy E-clinic Software Cloud Storage unknown Cloud Storage 31 poor 1 Other NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119067 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 PqgmyfuGsZIFgroo 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.0 [] dte1953ce410-0569t@test.netskope.com policy_ga42 2459149802892628500 Ongoing E-clinic Software IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 Tenant Migration across MPs 1676244575 CloudApp nspolicy dummyuser1@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser1@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
3 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM afb183aad25de76c968bc37c API Connector TRUE block Login Failed yes Policy violation policy SMILE V Air Hanbai Cloud Storage unknown Cloud Storage 26 poor 1 Other NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118916 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 nKNErZvXuMkDLAeX 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.1 [] dte1953ce410-0283t@test.netskope.com policy_ga14 2459149802892628500 Ongoing SMILE V Air Hanbai FR 2 58.8323 Paris 12.4075 Île-de-France 75015 5.6.7.8 Tenant Migration across MPs 1676244575 CloudApp nspolicy dummyuser2@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser2@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
4 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM afce97f183bfd7049dd3bf81 API Connector FALSE Login Failed yes Policy violation policy Resource Anesthesia Cloud Storage unknown Cloud Storage 7 poor 1 iPhone 7 Plus IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119234 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 mNLOKtDffwmTWQES 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time iOS 10.1 [] dte1953ce410-0936t@test.netskope.com policy_ga10 2459149802892628500 Ongoing Resource Anesthesia NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676244591 CloudApp nspolicy dummyuser3@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser3@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
5 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM aff44b9900c6d4f6614cbf7f API Connector FALSE block Edit yes Policy violation policy iView Systems iTrak Cloud Storage unknown Cloud Storage 8 poor 1 iPod Touch (7th gen) NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118709 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 PWCUXBcaRzMrGefk 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time iOS 10.1 [] dte1953ce410-0302t@test.netskope.com policy_ga52 2459149802892628500 Ongoing iView Systems US 2 42.8571 Lakeside -126.9191 California 92040 5.6.7.8 Tenant Migration across MPs 1676244607 CloudApp nspolicy dummyuser4@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser4@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
6 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b039144bdc1632c99dd5792f API Connector TRUE alert Login Successful yes Policy violation policy WebTranslateIt Cloud Storage unknown Cloud Storage 41 poor 1 iPad Mini 4 US 2 42.8571 Lakeside -106.9191 California 92040 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119196 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 IAJZzkiWiQqrFKvd 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time iOS 10.1 [] dte1953ce410-0752t@test.netskope.com default 2459149802892628500 Ongoing webtranslateit.com IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 Tenant Migration across MPs 1676244577 CloudApp nspolicy dummyuser5@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser5@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
7 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b03a70e73fa51bc6d8315607 API Connector TRUE block Upload yes Policy violation policy GCP Container Registry Cloud Storage unknown Cloud Storage 94 excellent 1 Other FR 2 58.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119020 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 WzxhDqPEVJisQuul 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.1 [] dte1953ce410-0031t@test.netskope.com policy_ga5 2459149802892628500 Ongoing Google Cloud Container Registry NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676244595 CloudApp nspolicy dummyuser6@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser6@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
8 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b06f00d6ce62c02ca7d1f341 API Connector TRUE alert Create yes Policy violation policy IBM MAINFRAMES FORUMS Cloud Storage unknown Cloud Storage 13 poor 1 ZTE - P722G NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118846 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 BZpJrvcYTzJLVrQL 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] dte1953ce410-0412t@test.netskope.com policy_ga35 2459149802892628500 Ongoing IBM MAINFRAMES FORUMS NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676244585 CloudApp nspolicy dummyuser7@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser7@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
9 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b077d697bca147ecd05d8ede API Connector TRUE Delete yes Policy violation policy BusinessConnect Cloud Storage unknown Cloud Storage 8 poor 1 iPhone 6S Plus NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119067 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 oZKMWPRRytyDxFPU 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.6 [] dte1953ce410-0413t@test.netskope.com policy_ga1 2459149802892628500 Ongoing Business Connect IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 Tenant Migration across MPs 1676244589 CloudApp nspolicy dummyuser8@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser8@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
10 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b0a02acff780e2f24d8afbd4 API Connector FALSE block Login Failed yes Policy violation policy Karl Marc John Cloud Storage unknown Cloud Storage unknown 1 ZTE - P188T10 NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119329 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 ZDQYDIefXSUFmitP 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] dte1953ce410-0742t@test.netskope.com policy_ga8 2459149802892628500 Ongoing Karl Marc John FR 2 58.8323 Paris 12.4075 Île-de-France 75015 5.6.7.8 Tenant Migration across MPs 1676244593 CloudApp nspolicy dummyuser9@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser9@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
11 abcd-cdef-ghijk RestAPI 2/22/2024, 1:57:40 PM b0b256a24652bcecca97ce28 API Connector TRUE alert Login Failed yes Policy violation policy Celigo Salesforce and NetSuite Connector Cloud Storage unknown Cloud Storage 51 low 1 ZTE - P188T20 IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 1.2.3.4 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119393 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 wEHrIzUNYZLMNVvD 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] dte1953ce410-0175t@test.netskope.com policy_ga1 2459149802892628500 Ongoing Celigo Salesforce and NetSuite Connector IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 Tenant Migration across MPs 1676244585 CloudApp nspolicy dummyuser10@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r dummyuser10@something.com 0 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 [] 0 0 0 [] 0 0 [] 0 0 0 0 0 0 alertspolicydata_CL
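Review bot: The sample rows in this CSV use routable addresses (`1.2.3.4` in dstip_s, `5.6.7.8` in srcip_s) and real or unregistered domains (`netskope.com`, `test.netskope.com`, `something.com`) where a fixture should use reserved documentation values, so that anyone who ingests the sample into a workspace and exercises enrichment or detection logic on it does not trigger lookups against third-party infrastructure. Swapping to RFC 5737 addresses such as `192.0.2.10` and `198.51.100.20`, and `example.com` for the user, owner and instance domains, keeps every row valid while making it obviously synthetic. The `TimeGenerated [UTC]` column is locale-formatted (`2/22/2024, 1:57:40 PM`), which matches a Log Analytics export but is ambiguous for any other consumer; if only the solution's sample-data tooling reads this file that is fine, otherwise an ISO 8601 value is safer. The header appears wrapped mid-token across two display lines here (`…,log_file_name_s,malsit` / `e_category_s,…`); the hunk count of 11 lines suggests this is a rendering artifact rather than a newline in the committed file, but it is worth confirming the header is a single line, since a parser would otherwise treat the remainder as a data row.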


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_s,ccl_s,count_d,device_s,exposure_s,file_path_s,file_size_d,file_type_s,instance_id_s,md5_g,mime_type_s,modified_d,object_s,object_id_s,object_type_s,organization_unit_s,os_s,other_categories_s,owner_s,policy_s,scan_type_s,site_s,suppression_key_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,userkey_s,departmentNumber_s,file_id_s,dlp_profile_s,quarantine_file_name_s,manager_s,quarantine_profile_id_s,q_original_shared_s,profile_emails_s,from_user_s,shared_with_s,q_original_version_s,q_original_filepath_s,user_id_s,quarantine_profile_s,quarantine_file_id_s,q_admin_s,q_original_filename_s,q_app_s,department_s,orignal_file_path_s,q_instance_s,cci_d,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,ee7246d409667fd4e8a79e08,API Connector,FALSE,block,yes,Quarantine held,quarantine,iView Systems iTrak,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone XS Max,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119177,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,HfwIddtfIBejAtCE,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 8.0,[],dte3831-sjc1-8619-0265t@abc.data.com,policy_ga40,Ongoing,iView Systems,Tenant Migration across MPs,1703769276,CloudApp,datapolicy,dte3831-sjc1-8619-0265t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0265t@abc.data.com,dte3831-sjc1-8619-0265t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,7,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,ef7b197992540899188dafc0,API Connector,TRUE,block,yes,Quarantine held,quarantine,CONA Services,Cloud Storage,unknown,Cloud Storage,,unknown,1,ZTE - Grand-S,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118584,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,oFJaJnpzpHODUZAv,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,[],dte3831-sjc1-8619-0163t@abc.data.com,policy_ga6,Ongoing,CONA Services,Tenant Migration across MPs,1703769355,CloudApp,datapolicy,dte3831-sjc1-8619-0163t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0163t@abc.data.com,dte3831-sjc1-8619-0163t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,3,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,f821eebda5f3a7fc71996ef4,API Connector,TRUE,,yes,Quarantine held,quarantine,SmartBear Cucumber Open,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone XR,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118531,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,nSHSkokrqMYBYJCF,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,[],dte3831-sjc1-8619-0827t@abc.data.com,policy_ga32,Ongoing,SmartBear Cucumber Open,Tenant Migration across MPs,1703768967,CloudApp,datapolicy,dte3831-sjc1-8619-0827t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0827t@abc.data.com,dte3831-sjc1-8619-0827t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,26,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,fa5867b11d02579bf24b3d8c,API Connector,TRUE,alert,yes,Quarantine held,quarantine,eGenuity eLube,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone 15,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119023,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,OvmmhHtXZLvzrcXY,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 10.0,[],dte3831-sjc1-8619-0712t@abc.data.com,policy_ga52,Ongoing,eGenuity eLube,Tenant Migration across MPs,1703768934,CloudApp,datapolicy,dte3831-sjc1-8619-0712t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0712t@abc.data.com,dte3831-sjc1-8619-0712t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,12,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,0129dc00d799114214dd218f,API Connector,TRUE,alert,yes,Quarantine held,quarantine,N.nu Online HTML Editor,Cloud Storage,unknown,Cloud Storage,,unknown,1,Samsung Fold 5,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119048,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,dLPfUkhhzekVuDZl,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,[],dte3831-sjc1-8619-0210t@abc.data.com,policy_ga32,Ongoing,N.nu Online HTML Editor,Tenant Migration across MPs,1703771785,CloudApp,datapolicy,dte3831-sjc1-8619-0210t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0210t@abc.data.com,dte3831-sjc1-8619-0210t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,24,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,0407f53bceb6a1a38bec38af,API Connector,TRUE,,yes,Quarantine held,quarantine,TIBCO Spotfire Cloud,Cloud Storage,unknown,Cloud Storage,,medium,1,iPhone 11,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118432,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,QpNQCgogZyyOgjES,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 8.0,[],dte3831-sjc1-8619-0414t@abc.data.com,policy_ga30,Ongoing,TIBCO Spotfire Cloud,Tenant Migration across MPs,1703771703,CloudApp,datapolicy,dte3831-sjc1-8619-0414t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0414t@abc.data.com,dte3831-sjc1-8619-0414t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,60,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,0509ac25dc31f066234dd344,API Connector,TRUE,block,yes,Quarantine held,quarantine,CoreHealth,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - P188T20,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119041,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,XSVMWfQBapsPjSjF,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,[],dte3831-sjc1-8619-0231t@abc.data.com,policy_ga2,Ongoing,CoreHealth Corporate Wellness Platform,Tenant Migration across MPs,1703771880,CloudApp,datapolicy,dte3831-sjc1-8619-0231t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0231t@abc.data.com,dte3831-sjc1-8619-0231t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,21,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,06e5386a9449b4d4d211b5a4,API Connector,TRUE,,yes,Quarantine held,quarantine,,Cloud Storage,unknown,Cloud Storage,,poor,1,Other,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,119052,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,MnZNinVfgkFGPEyE,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 7.1,[],dte3831-sjc1-8619-0788t@abc.data.com,policy_ga53,Ongoing,Interstate Batteries,Tenant Migration across MPs,1703771731,CloudApp,datapolicy,dte3831-sjc1-8619-0788t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0788t@abc.data.com,dte3831-sjc1-8619-0788t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,5,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,06fae3c6ea8f309305b3196e,API Connector,FALSE,alert,yes,Quarantine held,quarantine,Backup Systems,Cloud Storage,unknown,Cloud Storage,,poor,1,Samsung Fold 5,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118774,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,zdGVeKlpYcfhSrGQ,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 10.1,[],dte3831-sjc1-8619-0427t@abc.data.com,policy_ga35,Ongoing,Backup Systems,Tenant Migration across MPs,1703771604,CloudApp,datapolicy,dte3831-sjc1-8619-0427t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0427t@abc.data.com,dte3831-sjc1-8619-0427t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,25,alertsquarantinedata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:05:11 AM",,,114cca8509859f5066ca2ca2,API Connector,FALSE,alert,yes,Quarantine held,quarantine,EZPro Service Desk,Cloud Storage,unknown,Cloud Storage,,,1,iPhone 8,organisation_wide_link,/My Drive/Clickhouse/Tenant Migration across MPs,118807,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application.document,1613760236,tiZrdnCMLXFNyuCk,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 11.1,[],dte3831-sjc1-8619-0163t@abc.data.com,policy_ga36,Ongoing,EZPro Service Desk,Tenant Migration across MPs,1703771135,CloudApp,datapolicy,dte3831-sjc1-8619-0163t@abc.data.com,https://drive.google.com,dte3831-sjc1-8619-0163t@abc.data.com,dte3831-sjc1-8619-0163t@abc.data.com,,,,,,,,[],,,,,,,,,,,,,,53,alertsquarantinedata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category cci_s ccl_s count_d device_s exposure_s file_path_s file_size_d file_type_s instance_id_s md5_g mime_type_s modified_d object_s object_id_s object_type_s organization_unit_s os_s other_categories_s owner_s policy_s scan_type_s site_s suppression_key_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s userkey_s departmentNumber_s file_id_s dlp_profile_s quarantine_file_name_s manager_s quarantine_profile_id_s q_original_shared_s profile_emails_s from_user_s shared_with_s q_original_version_s q_original_filepath_s user_id_s quarantine_profile_s quarantine_file_id_s q_admin_s q_original_filename_s q_app_s department_s orignal_file_path_s q_instance_s cci_d Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM ee7246d409667fd4e8a79e08 API Connector FALSE block yes Quarantine held quarantine iView Systems iTrak Cloud Storage unknown Cloud Storage poor 1 iPhone XS Max organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119177 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 HfwIddtfIBejAtCE 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 8.0 [] dte3831-sjc1-8619-0265t@abc.data.com policy_ga40 Ongoing iView Systems Tenant Migration across MPs 1703769276 CloudApp datapolicy dte3831-sjc1-8619-0265t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0265t@abc.data.com dte3831-sjc1-8619-0265t@abc.data.com [] 7 alertsquarantinedata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM ef7b197992540899188dafc0 API Connector TRUE block yes Quarantine held quarantine CONA Services Cloud Storage unknown Cloud Storage unknown 1 ZTE - Grand-S organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118584 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 oFJaJnpzpHODUZAv 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 [] dte3831-sjc1-8619-0163t@abc.data.com policy_ga6 Ongoing CONA Services Tenant Migration across MPs 1703769355 CloudApp datapolicy dte3831-sjc1-8619-0163t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0163t@abc.data.com dte3831-sjc1-8619-0163t@abc.data.com [] 3 alertsquarantinedata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM f821eebda5f3a7fc71996ef4 API Connector TRUE yes Quarantine held quarantine SmartBear Cucumber Open Cloud Storage unknown Cloud Storage poor 1 iPhone XR organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118531 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 nSHSkokrqMYBYJCF 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 [] dte3831-sjc1-8619-0827t@abc.data.com policy_ga32 Ongoing SmartBear Cucumber Open Tenant Migration across MPs 1703768967 CloudApp datapolicy dte3831-sjc1-8619-0827t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0827t@abc.data.com dte3831-sjc1-8619-0827t@abc.data.com [] 26 alertsquarantinedata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM fa5867b11d02579bf24b3d8c API Connector TRUE alert yes Quarantine held quarantine eGenuity eLube Cloud Storage unknown Cloud Storage poor 1 iPhone 15 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119023 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 OvmmhHtXZLvzrcXY 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 10.0 [] dte3831-sjc1-8619-0712t@abc.data.com policy_ga52 Ongoing eGenuity eLube Tenant Migration across MPs 1703768934 CloudApp datapolicy dte3831-sjc1-8619-0712t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0712t@abc.data.com dte3831-sjc1-8619-0712t@abc.data.com [] 12 alertsquarantinedata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 0129dc00d799114214dd218f API Connector TRUE alert yes Quarantine held quarantine N.nu Online HTML Editor Cloud Storage unknown Cloud Storage unknown 1 Samsung Fold 5 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119048 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 dLPfUkhhzekVuDZl 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 [] dte3831-sjc1-8619-0210t@abc.data.com policy_ga32 Ongoing N.nu Online HTML Editor Tenant Migration across MPs 1703771785 CloudApp datapolicy dte3831-sjc1-8619-0210t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0210t@abc.data.com dte3831-sjc1-8619-0210t@abc.data.com [] 24 alertsquarantinedata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 0407f53bceb6a1a38bec38af API Connector TRUE yes Quarantine held quarantine TIBCO Spotfire Cloud Cloud Storage unknown Cloud Storage medium 1 iPhone 11 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118432 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 QpNQCgogZyyOgjES 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 8.0 [] dte3831-sjc1-8619-0414t@abc.data.com policy_ga30 Ongoing TIBCO Spotfire Cloud Tenant Migration across MPs 1703771703 CloudApp datapolicy dte3831-sjc1-8619-0414t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0414t@abc.data.com dte3831-sjc1-8619-0414t@abc.data.com [] 60 alertsquarantinedata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 0509ac25dc31f066234dd344 API Connector TRUE block yes Quarantine held quarantine CoreHealth Cloud Storage unknown Cloud Storage poor 1 ZTE - P188T20 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119041 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 XSVMWfQBapsPjSjF 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 [] dte3831-sjc1-8619-0231t@abc.data.com policy_ga2 Ongoing CoreHealth Corporate Wellness Platform Tenant Migration across MPs 1703771880 CloudApp datapolicy dte3831-sjc1-8619-0231t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0231t@abc.data.com dte3831-sjc1-8619-0231t@abc.data.com [] 21 alertsquarantinedata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 06e5386a9449b4d4d211b5a4 API Connector TRUE yes Quarantine held quarantine Cloud Storage unknown Cloud Storage poor 1 Other organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 119052 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 MnZNinVfgkFGPEyE 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time Windows 7.1 [] dte3831-sjc1-8619-0788t@abc.data.com policy_ga53 Ongoing Interstate Batteries Tenant Migration across MPs 1703771731 CloudApp datapolicy dte3831-sjc1-8619-0788t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0788t@abc.data.com dte3831-sjc1-8619-0788t@abc.data.com [] 5 alertsquarantinedata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 06fae3c6ea8f309305b3196e API Connector FALSE alert yes Quarantine held quarantine Backup Systems Cloud Storage unknown Cloud Storage poor 1 Samsung Fold 5 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118774 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 zdGVeKlpYcfhSrGQ 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 10.1 [] dte3831-sjc1-8619-0427t@abc.data.com policy_ga35 Ongoing Backup Systems Tenant Migration across MPs 1703771604 CloudApp datapolicy dte3831-sjc1-8619-0427t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0427t@abc.data.com dte3831-sjc1-8619-0427t@abc.data.com [] 25 alertsquarantinedata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:05:11 AM 114cca8509859f5066ca2ca2 API Connector FALSE alert yes Quarantine held quarantine EZPro Service Desk Cloud Storage unknown Cloud Storage 1 iPhone 8 organisation_wide_link /My Drive/Clickhouse/Tenant Migration across MPs 118807 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application.document 1613760236 tiZrdnCMLXFNyuCk 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File data.com/dataconnector/Active Users/US & International/Full Time iOS 11.1 [] dte3831-sjc1-8619-0163t@abc.data.com policy_ga36 Ongoing EZPro Service Desk Tenant Migration across MPs 1703771135 CloudApp datapolicy dte3831-sjc1-8619-0163t@abc.data.com https://drive.google.com dte3831-sjc1-8619-0163t@abc.data.com dte3831-sjc1-8619-0163t@abc.data.com [] 53 alertsquarantinedata_CL
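Review bot: The `md5_g` column declared in the header line carries `4bf76801-95ec-aed5-5e3e-dabb5d95ca01` in all ten data rows, which is a GUID-shaped placeholder rather than a 32-hex-character MD5 digest. In Log Analytics custom logs the `_g` suffix marks a GUID-typed column, so this sample only lines up with the schema because the placeholder happens to parse as a GUID; a real file digest from the source presumably would not, and parsers or detections keyed on file hash that are tested against this sample are never exercised with a realistic value. Consider using a clearly constructed 32-hex sample such as `d41d8cd98f00b204e9800998ecf8427e` (the MD5 of the empty string) and confirming against the connector's ingestion path whether the column is really meant to be GUID-typed. The following file section uses the same placeholder in its `md5_g` column.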


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_s,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,file_size_d,file_type_s,instance_id_s,md5_g,object_s,object_type_s,organization_unit_s,os_s,policy_s,request_id_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,appsuite_s,transaction_id_d,page_s,hostname_s,policy_id_s,connection_id_d,app_session_id_d,severity_s,tss_mode_s,managed_app_s,endpoint_count_d,malware_type_s,notify_template_s,device_classification_s,page_site_s,dlp_profile_s,managementID_s,all_policy_matches_s,profile_hits_s,malware_severity_s,sanctioned_instance_s,src_timezone_s,dst_timezone_s,edr_app_s,browser_session_id_d,os_version_s,src_time_s,nsdeviceuid_s,actions_taken_s,malware_id_s,from_user_s,endpoints_s,protocol_s,incident_id_d,remediation_profile_s,userip_s,malware_name_s,cci_d,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,00ff811b4fd7735b4b2c4715,API Connector,TRUE,block,Download,yes,Remediation alert,Remediation,7proxysites.com,Cloud Storage,unknown,Cloud Storage,,unknown,1,iPhone XS Max,US,2,53.7,Boardman,-19.72,Oregon,97818,1.2.3.4,118989,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,hVrmJXMeFaUmfIYB,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.6,policy_ga2,6559147653292628500,7proxysites.com,US,2,53.7,Boardman,-19.72,Oregon,97818,1.2.3.4,1703629363,CloudApp,datapolicy,dte3831-sjc1-86asd-0651t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-0651t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,23,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,02050f461f9a1084e10f0767,API Connector,FALSE,alert,Edit,yes,Remediation alert,Remediation,IQ Coordinator,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - Grand-S,NL,2,12.9634,Amsterdam,4.8975,North Holland,1012,3.86.29.24,119052,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,vqwutrWpGDlKNMzY,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,policy_ga21,6559147653292628501,IQ Coordinator,FR,1,12.9634,Amsterdam,4.8975,North Holland,1012,3.86.29.24,1703629182,CloudApp,datapolicy,dte3831-sjc1-86asd-0671t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-0671t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,17,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,0457a6bbca4ce510ca507c66,API Connector,TRUE,block,Edit,yes,Remediation alert,Remediation,Amazon Ground Station,Cloud Storage,unknown,Cloud Storage,,high,1,iPhone XR,FR,1,7.896,Ballots,12.9634,Pays-de-la-Loire,,13.248.55.2,118986,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,qqfmVwowgSVkHXYc,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 10.1,policy_ga30,6559147653292628502,Amazon Ground Station,US,2,7.896,Ballots,12.9634,Pays-de-la-Loire,,13.248.55.2,1703628842,CloudApp,datapolicy,dte3831-sjc1-86asd-0787t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-0787t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,82,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,047ca6de7c862019732c2f75,API Connector,TRUE,alert,Upload,yes,Remediation alert,Remediation,Jadu,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone 15,NL,2,53.7,Amsterdam,4.8975,North Holland,1012,1.2.3.4,119334,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,kIJrUmrTbTQlzAeC,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,policy_ga19,6559147653292628503,Jadu Continuum,NL,2,53.7,Amsterdam,4.8975,North Holland,1012,1.2.3.4,1703628518,CloudApp,datapolicy,dte3831-sjc1-86asd-0088t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-0088t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,45,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,065cf412fc3ab64e7cf9c71c,API Connector,TRUE,,Upload,yes,Remediation alert,Remediation,Veeva Vault eTMF,Cloud Storage,unknown,Cloud Storage,,poor,1,Samsung Fold 5,IN,2,12.9634,Bengaluru,7.896,Karnataka,560058,3.86.29.24,119334,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,YnGOhEEjkculydkW,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 7.1,policy_ga25,6559147653292628504,Veeva Vault eTMF,US,2,12.9634,Bengaluru,7.896,Karnataka,560058,3.86.29.24,1703628667,CloudApp,datapolicy,dte3831-sjc1-86asd-0483t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-0483t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,41,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,08726eda0f7d0ec4b10ee34a,API Connector,TRUE,block,Download,yes,Remediation alert,Remediation,Amazon Managed Blockchain,Cloud Storage,unknown,Cloud Storage,,high,1,iPhone 11,NL,2,53.7,Amsterdam,4.8975,North Holland,1012,13.248.55.2,118681,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,rbBtMNeZpZSziVfW,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 9.0,policy_ga2,6559147653292628505,Amazon Managed Blockchain,IN,2,53.7,Amsterdam,4.8975,North Holland,1012,13.248.55.2,1703628972,CloudApp,datapolicy,dte3831-sjc1-86asd-06571t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-06571t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,82,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,0965c56a7ab6a153958ccc44,API Connector,FALSE,block,Delete,yes,Remediation alert,Remediation,GCP Container Registry,Cloud Storage,unknown,Cloud Storage,,excellent,1,ZTE - P188T20,NL,2,52.3759,Amsterdam,7.896,North Holland,1012,1.2.3.4,118788,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,mDdfkVIFlDlRzNyY,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 11.0,policy_ga19,6559147653292628506,Google Cloud Container Registry,DE,2,52.3759,Amsterdam,7.896,North Holland,1012,1.2.3.4,1703628942,CloudApp,datapolicy,dte3831-sjc1-86asd-02351t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-02351t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,93,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,1605359c71c46f28eaebe1f5,API Connector,FALSE,alert,Login Successful,yes,Remediation alert,Remediation,VAI S2K Enterprise OnCloud,Cloud Storage,unknown,Cloud Storage,,poor,1,Other,FR,1,12.9634,Ballots,-19.72,Pays-de-la-Loire,,3.86.29.24,118588,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,qNKQFtGNMuBOxeFC,File,data.com/dataconnector/Active Users/US & International/Full Time,Windows 7.1,policy_ga31,6559147653292628507,Vormittag Associates S2K Enterprise,FR,1,12.9634,Ballots,-19.72,Pays-de-la-Loire,,3.86.29.24,1703628914,CloudApp,datapolicy,dte3831-sjc1-86asd-23wt@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-23wt@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,17,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,16198a1fe10abbc48025b807,API Connector,TRUE,block,Edit,yes,Remediation alert,Remediation,CoreHealth,Cloud Storage,unknown,Cloud Storage,,poor,1,Samsung Fold 5,IN,2,53.7,Bengaluru,77.5855,Karnataka,560058,13.248.55.2,119058,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,DbPMDKamlPPnWUJS,File,data.com/dataconnector/Active Users/US & International/Full Time,Android 10.0,policy_ga53,6559147653292628508,CoreHealth Corporate Wellness Platform,IN,2,53.7,Bengaluru,77.5855,Karnataka,560058,13.248.55.2,1703628551,CloudApp,datapolicy,dte3831-sjc1-86asd-2452t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-2452t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,21,alertsremediationdata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:23 AM",,,18a383d095feca0c1a71ea87,API Connector,TRUE,alert,Edit,yes,Remediation alert,Remediation,Dropbox,Cloud Storage,unknown,Cloud Storage,,high,1,iPhone 8,FR,1,7.896,Ballots,-1.04759,Pays-de-la-Loire,,19.2.5.21,118623,application.document,datainstance.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,bsPjlnclVZQedBXp,File,data.com/dataconnector/Active Users/US & International/Full Time,iOS 11.1,policy_ga0,6559147653292628509,Dropbox,IN,2,7.896,Ballots,-1.04759,Pays-de-la-Loire,,19.2.5.21,1703629370,CloudApp,datapolicy,dte3831-sjc1-86asd-3424t@test.data.com,https://drive.google.com,dte3831-sjc1-86asd-3424t@test.data.com,,0,,,,0,0,,,,0,,,,,,,[],[],,,,,,0,,,,,,,,,0,,,,86,alertsremediationdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s activity_s alert_s alert_name_s alert_type_s app_s appcategory_s browser_s Category cci_s ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s file_size_d file_type_s instance_id_s md5_g object_s object_type_s organization_unit_s os_s policy_s request_id_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s appsuite_s transaction_id_d page_s hostname_s policy_id_s connection_id_d app_session_id_d severity_s tss_mode_s managed_app_s endpoint_count_d malware_type_s notify_template_s device_classification_s page_site_s dlp_profile_s managementID_s all_policy_matches_s profile_hits_s malware_severity_s sanctioned_instance_s src_timezone_s dst_timezone_s edr_app_s browser_session_id_d os_version_s src_time_s nsdeviceuid_s actions_taken_s malware_id_s from_user_s endpoints_s protocol_s incident_id_d remediation_profile_s userip_s malware_name_s cci_d Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 00ff811b4fd7735b4b2c4715 API Connector TRUE block Download yes Remediation alert Remediation 7proxysites.com Cloud Storage unknown Cloud Storage unknown 1 iPhone XS Max US 2 53.7 Boardman -19.72 Oregon 97818 1.2.3.4 118989 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 hVrmJXMeFaUmfIYB File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.6 policy_ga2 6559147653292628500 7proxysites.com US 2 53.7 Boardman -19.72 Oregon 97818 1.2.3.4 1703629363 CloudApp datapolicy dte3831-sjc1-86asd-0651t@test.data.com https://drive.google.com dte3831-sjc1-86asd-0651t@test.data.com 0 0 0 0 [] [] 0 0 23 alertsremediationdata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 02050f461f9a1084e10f0767 API Connector FALSE alert Edit yes Remediation alert Remediation IQ Coordinator Cloud Storage unknown Cloud Storage poor 1 ZTE - Grand-S NL 2 12.9634 Amsterdam 4.8975 North Holland 1012 3.86.29.24 119052 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 vqwutrWpGDlKNMzY File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 policy_ga21 6559147653292628501 IQ Coordinator FR 1 12.9634 Amsterdam 4.8975 North Holland 1012 3.86.29.24 1703629182 CloudApp datapolicy dte3831-sjc1-86asd-0671t@test.data.com https://drive.google.com dte3831-sjc1-86asd-0671t@test.data.com 0 0 0 0 [] [] 0 0 17 alertsremediationdata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 0457a6bbca4ce510ca507c66 API Connector TRUE block Edit yes Remediation alert Remediation Amazon Ground Station Cloud Storage unknown Cloud Storage high 1 iPhone XR FR 1 7.896 Ballots 12.9634 Pays-de-la-Loire 13.248.55.2 118986 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 qqfmVwowgSVkHXYc File data.com/dataconnector/Active Users/US & International/Full Time iOS 10.1 policy_ga30 6559147653292628502 Amazon Ground Station US 2 7.896 Ballots 12.9634 Pays-de-la-Loire 13.248.55.2 1703628842 CloudApp datapolicy dte3831-sjc1-86asd-0787t@test.data.com https://drive.google.com dte3831-sjc1-86asd-0787t@test.data.com 0 0 0 0 [] [] 0 0 82 alertsremediationdata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 047ca6de7c862019732c2f75 API Connector TRUE alert Upload yes Remediation alert Remediation Jadu Cloud Storage unknown Cloud Storage poor 1 iPhone 15 NL 2 53.7 Amsterdam 4.8975 North Holland 1012 1.2.3.4 119334 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 kIJrUmrTbTQlzAeC File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 policy_ga19 6559147653292628503 Jadu Continuum NL 2 53.7 Amsterdam 4.8975 North Holland 1012 1.2.3.4 1703628518 CloudApp datapolicy dte3831-sjc1-86asd-0088t@test.data.com https://drive.google.com dte3831-sjc1-86asd-0088t@test.data.com 0 0 0 0 [] [] 0 0 45 alertsremediationdata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 065cf412fc3ab64e7cf9c71c API Connector TRUE Upload yes Remediation alert Remediation Veeva Vault eTMF Cloud Storage unknown Cloud Storage poor 1 Samsung Fold 5 IN 2 12.9634 Bengaluru 7.896 Karnataka 560058 3.86.29.24 119334 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 YnGOhEEjkculydkW File data.com/dataconnector/Active Users/US & International/Full Time Windows 7.1 policy_ga25 6559147653292628504 Veeva Vault eTMF US 2 12.9634 Bengaluru 7.896 Karnataka 560058 3.86.29.24 1703628667 CloudApp datapolicy dte3831-sjc1-86asd-0483t@test.data.com https://drive.google.com dte3831-sjc1-86asd-0483t@test.data.com 0 0 0 0 [] [] 0 0 41 alertsremediationdata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 08726eda0f7d0ec4b10ee34a API Connector TRUE block Download yes Remediation alert Remediation Amazon Managed Blockchain Cloud Storage unknown Cloud Storage high 1 iPhone 11 NL 2 53.7 Amsterdam 4.8975 North Holland 1012 13.248.55.2 118681 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 rbBtMNeZpZSziVfW File data.com/dataconnector/Active Users/US & International/Full Time iOS 9.0 policy_ga2 6559147653292628505 Amazon Managed Blockchain IN 2 53.7 Amsterdam 4.8975 North Holland 1012 13.248.55.2 1703628972 CloudApp datapolicy dte3831-sjc1-86asd-06571t@test.data.com https://drive.google.com dte3831-sjc1-86asd-06571t@test.data.com 0 0 0 0 [] [] 0 0 82 alertsremediationdata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 0965c56a7ab6a153958ccc44 API Connector FALSE block Delete yes Remediation alert Remediation GCP Container Registry Cloud Storage unknown Cloud Storage excellent 1 ZTE - P188T20 NL 2 52.3759 Amsterdam 7.896 North Holland 1012 1.2.3.4 118788 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 mDdfkVIFlDlRzNyY File data.com/dataconnector/Active Users/US & International/Full Time Android 11.0 policy_ga19 6559147653292628506 Google Cloud Container Registry DE 2 52.3759 Amsterdam 7.896 North Holland 1012 1.2.3.4 1703628942 CloudApp datapolicy dte3831-sjc1-86asd-02351t@test.data.com https://drive.google.com dte3831-sjc1-86asd-02351t@test.data.com 0 0 0 0 [] [] 0 0 93 alertsremediationdata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 1605359c71c46f28eaebe1f5 API Connector FALSE alert Login Successful yes Remediation alert Remediation VAI S2K Enterprise OnCloud Cloud Storage unknown Cloud Storage poor 1 Other FR 1 12.9634 Ballots -19.72 Pays-de-la-Loire 3.86.29.24 118588 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 qNKQFtGNMuBOxeFC File data.com/dataconnector/Active Users/US & International/Full Time Windows 7.1 policy_ga31 6559147653292628507 Vormittag Associates S2K Enterprise FR 1 12.9634 Ballots -19.72 Pays-de-la-Loire 3.86.29.24 1703628914 CloudApp datapolicy dte3831-sjc1-86asd-23wt@test.data.com https://drive.google.com dte3831-sjc1-86asd-23wt@test.data.com 0 0 0 0 [] [] 0 0 17 alertsremediationdata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 16198a1fe10abbc48025b807 API Connector TRUE block Edit yes Remediation alert Remediation CoreHealth Cloud Storage unknown Cloud Storage poor 1 Samsung Fold 5 IN 2 53.7 Bengaluru 77.5855 Karnataka 560058 13.248.55.2 119058 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 DbPMDKamlPPnWUJS File data.com/dataconnector/Active Users/US & International/Full Time Android 10.0 policy_ga53 6559147653292628508 CoreHealth Corporate Wellness Platform IN 2 53.7 Bengaluru 77.5855 Karnataka 560058 13.248.55.2 1703628551 CloudApp datapolicy dte3831-sjc1-86asd-2452t@test.data.com https://drive.google.com dte3831-sjc1-86asd-2452t@test.data.com 0 0 0 0 [] [] 0 0 21 alertsremediationdata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:23 AM 18a383d095feca0c1a71ea87 API Connector TRUE alert Edit yes Remediation alert Remediation Dropbox Cloud Storage unknown Cloud Storage high 1 iPhone 8 FR 1 7.896 Ballots -1.04759 Pays-de-la-Loire 19.2.5.21 118623 application.document datainstance.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 bsPjlnclVZQedBXp File data.com/dataconnector/Active Users/US & International/Full Time iOS 11.1 policy_ga0 6559147653292628509 Dropbox IN 2 7.896 Ballots -1.04759 Pays-de-la-Loire 19.2.5.21 1703629370 CloudApp datapolicy dte3831-sjc1-86asd-3424t@test.data.com https://drive.google.com dte3831-sjc1-86asd-3424t@test.data.com 0 0 0 0 [] [] 0 0 86 alertsremediationdata_CL


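--- /dev/null
+++ b/PATH_NOT_SHOWN_IN_THIS_VIEW.csv
@@ -0,0 +1,11 @@
+TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_name_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_s,ccl_s,count_d,device_s,instance_id_s,object_s,object_type_s,organization_unit_s,os_s,policy_s,site_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,user_s,userkey_s,iaas_asset_tags_s,sa_rule_id_s,region_id_s,resource_category_s,asset_id_s,asset_object_id_s,sa_profile_name_s,resource_group_s,sa_profile_id_d,sAMAccountName_s,sa_rule_severity_s,policy_id_d,account_name_s,account_id_s,iaas_remediated_s,sa_rule_name_s,region_name_s,compliance_standards_s,cci_d,Type,_ResourceId
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f29688becc3e41f9d438eb97,API Connector,TRUE,block,Login Successful,yes,Security Audit,Security Assessment,Groupsite.com,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone SE (2016),netskope.com,vwyMrbQlGUUDrutT,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.6,policy_ga20,Groupsite.com,1676243384,CloudApp,nspolicy,dummyuser1@something.com,dummyuser1@something.com,dummyuser1@something.com,[],,,,,,,,0,,,0,,,,,,[],32,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f2df4c59446ceeb3730a0e6a,API Connector,TRUE,alert,Download,yes,Security Audit,Security Assessment,MS Office Suite,Cloud Storage,unknown,Cloud Storage,,,1,ZTE - P726V,netskope.com,xiGgUgeXXddnQSjd,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,policy_ga42,MS Office Suite,1676243394,CloudApp,nspolicy,dummyuser2@something.com,dummyuser2@something.com,dummyuser2@something.com,[],,,,,,,,0,,,0,,,,,,[],,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f30a89bd3896a8e71ab3a7d0,API Connector,FALSE,,Upload,yes,Security Audit,Security Assessment,Feedback Loop,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - P722G,netskope.com,xvHwkfcEwKoraIaW,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,policy_ga34,Feedback Loop,1676243390,CloudApp,nspolicy,dummyuser3@something.com,dummyuser3@something.com,dummyuser3@something.com,[],,,,,,,,0,,,0,,,,,,[],21,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f314d7ca07de6d43c76df48f,API Connector,TRUE,block,Delete,yes,Security Audit,Security Assessment,LinkedIn,Cloud Storage,unknown,Cloud Storage,,medium,1,ZTE - N720,netskope.com,fozfUhpIMWvAtIqv,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,policy_ga18,LinkedIn,1676243398,CloudApp,nspolicy,dummyuser4@something.com,dummyuser4@something.com,dummyuser4@something.com,[],,,,,,,,0,,,0,,,,,,[],68,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f3278b8ca15944c92e4c0f5a,API Connector,TRUE,alert,Delete,yes,Security Audit,Security Assessment,IQ Coordinator,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - P253A20,netskope.com,PoqdTbkYCHdzuVLB,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,policy_ga10,IQ Coordinator,1676243384,CloudApp,nspolicy,dummyuser5@something.com,dummyuser5@something.com,dummyuser5@something.com,[],,,,,,,,0,,,0,,,,,,[],18,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f3974d2f014d658e6c1a2760,API Connector,FALSE,alert,Login Failed,yes,Security Audit,Security Assessment,Next Generation EASY Cloud,Cloud Storage,unknown,Cloud Storage,,poor,1,ZTE - P188T20,netskope.com,KvdDIhCQRRjpBdWH,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,policy_ga51,Next Generation EASY Cloud,1676243395,CloudApp,nspolicy,dummyuser6@something.com,dummyuser6@something.com,dummyuser6@something.com,[],,,,,,,,0,,,0,,,,,,[],48,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f3ee8f71411674f8dfc5b394,API Connector,TRUE,alert,Create,yes,Security Audit,Security Assessment,Square9 ECM Software,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone X,netskope.com,HSUkeEhVChHxedTL,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.0,policy_ga27,Square9 ECM Software,1676243392,CloudApp,nspolicy,dummyuser7@something.com,dummyuser7@something.com,dummyuser7@something.com,[],,,,,,,,0,,,0,,,,,,[],49,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f4130645909a3d4530d81dbb,API Connector,TRUE,block,Create,yes,Security Audit,Security Assessment,Digi Remote Manager,Cloud Storage,unknown,Cloud Storage,,poor,1,Other,netskope.com,SztqwTJayeSvpAty,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 11.0,policy_ga29,Digi Device Cloud,1676243380,CloudApp,nspolicy,dummyuser8@something.com,dummyuser8@something.com,dummyuser8@something.com,[],,,,,,,,0,,,0,,,,,,[],48,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f418f0e066e29989076f24ef,API Connector,TRUE,alert,Login Failed,yes,Security Audit,Security Assessment,QuickStart Software,Cloud Storage,unknown,Cloud Storage,,poor,1,Other,netskope.com,zLzznEzjRRJlyMFA,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 8.0,policy_ga8,QuickStart Software,1676243377,CloudApp,nspolicy,dummyuser9@something.com,dummyuser9@something.com,dummyuser9@something.com,[],,,,,,,,0,,,0,,,,,,[],15,alertssecurityassessmentdata_CL,
+abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 5:34:59 AM",,,f433128e038d2de669188298,API Connector,FALSE,block,Upload,yes,Security Audit,Security Assessment,MyEasyISO,Cloud Storage,unknown,Cloud Storage,,poor,1,iPhone 7 Plus,netskope.com,WwgtuFPaheHfIIWv,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 11.1,policy_ga40,MyEasyISO ISO 9001 Software,1676243388,CloudApp,nspolicy,dummyuser10@something.com,dummyuser10@something.com,dummyuser10@something.com,[],,,,,,,,0,,,0,,,,,,[],36,alertssecurityassessmentdata_CL,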
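Review bot: The header row of this sample carries both `cci_s` and `cci_d`, and every data row leaves `cci_s` empty while `cci_d` holds the score (32, 21, 68, …), so the fixture encodes one field under two column types; if the connector sometimes emits the CCI as a string and sometimes as a number, a query or detection keyed on only one column silently drops rows, so either the empty `cci_s` column should go or the reason both exist should be documented next to the file. Two rows look like accidental gaps rather than deliberate test cases: the MS Office Suite row has `ccl_s` and `cci_d` empty, and the Feedback Loop row has `action_s` empty; a one-line note stating that these are intentional would keep them from being read as truncated records. `TimeGenerated [UTC]` uses a locale-dependent form (`2/23/2024, 5:34:59 AM`) while `timestamp_d` is epoch seconds that decode to February 2023, a year earlier, which is harmless in synthetic data but worth aligning so time-window queries written against the sample behave the same on live ingestion.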


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acked_s,action_s,activity_s,alert_s,alert_id_g,alert_name_s,alert_type_s,app_s,app_session_id_d,appcategory_s,browser_s,browser_session_id_d,browser_version_s,Category,cci_d,ccl_s,connection_id_d,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_timezone_s,dst_zipcode_s,dstip_s,event_type_s,evt_src_chnl_s,file_size_d,hostname_s,instance_id_s,managed_app_s,md5_g,object_s,object_id_g,object_type_s,organization_unit_s,os_s,os_version_s,page_s,page_site_s,parent_id_s,policy_s,policy_actions_s,profile_id_s,referer_s,score_s,severity_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_timezone_s,src_zipcode_s,srcip_s,telemetry_app_s,threshold_d,threshold_time_d,timestamp_d,traffic_type_s,transaction_id_d,type_s,ur_normalized_s,url_s,user_s,userip_s,userkey_s,loginurl_s,managementID_s,act_user_s,last_location_s,surhn_s,to_user_s,incident_id_d,TSS_scan_s,web_universal_connector_s,app_category_s,to_object_s,app_activity_s,distinguishedName_s,AccountType_s,last_device_s,User_SPACE_Name_s,user_id_s,activity_status_s,all_policy_matches_s,object_count_d,from_user_s,displayName_s,user_role_s,download_app_s,last_app_s,shared_credential_user_s,createdTime_s,last_region_s,audit_type_s,suppression_start_time_d,scopes_s,uba_inst1_s,file_category_s,two_factor_auth_s,group_s,bin_timestamp_d,User_SPACE_Id_s,risk_level_s,useragent_s,user_name_s,risk_level_id_d,policy_id_s,file_type_s,request_id_d,userPrincipalName_s,sanctioned_instance_s,uba_inst2_s,appsuite_s,from_user_category_s,mail_s,sAMAccountName_s,tss_mode_s,uba_ap1_s,last_timestamp_d,tss_fail_reason_s,suppression_end_time_d,to_user_category_s,netskope_activity_s,last_country_s,device_classification_s,anomaly_type_s,division_s,windowId_d,audit_category_s,src_time_s,logintype_s,tss_scan_failed_s,manager_s,protocol_s,employ
eeType_s,user_category_s,uba_ap2_s,policy_name_s,Type,_ResourceId
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,anomaly_detection,Upload,yes,mgmmi8i90xjrrr7u074upl14,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,0,high,533435,1,Win Device,US,1,53.7,Boardman,-19.72,Oregon,America/Los_Angeles,98052,1.2.3.4,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,53.7,Boardman,-19.72,Oregon,America/Toronto,97818,1.2.3.4,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0245t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0245t@test.data.com,1.2.3.4,asdf523adsd0-0245t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,TRUE,anomaly_detection,Delete,yes,p4ul5v44r1dhypotm8cuzout,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,43,high,533435,1,Win Device,US,1,12.9634,Amsterdam,4.8975,North Holland,America/Los_Angeles,98052,3.86.29.24,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,12.9634,Amsterdam,4.8975,North Holland,America/Toronto,1012,3.86.29.24,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0995t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0995t@test.data.com,3.86.29.24,asdf523adsd0-0995t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,alert,Upload,yes,x660dlgc4mbj2j6b2j24boqg,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,80,high,533435,1,Win Device,US,1,7.896,Ballots,12.9634,Pays-de-la-Loire,America/Los_Angeles,98052,13.248.55.2,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,debug,Google.com,CA,2,7.896,Ballots,12.9634,Pays-de-la-Loire,America/Toronto,,13.248.55.2,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0646t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0646t@test.data.com,13.248.55.2,asdf523adsd0-0646t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,block,Move,yes,5nkfb30tnq1shkonzr3cgbrq,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,12,high,533435,1,Win Device,US,1,53.7,Amsterdam,4.8975,North Holland,America/Los_Angeles,98052,1.2.3.4,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,debug,Google.com,CA,2,53.7,Amsterdam,4.8975,North Holland,America/Toronto,1012,1.2.3.4,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0014t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0014t@test.data.com,1.2.3.4,asdf523adsd0-0014t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,alert,Upload,yes,dqszmgjl8m4ib0ysmq2t41ib,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,80,low,533435,1,Win Device,US,1,12.9634,Bengaluru,7.896,Karnataka,Asia/Kolkata,98052,3.86.29.24,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,debug,Google.com,CA,2,12.9634,Bengaluru,7.896,Karnataka,Asia/Kolkata,560058,3.86.29.24,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0979t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0979t@test.data.com,3.86.29.24,asdf523adsd0-0979t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,TRUE,anomaly_detection,Delete,yes,3f6lub7uwtbeyhznghq1dd8l,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,23,high,533435,1,Win Device,US,1,53.7,Amsterdam,4.8975,North Holland,America/Los_Angeles,98052,13.248.55.2,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,53.7,Amsterdam,4.8975,North Holland,America/Toronto,1012,13.248.55.2,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0544t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0544t@test.data.com,13.248.55.2,asdf523adsd0-0544t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,TRUE,alert,Delete,yes,cta6exz6i06o09eznjf0mb8z,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,1,low,533435,1,Win Device,US,1,52.3759,Amsterdam,7.896,North Holland,America/Los_Angeles,98052,1.2.3.4,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,52.3759,Amsterdam,7.896,North Holland,America/Toronto,1012,1.2.3.4,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0838t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0838t@test.data.com,1.2.3.4,asdf523adsd0-0838t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,block,Login Failed,yes,6nncdj4y37jz2dtbeifawm4r,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,80,low,533435,1,Win Device,US,1,12.9634,Ballots,-19.72,Pays-de-la-Loire,America/Los_Angeles,98052,3.86.29.24,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,12.9634,Ballots,-19.72,Pays-de-la-Loire,America/Toronto,,3.86.29.24,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0773t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0773t@test.data.com,3.86.29.24,asdf523adsd0-0773t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,alert,Login Failed,yes,ycx2hg0vnmfgh12cq0fluixn,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,52,high,533435,1,Win Device,US,1,53.7,Bengaluru,77.5855,Karnataka,Asia/Kolkata,98052,13.248.55.2,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,53.7,Bengaluru,77.5855,Karnataka,Asia/Kolkata,560058,13.248.55.2,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0804t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0804t@test.data.com,13.248.55.2,asdf523adsd0-0804t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
abc123-r231-4b90-a4fd-1456abcdegdd,RestAPI,,,"2/29/2024, 7:54:53 AM",,,878baed0ac06430942e7f16b,Client,FALSE,anomaly_detection,Edit,yes,dn7pu1cfohcge8xvk4v6ki0w,Tuvis,uba,Google Gmail,7.87085E+18,Webmail,Chrome,5.22127E+18,54.0.2840.90,Webmail,4,high,533435,1,Win Device,US,1,7.896,Ballots,-1.04759,Pays-de-la-Loire,America/Los_Angeles,98052,19.2.5.21,sequence,application,1093957,EC2AMAZ-1OAJ8QB,datainstance.com,yes,60c5e014-76f2-44f2-eef2-7c00a69ce63f,20170904-000047_demo.jpg,14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i,File,,Win,Win, ,google.com,/personal/Documents,Tuvis,"[""Upload""]",Tuvis,https:// ,1,informational,Google.com,CA,2,7.896,Ballots,-1.04759,Pays-de-la-Loire,America/Toronto,,19.2.5.21,,1,60,1701756004,CloudApp,123414231,datapolicy,asdf523adsd0-0054t@test.data.com,my-testing-my.gmail.com,asdf523adsd0-0054t@test.data.com,19.2.5.21,asdf523adsd0-0054t@test.data.com,,,,,,,0,,,,,,,,,,,,[],0,,,,,,,,,,0,[],,,,,0,,,,,0,,,0,,,,,,,,,,0,,0,,,,,,,0,,,,,,,,,,,alertsubadata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acked_s action_s activity_s alert_s alert_id_g alert_name_s alert_type_s app_s app_session_id_d appcategory_s browser_s browser_session_id_d browser_version_s Category cci_d ccl_s connection_id_d count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_timezone_s dst_zipcode_s dstip_s event_type_s evt_src_chnl_s file_size_d hostname_s instance_id_s managed_app_s md5_g object_s object_id_g object_type_s organization_unit_s os_s os_version_s page_s page_site_s parent_id_s policy_s policy_actions_s profile_id_s referer_s score_s severity_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_timezone_s src_zipcode_s srcip_s telemetry_app_s threshold_d threshold_time_d timestamp_d traffic_type_s transaction_id_d type_s ur_normalized_s url_s user_s userip_s userkey_s loginurl_s managementID_s act_user_s last_location_s surhn_s to_user_s incident_id_d TSS_scan_s web_universal_connector_s app_category_s to_object_s app_activity_s distinguishedName_s AccountType_s last_device_s User_SPACE_Name_s user_id_s activity_status_s all_policy_matches_s object_count_d from_user_s displayName_s user_role_s download_app_s last_app_s shared_credential_user_s createdTime_s last_region_s audit_type_s suppression_start_time_d scopes_s uba_inst1_s file_category_s two_factor_auth_s group_s bin_timestamp_d User_SPACE_Id_s risk_level_s useragent_s user_name_s risk_level_id_d policy_id_s file_type_s request_id_d userPrincipalName_s sanctioned_instance_s uba_inst2_s appsuite_s from_user_category_s mail_s sAMAccountName_s tss_mode_s uba_ap1_s last_timestamp_d tss_fail_reason_s suppression_end_time_d to_user_category_s netskope_activity_s last_country_s device_classification_s anomaly_type_s division_s windowId_d audit_category_s src_time_s logintype_s tss_scan_failed_s manager_s protocol_s 
employeeType_s user_category_s uba_ap2_s policy_name_s Type _ResourceId
2 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE anomaly_detection Upload yes mgmmi8i90xjrrr7u074upl14 Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 0 high 533435 1 Win Device US 1 53.7 Boardman -19.72 Oregon America/Los_Angeles 98052 1.2.3.4 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 53.7 Boardman -19.72 Oregon America/Toronto 97818 1.2.3.4 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0245t@test.data.com my-testing-my.gmail.com asdf523adsd0-0245t@test.data.com 1.2.3.4 asdf523adsd0-0245t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
3 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client TRUE anomaly_detection Delete yes p4ul5v44r1dhypotm8cuzout Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 43 high 533435 1 Win Device US 1 12.9634 Amsterdam 4.8975 North Holland America/Los_Angeles 98052 3.86.29.24 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 12.9634 Amsterdam 4.8975 North Holland America/Toronto 1012 3.86.29.24 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0995t@test.data.com my-testing-my.gmail.com asdf523adsd0-0995t@test.data.com 3.86.29.24 asdf523adsd0-0995t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
4 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE alert Upload yes x660dlgc4mbj2j6b2j24boqg Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 80 high 533435 1 Win Device US 1 7.896 Ballots 12.9634 Pays-de-la-Loire America/Los_Angeles 98052 13.248.55.2 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 debug Google.com CA 2 7.896 Ballots 12.9634 Pays-de-la-Loire America/Toronto 13.248.55.2 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0646t@test.data.com my-testing-my.gmail.com asdf523adsd0-0646t@test.data.com 13.248.55.2 asdf523adsd0-0646t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
5 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE block Move yes 5nkfb30tnq1shkonzr3cgbrq Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 12 high 533435 1 Win Device US 1 53.7 Amsterdam 4.8975 North Holland America/Los_Angeles 98052 1.2.3.4 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 debug Google.com CA 2 53.7 Amsterdam 4.8975 North Holland America/Toronto 1012 1.2.3.4 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0014t@test.data.com my-testing-my.gmail.com asdf523adsd0-0014t@test.data.com 1.2.3.4 asdf523adsd0-0014t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
6 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE alert Upload yes dqszmgjl8m4ib0ysmq2t41ib Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 80 low 533435 1 Win Device US 1 12.9634 Bengaluru 7.896 Karnataka Asia/Kolkata 98052 3.86.29.24 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 debug Google.com CA 2 12.9634 Bengaluru 7.896 Karnataka Asia/Kolkata 560058 3.86.29.24 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0979t@test.data.com my-testing-my.gmail.com asdf523adsd0-0979t@test.data.com 3.86.29.24 asdf523adsd0-0979t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
7 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client TRUE anomaly_detection Delete yes 3f6lub7uwtbeyhznghq1dd8l Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 23 high 533435 1 Win Device US 1 53.7 Amsterdam 4.8975 North Holland America/Los_Angeles 98052 13.248.55.2 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 53.7 Amsterdam 4.8975 North Holland America/Toronto 1012 13.248.55.2 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0544t@test.data.com my-testing-my.gmail.com asdf523adsd0-0544t@test.data.com 13.248.55.2 asdf523adsd0-0544t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
8 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client TRUE alert Delete yes cta6exz6i06o09eznjf0mb8z Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 1 low 533435 1 Win Device US 1 52.3759 Amsterdam 7.896 North Holland America/Los_Angeles 98052 1.2.3.4 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 52.3759 Amsterdam 7.896 North Holland America/Toronto 1012 1.2.3.4 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0838t@test.data.com my-testing-my.gmail.com asdf523adsd0-0838t@test.data.com 1.2.3.4 asdf523adsd0-0838t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
9 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE block Login Failed yes 6nncdj4y37jz2dtbeifawm4r Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 80 low 533435 1 Win Device US 1 12.9634 Ballots -19.72 Pays-de-la-Loire America/Los_Angeles 98052 3.86.29.24 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 12.9634 Ballots -19.72 Pays-de-la-Loire America/Toronto 3.86.29.24 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0773t@test.data.com my-testing-my.gmail.com asdf523adsd0-0773t@test.data.com 3.86.29.24 asdf523adsd0-0773t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
10 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE alert Login Failed yes ycx2hg0vnmfgh12cq0fluixn Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 52 high 533435 1 Win Device US 1 53.7 Bengaluru 77.5855 Karnataka Asia/Kolkata 98052 13.248.55.2 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 53.7 Bengaluru 77.5855 Karnataka Asia/Kolkata 560058 13.248.55.2 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0804t@test.data.com my-testing-my.gmail.com asdf523adsd0-0804t@test.data.com 13.248.55.2 asdf523adsd0-0804t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL
11 abc123-r231-4b90-a4fd-1456abcdegdd RestAPI 2/29/2024, 7:54:53 AM 878baed0ac06430942e7f16b Client FALSE anomaly_detection Edit yes dn7pu1cfohcge8xvk4v6ki0w Tuvis uba Google Gmail 7.87085E+18 Webmail Chrome 5.22127E+18 54.0.2840.90 Webmail 4 high 533435 1 Win Device US 1 7.896 Ballots -1.04759 Pays-de-la-Loire America/Los_Angeles 98052 19.2.5.21 sequence application 1093957 EC2AMAZ-1OAJ8QB datainstance.com yes 60c5e014-76f2-44f2-eef2-7c00a69ce63f 20170904-000047_demo.jpg 14WLYNjJxKgEyqfalskjfhaotlowurnmcxjklhpdsohqi2i File Win Win google.com /personal/Documents Tuvis ["Upload"] Tuvis https:// 1 informational Google.com CA 2 7.896 Ballots -1.04759 Pays-de-la-Loire America/Toronto 19.2.5.21 1 60 1701756004 CloudApp 123414231 datapolicy asdf523adsd0-0054t@test.data.com my-testing-my.gmail.com asdf523adsd0-0054t@test.data.com 19.2.5.21 asdf523adsd0-0054t@test.data.com 0 [] 0 0 [] 0 0 0 0 0 0 alertsubadata_CL


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,action_s,activity_s,alert_s,alert_type_s,app_s,appcategory_s,browser_s,Category,cci_d,ccl_s,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,exposure_s,file_lang_s,file_path_s,file_size_d,file_type_s,instance_s,instance_id_s,md5_g,mime_type_s,modified_d,object_s,object_id_s,object_type_s,organization_unit_s,os_s,other_categories_s,owner_s,policy_s,request_id_s,scan_type_s,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,suppression_key_s,timestamp_d,traffic_type_s,type_s,ur_normalized_s,url_s,user_s,userkey_s,orignal_file_path_s,managed_app_s,userip_s,resp_cnt_d,dst_timezone_s,protocol_s,hostname_s,dlp_profile_s,to_user_s,parent_id_s,CononicalName_s,dlp_rule_s,total_collaborator_count_d,sha256_s,shared_with_s,dsthost_s,severity_s,suppression_end_time_d,dlp_unique_count_d,audit_category_s,app_session_id_d,workspace_id_s,req_cnt_d,universal_connector_s,logintype_s,connection_id_d,app_activity_s,channel_id_s,src_timezone_s,numbytes_d,conn_duration_d,managementID_s,dlp_is_unique_count_s,dlp_mail_parent_id_s,from_user_category_s,policy_id_s,useragent_s,device_classification_s,dlp_file_s,dlp_rule_count_d,sAMAccountName_s,audit_type_s,telemetry_app_s,web_universal_connector_s,title_s,data_type_s,userPrincipalName_s,page_s,serial_s,sessionid_s,smtp_to_s,appsuite_s,log_file_name_s,dlp_parent_id_d,tss_mode_s,server_bytes_d,client_bytes_d,page_site_s,loginurl_s,os_version_s,fromlogs_s,true_obj_category_s,true_obj_type_s,browser_session_id_d,workspace_s,dlp_rule_severity_s,dstport_d,netskope_activity_s,data_center_s,dlp_incident_id_d,suppression_start_time_d,nsdeviceuid_s,org_s,src_time_s,user_id_s,custom_connector_s,transaction_id_d,user_category_s,netskope_pop_s,browser_version_s,from_user_s,referer_s,internal_collaborator_count
_d,sanctioned_instance_s,notify_template_s,cci_s,Type,_ResourceId
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,757f3e4ac4a015c2b0a210ad,API Connector,alert,Login Successful,yes,quarantine,Ekos Brewmaster,Cloud Storage,unknown,Cloud Storage,12,poor,1,ZTE - P726N,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118540,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,MhQiicRnBqGHFKGg,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],dummyuser1@something.com,policy_ga36,2459149802892628500,Ongoing,Ekos Brewmaster,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676243254,CloudApp,nspolicy,tempuser1@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser1@something.com,tempuser1@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,75804388d4192925e022b6fc,API Connector,,Download,yes,quarantine,Real Time Cloud Services,Cloud Storage,unknown,Cloud Storage,39,poor,1,ZTE - P726N,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118418,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,tUmxqyiIMHhzJCUA,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],dummyuser2@something.com,policy_ga6,2459149802892628500,Ongoing,Real Time Cloud Services,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,Tenant Migration across MPs,1676243244,CloudApp,nspolicy,tempuser2@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser2@something.com,tempuser2@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,7581f4a7da63d0b04d09064c,API Connector,alert,Edit,yes,Remediation,Thomas Jefferson University,Cloud Storage,unknown,Cloud Storage,,unknown,1,ZTE - P117A13,US,2,52.8571,Lakeside,-106.9191,California,92040,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118707,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,DGSbPHjMixhisfmm,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],dummyuser3@something.com,policy_ga13,2459149802892628500,Ongoing,Thomas Jefferson University,US,2,42.8571,Lakeside,-106.9191,California,92040,5.6.7.8,Tenant Migration across MPs,1676243244,CloudApp,nspolicy,tempuser3@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser3@something.com,tempuser3@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,7581fe8700403843dba63190,API Connector,block,Delete,yes,legal hold,Shooter Suite,Cloud Storage,unknown,Cloud Storage,12,poor,1,ZTE - NX501,FR,2,68.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118984,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,jZtpxrmvqsdCzZYJ,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],dummyuser4@something.com,policy_ga42,2459149802892628500,Ongoing,Shooter Suite,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676243237,CloudApp,nspolicy,tempuser4@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser4@something.com,tempuser4@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,7585779147907c860810fedb,API Connector,,Download,yes,Remediation,Mainspring CMS,Cloud Storage,unknown,Cloud Storage,3,unknown,1,Other,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119402,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,KnBBdmGDJswydJwj,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.1,[],dummyuser5@something.com,policy_ga1,2459149802892628500,Ongoing,Mainspring CMS,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676243221,CloudApp,nspolicy,tempuser5@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser5@something.com,tempuser5@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,759f3259a51a7a624224edf0,API Connector,alert,Upload,yes,Malware,IIJ Document Exchange service(DOX),Cloud Storage,unknown,Cloud Storage,66,medium,1,ZTE - P726V,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118631,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,lYQoovfPPwzfmqyc,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 11.0,[],dummyuser6@something.com,policy_ga22,2459149802892628500,Ongoing,IIJ Document Exchange service(DOX),DE,2,60.1188,Frankfurt am Main,18.6843,Hesse,60313,5.6.7.8,Tenant Migration across MPs,1676243206,CloudApp,nspolicy,tempuser6@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser6@something.com,tempuser6@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,75a31fe07f16fc9cf542a2f9,API Connector,,Edit,yes,Remediation,Careers Baron,Cloud Storage,unknown,Cloud Storage,,unknown,1,Other,US,2,52.8571,Lakeside,-106.9191,California,92040,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118413,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,hZhOnmOOZArBTImy,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 8.0,[],dummyuser7@something.com,policy_ga52,2459149802892628500,Ongoing,Careers Baron,US,2,42.8571,Lakeside,-106.9191,California,92040,5.6.7.8,Tenant Migration across MPs,1676243231,CloudApp,nspolicy,tempuser7@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser7@something.com,tempuser7@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,75a53ac9415f208c73973067,API Connector,,Create,yes,Remediation,Saks Fifth Avenue,Cloud Storage,unknown,Cloud Storage,,unknown,1,Other,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119235,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,hfanELTPzPegZfkz,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Windows 7.1,[],dummyuser8@something.com,policy_ga47,2459149802892628500,Ongoing,Saks Fifth Avenue,DE,2,60.1188,Frankfurt am Main,18.6843,Hesse,60313,5.6.7.8,Tenant Migration across MPs,1676243231,CloudApp,nspolicy,tempuser8@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser8@something.com,tempuser8@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,75a78d113b45442991dc297a,API Connector,alert,Login Failed,yes,policy,eLearning Platform,Cloud Storage,unknown,Cloud Storage,,unknown,1,iPhone 6S,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,119028,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,XPTIggGqLKHHOgCk,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,iOS 9.6,[],dummyuser9@something.com,policy_ga2,2459149802892628500,Ongoing,eLearning Platform,US,2,42.8571,Lakeside,-106.9191,California,92040,5.6.7.8,Tenant Migration across MPs,1676243230,CloudApp,nspolicy,tempuser9@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser9@something.com,tempuser9@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/22/2024, 11:39:46 AM",,,75a81aad3192f7f4efd32009,API Connector,,Edit,yes,Malware,CareerHarmony,Cloud Storage,unknown,Cloud Storage,,,2,ZTE - Grand-S,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,organisation_wide_link,ENGLISH,/My Drive/Clickhouse/Tenant Migration across MPs,118968,application/vnd.google-apps.document,netskope.com,netskope.com,4bf76801-95ec-aed5-5e3e-dabb5d95ca01,application/vnd.google-apps.document,1613760236,hxjrHXZHqSTzxiYx,14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg,File,netskope.local/Netskope/Active Users/US & International/Full Time,Android 10.0,[],dummyuser10@something.com,policy_ga19,2459149802892628500,Ongoing,CareerHarmony,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,Tenant Migration across MPs,1676243245,CloudApp,nspolicy,tempuser10@something.com,https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r,tempuser10@something.com,tempuser10@something.com,,,,0,,,,,,,,,0,,,,,0,0,,0,,0,,,0,,,,0,0,,,,,,,,,0,,,,,,,,,,,[],,,0,,0,0,,,,,,,0,,,0,,,0,0,,,,,,0,,,,,,0,,,,eventsapplicationdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s action_s activity_s alert_s alert_type_s app_s appcategory_s browser_s Category cci_d ccl_s count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s exposure_s file_lang_s file_path_s file_size_d file_type_s instance_s instance_id_s md5_g mime_type_s modified_d object_s object_id_s object_type_s organization_unit_s os_s other_categories_s owner_s policy_s request_id_s scan_type_s site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s suppression_key_s timestamp_d traffic_type_s type_s ur_normalized_s url_s user_s userkey_s orignal_file_path_s managed_app_s userip_s resp_cnt_d dst_timezone_s protocol_s hostname_s dlp_profile_s to_user_s parent_id_s CononicalName_s dlp_rule_s total_collaborator_count_d sha256_s shared_with_s dsthost_s severity_s suppression_end_time_d dlp_unique_count_d audit_category_s app_session_id_d workspace_id_s req_cnt_d universal_connector_s logintype_s connection_id_d app_activity_s channel_id_s src_timezone_s numbytes_d conn_duration_d managementID_s dlp_is_unique_count_s dlp_mail_parent_id_s from_user_category_s policy_id_s useragent_s device_classification_s dlp_file_s dlp_rule_count_d sAMAccountName_s audit_type_s telemetry_app_s web_universal_connector_s title_s data_type_s userPrincipalName_s page_s serial_s sessionid_s smtp_to_s appsuite_s log_file_name_s dlp_parent_id_d tss_mode_s server_bytes_d client_bytes_d page_site_s loginurl_s os_version_s fromlogs_s true_obj_category_s true_obj_type_s browser_session_id_d workspace_s dlp_rule_severity_s dstport_d netskope_activity_s data_center_s dlp_incident_id_d suppression_start_time_d nsdeviceuid_s org_s src_time_s user_id_s custom_connector_s transaction_id_d user_category_s netskope_pop_s browser_version_s from_user_s referer_s 
internal_collaborator_count_d sanctioned_instance_s notify_template_s cci_s Type _ResourceId
2 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 757f3e4ac4a015c2b0a210ad API Connector alert Login Successful yes quarantine Ekos Brewmaster Cloud Storage unknown Cloud Storage 12 poor 1 ZTE - P726N FR 2 58.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118540 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 MhQiicRnBqGHFKGg 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] dummyuser1@something.com policy_ga36 2459149802892628500 Ongoing Ekos Brewmaster NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676243254 CloudApp nspolicy tempuser1@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser1@something.com tempuser1@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
3 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 75804388d4192925e022b6fc API Connector Download yes quarantine Real Time Cloud Services Cloud Storage unknown Cloud Storage 39 poor 1 ZTE - P726N NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118418 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 tUmxqyiIMHhzJCUA 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] dummyuser2@something.com policy_ga6 2459149802892628500 Ongoing Real Time Cloud Services IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 Tenant Migration across MPs 1676243244 CloudApp nspolicy tempuser2@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser2@something.com tempuser2@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
4 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 7581f4a7da63d0b04d09064c API Connector alert Edit yes Remediation Thomas Jefferson University Cloud Storage unknown Cloud Storage unknown 1 ZTE - P117A13 US 2 52.8571 Lakeside -106.9191 California 92040 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118707 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 DGSbPHjMixhisfmm 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] dummyuser3@something.com policy_ga13 2459149802892628500 Ongoing Thomas Jefferson University US 2 42.8571 Lakeside -106.9191 California 92040 5.6.7.8 Tenant Migration across MPs 1676243244 CloudApp nspolicy tempuser3@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser3@something.com tempuser3@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
5 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 7581fe8700403843dba63190 API Connector block Delete yes legal hold Shooter Suite Cloud Storage unknown Cloud Storage 12 poor 1 ZTE - NX501 FR 2 68.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118984 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 jZtpxrmvqsdCzZYJ 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] dummyuser4@something.com policy_ga42 2459149802892628500 Ongoing Shooter Suite NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676243237 CloudApp nspolicy tempuser4@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser4@something.com tempuser4@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
6 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 7585779147907c860810fedb API Connector Download yes Remediation Mainspring CMS Cloud Storage unknown Cloud Storage 3 unknown 1 Other US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119402 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 KnBBdmGDJswydJwj 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.1 [] dummyuser5@something.com policy_ga1 2459149802892628500 Ongoing Mainspring CMS NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676243221 CloudApp nspolicy tempuser5@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser5@something.com tempuser5@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
7 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 759f3259a51a7a624224edf0 API Connector alert Upload yes Malware IIJ Document Exchange service(DOX) Cloud Storage unknown Cloud Storage 66 medium 1 ZTE - P726V US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118631 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 lYQoovfPPwzfmqyc 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 11.0 [] dummyuser6@something.com policy_ga22 2459149802892628500 Ongoing IIJ Document Exchange service(DOX) DE 2 60.1188 Frankfurt am Main 18.6843 Hesse 60313 5.6.7.8 Tenant Migration across MPs 1676243206 CloudApp nspolicy tempuser6@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser6@something.com tempuser6@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
8 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 75a31fe07f16fc9cf542a2f9 API Connector Edit yes Remediation Careers Baron Cloud Storage unknown Cloud Storage unknown 1 Other US 2 52.8571 Lakeside -106.9191 California 92040 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118413 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 hZhOnmOOZArBTImy 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 8.0 [] dummyuser7@something.com policy_ga52 2459149802892628500 Ongoing Careers Baron US 2 42.8571 Lakeside -106.9191 California 92040 5.6.7.8 Tenant Migration across MPs 1676243231 CloudApp nspolicy tempuser7@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser7@something.com tempuser7@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
9 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 75a53ac9415f208c73973067 API Connector Create yes Remediation Saks Fifth Avenue Cloud Storage unknown Cloud Storage unknown 1 Other IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119235 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 hfanELTPzPegZfkz 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Windows 7.1 [] dummyuser8@something.com policy_ga47 2459149802892628500 Ongoing Saks Fifth Avenue DE 2 60.1188 Frankfurt am Main 18.6843 Hesse 60313 5.6.7.8 Tenant Migration across MPs 1676243231 CloudApp nspolicy tempuser8@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser8@something.com tempuser8@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
10 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 75a78d113b45442991dc297a API Connector alert Login Failed yes policy eLearning Platform Cloud Storage unknown Cloud Storage unknown 1 iPhone 6S IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 119028 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 XPTIggGqLKHHOgCk 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time iOS 9.6 [] dummyuser9@something.com policy_ga2 2459149802892628500 Ongoing eLearning Platform US 2 42.8571 Lakeside -106.9191 California 92040 5.6.7.8 Tenant Migration across MPs 1676243230 CloudApp nspolicy tempuser9@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser9@something.com tempuser9@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
11 abcd-cdef-ghijk RestAPI 2/22/2024, 11:39:46 AM 75a81aad3192f7f4efd32009 API Connector Edit yes Malware CareerHarmony Cloud Storage unknown Cloud Storage 2 ZTE - Grand-S FR 2 58.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 organisation_wide_link ENGLISH /My Drive/Clickhouse/Tenant Migration across MPs 118968 application/vnd.google-apps.document netskope.com netskope.com 4bf76801-95ec-aed5-5e3e-dabb5d95ca01 application/vnd.google-apps.document 1613760236 hxjrHXZHqSTzxiYx 14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg File netskope.local/Netskope/Active Users/US & International/Full Time Android 10.0 [] dummyuser10@something.com policy_ga19 2459149802892628500 Ongoing CareerHarmony NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 Tenant Migration across MPs 1676243245 CloudApp nspolicy tempuser10@something.com https://drive.google.com/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82r tempuser10@something.com tempuser10@something.com 0 0 0 0 0 0 0 0 0 0 [] 0 0 0 0 0 0 0 0 0 eventsapplicationdata_CL
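Review bot: Every row in this fixture carries `dstip_s` = `1.2.3.4` and `srcip_s` = `5.6.7.8`, which are publicly allocated addresses rather than reserved documentation space, so anyone who replays the sample into a workspace or copies a row into an analytic rule or allowlist ends up referencing real hosts; RFC 5737 TEST-NET values such as `192.0.2.10` and `198.51.100.20` give the same shape with no such risk. The user fields were clearly anonymised (`dummyuserN@something.com`, `tempuserN@something.com`), but `organization_unit_s` (`netskope.local/Netskope/Active Users/US & International/Full Time`), the `netskope.com` instance values and the Drive file ID shared by `object_id_s` and `url_s` still read like tenant data — if those were lifted from a live tenant rather than fabricated, they should be scrubbed the same way. Since CSV has no comment syntax, the anonymisation convention for these sample files is better stated once in the solution's README than left implicit in the data.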


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,timestamp_d,type_s,user_s,severity_level_d,audit_log_event_s,supporting_data_data_type_s,supporting_data_data_values_s,organization_unit_s,ur_normalized_s,count_d,_id_s,details_s,sAMAccountName_s,ccl_s,userPrincipalName_s,Type,_ResourceId
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701153779,admin_audit_logs,dummyuser@something.com,2,SSO Login Successful,user,"[""dummy.user@something.com""]",,dummyuser@something.com,1,929f6ccdd5aa9782930abd5a,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701153779,admin_audit_logs,dummyuser@something.com,2,Login Successful,user,"[""24.29.140.10"",""dummy.user@something.com""]",,dummyuser@something.com,1,cd6b9161713ccc6429fce7a4,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701249894,admin_audit_logs,dummyuser@something.com,2,Login Successful,user,"[""24.29.140.10"",""dummy.user@something.com""]",,dummyuser@something.com,1,1dae3c6bbc57bc5145de505a,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701249894,admin_audit_logs,dummyuser@something.com,2,SSO Login Successful,user,"[""dummy.user@something.com""]",,dummyuser@something.com,1,b00777d35066571f9af2e10d,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701251729,admin_audit_logs,dummyuser@something.com,2,Logout Successful,reason,"[""Logged out due to inactivity""]",,dummyuser@something.com,1,8bf54c28227c16589b35499b,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701771708,admin_audit_logs,dummyuser@something.com,2,Login Successful,user,"[""24.29.134.11"",""dummy.user@something.com""]",,dummyuser@something.com,1,2238d53ed0c735384ad60f58,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701771708,admin_audit_logs,dummyuser@something.com,2,SSO Login Successful,user,"[""dummy.user@something.com""]",,dummyuser@something.com,1,8dbc9e2fe476c6f1988d6c43,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701773590,admin_audit_logs,dummyuser@something.com,2,Logout Successful,reason,"[""Logged out due to inactivity""]",,dummyuser@something.com,1,a25ef7c8e1d7e32e6573e35c,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701843916,admin_audit_logs,dummyuser@something.com,2,SSO Login Successful,user,"[""dummy.user@something.com""]",,dummyuser@something.com,1,ad5059e4cdb488132468806c,[],,,,eventsauditdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/23/2024, 1:25:33 PM",,,1701843916,admin_audit_logs,dummyuser@something.com,2,Login Successful,user,"[""24.29.140.10"",""dummy.user@something.com""]",,dummyuser@something.com,1,c0b00d1fe9a2cd6e4f486453,[],,,,eventsauditdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData timestamp_d type_s user_s severity_level_d audit_log_event_s supporting_data_data_type_s supporting_data_data_values_s organization_unit_s ur_normalized_s count_d _id_s details_s sAMAccountName_s ccl_s userPrincipalName_s Type _ResourceId
2 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701153779 admin_audit_logs dummyuser@something.com 2 SSO Login Successful user ["dummy.user@something.com"] dummyuser@something.com 1 929f6ccdd5aa9782930abd5a [] eventsauditdata_CL
3 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701153779 admin_audit_logs dummyuser@something.com 2 Login Successful user ["24.29.140.10","dummy.user@something.com"] dummyuser@something.com 1 cd6b9161713ccc6429fce7a4 [] eventsauditdata_CL
4 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701249894 admin_audit_logs dummyuser@something.com 2 Login Successful user ["24.29.140.10","dummy.user@something.com"] dummyuser@something.com 1 1dae3c6bbc57bc5145de505a [] eventsauditdata_CL
5 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701249894 admin_audit_logs dummyuser@something.com 2 SSO Login Successful user ["dummy.user@something.com"] dummyuser@something.com 1 b00777d35066571f9af2e10d [] eventsauditdata_CL
6 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701251729 admin_audit_logs dummyuser@something.com 2 Logout Successful reason ["Logged out due to inactivity"] dummyuser@something.com 1 8bf54c28227c16589b35499b [] eventsauditdata_CL
7 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701771708 admin_audit_logs dummyuser@something.com 2 Login Successful user ["24.29.134.11","dummy.user@something.com"] dummyuser@something.com 1 2238d53ed0c735384ad60f58 [] eventsauditdata_CL
8 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701771708 admin_audit_logs dummyuser@something.com 2 SSO Login Successful user ["dummy.user@something.com"] dummyuser@something.com 1 8dbc9e2fe476c6f1988d6c43 [] eventsauditdata_CL
9 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701773590 admin_audit_logs dummyuser@something.com 2 Logout Successful reason ["Logged out due to inactivity"] dummyuser@something.com 1 a25ef7c8e1d7e32e6573e35c [] eventsauditdata_CL
10 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701843916 admin_audit_logs dummyuser@something.com 2 SSO Login Successful user ["dummy.user@something.com"] dummyuser@something.com 1 ad5059e4cdb488132468806c [] eventsauditdata_CL
11 abcd-cdef-ghijk RestAPI 2/23/2024, 1:25:33 PM 1701843916 admin_audit_logs dummyuser@something.com 2 Login Successful user ["24.29.140.10","dummy.user@something.com"] dummyuser@something.com 1 c0b00d1fe9a2cd6e4f486453 [] eventsauditdata_CL
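Review bot: The `supporting_data_data_values_s` column in this sample file carries routable public addresses (`24.29.140.10` on rows 3, 4 and 11, `24.29.134.11` on row 7), whereas the sibling sample files in this commit consistently use the `1.2.3.4` / `5.6.7.8` placeholders. Sample data checked into a public repository should not point at real address space; switching those values to an RFC 5737 documentation address such as `192.0.2.10` keeps the file consistent with the others and avoids attributing activity to a third party's network. The same user value appears both as `dummyuser@something.com` and `dummy.user@something.com` in one row, which is presumably intentional for the `ur_normalized_s` mapping, but is worth a word in the connector README if the sample is meant to illustrate normalization.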


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,suppression_end_time_d,suppression_start_time_d,_id_s,access_method_s,app_s,appcategory_s,bypass_reason_s,bypass_traffic_s,Category,cci_d,ccl_s,connection_id_d,count_d,domain_s,dst_country_s,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_timezone_s,dst_zipcode_s,dstip_s,dstport_d,incident_id_d,netskope_pop_s,organization_unit_s,other_categories_s,page_s,request_id_d,site_s,src_country_s,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_time_s,src_timezone_s,src_zipcode_s,srcip_s,ssl_decrypt_policy_s,timestamp_d,traffic_type_s,transaction_id_d,type_s,ur_normalized_s,url_s,user_s,user_generated_s,userip_s,userkey_s,Type,_ResourceId
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,418246b69e23e565bb4c1624,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,US,51.6021,Des Moines,-83.6124,Iowa,America/Chicago,50307,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.72383E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:30:08 2023,America/New_York,N/A,5.6.7.8,no,1701718217,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,463c1b2f0cdf28f5bcde842d,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,def.microsoft.com,IE,63.3379,Dublin,4.2591,Leinster,Europe/Dublin,D02,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",def.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:42:08 2023,America/New_York,N/A,5.6.7.8,no,1701718980,Web,0,connection,1.2.3.4,def.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,2cf20dcc184f1bdbb8616f32,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,mno.microsoft.com,US,39.4227,San Antonio,-88.4927,Texas,America/Chicago,78288,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",mno.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:44:08 2023,America/New_York,N/A,5.6.7.8,no,1701719097,Web,0,connection,1.2.3.4,mno.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,45ee63ea40593665bb76c1b8,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,US,47.9273,Tappahannock,-66.8545,Virginia,America/New_York,22560,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:44:08 2023,America/New_York,N/A,5.6.7.8,no,1701719099,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,34e2316c1dce6b19ea32b09b,IPSec,,Content Server,Steering Exception - Default tenant config,yes,Content Server,0,unknown,0,1,pqr.microsoft.com,US,47.23446274,Quincy,-109.8525772,Washington,America/Los_Angeles,N/A,1.2.3.4,443,0,US-LAX1,,"[""Content Server"",""All Categories""]",pqr.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719117,Web,0,connection,1.2.3.4,pqr.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,1701719120,1701719120,5628717ec407cba16d4582bc,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,US,43.4475,Phoenix,-102.0866,Arizona,America/Phoenix,85001,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719120,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,537a3b8f1441e8a086fb620c,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,JP,35.6893,Tokyo,149.6899,Tokyo,Asia/Tokyo,102-0082,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719132,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,df79ca72b027eacb14ee81c4,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,rst.microsoft.com,US,39.4227,San Antonio,-88.4927,Texas,America/Chicago,78288,1.2.3.4,443,0,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",rst.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719148,Web,0,connection,1.2.3.4,rst.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,02d86df9f75a02f20716f6a4,IPSec,,Content Server,Steering Exception - Default tenant config,yes,Content Server,0,unknown,0,1,rst.microsoft.com,US,39.4227,San Antonio,-88.4927,Texas,America/Chicago,78288,1.2.3.4,443,0,US-LAX1,,"[""Content Server"",""All Categories""]",rst.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719150,Web,0,connection,1.2.3.4,rst.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:29:41 AM",,,,,f882894ac3608aa2dece7ee5,IPSec,,Content Server,Steering Exception - Default tenant config,yes,Content Server,0,unknown,0,1,def.microsoft.com,US,57.23446274,Quincy,-109.8525772,Washington,America/Los_Angeles,N/A,1.2.3.4,443,0,US-LAX1,,"[""Content Server"",""All Categories""]",def.microsoft.com,2.72384E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:45:08 2023,America/New_York,N/A,5.6.7.8,no,1701719153,Web,0,connection,1.2.3.4,def.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,eventsconnectiondata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData suppression_end_time_d suppression_start_time_d _id_s access_method_s app_s appcategory_s bypass_reason_s bypass_traffic_s Category cci_d ccl_s connection_id_d count_d domain_s dst_country_s dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_timezone_s dst_zipcode_s dstip_s dstport_d incident_id_d netskope_pop_s organization_unit_s other_categories_s page_s request_id_d site_s src_country_s src_latitude_d src_location_s src_longitude_d src_region_s src_time_s src_timezone_s src_zipcode_s srcip_s ssl_decrypt_policy_s timestamp_d traffic_type_s transaction_id_d type_s ur_normalized_s url_s user_s user_generated_s userip_s userkey_s Type _ResourceId
2 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 418246b69e23e565bb4c1624 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com US 51.6021 Des Moines -83.6124 Iowa America/Chicago 50307 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.72383E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:30:08 2023 America/New_York N/A 5.6.7.8 no 1701718217 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
3 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 463c1b2f0cdf28f5bcde842d IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 def.microsoft.com IE 63.3379 Dublin 4.2591 Leinster Europe/Dublin D02 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] def.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:42:08 2023 America/New_York N/A 5.6.7.8 no 1701718980 Web 0 connection 1.2.3.4 def.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
4 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 2cf20dcc184f1bdbb8616f32 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 mno.microsoft.com US 39.4227 San Antonio -88.4927 Texas America/Chicago 78288 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] mno.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:44:08 2023 America/New_York N/A 5.6.7.8 no 1701719097 Web 0 connection 1.2.3.4 mno.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
5 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 45ee63ea40593665bb76c1b8 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com US 47.9273 Tappahannock -66.8545 Virginia America/New_York 22560 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:44:08 2023 America/New_York N/A 5.6.7.8 no 1701719099 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
6 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 34e2316c1dce6b19ea32b09b IPSec Content Server Steering Exception - Default tenant config yes Content Server 0 unknown 0 1 pqr.microsoft.com US 47.23446274 Quincy -109.8525772 Washington America/Los_Angeles N/A 1.2.3.4 443 0 US-LAX1 ["Content Server","All Categories"] pqr.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719117 Web 0 connection 1.2.3.4 pqr.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
7 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 1701719120 1701719120 5628717ec407cba16d4582bc IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com US 43.4475 Phoenix -102.0866 Arizona America/Phoenix 85001 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719120 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
8 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 537a3b8f1441e8a086fb620c IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com JP 35.6893 Tokyo 149.6899 Tokyo Asia/Tokyo 102-0082 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719132 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
9 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM df79ca72b027eacb14ee81c4 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 rst.microsoft.com US 39.4227 San Antonio -88.4927 Texas America/Chicago 78288 1.2.3.4 443 0 US-LAX1 ["Technology","All Categories","Business"] rst.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719148 Web 0 connection 1.2.3.4 rst.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
10 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM 02d86df9f75a02f20716f6a4 IPSec Content Server Steering Exception - Default tenant config yes Content Server 0 unknown 0 1 rst.microsoft.com US 39.4227 San Antonio -88.4927 Texas America/Chicago 78288 1.2.3.4 443 0 US-LAX1 ["Content Server","All Categories"] rst.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719150 Web 0 connection 1.2.3.4 rst.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
11 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:29:41 AM f882894ac3608aa2dece7ee5 IPSec Content Server Steering Exception - Default tenant config yes Content Server 0 unknown 0 1 def.microsoft.com US 57.23446274 Quincy -109.8525772 Washington America/Los_Angeles N/A 1.2.3.4 443 0 US-LAX1 ["Content Server","All Categories"] def.microsoft.com 2.72384E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:45:08 2023 America/New_York N/A 5.6.7.8 no 1701719153 Web 0 connection 1.2.3.4 def.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 eventsconnectiondata_CL
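Review bot: The `request_id_d` column holds values such as `2.72383E+18` and `2.72384E+18`, which is a spreadsheet export of a 64-bit identifier rounded to six significant digits, so every row in this sample shares one of two identical ids and the field no longer uniquely identifies a request. If the sample is intended for testing parsers or KQL joins on `request_id_d`, the ids should be written out in full as integers (or as strings if the ingestion path cannot preserve 64-bit precision). Timestamps in `TimeGenerated [UTC]` are in locale form (`2/29/2024, 8:29:41 AM`) while `timestamp_d` is epoch seconds; a short note in the accompanying documentation on which one consumers should key on would help.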


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,acting_user_s,activity_s,app_s,app_session_id_d,assignee_s,connection_id_d,dlp_incident_id_d,dlp_match_info_s,dlp_parent_id_d,dst_location_s,file_lang_s,file_size_d,file_type_s,md5_g,object_id_s,object_type_s,severity_s,site_s,src_location_s,status_s,timestamp_d,title_s,true_obj_category_s,true_obj_type_s,url_s,user_s,referer_s,user_id_s,object_s,instance_id_s,from_user_s,to_user_s,channel_s,zip_file_id_s,destination_instance_id_s,instance_s,bcc_s,cc_s,inline_dlp_match_info_s,owner_s,original_file_snapshot_id_s,dlp_file_s,owner_pdl_s,destination_site_s,latest_incident_id_d,classification_s,destination_app_s,file_path_s,exposure_s,Type,_ResourceId
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,1657c5566973139b27357a8e23cf3a8703c4bca68ce210595e62a5dbdce7631c,Client,dummyuser@something.com,Download,Microsoft OneDrive,3.48391E+18,None,2.76243E+18,8.37325E+17,"[{""dlp_action"":""allow"",""dlp_forensic_id"":837363834,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""allow"",""dlp_forensic_id"":8373664663834,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",8.37325E+17,Redmond,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,File,Critical,Microsoft OneDrive,San Diego,new,1703111543,hash_gjenkins@netskope.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,Text,Plain Text file,ahokbw.sn.files.1drv.com/y4pc8aBlHkeYewYjiXtXi8MYtOs86JJQqo7vg06SX0nKC7Vs3fzqIm5HZ1tF9qKUEmxwCvk-giW-jamW9OmRBUBUbc6nKoArJT-sTdqHY0MSqbenjH6MMv-Vq9TuwHYk34oEgAp3KBd_iy9PlNlQnH5Q5s8Kyirfb4J_uHfMJb74q5dVjeiVOiTvm6Bg1in49q-2xYBGMcsgjhJDHfTFC8-FayiqnePYKvvK2UOvOA,dummyuser@something.com,,,,,,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,07c703cd9b3e2185d00aa66c59e7b600ba0f4b8980307edaac2b9a4a322939eb,Client,dummyuser@something.com,Download,Microsoft OneDrive,3.48391E+18,None,2.76243E+18,4.23314E+18,"[{""dlp_action"":""alert"",""dlp_forensic_id"":8373664663834,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":8373664663834,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",4.23314E+18,Redmond,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,File,Critical,Microsoft OneDrive,San Diego,new,1703111613,credit_cards.12.db,Text,Plain Text file,ahokbw.sn.files.1drv.com/y4pjpgKTqpQltjYaPUVp8c4C7k1RPR1Ijs-eXlAB_BFH3Q8q0wANMEsWuGk5OB2MrAexKOYas2VLGzl-DRmyayHFQXeVXJlS1ggc-PMzlmVRMWdTSzFI5SjNfTU2xMf-MvDOgrJ9W5H5RMnE1tpvWID3sI6OG_6pjRVspm4ugkYPDFSx9H4R-FrsalyUD29u698OVdP929_uQdf9zgpu5Xm5UYQXny6kTuf0MlRGS,dummyuser@something.com,,,credit_cards.12.db,,,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,8b7aa008de61e24da95355c3e53055eea363b198283a340a53356181b5a86d08,Client,dummyuser@something.com,Upload,Google Drive,6.24615E+18,None,6.93129E+18,4.76285E+18,"[{""dlp_action"":""allow"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""allow"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",4.76285E+18,Mountain View,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,ABPtcPp7R6hGPyJjysOA-xZ0xzk-lJSjnNOrGJpPdoFiMQlwDXVL5XPe6M57sY4gy9y78-8L0bmRvA_3wTFxozAhwhTrueDsnTKs,File,Critical,Google Drive,San Diego,new,1703111565,credit_cards.12 (1).db,Text,Plain Text file,clients6.google.com/upload/drive/v2internal/fi,dummyuser@something.com,https://drive.google.com/,,credit_cards.12 (1).db,netskope.com,dummyuser@something.com,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,c101104c6f9c6b48486e481e982297c0d6626df5d98a445dee0c6f25f6803bfb,Client,dummyuser@something.com,Upload,Google Drive,6.24615E+18,None,6.93129E+18,7.95493E+18,"[{""dlp_action"":""alert"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",7.95493E+18,Mountain View,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,ABPtcPppbs0axNl5iJ-FXOBiMlONyKsUgfZ1MavsXJtUJNmJ6s1NUgY0YQsSHZfM6o5J3DZGaPWEe1-EPoXxwh4-uXFUw0OWD_Gm,File,Critical,Google Drive,San Diego,new,1703111625,credit_cards.13 (1).db,Text,Plain Text file,clients6.google.com/upload/drive/v2internal/fi,dummyuser@something.com,https://drive.google.com/,,credit_cards.13 (1).db,netskope.com,dummyuser@something.com,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,3079ce48fb36a4f8a8f2a85f9d5ddaac87e7d30ab33824bca369a6302ddd74fb,Client,dummyuser@something.com,Download,Microsoft OneDrive,3.48391E+18,None,2.76243E+18,6.15217E+18,"[{""dlp_action"":""alert"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":47620006381054,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",6.15217E+18,Redmond,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,File,Critical,Microsoft OneDrive,San Diego,new,1703111628,credit_cards.13.db,Text,Plain Text file,ahokbw.sn.files.1drv.com/y4p30HeUJd_wDXWVeT5vlWZSu9zu5eU4PFiO7rIt6wtcrWlZayLQsBjxzX1Z_48xpYMflqHMcEjWG3Df2PbOuJIyC2djQo0OYT3-m0-0ZC7a4oVAJjZ8JNddhHXCgIfzc_ZnlCCUrjFzVJ2Z0_WW6TU_GpkOiJlHo0TzWmEJ4KeR_Xq_dSN-pYYtHuhb5GUrzQ_zN8qG31XFSommi2IywJp0bxc5psj5-OtVHKP6Z,dummyuser@something.com,,,credit_cards.13.db,,,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,d50d5fbe80a9a4699e9d3913a28177059b6cfc6cc0a903716366233f731538e5,Client,dummyuser@something.com,Download,Microsoft OneDrive,3.48391E+18,None,2.76243E+18,7.00195E+18,"[{""dlp_action"":""allow"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""allow"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",7.00195E+18,Redmond,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,File,Critical,Microsoft OneDrive,San Diego,new,1703111578,credit_cards.12.db,Text,Plain Text file,ahokbw.sn.files.1drv.com/y4pjlAr69yFu6cFDL27CPPQ2sTHkuvRfPt4pTUKZEKIA2WP5PyF2qY0oqQg2l1xA1IIaYFhWX5gWBQqs1GxS7BMQZ9QN2nBD1ZYanduxSqwAyXb01kdrznVFy0Um-IAi_7siD5L1Ixfe0lpEMeb-VGWADvSRjP97N2y2u212_frBnx8_0v_ytCaXqATNZUB5KRhcyULxTrwPIlxt5Gn6sbmLfPY07N3YezUgq90Lgi,dummyuser@something.com,,,credit_cards.12.db,,,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,eb6b4498a5d6996c9e99fa2ff3e9bb46228334b1818776e6ca3f2caa3fefafd7,Client,dummyuser@something.com,Upload,Google Drive,6.24615E+18,None,6.93129E+18,3.88471E+18,"[{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",3.88471E+18,Mountain View,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,ABPtcPoZ1rvOEANdhvvx_dXcRn_Z6T-9s2ad0Vk2Shwp9up7mOHMax1YpccDlTcbbhKwTmxqeaOAv_CwMBpZ38GSFMjFWw,File,Critical,Google Drive,San Diego,new,1703111640,credit_cards.13.db,Text,Plain Text file,clients6.google.com/upload/drive/v2internal/fi,dummyuser@something.com,https://drive.google.com/,,credit_cards.13.db,netskope.com,dummyuser@something.com,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,96f5049032fbec94d9292b828402d250d97a41c827f006601088c915e8d96f71,Client,dummyuser@something.com,Download,Microsoft OneDrive,3.48391E+18,None,2.76243E+18,1.38264E+17,"[{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",1.38264E+17,Redmond,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d,File,Critical,Microsoft OneDrive,San Diego,new,1703111643,credit_cards.13.db,Text,Plain Text file,ahokbw.sn.files.1drv.com/y4pBjWOfrko0wozG7PtpqexAbIQbk6HvfqD-rTeEoQiySV0aTnACx-8vtQ71n9JjmjqyAk-UFClmFcz7OmsMX0VCcQ0PGK1uE_9ijL43LJddzJSVFwnDNVmCTCp0eQOotDVVKO2PPI2Inrvfhr_gaMtlmEgg5BKS3xBUEZW7RIHqndfjcAXqqmZVchyNG2HDheNBLxQXojvR4EokTRx5rfuCl_PRTmaIfLWd5vcgXg,dummyuser@something.com,,,credit_cards.13.db,,,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,2cde132f75ab726c31918bb54e8c462711dd6421610c4c2c39f2fee51772944d,Client,dummyuser@something.com,Upload,Google Drive,6.24615E+18,None,6.93129E+18,1.99242E+18,"[{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""alert"",""dlp_forensic_id"":70028303988805,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",1.99242E+18,Mountain View,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,ABPtcPrnHwqXnmEPAghIFRNUo2csB5FYdIPwpGVy5JclMsSV9CVkfjGyeT4YoiCXTzJS1tInGYYqzwbU8oLfXmJkALG_tMudkY8f,File,Critical,Google Drive,San Diego,new,1703111654,credit_cards.14 (1).db,Text,Plain Text file,clients6.google.com/upload/drive/v2internal/fi,dummyuser@something.com,https://drive.google.com/,,credit_cards.14 (1).db,netskope.com,dummyuser@something.com,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/29/2024, 7:55:29 AM",,,cdf3eb46f5c275efc933b6ffb4a86aa75a84fb0084451cc7594f9eeb7c0b94f2,Client,dummyuser@something.com,Upload,Google Drive,6.24615E+18,None,6.93129E+18,4.2666E+17,"[{""dlp_action"":""allow"",""dlp_forensic_id"":4266462058463,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""Payment Card Industry Data Security Standard. PCI-DSS"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":14375,""numbers/payment_card_numbers/major"":14375,""persons/proper_names/int/full"":14375},""dlp_incident_rule_count"":14375,""dlp_rule_name"":""INTL-PAN-Name"",""dlp_rule_score"":44563,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]},{""dlp_action"":""allow"",""dlp_forensic_id"":4266462058463,""dlp_policy"":""DLP PCI Alert"",""dlp_profile_name"":""DLP-PCI"",""dlp_rules"":[{""dlp_data_identifiers"":{""numbers/payment_card_number_terms/eng"":179687,""numbers/payment_card_numbers/major"":179687,""persons/proper_names/us/last"":179687},""dlp_incident_rule_count"":179687,""dlp_rule_name"":""Name-Credit Card (CC)"",""dlp_rule_score"":556311,""dlp_rule_severity"":""Critical"",""is_unique_count"":false,""weighted"":false}]}]",4.2666E+17,Mountain View,ENGLISH,10256549,text/plain,2f6df996-9215-d9eb-4d26-6dd636337da7,ABPtcPpfvmvFyf31n-OvjtDoCzbyhDeKTC_aVG3rJ3gLqLqdP9CFqIqTxlHT7r0P_P6Ew8FsgwPISOSxO8p-ALfy6vROlgQxs9Pi,File,Critical,Google Drive,San Diego,new,1703111600,credit_cards.12.db,Text,Plain Text file,clients6.google.com/upload/drive/v2internal/fi,dummyuser@something.com,https://drive.google.com/,,credit_cards.12.db,netskope.com,dummyuser@something.com,,,,,,,,[],,,,,,0,,,,,eventsincidentdata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s acting_user_s activity_s app_s app_session_id_d assignee_s connection_id_d dlp_incident_id_d dlp_match_info_s dlp_parent_id_d dst_location_s file_lang_s file_size_d file_type_s md5_g object_id_s object_type_s severity_s site_s src_location_s status_s timestamp_d title_s true_obj_category_s true_obj_type_s url_s user_s referer_s user_id_s object_s instance_id_s from_user_s to_user_s channel_s zip_file_id_s destination_instance_id_s instance_s bcc_s cc_s inline_dlp_match_info_s owner_s original_file_snapshot_id_s dlp_file_s owner_pdl_s destination_site_s latest_incident_id_d classification_s destination_app_s file_path_s exposure_s Type _ResourceId
2 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 1657c5566973139b27357a8e23cf3a8703c4bca68ce210595e62a5dbdce7631c Client dummyuser@something.com Download Microsoft OneDrive 3.48391E+18 None 2.76243E+18 8.37325E+17 [{"dlp_action":"allow","dlp_forensic_id":837363834,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"allow","dlp_forensic_id":8373664663834,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 8.37325E+17 Redmond ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d File Critical Microsoft OneDrive San Diego new 1703111543 hash_gjenkins@netskope.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d Text Plain Text file ahokbw.sn.files.1drv.com/y4pc8aBlHkeYewYjiXtXi8MYtOs86JJQqo7vg06SX0nKC7Vs3fzqIm5HZ1tF9qKUEmxwCvk-giW-jamW9OmRBUBUbc6nKoArJT-sTdqHY0MSqbenjH6MMv-Vq9TuwHYk34oEgAp3KBd_iy9PlNlQnH5Q5s8Kyirfb4J_uHfMJb74q5dVjeiVOiTvm6Bg1in49q-2xYBGMcsgjhJDHfTFC8-FayiqnePYKvvK2UOvOA dummyuser@something.com [] 0 eventsincidentdata_CL
3 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 07c703cd9b3e2185d00aa66c59e7b600ba0f4b8980307edaac2b9a4a322939eb Client dummyuser@something.com Download Microsoft OneDrive 3.48391E+18 None 2.76243E+18 4.23314E+18 [{"dlp_action":"alert","dlp_forensic_id":8373664663834,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":8373664663834,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 4.23314E+18 Redmond ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d File Critical Microsoft OneDrive San Diego new 1703111613 credit_cards.12.db Text Plain Text file ahokbw.sn.files.1drv.com/y4pjpgKTqpQltjYaPUVp8c4C7k1RPR1Ijs-eXlAB_BFH3Q8q0wANMEsWuGk5OB2MrAexKOYas2VLGzl-DRmyayHFQXeVXJlS1ggc-PMzlmVRMWdTSzFI5SjNfTU2xMf-MvDOgrJ9W5H5RMnE1tpvWID3sI6OG_6pjRVspm4ugkYPDFSx9H4R-FrsalyUD29u698OVdP929_uQdf9zgpu5Xm5UYQXny6kTuf0MlRGS dummyuser@something.com credit_cards.12.db [] 0 eventsincidentdata_CL
4 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 8b7aa008de61e24da95355c3e53055eea363b198283a340a53356181b5a86d08 Client dummyuser@something.com Upload Google Drive 6.24615E+18 None 6.93129E+18 4.76285E+18 [{"dlp_action":"allow","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"allow","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 4.76285E+18 Mountain View ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 ABPtcPp7R6hGPyJjysOA-xZ0xzk-lJSjnNOrGJpPdoFiMQlwDXVL5XPe6M57sY4gy9y78-8L0bmRvA_3wTFxozAhwhTrueDsnTKs File Critical Google Drive San Diego new 1703111565 credit_cards.12 (1).db Text Plain Text file clients6.google.com/upload/drive/v2internal/fi dummyuser@something.com https://drive.google.com/ credit_cards.12 (1).db netskope.com dummyuser@something.com [] 0 eventsincidentdata_CL
5 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM c101104c6f9c6b48486e481e982297c0d6626df5d98a445dee0c6f25f6803bfb Client dummyuser@something.com Upload Google Drive 6.24615E+18 None 6.93129E+18 7.95493E+18 [{"dlp_action":"alert","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 7.95493E+18 Mountain View ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 ABPtcPppbs0axNl5iJ-FXOBiMlONyKsUgfZ1MavsXJtUJNmJ6s1NUgY0YQsSHZfM6o5J3DZGaPWEe1-EPoXxwh4-uXFUw0OWD_Gm File Critical Google Drive San Diego new 1703111625 credit_cards.13 (1).db Text Plain Text file clients6.google.com/upload/drive/v2internal/fi dummyuser@something.com https://drive.google.com/ credit_cards.13 (1).db netskope.com dummyuser@something.com [] 0 eventsincidentdata_CL
6 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 3079ce48fb36a4f8a8f2a85f9d5ddaac87e7d30ab33824bca369a6302ddd74fb Client dummyuser@something.com Download Microsoft OneDrive 3.48391E+18 None 2.76243E+18 6.15217E+18 [{"dlp_action":"alert","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":47620006381054,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 6.15217E+18 Redmond ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d File Critical Microsoft OneDrive San Diego new 1703111628 credit_cards.13.db Text Plain Text file ahokbw.sn.files.1drv.com/y4p30HeUJd_wDXWVeT5vlWZSu9zu5eU4PFiO7rIt6wtcrWlZayLQsBjxzX1Z_48xpYMflqHMcEjWG3Df2PbOuJIyC2djQo0OYT3-m0-0ZC7a4oVAJjZ8JNddhHXCgIfzc_ZnlCCUrjFzVJ2Z0_WW6TU_GpkOiJlHo0TzWmEJ4KeR_Xq_dSN-pYYtHuhb5GUrzQ_zN8qG31XFSommi2IywJp0bxc5psj5-OtVHKP6Z dummyuser@something.com credit_cards.13.db [] 0 eventsincidentdata_CL
7 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM d50d5fbe80a9a4699e9d3913a28177059b6cfc6cc0a903716366233f731538e5 Client dummyuser@something.com Download Microsoft OneDrive 3.48391E+18 None 2.76243E+18 7.00195E+18 [{"dlp_action":"allow","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"allow","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 7.00195E+18 Redmond ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d File Critical Microsoft OneDrive San Diego new 1703111578 credit_cards.12.db Text Plain Text file ahokbw.sn.files.1drv.com/y4pjlAr69yFu6cFDL27CPPQ2sTHkuvRfPt4pTUKZEKIA2WP5PyF2qY0oqQg2l1xA1IIaYFhWX5gWBQqs1GxS7BMQZ9QN2nBD1ZYanduxSqwAyXb01kdrznVFy0Um-IAi_7siD5L1Ixfe0lpEMeb-VGWADvSRjP97N2y2u212_frBnx8_0v_ytCaXqATNZUB5KRhcyULxTrwPIlxt5Gn6sbmLfPY07N3YezUgq90Lgi dummyuser@something.com credit_cards.12.db [] 0 eventsincidentdata_CL
8 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM eb6b4498a5d6996c9e99fa2ff3e9bb46228334b1818776e6ca3f2caa3fefafd7 Client dummyuser@something.com Upload Google Drive 6.24615E+18 None 6.93129E+18 3.88471E+18 [{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 3.88471E+18 Mountain View ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 ABPtcPoZ1rvOEANdhvvx_dXcRn_Z6T-9s2ad0Vk2Shwp9up7mOHMax1YpccDlTcbbhKwTmxqeaOAv_CwMBpZ38GSFMjFWw File Critical Google Drive San Diego new 1703111640 credit_cards.13.db Text Plain Text file clients6.google.com/upload/drive/v2internal/fi dummyuser@something.com https://drive.google.com/ credit_cards.13.db netskope.com dummyuser@something.com [] 0 eventsincidentdata_CL
9 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 96f5049032fbec94d9292b828402d250d97a41c827f006601088c915e8d96f71 Client dummyuser@something.com Download Microsoft OneDrive 3.48391E+18 None 2.76243E+18 1.38264E+17 [{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 1.38264E+17 Redmond ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 hash_dummy@something.com_2f6df9969215d9eb4d266dd636337da7_1629a7e222524c487c6d8b1dba7f4f98b3d1557d File Critical Microsoft OneDrive San Diego new 1703111643 credit_cards.13.db Text Plain Text file ahokbw.sn.files.1drv.com/y4pBjWOfrko0wozG7PtpqexAbIQbk6HvfqD-rTeEoQiySV0aTnACx-8vtQ71n9JjmjqyAk-UFClmFcz7OmsMX0VCcQ0PGK1uE_9ijL43LJddzJSVFwnDNVmCTCp0eQOotDVVKO2PPI2Inrvfhr_gaMtlmEgg5BKS3xBUEZW7RIHqndfjcAXqqmZVchyNG2HDheNBLxQXojvR4EokTRx5rfuCl_PRTmaIfLWd5vcgXg dummyuser@something.com credit_cards.13.db [] 0 eventsincidentdata_CL
10 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM 2cde132f75ab726c31918bb54e8c462711dd6421610c4c2c39f2fee51772944d Client dummyuser@something.com Upload Google Drive 6.24615E+18 None 6.93129E+18 1.99242E+18 [{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"alert","dlp_forensic_id":70028303988805,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 1.99242E+18 Mountain View ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 ABPtcPrnHwqXnmEPAghIFRNUo2csB5FYdIPwpGVy5JclMsSV9CVkfjGyeT4YoiCXTzJS1tInGYYqzwbU8oLfXmJkALG_tMudkY8f File Critical Google Drive San Diego new 1703111654 credit_cards.14 (1).db Text Plain Text file clients6.google.com/upload/drive/v2internal/fi dummyuser@something.com https://drive.google.com/ credit_cards.14 (1).db netskope.com dummyuser@something.com [] 0 eventsincidentdata_CL
11 abcd-cdef-ghijk RestAPI 2/29/2024, 7:55:29 AM cdf3eb46f5c275efc933b6ffb4a86aa75a84fb0084451cc7594f9eeb7c0b94f2 Client dummyuser@something.com Upload Google Drive 6.24615E+18 None 6.93129E+18 4.2666E+17 [{"dlp_action":"allow","dlp_forensic_id":4266462058463,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"Payment Card Industry Data Security Standard. PCI-DSS","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":14375,"numbers/payment_card_numbers/major":14375,"persons/proper_names/int/full":14375},"dlp_incident_rule_count":14375,"dlp_rule_name":"INTL-PAN-Name","dlp_rule_score":44563,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]},{"dlp_action":"allow","dlp_forensic_id":4266462058463,"dlp_policy":"DLP PCI Alert","dlp_profile_name":"DLP-PCI","dlp_rules":[{"dlp_data_identifiers":{"numbers/payment_card_number_terms/eng":179687,"numbers/payment_card_numbers/major":179687,"persons/proper_names/us/last":179687},"dlp_incident_rule_count":179687,"dlp_rule_name":"Name-Credit Card (CC)","dlp_rule_score":556311,"dlp_rule_severity":"Critical","is_unique_count":false,"weighted":false}]}] 4.2666E+17 Mountain View ENGLISH 10256549 text/plain 2f6df996-9215-d9eb-4d26-6dd636337da7 ABPtcPpfvmvFyf31n-OvjtDoCzbyhDeKTC_aVG3rJ3gLqLqdP9CFqIqTxlHT7r0P_P6Ew8FsgwPISOSxO8p-ALfy6vROlgQxs9Pi File Critical Google Drive San Diego new 1703111600 credit_cards.12.db Text Plain Text file clients6.google.com/upload/drive/v2internal/fi dummyuser@something.com https://drive.google.com/ credit_cards.12.db netskope.com dummyuser@something.com [] 0 eventsincidentdata_CL


@ -0,0 +1,33 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,action_s,app_s,appcategory_s,Category,cci_d,ccl_s,client_bytes_d,client_packets_d,count_d,device_s,dst_country_s,dst_geoip_src_d,dst_latitude_d,dst_location_s,dst_longitude_d,dst_region_s,dst_zipcode_s,dstip_s,dstport_d,ip_protocol_s,numbytes_d,organization_unit_s,os_s,os_version_s,policy_s,protocol_s,publisher_name_s,server_bytes_d,server_packets_d,session_duration_d,site_s,src_country_s,src_geoip_src_d,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_zipcode_s,srcip_s,srcport_d,timestamp_d,total_packets_d,traffic_type_s,tunnel_id_s,tunnel_type_s,tunnel_up_time_d,type_s,ur_normalized_s,user_s,userip_s,userkey_s,dsthost_s,hostname_s,domain_s,network_session_id_s,publisher_cn_s,start_time_s,num_sessions_d,end_time_s,sAMAccountName_s,protocol_port_s,userPrincipalName_s,flow_status_s,cci_s,Type,_ResourceId
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f978b254a7a01303cf0660dc,Client,allow,Google Cloud (gsutil),n/a,n/a,,,8774,73,1,Mobile device,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,80,TCP,4446,,iOS,9.6,policy_ga36,Http,,39230,416,97,Google Cloud (gsutil),NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,16,1676243521,128,PrivateApp,1840938105,NPA,93,network,dummyuser1@something.com,dummyuser1@something.com,1.1.1.1,dummyuser1@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f97ec59f6c3dd6cc3d94c432,Client,block,Box,Cloud Storage,Cloud Storage,82,high,8529,70,1,Windows device,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,80,TCP,4637,,Windows,7,policy_ga33,Http,,43627,590,119,Box,US,2,42.8571,Lakeside,-106.9191,California,92040,5.6.7.8,16,1676243505,128,PrivateApp,1840938936,NPA,101,network,dummyuser2@something.com,dummyuser2@something.com,1.1.1.1,dummyuser2@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f97ee5ff0561aecefc1408e6,Client,allow,Karl Marc John,Shopping,Shopping,,unknown,8176,102,1,Mobile device,US,2,42.8571,Lakeside,-106.9191,California,92040,1.2.3.4,80,TCP,4104,,iOS,11.1,policy_ga21,Http,,33346,388,53,Karl Marc John,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,16,1676243520,128,PrivateApp,1840938082,NPA,75,network,dummyuser3@something.com,dummyuser3@something.com,1.1.1.1,dummyuser3@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f9826fad2bfe1ccd68856c9f,Client,allow,LucenaResearch,Business Intelligence and Data Analytics,Business Intelligence and Data Analytics,,unknown,8190,102,1,Windows device,US,2,42.8571,Lakeside,-106.9191,California,92040,1.2.3.4,80,TCP,4155,,Windows,7.1,policy_ga51,Http,,17582,613,102,LucenaResearch,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,16,1676243516,128,PrivateApp,1840938902,NPA,95,network,dummyuser4@something.com,dummyuser4@something.com,1.1.1.1,dummyuser4@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f985b767eca72973bfec82ce,Client,block,Winona State University,Education,Education,,unknown,8752,101,1,Mobile device,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,80,TCP,4530,,Android,10,policy_ga51,Http,,26521,652,55,Winona State University,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,16,1676243524,128,PrivateApp,1840938168,NPA,87,network,dummyuser5@something.com,dummyuser5@something.com,1.1.1.1,dummyuser5@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f98acd92fb9a40972bb53f0f,Client,block,Visma Proceedo,Enterprise Resource Planning,Enterprise Resource Planning,,unknown,8139,92,1,Windows device,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,1.2.3.4,80,TCP,4233,,Windows,7,policy_ga35,Http,,28998,698,87,Visma Proceedo,FR,2,58.8323,Paris,12.4075,Île-de-France,75015,5.6.7.8,16,1676243500,128,PrivateApp,1840938216,NPA,100,network,dummyuser6@something.com,dummyuser6@something.com,1.1.1.1,dummyuser6@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f9909d03e1127939b0ea6a15,Client,allow,Sogang University,Education,Education,,unknown,8517,77,1,Mobile device,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,80,TCP,4101,,Android,10,policy_ga22,Http,,10236,684,98,Sogang University,US,2,42.8571,Lakeside,-106.9191,California,92040,5.6.7.8,16,1676243510,128,PrivateApp,1840938838,NPA,106,network,dummyuser7@something.com,dummyuser7@something.com,1.1.1.1,dummyuser7@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f991280ad3e40573f67de9ca,Client,allow,SeeMyMachines,Business Intelligence and Data Analytics,Business Intelligence and Data Analytics,17,poor,8159,76,1,Mobile device,US,2,55.8234,Boardman,-109.7257,Oregon,97818,1.2.3.4,80,TCP,4163,,Android,11,policy_ga18,Http,,12983,335,121,SeeMyMachines,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,16,1676243530,128,PrivateApp,1840938237,NPA,101,network,dummyuser8@something.com,dummyuser8@something.com,1.1.1.1,dummyuser8@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f9924a410735239d8c8064ac,Client,block,Amazing Charts EHR,Business Process Management,Business Process Management,27,poor,8697,105,1,Windows device,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,1.2.3.4,80,TCP,4383,,Windows,10,policy_ga20,Http,,7731,64,92,Amazing Charts EHR,IN,2,29.0748,Mumbai,82.8856,Maharashtra,400072,5.6.7.8,16,1676243521,128,PrivateApp,1840938144,NPA,90,network,dummyuser9@something.com,dummyuser9@something.com,1.1.1.1,dummyuser9@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,RestAPI,,,"2/16/2024, 1:56:26 PM",,,f996c9348586288466585699,Client,allow,University of Arkansas Grantham,Education,Education,,unknown,8240,116,1,Windows device,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,1.2.3.4,80,TCP,4259,,Windows,7,policy_ga36,Http,,22963,52,85,University of Arkansas Grantham,NL,2,62.3759,Amsterdam,14.8975,North Holland,1012,5.6.7.8,16,1676243524,128,PrivateApp,1840938855,NPA,79,network,dummyuser10@something.com,dummyuser10@something.com,1.1.1.1,dummyuser10@something.com,,,,,,,0,,,,,,,eventsnetworkdata_CL,
abcd-cdef-ghijk,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,dstip_s,,dst_latitude,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,srcip_s,,dst_longitude,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,userip,,dstport,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,ur_normalized,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,user,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,src_latitude,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,src_longitude,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,srcport,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,userkey,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s action_s app_s appcategory_s Category cci_d ccl_s client_bytes_d client_packets_d count_d device_s dst_country_s dst_geoip_src_d dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_zipcode_s dstip_s dstport_d ip_protocol_s numbytes_d organization_unit_s os_s os_version_s policy_s protocol_s publisher_name_s server_bytes_d server_packets_d session_duration_d site_s src_country_s src_geoip_src_d src_latitude_d src_location_s src_longitude_d src_region_s src_zipcode_s srcip_s srcport_d timestamp_d total_packets_d traffic_type_s tunnel_id_s tunnel_type_s tunnel_up_time_d type_s ur_normalized_s user_s userip_s userkey_s dsthost_s hostname_s domain_s network_session_id_s publisher_cn_s start_time_s num_sessions_d end_time_s sAMAccountName_s protocol_port_s userPrincipalName_s flow_status_s cci_s Type _ResourceId
2 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f978b254a7a01303cf0660dc Client allow Google Cloud (gsutil) n/a n/a 8774 73 1 Mobile device FR 2 58.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 80 TCP 4446 iOS 9.6 policy_ga36 Http 39230 416 97 Google Cloud (gsutil) NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 16 1676243521 128 PrivateApp 1840938105 NPA 93 network dummyuser1@something.com dummyuser1@something.com 1.1.1.1 dummyuser1@something.com 0 eventsnetworkdata_CL
3 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f97ec59f6c3dd6cc3d94c432 Client block Box Cloud Storage Cloud Storage 82 high 8529 70 1 Windows device US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 80 TCP 4637 Windows 7 policy_ga33 Http 43627 590 119 Box US 2 42.8571 Lakeside -106.9191 California 92040 5.6.7.8 16 1676243505 128 PrivateApp 1840938936 NPA 101 network dummyuser2@something.com dummyuser2@something.com 1.1.1.1 dummyuser2@something.com 0 eventsnetworkdata_CL
4 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f97ee5ff0561aecefc1408e6 Client allow Karl Marc John Shopping Shopping unknown 8176 102 1 Mobile device US 2 42.8571 Lakeside -106.9191 California 92040 1.2.3.4 80 TCP 4104 iOS 11.1 policy_ga21 Http 33346 388 53 Karl Marc John IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 16 1676243520 128 PrivateApp 1840938082 NPA 75 network dummyuser3@something.com dummyuser3@something.com 1.1.1.1 dummyuser3@something.com 0 eventsnetworkdata_CL
5 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f9826fad2bfe1ccd68856c9f Client allow LucenaResearch Business Intelligence and Data Analytics Business Intelligence and Data Analytics unknown 8190 102 1 Windows device US 2 42.8571 Lakeside -106.9191 California 92040 1.2.3.4 80 TCP 4155 Windows 7.1 policy_ga51 Http 17582 613 102 LucenaResearch IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 16 1676243516 128 PrivateApp 1840938902 NPA 95 network dummyuser4@something.com dummyuser4@something.com 1.1.1.1 dummyuser4@something.com 0 eventsnetworkdata_CL
6 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f985b767eca72973bfec82ce Client block Winona State University Education Education unknown 8752 101 1 Mobile device NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 80 TCP 4530 Android 10 policy_ga51 Http 26521 652 55 Winona State University IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 16 1676243524 128 PrivateApp 1840938168 NPA 87 network dummyuser5@something.com dummyuser5@something.com 1.1.1.1 dummyuser5@something.com 0 eventsnetworkdata_CL
7 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f98acd92fb9a40972bb53f0f Client block Visma Proceedo Enterprise Resource Planning Enterprise Resource Planning unknown 8139 92 1 Windows device FR 2 58.8323 Paris 12.4075 Île-de-France 75015 1.2.3.4 80 TCP 4233 Windows 7 policy_ga35 Http 28998 698 87 Visma Proceedo FR 2 58.8323 Paris 12.4075 Île-de-France 75015 5.6.7.8 16 1676243500 128 PrivateApp 1840938216 NPA 100 network dummyuser6@something.com dummyuser6@something.com 1.1.1.1 dummyuser6@something.com 0 eventsnetworkdata_CL
8 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f9909d03e1127939b0ea6a15 Client allow Sogang University Education Education unknown 8517 77 1 Mobile device NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 80 TCP 4101 Android 10 policy_ga22 Http 10236 684 98 Sogang University US 2 42.8571 Lakeside -106.9191 California 92040 5.6.7.8 16 1676243510 128 PrivateApp 1840938838 NPA 106 network dummyuser7@something.com dummyuser7@something.com 1.1.1.1 dummyuser7@something.com 0 eventsnetworkdata_CL
9 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f991280ad3e40573f67de9ca Client allow SeeMyMachines Business Intelligence and Data Analytics Business Intelligence and Data Analytics 17 poor 8159 76 1 Mobile device US 2 55.8234 Boardman -109.7257 Oregon 97818 1.2.3.4 80 TCP 4163 Android 11 policy_ga18 Http 12983 335 121 SeeMyMachines NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 16 1676243530 128 PrivateApp 1840938237 NPA 101 network dummyuser8@something.com dummyuser8@something.com 1.1.1.1 dummyuser8@something.com 0 eventsnetworkdata_CL
10 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f9924a410735239d8c8064ac Client block Amazing Charts EHR Business Process Management Business Process Management 27 poor 8697 105 1 Windows device IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 1.2.3.4 80 TCP 4383 Windows 10 policy_ga20 Http 7731 64 92 Amazing Charts EHR IN 2 29.0748 Mumbai 82.8856 Maharashtra 400072 5.6.7.8 16 1676243521 128 PrivateApp 1840938144 NPA 90 network dummyuser9@something.com dummyuser9@something.com 1.1.1.1 dummyuser9@something.com 0 eventsnetworkdata_CL
11 abcd-cdef-ghijk RestAPI 2/16/2024, 1:56:26 PM f996c9348586288466585699 Client allow University of Arkansas Grantham Education Education unknown 8240 116 1 Windows device NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 1.2.3.4 80 TCP 4259 Windows 7 policy_ga36 Http 22963 52 85 University of Arkansas Grantham NL 2 62.3759 Amsterdam 14.8975 North Holland 1012 5.6.7.8 16 1676243524 128 PrivateApp 1840938855 NPA 79 network dummyuser10@something.com dummyuser10@something.com 1.1.1.1 dummyuser10@something.com 0 eventsnetworkdata_CL
12 abcd-cdef-ghijk
13
14
15
16
17
18
19
20
21
22
23
24
25 dstip_s dst_latitude
26 srcip_s dst_longitude
27 userip dstport
28 ur_normalized
29 user
30 src_latitude
31 src_longitude
32 srcport
33 userkey
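Review bot: Rows 12–33 of this sample, after the ten `eventsnetworkdata_CL` records, are either completely empty (`,,,,…`) or carry stray column names in two cells (`dstip_s,,dst_latitude`, `srcip_s,,dst_longitude`, `userip,,dstport`, then `ur_normalized`, `user`, `src_latitude`, …), which looks like spreadsheet scratch content that was exported along with the data. A parser, workbook or connector test validated against this file will see 22 malformed records with an empty `TimeGenerated` and `Type`, and row 12 carries a tenant id with every other field blank. Trim the file to the header line plus the ten data rows. The placeholder tenant id `abcd-cdef-ghijk` also differs from the `acd8fb14-0000-0000-a4fd-1456cbfdbacd` used in the sibling page-data sample; one placeholder style across the samples would make cross-table joins in examples behave consistently.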


@ -0,0 +1,11 @@
TenantId,SourceSystem,MG,ManagementGroupName,TimeGenerated [UTC],Computer,RawData,_id_s,access_method_s,app_s,appcategory_s,bypass_reason_s,bypass_traffic_s,Category,cci_d,ccl_s,connection_id_d,count_d,domain_s,dst_country_s,dst_latitude_d ,dst_location_s,dst_longitude_d,dst_region_s,dst_timezone_s,dst_zipcode_s,dstip_s,dstport_d,netskope_pop_s,organization_unit_s,other_categories_s,page_s,request_id_d,site_s,src_country_s,src_latitude_d,src_location_s,src_longitude_d,src_region_s,src_time_s,src_timezone_s,src_zipcode_s,srcip_s,ssl_decrypt_policy_s,timestamp_d,traffic_type_s,transaction_id_d,type_s,ur_normalized_s,url_s,user_s,user_generated_s,userip_s,userkey_s,server_bytes_d,browser_session_id_d,sessionid_s,fromlogs_s,browser_version_s,network_s,org_s,resp_content_type_s,conn_duration_d,policy_s,log_file_name_s,resp_cnt_d,severity_s,serial_s,hostname_s,suppression_start_time_d,conn_endtime_d,sAMAccountName_s,numbytes_d,req_cnt_d,src_geoip_src_d,forward_to_proxy_profile_s,resp_content_len_d,os_s,userPrincipalName_s,suppression_end_time_d,os_version_s,device_s,dynamic_classification_s,dst_geoip_src_d,CononicalName_s,conn_starttime_d,browser_s,dsthost_s,client_bytes_d,app_session_id_d,http_transaction_count_d,useragent_s,protocol_s,Type,_ResourceId
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,4ec61988f060fab4eaece27d,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,JP,45.6893,Tokyo,149.6899,Tokyo,Asia/Tokyo,102-0082,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.7238E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:28:00 2023,America/New_York,N/A,5.6.7.8,no,1701714497,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,6c74dbf7c1167da0361714df,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,rst.microsoft.com,IN,28.6161,Pune,83.7286,Maharashtra,Asia/Kolkata,411005,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",rst.microsoft.com,2.7238E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:37:08 2023,America/New_York,N/A,5.6.7.8,no,1701715086,Web,0,connection,1.2.3.4,rst.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,c9313f57c168752dac102c0c,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,rst.windowsupdate.com,US,51.8486,Chicago,-77.6288,Illinois,America/Chicago,60616,1.2.3.4,80,US-LAX1,,"[""Technology"",""All Categories""]",rst.windowsupdate.com,2.7238E+18,windowsupdate,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:40:08 2023,America/New_York,N/A,5.6.7.8,no,1701715206,Web,6.17517E+18,connection,1.2.3.4,rst.windowsupdate.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,022162c22bc5b26005107f9e,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,def.microsoft.com,IE,63.3379,Dublin,4.2591,Leinster,Europe/Dublin,D02,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",def.microsoft.com,2.72381E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:44:08 2023,America/New_York,N/A,5.6.7.8,no,1701715460,Web,0,connection,1.2.3.4,def.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,f7dacbadb8d92f611941d64f,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,pqr.microsoft.com,US,47.9273,Tappahannock,-66.8545,Virginia,America/New_York,22560,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",pqr.microsoft.com,2.72381E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:52:08 2023,America/New_York,N/A,5.6.7.8,no,1701715981,Web,0,connection,1.2.3.4,pqr.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,aaa5b9a0653dc2e637a4314e,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,rst.windowsupdate.com,US,44.0544,Los Angeles,-108.2441,California,America/Los_Angeles,90060,1.2.3.4,80,US-LAX1,,"[""Technology"",""All Categories""]",rst.windowsupdate.com,2.72381E+18,windowsupdate,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 13:53:08 2023,America/New_York,N/A,5.6.7.8,no,1701715991,Web,7.00157E+18,connection,1.2.3.4,rst.windowsupdate.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,98d767066723cee068862952,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,abc.microsoft.com,US,47.1835,San Jose,-111.7714,California,America/Los_Angeles,95141,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",abc.microsoft.com,2.72382E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:00:00 2023,America/New_York,N/A,5.6.7.8,no,1701716444,Web,0,connection,1.2.3.4,abc.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,abe49d8c917b9748ff2943bc,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,def.microsoft.com,IE,63.3379,Dublin,4.2591,Leinster,Europe/Dublin,D02,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",def.microsoft.com,2.72382E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:08:00 2023,America/New_York,N/A,5.6.7.8,no,1701716885,Web,0,connection,1.2.3.4,def.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,52093b15ffc2a18d4b6cb38c,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,pqr.microsoft.com,US,47.9273,Tappahannock,-66.8545,Virginia,America/New_York,22560,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",pqr.microsoft.com,2.72383E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:22:00 2023,America/New_York,N/A,5.6.7.8,no,1701717781,Web,0,connection,1.2.3.4,pqr.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
acd8fb14-0000-0000-a4fd-1456cbfdbacd,RestAPI,,,"2/29/2024, 8:07:16 AM",,,b641a9df01a0ce3b4fa9a2f1,IPSec,,Technology,Steering Exception - Default tenant config,yes,Technology,0,unknown,0,1,def.microsoft.com,IE,63.3379,Dublin,4.2591,Leinster,Europe/Dublin,D02,1.2.3.4,443,US-LAX1,,"[""Technology"",""All Categories"",""Business""]",def.microsoft.com,2.72383E+18,microsoft,US,50.3325386,Doylestown,-65.11663818,Pennsylvania,Mon Dec 4 14:24:00 2023,America/New_York,N/A,5.6.7.8,no,1701717858,Web,0,connection,1.2.3.4,def.microsoft.com,1.2.3.4,yes,1.2.3.4,1.2.3.4,0,0,,,,,,,0,,,0,,,,0,0,,0,0,0,,0,,,0,,,,0,,0,,,0,0,0,,,eventspagedata_CL,
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [UTC] Computer RawData _id_s access_method_s app_s appcategory_s bypass_reason_s bypass_traffic_s Category cci_d ccl_s connection_id_d count_d domain_s dst_country_s dst_latitude_d dst_location_s dst_longitude_d dst_region_s dst_timezone_s dst_zipcode_s dstip_s dstport_d netskope_pop_s organization_unit_s other_categories_s page_s request_id_d site_s src_country_s src_latitude_d src_location_s src_longitude_d src_region_s src_time_s src_timezone_s src_zipcode_s srcip_s ssl_decrypt_policy_s timestamp_d traffic_type_s transaction_id_d type_s ur_normalized_s url_s user_s user_generated_s userip_s userkey_s server_bytes_d browser_session_id_d sessionid_s fromlogs_s browser_version_s network_s org_s resp_content_type_s conn_duration_d policy_s log_file_name_s resp_cnt_d severity_s serial_s hostname_s suppression_start_time_d conn_endtime_d sAMAccountName_s numbytes_d req_cnt_d src_geoip_src_d forward_to_proxy_profile_s resp_content_len_d os_s userPrincipalName_s suppression_end_time_d os_version_s device_s dynamic_classification_s dst_geoip_src_d CononicalName_s conn_starttime_d browser_s dsthost_s client_bytes_d app_session_id_d http_transaction_count_d useragent_s protocol_s Type _ResourceId
2 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM 4ec61988f060fab4eaece27d IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com JP 45.6893 Tokyo 149.6899 Tokyo Asia/Tokyo 102-0082 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.7238E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:28:00 2023 America/New_York N/A 5.6.7.8 no 1701714497 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
3 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM 6c74dbf7c1167da0361714df IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 rst.microsoft.com IN 28.6161 Pune 83.7286 Maharashtra Asia/Kolkata 411005 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] rst.microsoft.com 2.7238E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:37:08 2023 America/New_York N/A 5.6.7.8 no 1701715086 Web 0 connection 1.2.3.4 rst.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
4 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM c9313f57c168752dac102c0c IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 rst.windowsupdate.com US 51.8486 Chicago -77.6288 Illinois America/Chicago 60616 1.2.3.4 80 US-LAX1 ["Technology","All Categories"] rst.windowsupdate.com 2.7238E+18 windowsupdate US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:40:08 2023 America/New_York N/A 5.6.7.8 no 1701715206 Web 6.17517E+18 connection 1.2.3.4 rst.windowsupdate.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
5 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM 022162c22bc5b26005107f9e IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 def.microsoft.com IE 63.3379 Dublin 4.2591 Leinster Europe/Dublin D02 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] def.microsoft.com 2.72381E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:44:08 2023 America/New_York N/A 5.6.7.8 no 1701715460 Web 0 connection 1.2.3.4 def.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
6 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM f7dacbadb8d92f611941d64f IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 pqr.microsoft.com US 47.9273 Tappahannock -66.8545 Virginia America/New_York 22560 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] pqr.microsoft.com 2.72381E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:52:08 2023 America/New_York N/A 5.6.7.8 no 1701715981 Web 0 connection 1.2.3.4 pqr.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
7 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM aaa5b9a0653dc2e637a4314e IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 rst.windowsupdate.com US 44.0544 Los Angeles -108.2441 California America/Los_Angeles 90060 1.2.3.4 80 US-LAX1 ["Technology","All Categories"] rst.windowsupdate.com 2.72381E+18 windowsupdate US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 13:53:08 2023 America/New_York N/A 5.6.7.8 no 1701715991 Web 7.00157E+18 connection 1.2.3.4 rst.windowsupdate.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
8 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM 98d767066723cee068862952 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 abc.microsoft.com US 47.1835 San Jose -111.7714 California America/Los_Angeles 95141 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] abc.microsoft.com 2.72382E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:00:00 2023 America/New_York N/A 5.6.7.8 no 1701716444 Web 0 connection 1.2.3.4 abc.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
9 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM abe49d8c917b9748ff2943bc IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 def.microsoft.com IE 63.3379 Dublin 4.2591 Leinster Europe/Dublin D02 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] def.microsoft.com 2.72382E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:08:00 2023 America/New_York N/A 5.6.7.8 no 1701716885 Web 0 connection 1.2.3.4 def.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
10 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM 52093b15ffc2a18d4b6cb38c IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 pqr.microsoft.com US 47.9273 Tappahannock -66.8545 Virginia America/New_York 22560 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] pqr.microsoft.com 2.72383E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:22:00 2023 America/New_York N/A 5.6.7.8 no 1701717781 Web 0 connection 1.2.3.4 pqr.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
11 acd8fb14-0000-0000-a4fd-1456cbfdbacd RestAPI 2/29/2024, 8:07:16 AM b641a9df01a0ce3b4fa9a2f1 IPSec Technology Steering Exception - Default tenant config yes Technology 0 unknown 0 1 def.microsoft.com IE 63.3379 Dublin 4.2591 Leinster Europe/Dublin D02 1.2.3.4 443 US-LAX1 ["Technology","All Categories","Business"] def.microsoft.com 2.72383E+18 microsoft US 50.3325386 Doylestown -65.11663818 Pennsylvania Mon Dec 4 14:24:00 2023 America/New_York N/A 5.6.7.8 no 1701717858 Web 0 connection 1.2.3.4 def.microsoft.com 1.2.3.4 yes 1.2.3.4 1.2.3.4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 eventspagedata_CL
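Review bot: The header on the first line contains a trailing space inside `dst_latitude_d ,`, so the column is named `dst_latitude_d ` rather than `dst_latitude_d`; anything that matches column names against this sample (a parser, workbook, or a test that loads the CSV into Log Analytics) will not find the latitude field while `dst_longitude_d` resolves fine. Change it to `dst_latitude_d,`. The rendered view below hides the problem because whitespace is collapsed there, which is presumably how it went unnoticed.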


@ -0,0 +1,38 @@
id: "66c4cd4c-d391-47e8-b4e6-93e55d86ca9f"
name: "Netskope - WebTransaction Error Detection"
description: |
'Rule helps to track error occurred in Netskope WebTransaction Data Connector.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: NetskopeDataConnector
dataTypes:
- NetskopeWebtxErrors_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1204
query: |
NetskopeWebtxErrors_CL
|where error_s has_any ("Invalid Netskope Hostname", "Webtx Authentication", "Webtx Token Empty", "Webtx Exponential Backoff", "Webtx Idle Time")
incidentConfiguration:
createIncident: true
groupingConfiguration :
enabled: true
reopenClosedIncident: false
lookbackDuration : 5m
matchingMethod : AnyAlert
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: 'Netskope Error at {{TimeGenerated}}'
alertDescriptionFormat: 'Error Message: {{error_s}}'
customDetails:
ErrorMessage: error_s
Time: TimeGenerated
version: 1.0.0
kind: Scheduled
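Review bot: The MITRE mapping `tactics: - Execution` / `relevantTechniques: - T1204` does not fit this rule: the query only matches connector-health strings in NetskopeWebtxErrors_CL (invalid hostname, authentication, empty token, backoff, idle time), none of which is user execution, so every incident it creates will carry a false T1204 attribution in the Sentinel tactic views. Drop both keys, or leave the lists empty if the template schema insists on them, and reword `description` to say this is an ingestion-health rule rather than a threat detection so analysts triage it as an operational alert. The "Webtx Authentication" and "Webtx Token Empty" matches are the ones that deserve attention, since they mean the API v2 token is missing or rejected and the feed has stopped without any other signal.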

@ -0,0 +1,22 @@
"""init module for NetskopeToAzureStorage activity function."""
import datetime
import logging
from .netskope_to_azure_storage import NetskopeToAzureStorage
from ..SharedCode import utils
import azure.functions as func
async def main(mytimer: func.TimerRequest) -> None:
"""Initialize netskope_to_azure_storage object and start execution."""
utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
event_type_sub_type = utils.get_event_alert_type_subtype()
netskope_to_azure_storage = NetskopeToAzureStorage(
event_type_sub_type.get("type_of_data"), event_type_sub_type.get("sub_type")
)
await netskope_to_azure_storage.initiate_and_manage_iterators()
if mytimer.past_due:
logging.info("The timer is past due!")
logging.info("Python timer trigger function ran at %s", utc_timestamp)
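Review bot: `datetime.datetime.utcnow()` on the utc_timestamp line is deprecated as of Python 3.12 and the `.replace(tzinfo=...)` step is only there to patch up its naive result; `datetime.datetime.now(datetime.timezone.utc).isoformat()` produces the same aware timestamp directly. The `if mytimer.past_due:` check is reached only after `initiate_and_manage_iterators()` returns, so whenever the run raises NetskopeException the past-due condition is never logged; move that block above the `await`. If letting the exception propagate so the host records a failed invocation is deliberate, a one-line comment saying so would stop the next maintainer from wrapping the call in a bare try/except.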

@ -0,0 +1,12 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 0/10 * * * *",
"useMonitor": true
}
]
}
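Review bot: The schedule `0 0/10 * * * *` assumes the host's `functionTimeout` covers the collection loop this trigger starts, which only stops itself after `DATA_COLLECTION_TIMEOUT` (commented as 570 seconds in netskope_to_azure_storage.py); on a Consumption plan the default is 5 minutes, so unless host.json (not in this view) raises it the worker is killed mid-write and the `_is_last_failed` marker is left at "True". Document the required `functionTimeout` value next to this binding or in host.json, since a strict JSON file cannot carry the note itself. `useMonitor: true` is appropriate here because the missed-run replay is what re-arms the iterators after an outage.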

@ -0,0 +1,200 @@
"""Make API call and handle exceptions."""
import asyncio
import inspect
from random import randrange
import aiohttp
from ..SharedCode import consts
from ..SharedCode.netskope_exception import NetskopeException
from ..SharedCode.logger import applogger
from aiohttp.client_exceptions import ServerDisconnectedError
class NetskopeAPIAsync:
"""Class to handle Netskope asynchronous api calls and exception handling."""
def __init__(self, type_of_data, sub_type) -> None:
"""Initialize NetskopeAPIAsync class.
Args:
type_of_data (str): The type of Netskope Data to fetch.(alerts/events)
sub_type (str): The subtype of the data to fetch.
"""
self.hostname = consts.NETSKOPE_HOSTNAME
self.type_of_data = type_of_data
self.sub_type = sub_type
self.nskp_data_type_for_logging = self.type_of_data + "_" + self.sub_type
def url_builder(self, iterator_name, operation) -> str:
"""Build the URL and return the built url.
Returns:
str: Generated url for http request
"""
url = consts.URL[self.type_of_data].format(
hostname=self.hostname,
sub_type=self.sub_type,
iterator_name=iterator_name,
operation=operation,
)
return url
async def aio_http_handler(self, url, session: aiohttp.ClientSession, server_disconnect_retry=0):
"""Make http request and handle the api call errors.
Args:
url (str): The url to perform the http request.
session (aiohttp.ClientSession): The session object used to perform api calls.
Raises:
NetskopeException: Netskope Custom Exception
Returns:
dict: Response from the api
"""
__method_name = inspect.currentframe().f_code.co_name
try:
retry_count_429 = 0
retry_count_409 = 0
retry_count_500 = 0
# Implemented retry mechanism for the status codes 409, 429 and 500.
# Retry count for 429 is higher due to higher frequency seen in tests.
while retry_count_429 <= 3 and retry_count_409 <= 1 and retry_count_500 <= 1:
applogger.debug(
"{}(method={}) : {} ({}): Initiating the get request.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
response = await session.get(url=url)
applogger.info(
"{}(method={}) : {} ({}): The API call response status code is {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
response.status,
)
)
if response.status == 200:
applogger.info(
"{}(method={}) : {} ({}): Successfully fetched netskope data.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
json_response = await response.json()
return json_response
elif response.status == 403:
applogger.error(
"{}(method={}) : {} ({}): Status code 403 token issue."
"Check the API V2 token is associated to the valid endpoint and its not expired.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
elif response.status == 409:
applogger.error(
"{}(method={}) : {} ({}): Status code 409."
"Concurrency conflict and the request cannot be processed currently. Sleeping...".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
retry_count_409 += 1
await asyncio.sleep(randrange(2, 10))
elif response.status == 429:
retry_after = response.headers.get("RateLimit-Reset")
applogger.error(
"{}(method={}) : {} ({}): Status code 429."
"Too many request for the same tenant for the same endpoint. Retrying after {} seconds.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
retry_after,
)
)
await asyncio.sleep(float(retry_after))
retry_count_429 += 1
elif response.status >= 500 and response.status < 600:
applogger.error(
"{}(method={}) : {} ({}): Status code {}. Netskope is having a temporary server issue."
"Retrying after 5 seconds.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
response.status,
)
)
await asyncio.sleep(randrange(5, 10))
retry_count_500 += 1
applogger.error(
"{}(method={}) : {} ({}): Max retries exceeded.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
# Catching Server Disconnected Error which occurs when the amount of concurrent requests increases.
# Hence Retrying with random sleep timer.
except ServerDisconnectedError as server_error:
if server_disconnect_retry < 3:
retry_time = randrange(2, 10)
applogger.error(
"{}(method={}) : {} ({}): Server Disconnect error. Error-{}. Retrying after - {} seconds.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
server_error,
retry_time,
)
)
server_disconnect_retry += 1
await asyncio.sleep(retry_time)
json_response = await self.aio_http_handler(url, session, server_disconnect_retry)
return json_response
applogger.error(
"{}(method={}) : {} ({}): Max retries exceeded for server disconnect error.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}): Error while fetching data.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}): Error while fetching data, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
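Review bot: Any status code the if/elif chain in aio_http_handler does not list (400, 401, 404 and every other non-5xx) falls through without raising or touching a retry counter, so the `while` loop re-issues the identical GET in a tight loop until the function times out. Add a terminating branch at the end of the chain, e.g. `else:` / `applogger.error("... Unexpected status code {} ...")` / `raise NetskopeException()`. The 429 branch also trusts the server: if `RateLimit-Reset` is absent, `float(None)` raises TypeError and the generic handler aborts with no retry, and when present the sleep is unbounded, so clamp it with something like `await asyncio.sleep(min(float(retry_after or 5), 60))`. Non-200 responses are never released (`session.get` is used without `async with` or `response.release()`), which leaks pooled connections across the retries.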

@ -0,0 +1,812 @@
"""Fetch Netskope data and post to azure storage."""
import inspect
import json
import time
import aiohttp
import asyncio
from SharedCode.netskope_exception import NetskopeException
from .netskope_api_async import NetskopeAPIAsync
from ..SharedCode.state_manager import StateManager
from ..SharedCode.logger import applogger
from ..SharedCode import consts
from ..SharedCode.validate_params import validate_parameters
from azure.storage.fileshare import ShareServiceClient
class NetskopeToAzureStorage:
"""Netskope to azure storage utility class."""
def __init__(self, type_of_data, sub_type) -> None:
"""Initialize variables.
Args:
type_of_data (str): type of Netskope data
sub_type (str): subtype of Netskope data
"""
self.iterators = None
self.starttime = int(time.time())
self.netskope_api_async_obj = NetskopeAPIAsync(type_of_data, sub_type)
self.share_name = type_of_data + sub_type + "data"
self.share_name_for_duplication_check = type_of_data + sub_type + "duplicationcheck"
self.type_of_data = type_of_data
self.sub_type = sub_type
self.nskp_data_type_for_logging = self.type_of_data + "_" + self.sub_type
self.count = 0
self.start_epoch_filename = "{}_start_epoch"
try:
validate_parameters(consts.NETSKOPE_TO_AZURE_STORAGE)
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error while initializing the class.".format(
consts.LOGS_STARTS_WITH,
"__init__",
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
def is_response_empty(self, json_response):
"""Check if response is empty or not.
Args:
json_response (dict): Response from the netskope api.
Raises:
NetskopeException: Netskope Custom Exception.
Returns:
bool: True if response is empty else False.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
if len(json_response.get("result")) == 0:
applogger.info(
"{}(method={}) : {} ({}) : The data returned is empty. Continuing to next iteration.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
return True
except KeyError as key_error:
applogger.error(
"{}(method={}) : {} ({}) : Error while accessing the data key in the response. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
key_error,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Unknown Error. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
return False
def delete_file_share(self):
"""Delete the file share.
Raises:
NetskopeException: Netskope Custom Exception.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
applogger.info(
"{}(method={}) : {} ({}) : Deleting the file share.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
parent_dir = ShareServiceClient.from_connection_string(
conn_str=consts.CONNECTION_STRING,
)
# deleting both the file shares for initializing iterators again.
# deleting both share as if only one is deleted then there would be error in storage to sentinel.
parent_dir.delete_share(self.share_name)
parent_dir.delete_share(self.share_name_for_duplication_check)
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Unknown Error. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def honour_wait_time(self, data):
"""Honour the wait time returned in the response.
Args:
data (dict): The response returned by the netskope api.
Raises:
NetskopeException: Netskope custom exception.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
wait_time = int(data.get("wait_time"))
if wait_time > 0:
applogger.info(
"{}(method={}) : {} ({}) : The wait time returned is {}. Sleeping....".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
wait_time,
)
)
await asyncio.sleep(wait_time)
except KeyError as key_error:
applogger.error(
"{}(method={}) : {} ({}) : The Key wait_time not found. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
key_error,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while honouring wait time. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def reset_iterators(self, index, last_data_epoch, end_epoch, session):
"""Reset Netskope iterator.
Args:
index (int): index of iterator
last_epoch (int): last epoch time
session (aiohttp.ClientSession): session object
Returns:
int: updated epoch time
"""
__method_name = inspect.currentframe().f_code.co_name
try:
last_epoch_save_obj = StateManager(
consts.CONNECTION_STRING,
"{}_end_epoch_{}".format(index, str(int(time.time()))),
self.share_name_for_duplication_check,
)
last_epoch_save_obj.post(str(last_data_epoch))
updated_epoch = (3 * consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS) + end_epoch
temp_state_manager_obj = StateManager(
consts.CONNECTION_STRING,
self.start_epoch_filename.format(index),
self.share_name,
)
url = self.netskope_api_async_obj.url_builder(index, updated_epoch)
data = await self.netskope_api_async_obj.aio_http_handler(url, session)
temp_state_manager_obj.post(str(updated_epoch))
applogger.info(
"{}(method={}) : {} ({}) : Reset epoch {} for iterator {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
updated_epoch,
index,
)
)
file_name_for_saving = "{}_{}_{}_{}"
epoch = int(data.get("timestamp_hwm"))
if epoch > updated_epoch + 2 * consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS:
applogger.info(
"{}(method={}) : {} ({}) : The epoch timestamp is more than the next iterator,"
"allowed chunk for iterator-{}. Current-{}, End-{} .".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
epoch,
updated_epoch + consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS,
)
)
file_name_for_saving = "{}_{}_{}_{}_empty_file"
data = {"ok": 1, "result": [], "wait_time": data.get("wait_time"), "timestamp_hwm": updated_epoch}
state_manager_obj_to_post_data = StateManager(
consts.CONNECTION_STRING,
file_name_for_saving.format(
index,
str(self.starttime),
str(updated_epoch),
str(int(time.time())),
),
self.share_name_for_duplication_check,
)
state_manager_obj_to_post_data.post(json.dumps(data))
start_epoch_state_manager_obj_for_duplicate_handle = StateManager(
consts.CONNECTION_STRING,
"{}_start_epoch_{}".format(index, str(int(time.time()))),
self.share_name_for_duplication_check,
)
start_epoch_state_manager_obj_for_duplicate_handle.post(str(updated_epoch))
await self.honour_wait_time(data)
return updated_epoch
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error while reseting iterators.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while reseting iterators, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def initiate_iterators(self):
"""Initialize Netskope iterators."""
__method_name = inspect.currentframe().f_code.co_name
applogger.info(
"{}(method={}) : {} ({}) : Initializing the iterators.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
try:
iterators_state_manager_obj = StateManager(consts.CONNECTION_STRING, "iteratorsname", self.share_name)
self.iterators = []
for i in range(4):
self.iterators.append(
"{}{}NSKPIterator{}_{}".format(self.type_of_data, self.sub_type, str(int(time.time())), i)
)
iterators_state_manager_obj.post(json.dumps(self.iterators))
share_name = self.share_name
async with aiohttp.ClientSession(
headers={
"User-Agent": "Netskope MSSentinel",
"Netskope-Api-Token": consts.NETSKOPE_TOKEN,
}
) as session:
is_first_iterator = True
for iterator in self.iterators:
if is_first_iterator:
url = self.netskope_api_async_obj.url_builder(iterator, "head")
data = await self.netskope_api_async_obj.aio_http_handler(url, session)
epoch = int(data.get("timestamp_hwm"))
applogger.info(
"{}(method={}) : {} ({}) : Initial epoch for first iterator {} is {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
iterator,
epoch,
)
)
is_first_iterator = False
else:
share_name = self.share_name_for_duplication_check
epoch += consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS
applogger.info(
"{}(method={}) : {} ({}) : Initial epoch for {} is {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
iterator,
epoch,
)
)
url = self.netskope_api_async_obj.url_builder(iterator, epoch)
data = await self.netskope_api_async_obj.aio_http_handler(url, session)
# start_epoch_state_manager_obj_for_duplicate_handle this is the epoch value of the file stored
# so that it can be used in removing the overlapping duplicates.
start_epoch_state_manager_obj_for_duplicate_handle = StateManager(
consts.CONNECTION_STRING,
"{}_start_epoch_{}".format(iterator, str(int(time.time()))),
share_name,
)
start_epoch_state_manager_obj_for_duplicate_handle.post(str(epoch))
write_data_state_manager_obj = StateManager(
consts.CONNECTION_STRING,
"{}_{}_{}_{}".format(
iterator,
str(self.starttime),
str(epoch),
str(int(time.time())),
),
share_name,
)
write_data_state_manager_obj.post(json.dumps(data))
is_last_failed_state_manager_obj = StateManager(
consts.CONNECTION_STRING,
"{}_is_last_failed".format(iterator),
self.share_name,
)
is_last_failed_state_manager_obj.post("False")
start_epoch_state_manager_obj = StateManager(
consts.CONNECTION_STRING,
self.start_epoch_filename.format(iterator),
self.share_name,
)
start_epoch_state_manager_obj.post(str(epoch))
await self.honour_wait_time(data)
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error while Initializing iterators.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while Initializing iterators, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def remove_duplicates_generated_due_to_data_saving_failures(self, index, data, epoch):
"""Remove duplicate data if any due to data saving failure in the previous invocation.
Args:
index (str): The iterator name.
data (dict): The data to check duplicate for.
epoch (int): The epoch value in the data.
Raises:
NetskopeException: Custom Netskope Exception.
Returns:
bool: True if data is duplicate else False.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
applogger.info("Checking for Duplicates")
from azure.storage.fileshare import ShareDirectoryClient
parent_dir = ShareDirectoryClient.from_connection_string(
conn_str=consts.CONNECTION_STRING,
share_name=self.share_name,
directory_path="",
)
list_of_files_response = parent_dir.list_directories_and_files(name_starts_with=index)
list_of_files = [file["name"] for file in list_of_files_response]
file_name_with_provided_epoch = None
epoch_of_file = 0
for file in list_of_files:
if (
"epoch" not in file
and "failed" not in file
and int(file.split("_")[-2]) == epoch
and int(file.split("_")[-1]) > epoch_of_file
):
file_name_with_provided_epoch = file
epoch_of_file = int(file.split("_")[-1])
if file_name_with_provided_epoch:
try:
state_manager_obj = StateManager(
consts.CONNECTION_STRING, file_name_with_provided_epoch, self.share_name
)
# Here we are fetching the previously saved data and comparing it with the data
# recieved in the current iteration and check if the data is duplicate or not.
duplicate_data = state_manager_obj.get(consts.NETSKOPE_TO_AZURE_STORAGE)
duplicate_json_data = json.loads(duplicate_data)
if duplicate_json_data == data or self.is_response_empty(duplicate_json_data):
applogger.error(
"{}(method={}) : {} ({}) : The data with epoch-{} and iterator-{} is duplicate.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
epoch,
index,
)
)
return True
return False
except json.JSONDecodeError:
parent_dir.delete_file(file_name_with_provided_epoch)
return False
return False
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Unknown Error, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def get_netskope_data_and_post_to_azure_storage(self, index, url, session, end_epoch, is_resend=False):
"""Fetch Netskope data and post to azure storage.
Args:
index (str): name of iterator
url (str): url for request
session (aiohttp.ClientSession): session object
end_epoch (int): end time epoch
is_resend (bool): if it is resend or not.
Returns:
int: updated epoch time
"""
__method_name = inspect.currentframe().f_code.co_name
try:
share_name = self.share_name
data = await self.netskope_api_async_obj.aio_http_handler(url, session)
epoch = int(data.get("timestamp_hwm"))
is_duplicate = False
if is_resend:
is_duplicate = await self.remove_duplicates_generated_due_to_data_saving_failures(index, data, epoch)
if is_duplicate:
applogger.info("The data for epoch {} and iterator {} was duplicate".format(epoch, index))
return None
applogger.info(
"{}(method={}) : {} ({}) : Netskope data fetched for iterator {} till {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
epoch,
)
)
file_name_for_saving = "{}_{}_{}_{}"
if epoch >= end_epoch:
share_name = self.share_name_for_duplication_check
if epoch > end_epoch + consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS:
applogger.info(
"{}(method={}) : {} ({}) : The epoch timestamp is more than the next iterator,"
"allowed chunk for iterator-{}. Current-{}, End-{} .".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
epoch,
end_epoch,
)
)
share_name = self.share_name_for_duplication_check
epoch = end_epoch
file_name_for_saving = "{}_{}_{}_{}_empty_file"
data = {"ok": 1, "result": [], "wait_time": data.get("wait_time"), "timestamp_hwm": end_epoch}
state_manager_obj_to_post_data = StateManager(
consts.CONNECTION_STRING,
file_name_for_saving.format(
index,
str(self.starttime),
str(epoch),
str(int(time.time())),
),
share_name,
)
state_manager_obj_to_post_data.post(json.dumps(data))
applogger.info(
"{}(method={}) : {} ({}) : Netskope data posted to azure storage for iterator {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
)
)
if epoch >= end_epoch:
applogger.info(
"{}(method={}) : {} ({}) : Iterator-{} : Got the {} seconds netskope data at time-{}, "
"Breaking Execution.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS,
int(time.time()),
)
)
updated_start = await self.reset_iterators(index, epoch, end_epoch, session)
update_end_epoch = updated_start + consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS
return update_end_epoch
await self.honour_wait_time(data)
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error while getting data and post to state manager.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error captured in perform_request_function, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def check_last_failed_status_and_start_execution(self, index, end_epoch):
"""Check if last invocation was interrupted or not and start the execution accordingly.
Args:
index (int): index of iterator
end_epoch (int): end epoch time
"""
__method_name = inspect.currentframe().f_code.co_name
try:
async with aiohttp.ClientSession(
headers={
"User-Agent": "Netskope MSSentinel",
"Netskope-Api-Token": consts.NETSKOPE_TOKEN,
}
) as session:
is_last_failed_obj = StateManager(
consts.CONNECTION_STRING,
"{}_is_last_failed".format(index),
self.share_name,
)
while True:
# DATA_COLLECTION_TIMEOUT value is 570 seconds which is 9 minutes and 30 seconds
# We stop the exection at 9 minutes and 30 seconds to avoid issues due to function timeout.
if int(time.time()) >= self.starttime + consts.DATA_COLLECTION_TIMEOUT:
applogger.info(
"{}(method={}) : {} ({}) : 9:30 mins executed hence breaking.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
break
is_last_failed = is_last_failed_obj.get(consts.NETSKOPE_TO_AZURE_STORAGE)
if is_last_failed == "False":
applogger.debug(
"{}(method={}) : {} ({}) : Fetching next Netskope data for iterator {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
)
)
is_last_failed_obj.post("True")
url = self.netskope_api_async_obj.url_builder(index, "next")
end_epoch_to_update = await self.get_netskope_data_and_post_to_azure_storage(
index, url, session, end_epoch
)
is_last_failed_obj.post("False")
else:
applogger.debug(
"{}(method={}) : {} ({}) : Last iteration failed for iterator {}, hence retrying.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
)
)
url = self.netskope_api_async_obj.url_builder(index, "resend")
end_epoch_to_update = await self.get_netskope_data_and_post_to_azure_storage(
index, url, session, end_epoch, True
)
is_last_failed_obj.post("False")
self.count += 1
applogger.debug(
"{}(method={}) : {} ({}) : The number of files stored to azure storage is {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
self.count,
)
)
if end_epoch_to_update is not None:
end_epoch = end_epoch_to_update
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error while getting Netskope data.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error captured in get data, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def create_tasks(self, start_epochs_list):
"""Create asynchronous tasks of the get data function.
Args:
start_epochs_list (list): list of the start epochs
Raises:
NetskopeException: Netskope Custom Exception
Returns:
list: lists of created tasks
"""
__method_name = inspect.currentframe().f_code.co_name
try:
tasks_to_return = []
for i, start_epoch in enumerate(start_epochs_list):
# DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS is the time difference between any two iterators.
# We calculate the end epoch of an iterator and reset epoch based on this value.
end_epoch = start_epoch + consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS
if end_epoch > int(time.time()):
applogger.info(
"{}(method={}) : {} ({}) : The iterator-{} is in {} seconds range of the current time,"
"hence skipping execution.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
self.iterators[i],
consts.DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS,
)
)
continue
tasks_to_return.append(
asyncio.create_task(self.check_last_failed_status_and_start_execution(self.iterators[i], end_epoch))
)
return tasks_to_return
except Exception as e:
applogger.error(
"{}(method={}) : {} ({}) : Error occurred in Netskope to azure storage, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
e,
)
)
raise NetskopeException()
async def initiate_and_manage_iterators(self):
"""Initiate the iterators if first run and start the normal execution."""
__method_name = inspect.currentframe().f_code.co_name
try:
applogger.debug(
"{}(method={}) : {} ({}) : Starting execution.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
iterators_state_manager_obj = StateManager(consts.CONNECTION_STRING, "iteratorsname", self.share_name)
self.iterators = iterators_state_manager_obj.get(consts.NETSKOPE_TO_AZURE_STORAGE)
if self.iterators is None:
await self.initiate_iterators()
else:
self.iterators = json.loads(self.iterators)
start_epochs_list = []
iterator_initialize_successful = False
retry_initiate_iterators = 0
while not iterator_initialize_successful and retry_initiate_iterators < 3:
iterator_initialize_successful = True
for index in self.iterators:
start_epoch_obj = StateManager(
consts.CONNECTION_STRING,
self.start_epoch_filename.format(index),
self.share_name,
)
start_epoch_raw = start_epoch_obj.get(consts.NETSKOPE_TO_AZURE_STORAGE)
if start_epoch_raw is None:
applogger.error(
"{}(method={}) : {} ({}) : None returned in the start epoch for iterator-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
index,
)
)
iterator_initialize_successful = False
break
start_epochs_list.append(int(start_epoch_raw))
if not iterator_initialize_successful:
applogger.info(
"{}(method={}) : {} ({}) : Initialization Failed, Deleting the file share and Retrying.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
self.delete_file_share()
await self.initiate_iterators()
retry_initiate_iterators += 1
if not iterator_initialize_successful:
applogger.error(
"{}(method={}) : {} ({}) : Iterator initialization was not successful."
"Try execution after sometime.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
tasks = await self.create_tasks(start_epochs_list)
await asyncio.gather(*tasks, return_exceptions=True)
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error occurred in Netskope to azure storage.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error occurred in Netskope to azure storage, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_TO_AZURE_STORAGE,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
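Review bot: `await asyncio.gather(*tasks, return_exceptions=True)` in initiate_and_manage_iterators discards the result list, so an iterator task that fails (a 403 on an expired token, a storage write error) is swallowed and the invocation completes as a success with a silent data gap whose only trace is an applogger line. Keep the results and fail the run when any is an exception, e.g. `results = await asyncio.gather(*tasks, return_exceptions=True)` followed by `if any(isinstance(r, BaseException) for r in results): raise NetskopeException()`. Separately, this module imports NetskopeException absolutely (`from SharedCode.netskope_exception import NetskopeException`) while every sibling uses `..SharedCode`; if the app root is importable under both names those are two distinct classes and the `except NetskopeException` in `__init__` will not catch the one raised by validate_parameters, so align it to `from ..SharedCode.netskope_exception import NetskopeException`.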

@ -0,0 +1,432 @@
{
"id": "NetskopeDataConnector",
"title": "Netskope Data Connector",
"publisher": "Netskope",
"descriptionMarkdown": "The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities: \n 1. NetskopeToAzureStorage : \n >* Get the Netskope Alerts and Events data from Netskope and post to Azure storage. \n 2. StorageToSentinel : \n >* Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace. \n 3. WebTxMetrics : \n >* Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.\n\n\n For more details of REST APIs refer to the below documentations: \n 1. Netskope API documentation: \n> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ \n 2. Azure storage documentation: \n> https://learn.microsoft.com/azure/storage/common/storage-introduction \n 3. Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview",
"graphQueries": [
{
"metricName": "Compromised Credential data received",
"legend": "alertscompromisedcredentialdata_CL",
"baseQuery": "alertscompromisedcredentialdata_CL"
},
{
"metricName": "CTEP data received",
"legend": "alertsctepdata_CL",
"baseQuery": "alertsctepdata_CL"
},
{
"metricName": "DLP data received",
"legend": "alertsdlpdata_CL",
"baseQuery": "alertsdlpdata_CL"
},
{
"metricName": "Malsite data received",
"legend": "alertsmalsitedata_CL",
"baseQuery": "alertsmalsitedata_CL"
},
{
"metricName": "Malware data received",
"legend": "alertsmalwaredata_CL",
"baseQuery": "alertsmalwaredata_CL"
},
{
"metricName": "Policy data received",
"legend": "alertspolicydata_CL",
"baseQuery": "alertspolicydata_CL"
},
{
"metricName": "Quarantine data received",
"legend": "alertsquarantinedata_CL",
"baseQuery": "alertsquarantinedata_CL"
},
{
"metricName": "Remediation data received",
"legend": "alertsremediationdata_CL",
"baseQuery": "alertsremediationdata_CL"
},
{
"metricName": "SecurityAssessment data received",
"legend": "alertssecurityassessmentdata_CL",
"baseQuery": "alertssecurityassessmentdata_CL"
},
{
"metricName": "UBA data received",
"legend": "alertsubadata_CL",
"baseQuery": "alertsubadata_CL"
},
{
"metricName": "Application data received",
"legend": "eventsapplicationdata_CL",
"baseQuery": "eventsapplicationdata_CL"
},
{
"metricName": "Audit data received",
"legend": "eventsauditdata_CL",
"baseQuery": "eventsauditdata_CL"
},
{
"metricName": "Connection data received",
"legend": "eventsconnectiondata_CL",
"baseQuery": "eventsconnectiondata_CL"
},
{
"metricName": "Incident data received",
"legend": "eventsincidentdata_CL",
"baseQuery": "eventsincidentdata_CL"
},
{
"metricName": "Network data received",
"legend": "eventsnetworkdata_CL",
"baseQuery": "eventsnetworkdata_CL"
},
{
"metricName": "Page data received",
"legend": "eventspagedata_CL",
"baseQuery": "eventspagedata_CL"
},
{
"metricName": "WebTxMetrics data received",
"legend": "Netskope_WebTx_metrics_CL",
"baseQuery": "Netskope_WebTx_metrics_CL"
}
],
"sampleQueries": [
{
"description": "Netskope CompromisedCredential Alerts Data",
"query": "alertscompromisedcredentialdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope CTEP Alerts Data",
"query": "alertsctepdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope DLP Alerts Data",
"query": "alertsdlpdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Malsite Alerts Data",
"query": "alertsmalsitedata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Malware Alerts Data",
"query": "alertsmalwaredata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Policy Alerts Data",
"query": "alertspolicydata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Quarantine Alerts Data",
"query": "alertsquarantinedata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Remediation Alerts Data",
"query": "alertsremediationdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope SecurityAssessment Alerts Data",
"query": "alertssecurityassessmentdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Uba Alerts Data",
"query": "alertsubadata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Application Events Data.",
"query": "eventsapplicationdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Audit Events Data",
"query": "eventsauditdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Connection Events Data",
"query": "eventsconnectiondata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Incident Events Data",
"query": "eventsincidentdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Network Events Data",
"query": "eventsnetworkdata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope Page Events Data",
"query": "eventspagedata_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope WebTransactions Metrics Data",
"query": "Netskope_WebTx_metrics_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "alertscompromisedcredentialdata_CL",
"lastDataReceivedQuery": "alertscompromisedcredentialdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsctepdata_CL",
"lastDataReceivedQuery": "alertsctepdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsdlpdata_CL",
"lastDataReceivedQuery": "alertsdlpdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsmalsitedata_CL",
"lastDataReceivedQuery": "alertsmalsitedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsmalwaredata_CL",
"lastDataReceivedQuery": "alertsmalwaredata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertspolicydata_CL",
"lastDataReceivedQuery": "alertspolicydata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsquarantinedata_CL",
"lastDataReceivedQuery": "alertsquarantinedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsremediationdata_CL",
"lastDataReceivedQuery": "alertsremediationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertssecurityassessmentdata_CL",
"lastDataReceivedQuery": "alertssecurityassessmentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "alertsubadata_CL",
"lastDataReceivedQuery": "alertsubadata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventsapplicationdata_CL",
"lastDataReceivedQuery": "eventsapplicationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventsauditdata_CL",
"lastDataReceivedQuery": "eventsauditdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventsconnectiondata_CL",
"lastDataReceivedQuery": "eventsconnectiondata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventsincidentdata_CL",
"lastDataReceivedQuery": "eventsincidentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventsnetworkdata_CL",
"lastDataReceivedQuery": "eventsnetworkdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "eventspagedata_CL",
"lastDataReceivedQuery": "eventspagedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "Netskope_WebTx_metrics_CL",
"lastDataReceivedQuery": "Netskope_WebTx_metrics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"alertscompromisedcredentialdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsctepdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsdlpdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsmalsitedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsmalwaredata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertspolicydata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsquarantinedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsremediationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertssecurityassessmentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"alertsubadata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventsapplicationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventsauditdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventsconnectiondata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventsincidentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventsnetworkdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"eventspagedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"Netskope_WebTx_metrics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Azure Subscription",
"description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group."
},
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)"
},
{
"title": "",
"description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)"
},
{
"title": "",
"description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)"
},
{
"title": "",
"description": "**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage."
},
{
"title": "",
"description": "**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Netskope-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy."
}
]
}
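Review bot: The workspace entry under `"resourceProvider"` requests `"delete": true` in `"requiredPermissions"` while its `"permissionsDisplayText"` promises only `read and write permissions on the workspace are required.`, so the text shown to the person granting access understates the scope; either drop `"delete": true` if nothing in this connector deletes workspace resources, or change the text to `read, write and delete permissions on the workspace are required.` so least-privilege review sees the real request. In the `"description"` beginning `**STEP 4 - Steps to create/get Credentials` the items are numbered 1, 2, 3, 5, and the STEP 1 and STEP 2 descriptions say the client ID, tenant ID and secret are `required ... for the execution of the TriggersSync playbook`, which looks copied from another connector because the deployment step in this file only configures function apps — presumably this should read `required as configuration parameters for the function app deployment`, to be confirmed with the author. Two smaller wording slips: the custom permission text `register an application in azure active directory()` ends in an empty parenthesis, and the STEP 5 description has `readily available.., as well as` with stray punctuation.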


@ -0,0 +1 @@
"""This is init file to consider Shared_code as package."""


@ -0,0 +1,45 @@
"""Constants file."""
import os
# consts for logging
NETSKOPE_TO_SENTINEL = "NetskopeToSentinel"
NETSKOPE_TO_AZURE_STORAGE = "NetskopeToAzureStorage"
LOGS_STARTS_WITH = "NetskopeDataConnector"
LOG_LEVEL = os.environ.get("Log_Level", "")
# consts for state_manager
CONNECTION_STRING = os.environ.get("ConnectionString", "")
# consts for netskope API
# *************************#
# Alert Type constants #
# *************************#
ALERTS_URL = "https://{hostname}/api/v2/events/dataexport/alerts/{sub_type}?index={iterator_name}&operation={operation}"
# *************************#
# Event Type constants #
# *************************#
EVENTS_URL = "https://{hostname}/api/v2/events/dataexport/events/{sub_type}?index={iterator_name}&operation={operation}"
EVENTS_LIST = {"page", "application", "incident", "audit", "infrastructure", "network", "connection"}
DATA_COLLECTION_TIMEOUT = 570
DIFFERENCE_BETWEEN_ITERATORS_IN_SECONDS = 100
URL = {"events": EVENTS_URL, "alerts": ALERTS_URL}
NETSKOPE_HOSTNAME = os.environ.get("NetskopeHostname", "")
NETSKOPE_TOKEN = os.environ.get("NetskopeToken", "")
# constants for state manager to sentinel
WORKSPACE_KEY = os.environ.get("WorkspaceKey", "")
WORKSPACE_ID = os.environ.get("WorkspaceId", "")
NETSKOPE_AZURE_STORAGE_TO_SENTINEL = "NetskopeAzureStorageToSentinel"
ORIGINAL_INDEX = 15000000
SHARE_NAME = os.environ.get("ShareName", "").replace(" ", "")
# Remove duplicated constants
NETSKOPE_REMOVE_DUPLICATES = "NetskopeRemoveDuplicatesFromStorage"
# constants for WebTx metrics
WEBTX_METRICS_URL = "https://{hostname}/api/v2/events/metrics/transactionevents"
NETSKOPE_WEBTX = "Netskope_WebTx_metrics"
LOG_TYPE = "Netskope_WebTx_metrics"
HOURS = 24
DATETIME_FORMAT = "%a, %d %b %Y %H:%M:%S GMT" # sample : Mon, 19 Feb 2024 07:53:02 GMT
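Review bot: `NETSKOPE_WEBTX` and `LOG_TYPE` both hold the literal `"Netskope_WebTx_metrics"` and can drift apart independently; define one in terms of the other, `LOG_TYPE = NETSKOPE_WEBTX`, or keep a single name. `EVENTS_LIST` contains `"infrastructure"`, but the connector definition added in this commit lists no infrastructure table among its `dataTypes`, so either this set or the connector UI appears incomplete — worth confirming which is intended. `ORIGINAL_INDEX = 15000000` is used elsewhere in this commit as the byte length of each chunk when stored data is split, and `DATA_COLLECTION_TIMEOUT = 570` carries no unit in its name; a comment on each, e.g. `# chunk size in bytes for splitting stored data` and `# seconds`, would save the next reader a search.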


@ -0,0 +1,26 @@
"""Handle the logger."""
import logging
import sys
from ..SharedCode import consts
log_level = consts.LOG_LEVEL
try:
applogger = logging.getLogger("azure")
log_level = log_level.upper()
if log_level == "DEBUG":
applogger.setLevel(logging.DEBUG)
elif log_level == "INFO":
applogger.setLevel(logging.INFO)
elif log_level == "WARNING":
applogger.setLevel(logging.WARNING)
elif log_level == "ERROR":
applogger.setLevel(logging.ERROR)
except Exception:
applogger.info("{} : no log level selected hence setting log level as info.".format(consts.LOGS_STARTS_WITH))
applogger.setLevel(logging.INFO)
finally:
handler = logging.StreamHandler(stream=sys.stdout)
applogger.addHandler(handler)
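Review bot: When `Log_Level` is unset or holds an unrecognised value, the `if`/`elif` chain from `log_level == "DEBUG"` to `"ERROR"` sets nothing, and the `except Exception` fallback never runs because `"".upper()` does not raise; the logger then keeps whatever level it inherited and the `no log level selected hence setting log level as info` message is unreachable in exactly the case it was written for. Add an `else:` branch to the chain — `else:` / `    applogger.setLevel(logging.INFO)` — and leave the `except` for genuinely unexpected errors only. Note also that `logging.getLogger("azure")` is the namespace the Azure SDK itself logs under, so a `DEBUG` setting here presumably also turns on the SDK's own pipeline logging and the added `StreamHandler` will print those records as well; if that is not intended, a dedicated logger name would be tidier — confirm.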


@ -0,0 +1,13 @@
"""This File contains custom Exception class for Netskope."""
class NetskopeException(Exception):
"""Exception class to handle Netskope exception.
Args:
Exception (string): will print exception message.
"""
def __init__(self, message=None) -> None:
"""Initialize custom NetskopeException with custom message."""
super().__init__(message)
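Review bot: The class docstring documents `Exception (string)` under `Args:`, but the only parameter the constructor accepts is `message`, so the docstring describes something that does not exist; replace that entry with `message (str | None): text passed to the base Exception; None when not supplied.`. Placing the `Args:` section on the `__init__` docstring rather than the class docstring would also match how `validate_parameters` documents its parameter elsewhere in this commit.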


@ -0,0 +1,61 @@
"""This module will help to save file to statemanager."""
from azure.storage.fileshare import ShareClient
from azure.storage.fileshare import ShareFileClient
from azure.core.exceptions import ResourceNotFoundError
from .logger import applogger
import inspect
from ..SharedCode.consts import LOGS_STARTS_WITH
class StateManager:
"""State manager class for specific operation."""
def __init__(
self,
connection_string,
file_path,
share_name,
):
"""Initialize the share_cli and file_client."""
self.share_cli = ShareClient.from_connection_string(
conn_str=connection_string, share_name=share_name
)
self.file_cli = ShareFileClient.from_connection_string(
conn_str=connection_string, share_name=share_name, file_path=file_path
)
self.file_name = file_path
self.log_starts_with = LOGS_STARTS_WITH
def post(self, marker_text: str):
"""Post method for posting the data to azure storage."""
try:
self.file_cli.upload_file(marker_text)
except ResourceNotFoundError:
self.share_cli.create_share()
self.file_cli.upload_file(marker_text)
def get(self, azure_function_name):
"""Get method for getting the data from azure storage."""
__method_name = inspect.currentframe().f_code.co_name
try:
return self.file_cli.download_file().readall().decode()
except ResourceNotFoundError:
applogger.info(
"{}(method={}) : {} : The file {} is not available in azure storage.".format(
self.log_starts_with, __method_name, azure_function_name, self.file_name
)
)
return None
def get_data_bytes(self, azure_function_name):
"""Get method for getting the data from azure storage."""
__method_name = inspect.currentframe().f_code.co_name
try:
return self.file_cli.download_file().content_as_bytes()
except ResourceNotFoundError:
applogger.info(
"{}(method={}) : {} : The file is not available in azure storage.".format(
self.log_starts_with, __method_name, azure_function_name
)
)
return None
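Review bot: `post` reacts to `ResourceNotFoundError` by calling `self.share_cli.create_share()` and retrying, but if the share already exists when that call runs — two function instances creating it at the same moment, or, presumably, a not-found error that came from a missing parent directory in `file_path` rather than the share — `create_share()` raises `ResourceExistsError` and the original failure is masked; guard the create step with `try:` / `    self.share_cli.create_share()` / `except ResourceExistsError:` and then retry the upload (`ResourceExistsError` comes from the already-imported `azure.core.exceptions`). `get_data_bytes` logs `The file is not available in azure storage.` without the file name while `get` includes `self.file_name`, so the two messages should match. `get` decodes the download with the default encoding; a `# NOTE(review): assumes the stored marker is UTF-8 — confirm` comment on `readall().decode()` would make that expectation explicit.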


@ -0,0 +1,24 @@
"""Utility methods."""
import inspect
from . import consts
from .logger import applogger
from .netskope_exception import NetskopeException
def get_event_alert_type_subtype():
"""To get event alert type subtype."""
__method_name = inspect.currentframe().f_code.co_name
try:
events_alerts_subtype = consts.SHARE_NAME
if events_alerts_subtype in consts.EVENTS_LIST:
return {"type_of_data": "events", "sub_type": events_alerts_subtype}
return {"type_of_data": "alerts", "sub_type": events_alerts_subtype}
except Exception as error:
applogger.error(
"{}(method={}) : Error while getting alerts, events type or subtype. Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
error,
)
)
raise NetskopeException()
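Review bot: `get_event_alert_type_subtype` treats every `consts.SHARE_NAME` outside `consts.EVENTS_LIST` as an alert subtype, including an empty string or a typo, so a misconfigured `ShareName` silently becomes `{"type_of_data": "alerts", "sub_type": "<typo>"}` and flows into the `ALERTS_URL` path and the derived file-share names; validate against an explicit allowlist of alert subtypes (the connector definition in this commit enumerates them) and raise `NetskopeException` for anything else. As written, the `try`/`except Exception` wraps only a set lookup and two dict literals, which cannot raise, so the handler is dead code unless that validation is added inside it.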


@ -0,0 +1,64 @@
"""Validate the parameters from consts."""
import inspect
from . import consts
from .logger import applogger
from .netskope_exception import NetskopeException
def validate_parameters(azure_function_name):
"""Validate the user input parameters.
Args:
azure_function_name (str): The name of the caller azure function for logging.
Raises:
NetskopeException: Netskope Custom Exception
"""
__method_name = inspect.currentframe().f_code.co_name
try:
required_params = {
"LogLevel": consts.LOG_LEVEL,
"ConnectionString": consts.CONNECTION_STRING,
"ShareName": consts.SHARE_NAME,
"NetskopeHostname": consts.NETSKOPE_HOSTNAME,
"NetskopeToken": consts.NETSKOPE_TOKEN,
}
applogger.debug(
"{}(method={}) : Checking if all the environment variables exist or not.".format(
consts.LOGS_STARTS_WITH, __method_name
)
)
missing_required_field = False
for label, params in required_params.items():
if not params or params == "":
missing_required_field = True
applogger.error(
'{}(method={}) : {} : "{}" field is not set in the environment please set '
"the environment variable and run the app.".format(
consts.LOGS_STARTS_WITH,
__method_name,
azure_function_name,
label,
)
)
if missing_required_field:
raise NetskopeException()
except NetskopeException:
applogger.error(
"{}(method={}) : {} : Error while validating environment variables.".format(
consts.LOGS_STARTS_WITH,
__method_name,
azure_function_name,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while validating environment variables. Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
azure_function_name,
error,
)
)
raise NetskopeException()
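Review bot: `if not params or params == "":` is redundant because `not params` already covers the empty string; `if not params:` says the same thing. The check only confirms `NetskopeHostname` is non-empty, yet `consts.ALERTS_URL` and `consts.EVENTS_URL` interpolate it straight into `https://{hostname}/...`; rejecting values that contain a scheme, a `/`, an `@` or whitespace would make a malformed setting fail fast here instead of producing requests to an unintended URL. `WorkspaceId` and `WorkspaceKey` are absent from `required_params` although `consts` reads both, and `LogLevel` is required here while `logger.py` in this commit tolerates its absence — confirm which behaviour is intended.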


@ -0,0 +1,50 @@
"""Init for Netskope Azure storage to Sentinel."""
import datetime
import logging
import inspect
import azure.functions as func
from .netskope_azure_storage_to_sentinel import NetskopeAzureStorageToSentinel
from ..StorageToSentinel.remove_duplicates_in_azure_storage import RemoveDuplicatesInAzureStorage
from ..SharedCode import utils
from ..SharedCode.logger import applogger
from ..SharedCode import consts
async def main(mytimer: func.TimerRequest) -> None:
"""Driver method for azure storage to sentinel."""
__method_name = inspect.currentframe().f_code.co_name
utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
share_name_after_duplication = False
event_type_sub_type = utils.get_event_alert_type_subtype()
sharename = ''.join((event_type_sub_type.get("type_of_data"), event_type_sub_type.get("sub_type"), "data"))
duplicate_share_name = (
''.join((event_type_sub_type.get("type_of_data"), event_type_sub_type.get("sub_type"), "duplicationcheck"))
)
try:
remove_duplicates_obj = RemoveDuplicatesInAzureStorage(sharename, duplicate_share_name)
remove_duplicates_obj.list_file_names_and_remove_duplicate_data()
share_name_after_duplication = True
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error occurred in deduplication or file share not available for share-{}"
"Error-{}.".format(
consts.LOGS_STARTS_WITH, __method_name, consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL, sharename, error
)
)
if share_name_after_duplication:
state_manager_to_sentinel_obj = NetskopeAzureStorageToSentinel(sharename)
await state_manager_to_sentinel_obj.list_files_and_ingest_files_data_to_sentinel()
else:
applogger.warn(
"{}(method={}) : {} : No logs found to send to Sentinel after executing deduplication.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
)
)
if mytimer.past_due:
logging.info("The timer is past due!")
logging.info("Python timer trigger function ran at %s", utc_timestamp)
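Review bot: A failure inside `list_file_names_and_remove_duplicate_data()` is caught, `share_name_after_duplication` stays False, and the `else` branch then reports `No logs found to send to Sentinel after executing deduplication.` at warn level, which describes an error as an empty result and silently skips ingestion for this run; log that branch as an error naming the skipped share, e.g. `Skipping ingestion for share-{} because deduplication failed.`, and consider a flag name such as `dedup_succeeded` that says what it tracks. `applogger.warn` is the deprecated alias of `applogger.warning`, and `datetime.datetime.utcnow()` is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc).isoformat()` yields the same string. The two `logging.info` calls at the end bypass `applogger`, which the rest of the module uses.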


@ -0,0 +1,12 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 0/10 * * * *",
"useMonitor": true
}
]
}


@ -0,0 +1,396 @@
"""Netskope azure storage to sentinel."""
import inspect
import json
import aiohttp
from azure.core.exceptions import ResourceNotFoundError
from azure.storage.fileshare import ShareDirectoryClient
from ..SharedCode.state_manager import StateManager
from ..SharedCode import consts
from .sentinel import post_data
from ..SharedCode.logger import applogger
from ..SharedCode.netskope_exception import NetskopeException
from math import ceil
class NetskopeAzureStorageToSentinel:
"""Netskope azure storage to sentinel utility class."""
def __init__(self, share_name: str) -> None:
"""Initialize variables."""
self.arr_to_return = []
self.share_name = share_name
if self.share_name.startswith("events"):
self.nskp_data_type_for_logging = "_".join(["events", (share_name.split("events")[-1]).replace("data", "")])
else:
self.nskp_data_type_for_logging = "_".join(["alerts", (share_name.split("alerts")[-1]).replace("data", "")])
iterators_state_manager_obj = StateManager(consts.CONNECTION_STRING, "iteratorsname", self.share_name)
self.iterators_name = json.loads(iterators_state_manager_obj.get(consts.NETSKOPE_REMOVE_DUPLICATES))
def is_response_empty(self, json_response):
"""Check if response is empty or not.
Args:
json_response (dict): Response from the netskope api.
Raises:
NetskopeException: Netskope Custom Exception.
Returns:
bool: True if response is empty else False.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
if len(json_response.get("result")) == 0:
applogger.info(
"{}(method={}) : {} ({}) : The data returned is empty. Continuing to next iteration.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
)
)
return True
except KeyError as key_error:
applogger.error(
"{}(method={}) : {} ({}) : Error while accessing the data key in the response. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
key_error,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Unknown Error. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
return False
async def separate_data_into_chunks(self, raw_data):
"""Async generator function to separate data into 15 mb chunks and return them.
Args:
raw_data (bytes): raw bytes data from the file.
Yields:
bytearray: separated chunks in bytearray.
"""
__method_name = inspect.currentframe().f_code.co_name
raw_data = raw_data[20:-46]
main_bytearray = bytearray(raw_data)
index = 0
start_index = 0
original_index = consts.ORIGINAL_INDEX
number_of_iterations = ceil(len(main_bytearray) / original_index)
end_index = original_index
is_first_chunk = True
for _ in range(number_of_iterations):
if len(main_bytearray) < end_index:
chunk = main_bytearray[start_index:len(main_bytearray)]
if not is_first_chunk:
chunk.insert(0, 91)
yield chunk
break
chunk2 = bytearray()
chunk = main_bytearray[start_index:end_index]
if not is_first_chunk:
chunk.insert(0, 91) # adding square bracket to start of bytearray
index = end_index
open_brac_counter = 0
read_counter = 0
while True:
if chr(main_bytearray[index]) == "{":
if read_counter == 0:
open_brac_counter = -1
read_counter += 1
open_brac_counter += 1
if chr(main_bytearray[index]) == "}":
if read_counter == 0:
read_counter += 1
open_brac_counter -= 1
chunk2.append(main_bytearray[index])
index += 1
if open_brac_counter < 0:
try:
chunk2.append(93)
json.loads(chunk + chunk2)
break
except Exception:
applogger.error(
"{}(method={}) : {} ({}) : Error while loading the json in split data, continuing.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
)
)
open_brac_counter = 0
chunk2.pop()
chunk3 = chunk + chunk2
index += 2
start_index = index
end_index = start_index + original_index
is_first_chunk = False
yield chunk3
def return_file_names_to_query(self, file_names: list):
"""Return the file names for current execution.
Args:
file_names (list): list of file
prefix_to_search (str): file name prefix to search
Returns:
list: list of files
"""
__method_name = inspect.currentframe().f_code.co_name
try:
file_names_to_query = []
for iterator_name in self.iterators_name:
for file in file_names:
if iterator_name in file and "epoch" not in file and "failed" not in file:
file_names_to_query.append(file)
applogger.info("{}(method={}) : {} ({}) : Number of files found to ingest to sentinel are {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
len(file_names_to_query)
)
)
return file_names_to_query
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while searching file names, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
def delete_file_from_file_share(self, file_name, parent_dir):
"""Delete the file from azure file share.
Args:
file_name (str): name of the file to delete
parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations
on file share.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
parent_dir.delete_file(file_name)
applogger.debug(
"{}(method={}) : {} ({}) : File deleted successfully, filename-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
file_name,
)
)
except ResourceNotFoundError:
applogger.info(
"{}(method={}) : {} ({}) : File not found while deleting, filename-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
file_name,
)
)
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while deleting file, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
def get_files_list(self, parent_dir):
"""Get list of file names from directory.
Args:
parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations
on file share.
Returns:
list: list of files
"""
__method_name = inspect.currentframe().f_code.co_name
try:
files_list = list(parent_dir.list_directories_and_files())
file_names = []
if (len(files_list)) > 0:
file_names = [file["name"] for file in files_list]
return file_names
return None
except ResourceNotFoundError:
applogger.error(
"{}(method={}) : {} ({}) : No storage directory found.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
)
)
return None
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while getting list of files, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def generate_chunks_and_ingest_data_to_sentinel(self, raw_data, log_type, session):
"""Separate the data into chunks and post the chunks to Log Analytics.
Args:
raw_data (bytes): raw bytes data from the stored data.
log_type (str): Name of the table to ingest data to.
session (aiohttp.ClientSession): session object.
"""
async for i in self.separate_data_into_chunks(raw_data):
await post_data(json.dumps(json.loads(i)), log_type, session)
def get_data_from_file(self, file_name):
"""Read file from azure storage.
Args:
file_name (str): file name to read
Returns:
json: Netskope data
"""
__method_name = inspect.currentframe().f_code.co_name
try:
state_manager_obj = StateManager(consts.CONNECTION_STRING, file_name, self.share_name)
raw_data = state_manager_obj.get_data_bytes(consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL)
return raw_data
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error while reading netskope data from File, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()
async def list_files_and_ingest_files_data_to_sentinel(self):
"""Read files list and ingest data to sentinel."""
__method_name = inspect.currentframe().f_code.co_name
try:
parent_dir = ShareDirectoryClient.from_connection_string(
conn_str=consts.CONNECTION_STRING,
share_name=self.share_name,
directory_path="",
)
count_data = 0
file_names_to_query = self.get_files_list(parent_dir)
file_names_to_get_data = self.return_file_names_to_query(file_names_to_query)
if len(file_names_to_query) == 0:
applogger.info(
"{}(method={}) : {} ({}) : The data is not yet processed for duplication.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
)
)
async with aiohttp.ClientSession() as session:
for file in file_names_to_get_data:
file_data = self.get_data_from_file(file)
if file_data is not None:
if self.is_response_empty(json.loads(file_data)):
applogger.info(
"{}(method={}) : {} ({}) : File Data was empty, hence deleting : {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
file,
)
)
elif len(file_data) > 26214400:
await self.generate_chunks_and_ingest_data_to_sentinel(file_data, self.share_name, session)
count_data += 1
applogger.info(
"{}(method={}) : {} ({}) : Total files posted to Sentinel Till now : {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
count_data,
)
)
else:
await post_data(
json.dumps(json.loads(file_data)["result"]),
self.share_name,
session,
)
applogger.info(
"{}(method={}) : {} ({}) : Netskope data posted successfully of file : {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
file,
)
)
count_data += 1
applogger.info(
"{}(method={}) : {} ({}) : Total files posted to Sentinel Till now : {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
count_data,
)
)
self.delete_file_from_file_share(file, parent_dir)
except NetskopeException:
applogger.error(
"{}(method={}) : {} ({}) : Error occurred in Netskope azure storage to sentinel.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} ({}) : Error occurred in netskope azure storage to sentinel, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
self.nskp_data_type_for_logging,
error,
)
)
raise NetskopeException()


@ -0,0 +1,511 @@
"""Remove duplicate Netskope data from azure storage."""
import hashlib
import json
import inspect
import re
from ..SharedCode.state_manager import StateManager
from azure.core.exceptions import ResourceNotFoundError
from azure.storage.fileshare import ShareDirectoryClient
from ..SharedCode import consts
from ..SharedCode.logger import applogger
from itertools import cycle
from ..SharedCode.netskope_exception import NetskopeException
class RemoveDuplicatesInAzureStorage:
"""Utility class for removing duplicate Netskope data from azure storage."""
def __init__(self, data_folder_share_name, share_name) -> None:
"""Initialize variables."""
__method_name = inspect.currentframe().f_code.co_name
try:
self.duplicate_count = 0
self.share_name = share_name
self.data_folder_share_name = data_folder_share_name
iterators_state_manager_obj = StateManager(
consts.CONNECTION_STRING, "iteratorsname", self.data_folder_share_name
)
self.iterators_name = json.loads(iterators_state_manager_obj.get(consts.NETSKOPE_REMOVE_DUPLICATES))
applogger.error(self.iterators_name)
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while removing duplicates from Azure Storage, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def move_to_data_folder(self, file_data, file_name, parent_dir, is_empty_in_file_name=False):
"""Move the file to the data folder for ingestion to sentinel.
Args:
file_data (list): data to write in file
file_name (str): name of the file
parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations
on file share.
is_empty_in_file_name (bool, optional): True if the file name endswith empty. Defaults to False.
"""
if not is_empty_in_file_name and not self.is_response_empty(file_data):
new_file_state_manager_obj = StateManager(consts.CONNECTION_STRING, file_name, self.data_folder_share_name)
new_file_state_manager_obj.post(json.dumps(file_data))
self.delete_file_from_file_share(file_name, parent_dir)
def filter_files(self, filter1, filter2, unfiltered_list):
"""Filter the given files list.
Args:
filter1 (str): first string to search
filter2 (str): second string to search
unfiltered_list (list): list to filter
Returns:
list: filtered files list
"""
__method_name = inspect.currentframe().f_code.co_name
try:
applogger.info("The filter names are {} and {}".format(filter1, filter2))
pattern = r"{filter1}_\d+_{filter2}_\d+".format(filter1=re.escape(filter1), filter2=re.escape(filter2))
filtered_list = []
filtered_list = [i for i in unfiltered_list if re.match(pattern, i)]
return filtered_list
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while filtering files, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def list_file_names_in_file_share(self, parent_dir):
"""Get list of file names from directory.
Args:
parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations
on file share.
Returns:
list: list of files
"""
__method_name = inspect.currentframe().f_code.co_name
try:
files_list = list(parent_dir.list_directories_and_files())
file_names = []
if (len(files_list)) > 0:
for file in files_list:
file_names.append(file["name"])
return file_names
except ResourceNotFoundError:
applogger.error(
"{}(method={}) : {} : No storage directory found.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
)
)
return None
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while getting list of files, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def delete_file_from_file_share(self, file_name, parent_dir):
"""Delete the file from azure file share.
Args:
file_name (str): name of the file to delete
parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations
on file share.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
parent_dir.delete_file(file_name)
applogger.debug(
"{}(method={}) : {} : File deleted successfully, filename-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
file_name,
)
)
except ResourceNotFoundError:
applogger.info(
"{}(method={}) : {} : File not found while deleting, filename-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
file_name,
)
)
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while deleting file, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def delete_duplicate_files(self, list_of_files, parent_dir):
"""Delete the duplicate files from the given list of files.
Args:
list_of_files (list): list of file names to check duplicates.
parent_dir (ShareDirectoryClient): ShareDirectory client object
Raises:
NetskopeException: Netskope Custom Exception.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
if len(list_of_files) == 1:
return
hashes = []
for file in list_of_files:
state_manager_obj = StateManager(consts.CONNECTION_STRING, file, self.share_name)
file_data = state_manager_obj.get(consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL)
hashes.append(hashlib.sha256(file_data.encode("utf-8")).hexdigest())
duplicate_file_names = []
applogger.info(list_of_files)
for index, hashed_data in enumerate(hashes):
is_hash_duplicate = hashed_data in hashes[:index]
if is_hash_duplicate:
duplicate_file_names.append(list_of_files.pop(index))
for duplicate_file in duplicate_file_names:
self.delete_file_from_file_share(duplicate_file, parent_dir)
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while deleting duplicates, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def is_response_empty(self, json_response):
"""Check if response is empty or not.
Args:
json_response (dict): Response from the netskope api.
Raises:
NetskopeException: Netskope Custom Exception.
Returns:
bool: True if response is empty else False.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
if len(json_response.get("result")) == 0:
applogger.info(
"{}(method={}) : {} : The data returned is empty. Continuing to next iteration.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
)
)
return True
except KeyError as key_error:
applogger.error(
"{}(method={}) : {} : Error while accessing the data key in the response. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
key_error,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} : Unknown Error. Error-{}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
error,
)
)
raise NetskopeException()
return False
def remove_duplicates(self, list_of_old_files, new_files_to_compare, parent_dir):
"""Remove duplicates from given files.
Args:
list_of_old_files (list): list of old files
new_files_to_compare (str): new file to compare
parent_dir(ShareDirectoryClient): parent_dir object
"""
__method_name = inspect.currentframe().f_code.co_name
try:
self.delete_duplicate_files(list_of_old_files, parent_dir)
self.delete_duplicate_files(new_files_to_compare, parent_dir)
file: str
for file in list_of_old_files:
if file.endswith("empty_file"):
applogger.error(
"{}(method={}) : {} : Empty data is found in file name-{}.".format(
consts.LOGS_STARTS_WITH, __method_name, consts.NETSKOPE_REMOVE_DUPLICATES, file
)
)
self.move_to_data_folder(None, file, parent_dir, True)
continue
state_manager_obj_for_old_file = StateManager(consts.CONNECTION_STRING, file, self.share_name)
old_data_raw = state_manager_obj_for_old_file.get(consts.NETSKOPE_REMOVE_DUPLICATES)
old_data = json.loads(old_data_raw)
state_manager_obj_for_new_file = StateManager(
consts.CONNECTION_STRING, new_files_to_compare[0], self.share_name
)
new_data_raw = state_manager_obj_for_new_file.get(consts.NETSKOPE_REMOVE_DUPLICATES)
new_data = json.loads(new_data_raw)
if self.is_response_empty(old_data) or self.is_response_empty(new_data):
applogger.error(
"{}(method={}) : {} : Empty data is found in a file.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
)
)
self.move_to_data_folder(old_data, file, parent_dir)
continue
old_list_id = []
for cur_data in old_data.get("result"):
old_list_id.append(cur_data["_id"])
final_list = []
for cur_data in new_data.get("result"):
if cur_data["_id"] in old_list_id:
self.duplicate_count += 1
continue
final_list.append(cur_data)
new_data["result"] = final_list
self.move_to_data_folder(old_data, file, parent_dir)
state_manager_obj_for_new_file.post(json.dumps(new_data))
# Fetch the updated new file data.
if new_files_to_compare[0].endswith("empty_file"):
self.move_to_data_folder(None, new_files_to_compare[0], parent_dir, True)
return
state_manager_obj_for_new_file = StateManager(
consts.CONNECTION_STRING, new_files_to_compare[0], self.share_name
)
new_data_raw = state_manager_obj_for_new_file.get(consts.NETSKOPE_REMOVE_DUPLICATES)
new_data = json.loads(new_data_raw)
# move the new file to data folder.
self.move_to_data_folder(new_data, new_files_to_compare[0], parent_dir)
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while removing duplicates from azure storage, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def parse_files_and_find_duplicates(self, start_end_epochs, list_of_files, parent_dir):
"""Fetch the start and end epoch files data, get the file names with potential duplicates and remove duplicates.
Args:
start_end_epochs (dict): dictionary of epochs
list_of_files (list): list of files
parent_dir(ShareDirectoryClient): parent_dir object
"""
__method_name = inspect.currentframe().f_code.co_name
try:
it1_start = start_end_epochs.get("it1_start_epochs")
it2_start = start_end_epochs.get("it2_start_epochs")
it3_start = start_end_epochs.get("it3_start_epochs")
it4_start = start_end_epochs.get("it4_start_epochs")
it1_end = start_end_epochs.get("it1_end_epochs")
it2_end = start_end_epochs.get("it2_end_epochs")
it3_end = start_end_epochs.get("it3_end_epochs")
it4_end = start_end_epochs.get("it4_end_epochs")
queue_for_execution = [
it1_end,
it2_start,
it2_end,
it3_start,
it3_end,
it4_start,
it4_end,
it1_start,
]
end_epoch_counter = [0, 1, 2, 3]
start_epoch_counter = [1, 2, 3, 0]
end_epoch_pool = cycle(end_epoch_counter)
start_epoch_pool = cycle(start_epoch_counter)
for _ in range(4):
end_epochs_list = queue_for_execution.pop(0)
start_epochs_list = queue_for_execution.pop(0)
number_of_files_to_scan = min(len(end_epochs_list), len(start_epochs_list))
end_counter = next(end_epoch_pool)
start_counter = next(start_epoch_pool)
for index in range(number_of_files_to_scan):
state_manager_obj_for_end_epoch = StateManager(
consts.CONNECTION_STRING,
"{}_end_epoch_{}".format(self.iterators_name[end_counter], end_epochs_list[index]),
self.share_name,
)
epoch_for_end_file = state_manager_obj_for_end_epoch.get(consts.NETSKOPE_REMOVE_DUPLICATES)
state_manager_obj_for_start_epoch = StateManager(
consts.CONNECTION_STRING,
"{}_start_epoch_{}".format(self.iterators_name[start_counter], start_epochs_list[index]),
self.share_name,
)
epoch_for_start_file = state_manager_obj_for_start_epoch.get(consts.NETSKOPE_REMOVE_DUPLICATES)
if epoch_for_end_file is None or epoch_for_start_file is None:
applogger.error(
"{}(method={}) : {} : Epoch File Returned None."
"End Epoch: {} and Start Epoch: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
epoch_for_end_file,
epoch_for_start_file,
)
)
end_epoch_files = self.filter_files(
self.iterators_name[end_counter],
epoch_for_end_file,
list_of_files,
)
start_epoch_files = self.filter_files(
self.iterators_name[start_counter],
epoch_for_start_file,
list_of_files,
)
if len(end_epoch_files) > 0 and len(start_epoch_files) > 0:
self.remove_duplicates(end_epoch_files, start_epoch_files, parent_dir)
state_manager_obj_for_sentinel_ingestion = StateManager(
consts.CONNECTION_STRING,
"{}_sentinel_ingestion_epoch".format(self.iterators_name[end_counter]),
self.share_name,
)
state_manager_obj_for_sentinel_ingestion.post(epoch_for_end_file)
self.delete_file_from_file_share(
"{}_end_epoch_{}".format(self.iterators_name[end_counter], end_epochs_list[index]),
parent_dir,
)
self.delete_file_from_file_share(
"{}_start_epoch_{}".format(self.iterators_name[start_counter], start_epochs_list[index]),
parent_dir,
)
except NetskopeException:
applogger.error(
"{}(method={}) : {} : Error while parsing files and finding duplicates.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while parsing files and finding duplicates, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def return_list_of_iterator_files(self, list_of_files):
"""Parse the list of iterator files and extract the epoch time created from the file names.
Args:
list_of_files (list): list of file names.
Returns:
dict: dictionary containing start epochs and end epochs.
"""
__method_name = inspect.currentframe().f_code.co_name
try:
epochs = {}
epochs["it1_start_epochs"] = []
epochs["it2_start_epochs"] = []
epochs["it3_start_epochs"] = []
epochs["it4_start_epochs"] = []
epochs["it1_end_epochs"] = []
epochs["it2_end_epochs"] = []
epochs["it3_end_epochs"] = []
epochs["it4_end_epochs"] = []
for file in list_of_files:
epochs["it{}_{}_epochs".format(int(file.split("_")[-4]) + 1, file.split("_")[-3])].append(
file.split("_")[-1]
)
return epochs
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error while parsing epoch from file list, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
def list_file_names_and_remove_duplicate_data(self):
"""Code for removing duplicates from azure storage."""
__method_name = inspect.currentframe().f_code.co_name
try:
parent_dir = ShareDirectoryClient.from_connection_string(
conn_str=consts.CONNECTION_STRING,
share_name=self.share_name,
directory_path="",
)
all_file_list = self.list_file_names_in_file_share(parent_dir)
list_of_epoch_files = []
for file_name in all_file_list:
if "_start_epoch_" in file_name or "_end_epoch_" in file_name:
list_of_epoch_files.append(file_name)
applogger.info("The list of epoch files are {}".format(list_of_epoch_files))
if len(list_of_epoch_files) > 0:
dict_of_iter_epochs = self.return_list_of_iterator_files(list_of_epoch_files)
self.parse_files_and_find_duplicates(dict_of_iter_epochs, all_file_list, parent_dir)
applogger.info(
"{}(method={}) : {} : Removed duplicate counts are {}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
self.duplicate_count,
)
)
except NetskopeException:
applogger.error(
"{}(method={}) : {} : Failed to remove duplicates from azure storage.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} : Failed to remove duplicates from azure storage, Error-{}.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_REMOVE_DUPLICATES,
error,
)
)
raise NetskopeException()
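Review bot: In delete_duplicate_files, `list_of_files.pop(index)` inside the loop over `hashes` shifts every later position, so after the first duplicate the index into `hashes` no longer lines up with `list_of_files` and the next hit either pops an unrelated file (deleting unique data from the share) or raises IndexError; for names [A, B, C, D, E] with digests [h, x, h, x, y] the second hit removes E instead of D. Collect the duplicates by walking the two lists in step with a set of already-seen digests, then prune `list_of_files` in place once, since remove_duplicates relies on the list being trimmed before it re-reads the survivors; this also replaces the quadratic `hashed_data in hashes[:index]` test. Separately, parse_files_and_find_duplicates only logs when an epoch file returns None and then passes that None into filter_files, where `re.escape(None)` raises TypeError and aborts the whole run; a `continue` after that error log would let the remaining pairs be processed.
```python
            # … unchanged: per-file sha256 appended to hashes …
            duplicate_file_names = []
            seen_digests = set()
            for name, digest in zip(list_of_files, hashes):
                if digest in seen_digests:
                    duplicate_file_names.append(name)
                else:
                    seen_digests.add(digest)
            # Prune in place: remove_duplicates re-reads the trimmed list after this call.
            list_of_files[:] = [name for name in list_of_files if name not in duplicate_file_names]
            for duplicate_file in duplicate_file_names:
                self.delete_file_from_file_share(duplicate_file, parent_dir)
            # … unchanged: except / log / raise …
```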


@ -0,0 +1,109 @@
"""This file contains methods for creating microsoft indicator and custom log table."""
import inspect
import base64
import hashlib
import hmac
import datetime
import aiohttp
from ..SharedCode import consts
from ..SharedCode.logger import applogger
from ..SharedCode.netskope_exception import NetskopeException
def build_signature(
date,
content_length,
method,
content_type,
resource,
):
"""To build signature which is required in header."""
x_headers = "x-ms-date:" + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(consts.WORKSPACE_KEY)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash)
return authorization
async def post_data(body, log_type, session: aiohttp.ClientSession):
"""Build and send a request to the POST API.
Args:
body (str): Data to post into Sentinel log analytics workspace
log_type (str): Custom log table name in which data wil be added.
Returns:
status_code: Returns the response status code got while posting data to sentinel.
"""
__method_name = inspect.currentframe().f_code.co_name
method = "POST"
content_type = "application/json"
resource = "/api/logs"
rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")
content_length = len(body)
try:
signature = build_signature(
rfc1123date,
content_length,
method,
content_type,
resource,
)
except Exception as err:
applogger.error(
"{}(method={}) : {} : Error occurred: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
err,
)
)
raise NetskopeException("Error while generating signature for posting data into log analytics.")
uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01"
headers = {
"content-type": content_type,
"Authorization": signature,
"Log-Type": log_type,
"x-ms-date": rfc1123date,
}
try:
response = await session.post(url=uri, data=body, headers=headers)
if response.status >= 200 and response.status <= 299:
applogger.debug(
"{}(method={}) : {} : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
response.status,
)
)
return response.status
else:
raise NetskopeException(
"Response code: {} from posting data to log analytics.\nError: {}".format(
response.status, response.content
)
)
except NetskopeException as error:
applogger.error(
"{}(method={}) : {} : Error: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
error,
)
)
raise NetskopeException("NetskopeException: Error while posting data to sentinel.")
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_AZURE_STORAGE_TO_SENTINEL,
error,
)
)
raise NetskopeException("Exception: Error while posting data to sentinel.")
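Review bot: In post_data, `content_length = len(body)` counts characters of the str, but aiohttp encodes a str body as UTF-8 and sends the byte length as Content-Length, so any non-ASCII character in the ingested records makes the signed length differ from the transmitted one and the SharedKey HMAC no longer verifies; use `content_length = len(body.encode("utf-8"))` and post that same bytes object so the two cannot drift. The failure branch formats `response.content`, which on aiohttp is a StreamReader whose repr carries no body text, so the logged error loses the service's explanation; read it with `await response.text()` before raising. `datetime.datetime.utcnow()` is deprecated since Python 3.12, and `datetime.datetime.now(datetime.timezone.utc)` produces the same RFC 1123 string here.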


@ -0,0 +1,16 @@
"""Init for Web Transaction Metrics."""
import datetime
import logging
import azure.functions as func
from .ingest_message import ingest_backlog_unacked_message
def main(mytimer: func.TimerRequest) -> None:
"""Driver method WebTx metrics."""
utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
ingest_backlog_unacked_message()
if mytimer.past_due:
logging.info("The timer is past due!")
logging.info("Python timer trigger function ran at %s", utc_timestamp)
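Review bot: `datetime.datetime.utcnow()` on the timestamp line is deprecated since Python 3.12; `datetime.datetime.now(datetime.timezone.utc).isoformat()` yields the same timezone-aware ISO string without the `replace` call. The docstring `"""Driver method WebTx metrics."""` is missing its verb and would read better as `"""Timer-triggered entry point that ingests WebTx backlog metrics."""`. Note that an exception from ingest_backlog_unacked_message propagates before the past-due check, so a failed run never logs the timer timestamp; if that line is wanted on failure as well, move it ahead of the call.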


@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 0 */24 * * *"
}
]
}
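Review bot: The schedule `0 0 */24 * * *` is a six-field NCRONTAB expression whose hour field steps through 0–23 by 24, which only ever matches hour 0, so the trigger fires once a day at midnight in the host's timezone (UTC unless configured otherwise); writing it as `"schedule": "0 0 0 * * *"` states that intent directly instead of looking like a rolling 24-hour interval. Whichever form is kept, the lookback the ingest code requests from the metrics API (the hours parameter it reads from consts) should match this cadence so no interval is skipped or double-ingested.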


@ -0,0 +1,130 @@
"""Module to Ingest metrics in sentinel."""
import json
import requests
from requests.exceptions import InvalidURL, ConnectionError
import inspect
from ..SharedCode import consts
from ..SharedCode.logger import applogger
from ..SharedCode.netskope_exception import NetskopeException
from .sentinel import post_data
def ingest_backlog_unacked_message():
"""Fetch and Ingest WebTx Metrics to Sentinel."""
__method_name = inspect.currentframe().f_code.co_name
try:
headers = {"Netskope-Api-Token": consts.NETSKOPE_TOKEN}
parameters = {"hours": consts.HOURS}
res = requests.get(
consts.WEBTX_METRICS_URL.format(hostname=consts.NETSKOPE_HOSTNAME), headers=headers, params=parameters
)
if res.status_code == 200:
json_data = res.json()
if len(json_data['result']) == 0:
applogger.info(
"{}(method={}) : {} : Empty data was returned by the api.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
)
)
return
subscription = list(json_data["result"]["subscription/backlog_message_count"].keys())[0]
backlog_message = json_data["result"]["subscription/backlog_message_count"][subscription][
"partition_num: 1"
]
oldest_unacked_message = json_data["result"]["subscription/oldest_unacked_message_age"][subscription][
"partition_num: 1"
]
data_to_post = []
for key in backlog_message:
data_to_post.append(
{
"timestamp": key,
"backlog_message_count": backlog_message[key],
"oldest_unacked_message_age": oldest_unacked_message[key],
}
)
post_data(json.dumps(data_to_post), consts.LOG_TYPE)
applogger.info(
"{}(method={}) : {} : WebTx metrics posted.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
)
)
elif res.status_code == 401:
applogger.error(
"{}(method={}) : {} : Not authorized to use this feature.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
)
)
raise NetskopeException()
elif res.status_code == 403:
applogger.error(
"{}(method={}) : {} : Netskope token is not valid. Token is either expired or invalid.Please "
"provide a V2 token with the api/v2/events/metrics/transactionevents endpoint's permission.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
)
)
raise NetskopeException()
else:
applogger.error(
"{}(method={}) : {} : Error while fetching metrics status code {}.".format(
consts.LOGS_STARTS_WITH, __method_name, consts.NETSKOPE_WEBTX, res.status_code
)
)
raise NetskopeException()
except InvalidURL as error:
applogger.error(
"{}(method={}) : {} : InvalidURL: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException()
except ConnectionError as error:
applogger.error(
"{}(method={}) : {} : ConnectionError: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException()
except KeyError as error:
applogger.error(
"{}(method={}) : {} : KeyError: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException()
except NetskopeException:
applogger.error(
"{}(method={}) : {} : Error occured while fetching and ingesting Netskope WebTxMetrics.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
)
)
raise NetskopeException()
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException()
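Review bot: The `requests.get(...)` call that fetches the metrics passes no `timeout`, so a stalled connection to the Netskope host blocks this timer-triggered function until the platform kills it, with nothing logged by this module; pass `timeout=REQUEST_TIMEOUT_SECONDS` (placeholder: choose a value and keep it in consts alongside HOURS). The 401 branch reports "Not authorized to use this feature" while the 403 branch reports an expired or invalid token; under the usual HTTP convention 401 is the missing or invalid credential and 403 the permission problem, so the two messages look swapped and are worth checking against the Netskope API's documented codes. `list(json_data["result"]["subscription/backlog_message_count"].keys())[0]` raises IndexError on an empty mapping, which only the generic handler catches and logs as a bare "Error:", less informative than the empty-result branch just above it.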


@ -0,0 +1,109 @@
"""This file contains methods for creating microsoft indicator and custom log table."""
import inspect
import base64
import hashlib
import hmac
import requests
import datetime
from ..SharedCode import consts
from ..SharedCode.logger import applogger
from ..SharedCode.netskope_exception import NetskopeException
def build_signature(
date,
content_length,
method,
content_type,
resource,
):
"""To build signature which is required in header."""
x_headers = "x-ms-date:" + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(consts.WORKSPACE_KEY)
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash)
return authorization
def post_data(body, log_type):
"""Build and send a request to the POST API.
Args:
body (str): Data to post into Sentinel log analytics workspace
log_type (str): Custom log table name in which data wil be added.
Returns:
status_code: Returns the response status code got while posting data to sentinel.
"""
__method_name = inspect.currentframe().f_code.co_name
method = "POST"
content_type = "application/json"
resource = "/api/logs"
rfc1123date = datetime.datetime.utcnow().strftime(consts.DATETIME_FORMAT)
content_length = len(body)
try:
signature = build_signature(
rfc1123date,
content_length,
method,
content_type,
resource,
)
except Exception as err:
applogger.error(
"{}(method={}) : {} : Error occurred: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
err,
)
)
raise NetskopeException("Error while generating signature for posting data into log analytics.")
uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01"
headers = {
"content-type": content_type,
"Authorization": signature,
"Log-Type": log_type,
"x-ms-date": rfc1123date,
}
try:
response = requests.post(url=uri, data=body, headers=headers)
if response.status_code >= 200 and response.status_code <= 299:
applogger.debug(
"{}(method={}) : {} : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
response.status_code,
)
)
return response.status_code
else:
raise NetskopeException(
"Response code: {} from posting data to log analytics.\nError: {}".format(
response.status_code, response.content
)
)
except NetskopeException as error:
applogger.error(
"{}(method={}) : {} : Error: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException("NetskopeException: Error while posting data to sentinel.")
except Exception as error:
applogger.error(
"{}(method={}) : {} : Error: {}".format(
consts.LOGS_STARTS_WITH,
__method_name,
consts.NETSKOPE_WEBTX,
error,
)
)
raise NetskopeException("Exception: Error while posting data to sentinel.")
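Review bot: `uri` in post_data hardcodes the public-cloud `.ods.opinsights.azure.com` host, so the `logAnalyticsUri` app setting that the deployment template in this same commit computes from `environment().portal` for this app is never consumed and the collector cannot reach a workspace in a sovereign cloud; the base URL should come from that setting (through `consts`, if it is exposed there) with the hardcoded host kept only as a fallback. The `requests.post` call also carries no `timeout`, so a stalled connection holds the worker until the host's function timeout fires instead of surfacing as a retryable error; `response = requests.post(url=uri, data=body, headers=headers, timeout=30)` is the minimal change. Note too that `content_length = len(body)` counts characters while build_signature hashes UTF-8 bytes, so a body containing non-ASCII text is likely to be signed with a length that differs from what is actually put on the wire and be rejected by the API; encoding once up front (`body = body.encode("utf-8")` before `len(body)`) avoids that.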


@ -0,0 +1,916 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"AlertsUba": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/uba endpoint."
},
"type": "String"
},
"AlertsSecurityAssessment": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/securityassessment endpoint."
},
"type": "String"
},
"AlertsQuarantine": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/quarantine endpoint."
},
"type": "String"
},
"AlertsRemediation": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/remediation endpoint."
},
"type": "String"
},
"AlertsPolicy": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/policy endpoint."
},
"type": "String"
},
"AlertsMalware": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/malware endpoint."
},
"type": "String"
},
"AlertsMalsite": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/malsite endpoint."
},
"type": "String"
},
"AlertsCompromisedCredential": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/compromisedcredential endpoint."
},
"type": "String"
},
"AlertsCtep": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/ctep endpoint."
},
"type": "String"
},
"AlertsDlp": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/alerts/dlp endpoint."
},
"type": "String"
},
"EventsApplication": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/application endpoint."
},
"type": "String"
},
"EventsAudit": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/audit endpoint."
},
"type": "String"
},
"EventsConnection": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/connection endpoint."
},
"type": "String"
},
"EventsIncident": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/incident endpoint."
},
"type": "String"
},
"EventsInfrastructure": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/infrastructure endpoint."
},
"type": "String"
},
"EventsNetwork": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/network endpoint."
},
"type": "String"
},
"EventsPage": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"metadata": {
"description": "Fetches data from /api/v2/events/dataexport/events/page endpoint."
},
"type": "String"
},
"NetskopeHostName": {
"type": "String",
"metadata": {
"description": "Enter the Netskope Host Name."
}
},
"NetskopeAPIToken": {
"type": "SecureString",
"metadata": {
"description": "Enter the Netskope API Token."
}
},
"LogLevel": {
"defaultValue": "Info",
"allowedValues": [
"Debug",
"Info",
"Error",
"Warning"
],
"type": "String",
"metadata": {
"description": "Please add log level or log severity value. By default it is set to INFO"
}
},
"WorkspaceID": {
"minLength": 1,
"type": "String",
"metadata": {
"description": "Enter Workspace ID of Log Analytics workspace."
}
},
"WorkspaceKey": {
"minLength": 1,
"type": "SecureString",
"metadata": {
"description": "Enter Workspace Key of Log Analytics workspace."
}
}
},
"variables": {
"WebTxMetrics": "[concat('WebTxMetric',uniqueString(resourceGroup().id))]",
"function_names": [
{
"name": "uba",
"takeornot": "[if(equals(parameters('AlertsUba'),'Yes'), 'true', 'false')]",
"sharename": "uba"
},
{
"name": "securit",
"takeornot": "[if(equals(parameters('AlertsSecurityAssessment'),'Yes'), 'true', 'false')]",
"sharename": "securityassessment"
},
{
"name": "quarant",
"takeornot": "[if(equals(parameters('AlertsQuarantine'),'Yes'), 'true', 'false')]",
"sharename": "quarantine"
},
{
"name": "remed",
"takeornot": "[if(equals(parameters('AlertsRemediation'),'Yes'), 'true', 'false')]",
"sharename": "remediation"
},
{
"name": "policy",
"takeornot": "[if(equals(parameters('AlertsPolicy'),'Yes'), 'true', 'false')]",
"sharename": "policy"
},
{
"name": "malware",
"takeornot": "[if(equals(parameters('AlertsMalware'),'Yes'), 'true', 'false')]",
"sharename": "malware"
},
{
"name": "malsite",
"takeornot": "[if(equals(parameters('AlertsMalsite'),'Yes'), 'true', 'false')]",
"sharename": "malsite"
},
{
"name": "cc",
"takeornot": "[if(equals(parameters('AlertsCompromisedCredential'),'Yes'), 'true', 'false')]",
"sharename": "compromisedcredential"
},
{
"name": "ctep",
"takeornot": "[if(equals(parameters('AlertsCtep'),'Yes'), 'true', 'false')]",
"sharename": "ctep"
},
{
"name": "dlp",
"takeornot": "[if(equals(parameters('AlertsDlp'),'Yes'), 'true', 'false')]",
"sharename": "dlp"
},
{
"name": "app",
"takeornot": "[if(equals(parameters('EventsApplication'),'Yes'), 'true', 'false')]",
"sharename": "application"
},
{
"name": "audit",
"takeornot": "[if(equals(parameters('EventsAudit'),'Yes'), 'true', 'false')]",
"sharename": "audit"
},
{
"name": "conn",
"takeornot": "[if(equals(parameters('EventsConnection'),'Yes'), 'true', 'false')]",
"sharename": "connection"
},
{
"name": "incid",
"takeornot": "[if(equals(parameters('EventsIncident'),'Yes'), 'true', 'false')]",
"sharename": "incident"
},
{
"name": "infra",
"takeornot": "[if(equals(parameters('EventsInfrastructure'),'Yes'), 'true', 'false')]",
"sharename": "infrastructure"
},
{
"name": "network",
"takeornot": "[if(equals(parameters('EventsNetwork'),'Yes'), 'true', 'false')]",
"sharename": "network"
},
{
"name": "page",
"takeornot": "[if(equals(parameters('EventsPage'),'Yes'), 'true', 'false')]",
"sharename": "page"
}
],
"copy": [
{
"name": "AlertsEventsNameArray",
"count": "[length(variables('function_names'))]",
"input": {
"NetskopeToStorage": "[concat('NtoS',variables('function_names')[copyIndex('AlertsEventsNameArray', 0)].name,uniqueString(resourceGroup().id))]",
"StorageToSentinel": "[concat('StoS',variables('function_names')[copyIndex('AlertsEventsNameArray', 0)].name,uniqueString(resourceGroup().id))]",
"CheckToInclude": "[variables('function_names')[copyIndex('AlertsEventsNameArray', 0)].takeornot]"
}
}
],
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage]"
},
"copy": {
"name": "componentcopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
},
"copy": {
"name": "storageaccountcopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, '/default')]",
"dependsOn": [
"storageaccountcopy"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
},
"copy": {
"name": "blobServicescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
},
"copy": {
"name": "fileServicescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage))]",
"[resourceId('Microsoft.Insights/components', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.9"
}
},
"resources": [
{
"type": "config",
"apiVersion": "2018-11-01",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~4",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), reference(resourceId('Microsoft.insights/components', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage), '2015-05-01').InstrumentationKey, '')]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), reference(resourceId('microsoft.insights/components', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage), '2015-05-01').ConnectionString, '')]",
"AzureWebJobsStorage": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix'))), '')]",
"ConnectionString": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix'))), '')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"NetskopeHostname": "[parameters('NetskopeHostName')]",
"NetskopeToken": "[parameters('NetskopeAPIToken')]",
"ShareName": "[variables('function_names')[copyIndex('sitescopy')].sharename]",
"WorkspaceId": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"Log_Level": "[parameters('LogLevel')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-NetskopeToStorage-functionapp"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
}
],
"copy": {
"name": "sitescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]"
],
"properties": {
"publicAccess": "None"
},
"copy": {
"name": "containerscopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]"
],
"properties": {
"publicAccess": "None"
},
"copy": {
"name": "containerscopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, '/default/', tolower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)]"
],
"properties": {
"shareQuota": 5120
},
"copy": {
"name": "sharescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel]"
},
"copy": {
"name": "componentcopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
},
"copy": {
"name": "storageaccountcopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, '/default')]",
"dependsOn": [
"storageaccountcopy"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
},
"copy": {
"name": "blobServicescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
},
"copy": {
"name": "fileServicescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel))]",
"[resourceId('Microsoft.Insights/components', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"type": "config",
"apiVersion": "2018-11-01",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~4",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), reference(resourceId('Microsoft.insights/components', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel), '2015-05-01').InstrumentationKey, '')]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), reference(resourceId('microsoft.insights/components', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel), '2015-05-01').ConnectionString, '')]",
"AzureWebJobsStorage": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix'))), '')]",
"ConnectionString": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('AlertsEventsNameArray')[copyIndex()].NetskopeToStorage)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix'))), '')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"ShareName": "[variables('function_names')[copyIndex('sitescopy')].sharename]",
"WorkspaceId": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"Log_Level": "[parameters('LogLevel')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-NetskopeStorageToSentinel-functionapp"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
}
],
"copy": {
"name": "sitescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]"
],
"properties": {
"publicAccess": "None"
},
"copy": {
"name": "containerscopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]"
],
"properties": {
"publicAccess": "None"
},
"copy": {
"name": "containerscopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, '/default/', tolower(variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel, 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('AlertsEventsNameArray')[copyIndex()].StorageToSentinel)]"
],
"properties": {
"shareQuota": 5120
},
"copy": {
"name": "sharescopy",
"count": "[length(variables('function_names'))]"
},
"condition": "[if(equals(variables('AlertsEventsNameArray')[copyIndex()].CheckToInclude, 'true'), true(), false())]"
},
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('WebTxMetrics')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('WebTxMetrics')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('WebTxMetrics'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('WebTxMetrics'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('WebTxMetrics')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('WebTxMetrics'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('WebTxMetrics')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('WebTxMetrics')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('WebTxMetrics')))]",
"[resourceId('Microsoft.Insights/components', variables('WebTxMetrics'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('WebTxMetrics')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"type": "config",
"apiVersion": "2018-11-01",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('WebTxMetrics'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~4",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('WebTxMetrics')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('WebTxMetrics')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('WebTxMetrics')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('WebTxMetrics'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"NetskopeHostname": "[parameters('NetskopeHostName')]",
"NetskopeToken": "[parameters('NetskopeAPIToken')]",
"WorkspaceId": "[parameters('WorkspaceID')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"Log_Level": "[parameters('LogLevel')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-NetskopeWebTxMetrics-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('WebTxMetrics'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('WebTxMetrics'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('WebTxMetrics'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('WebTxMetrics'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('WebTxMetrics'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('WebTxMetrics'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('WebTxMetrics'), '/default/', tolower(variables('WebTxMetrics')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('WebTxMetrics'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('WebTxMetrics'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
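Review bot: The `NetskopeToken` and `WorkspaceKey` secrets are written as plain app settings on all three function apps (the `appsettings` config resources) even though each site is given a `SystemAssigned` identity that nothing in this template uses; a Key Vault reference (`@Microsoft.KeyVault(SecretUri=<secret-uri>)`) backed by that identity would keep the secrets out of the settings blob and out of deployment history. The three storage accounts also deploy with `"defaultAction": "Allow"` and set neither `minimumTlsVersion` nor `allowBlobPublicAccess`, both available in the `2019-06-01` API used here; adding `"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false` to each `properties` block is a cheap hardening. Separately, the NetskopeToStorage sites run `python|3.9` while the StorageToSentinel and WebTxMetrics sites run `python|3.8`, which looks unintended, and copy names such as `componentcopy`, `storageaccountcopy` and `containerscopy` are declared more than once, which makes the `"dependsOn": ["storageaccountcopy"]` on the two blobServices resources ambiguous and may be rejected at validation if unique copy names are enforced.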


@ -0,0 +1,29 @@
{
"version": "2.0",
"functionTimeout": "00:10:00",
"logging": {
"logLevel": {
"default": "Trace",
"Host.Results": "Trace",
"Function": "Trace",
"Host.Aggregator": "Trace"
},
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[4.*, 5.0.0)"
},
"extensions": {
"durableTask": {
"storageProvider": {
"type": "AzureStorage"
}
}
}
}
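Review bot: `logging.logLevel` sets `default`, `Host.Results`, `Function` and `Host.Aggregator` all to `Trace`, which ships every host and worker message to Application Insights regardless of the `Log_Level` app setting the template exposes, is costly and noisy in production, and is the level most likely to echo request details into telemetry. `"default": "Information"` together with `"Function": "Information"` keeps the connector's own logs visible while letting `Log_Level` do the filtering. Sampling here excludes only `Request`, so the sampler does not cap the volume either.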


@ -0,0 +1,10 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
azure-functions
azure-functions-durable
azure-storage-file-share==12.10.1
asyncio
aiohttp
requests
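Review bot: `asyncio` should be removed from this file: the module is part of the standard library on the `python|3.8`/`3.9` runtimes this commit deploys, and the PyPI package of that name is an old, unmaintained backport that shadows the stdlib module, so the line only adds supply-chain exposure. Every remaining entry except `azure-storage-file-share` is unpinned, so each deployment resolves whatever `requests`, `aiohttp`, `azure-functions` and `azure-functions-durable` happen to be current; pin them (`requests==<version>`) and ideally generate a hash-locked file so builds are reproducible and a bad upstream release cannot silently enter the function app.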


@ -0,0 +1,156 @@
{
"id": "NetskopeWebTransactionsDataConnector",
"title": "Netskope WebTransactions Data Connector",
"publisher": "Netskope",
"descriptionMarkdown": "The [Netskope WebTransactions](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/) data connector provides the functionality of a docker image to pull the Netskope WebTransactions data from google pubsublite, process the data and ingest the processed data to Log Analytics.\n\n\n For more details of WebTransactions refer to the below documentations: \n 1. Netskope WebTransactions documentation: \n> https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ \n 2. Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview",
"graphQueries": [
{
"metricName": "WebTransactions data received",
"legend": "NetskopeWebtxData_CL",
"baseQuery": "NetskopeWebtxData_CL"
},
{
"metricName": "WebTransactions Data Connector Errors",
"legend": "NetskopeWebtxErrors_CL",
"baseQuery": "NetskopeWebtxErrors_CL"
}
],
"sampleQueries": [
{
"description": "Netskope WebTransactions Data",
"query": "NetskopeWebtxData_CL\n | sort by TimeGenerated desc"
},
{
"description": "Netskope WebTransactions Data Connector Errors",
"query": "NetskopeWebtxErrors_CL\n | sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "NetskopeWebtxData_CL",
"lastDataReceivedQuery": "NetskopeWebtxData_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "NetskopeWebtxErrors_CL",
"lastDataReceivedQuery": "NetskopeWebtxErrors_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"NetskopeWebtxData_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
},
{
"type": "IsConnectedQuery",
"value": [
"NetskopeWebtxErrors_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Azure Subscription",
"description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group."
},
{
"name": "Microsoft.Compute permissions",
"description": "Read and write permissions to Azure VMs is required. [See the documentation to learn more about Azure VMs](https://learn.microsoft.com/azure/virtual-machines/overview)."
},
{
"name": "TransactionEvents Credentials/permissions",
"description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about TransactionEvents on the [TransactionEvents reference](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/)"
},
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector provides the functionality of ingesting Netskope WebTransactions data using a docker image to be deployed on a virtual machine(Either Azure VM/On Premise VM) [Azure VM pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux)."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage."
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the docker based data connector to ingest Netskope WebTransactions data **\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s)[Make sure the token has permissions for transaction events].",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Using Azure Resource Manager (ARM) Template to deploy VM[Recommended]",
"description": "Using the ARM template deploy an Azure VM, install the prerequisites and start execution.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-NetskopeWebTransactions-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tDocker Image Name(deep1112002/netskopewebtransactions:nskpwebtransactions)\n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp(The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count(The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time(Number of seconds to sleep before retrying) \n\t\tIdle Timeout(Number of seconds to wait for WebTransactions Data before restarting execution) \n\t\tVM Name \n\t\tAuthentication Type \n\t\tAdmin Password or Key \n\t\tDNS Label Prefix \n\t\tUbuntu OS Version \n\t\tLocation \n\t\tVM Size \n\t\tSubnet Name \n\t\tNetwork Security Group Name \n\t\tSecurity Type \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy."
},
{
"title": "Option 2 - Manual Deployment on previously created virtual machine",
"description": "Use the following step-by-step instructions to deploy the docker based data connector manually on a previously created virtual machine."
},
{
"title": "",
"description": "**1. Install docker and pull docker Image**\n\n>**NOTE:** Make sure that the VM is linux based(preferably Ubuntu).\n\n1. Firstly you will need to [SSH into the virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux-vm-connect?tabs=Linux).\n2. Now install [docker engine](https://docs.docker.com/engine/install/).\n3. Now pull the docker image from docker hub using the command: sudo docker pull *<*docker_username*>*/*<*repository_name*>*:*<*docker_image_name*>*.\n4. Now to run the docker image use the command: sudo docker run -it -v $(pwd)/docker_persistent_volume:/app *<*docker_username*>*/*<*repository_name*>*:*<*docker_image_name*>*. You can replace *<*docker_username*>*/*<*repository_name*>*:*<*docker_image_name*>* with the image id, docker_persistent_volume is the name of the folder that would be created on the vm in which the files would be stored."
},
{
"title": "",
"description": "**2. Configure the Parameters**\n\n1. Once the docker image is running it will ask for the required parameters.\n2. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp(The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count(The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time(Number of seconds to sleep before retrying) \n\t\tIdle Timeout(Number of seconds to wait for WebTransactions Data before restarting execution)\n3. Now the execution has started but is in interactive mode, so that shell cannot be stopped. To run it as a background process, stop the current execution by pressing Ctrl+C and then use the command: sudo docker run -d -v $(pwd)/docker_persistent_volume:/app *<*docker_username*>*/*<*repository_name*>*:*<*docker_image_name*>*."
},
{
"title": "",
"description": "**3. Stop the docker container**\n\n1. Use the command 'sudo docker container ps' to list the running docker containers. Note down the container id.\n2. Now stop the container using the command: sudo docker stop *<*container-id*>*."
}
]
}
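Review bot: The ARM-option instructions at L12179 tell the user to enter `deep1112002/netskopewebtransactions:nskpwebtransactions`, a mutable tag under what looks like a personal Docker Hub namespace rather than a Netskope- or Microsoft-owned registry; the VM pulls and runs that image with the Netskope API token and the workspace key mounted in, so anyone able to retag it gets both credentials. Reference an image published under the vendor's namespace and pin it by digest (`image@sha256:<digest>`), and say so in the description, so the pulled content is verifiable. Separately, the step list at L12151 jumps from 3 to 5, L12124 has a dangling `()` after `azure active directory`, and L12155 contains `readily available..,`; these are user-facing strings and should be tidied.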


@ -0,0 +1,400 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"DockerImageName": {
"type": "string",
"metadata": {
"description": "Enter the Docker image name."
}
},
"NetskopeHostName": {
"type": "string",
"metadata": {
"description": "Enter the Netskope Host Name."
}
},
"NetskopeAPIToken": {
"type": "securestring",
"metadata": {
"description": "Enter the Netskope API Token."
}
},
"SeekTimestamp": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Enter the epoch timestamp if you want to seek the pubsublite pointer."
}
},
"WorkspaceID": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Enter Workspace ID of Log Analytics workspace."
}
},
"WorkspaceKey": {
"type": "securestring",
"minLength": 1,
"metadata": {
"description": "Enter Workspace Key of Log Analytics workspace."
}
},
"BackoffRetryCount": {
"type": "int",
"defaultValue": 3,
"metadata": {
"description": "Enter the backoff retry count which is the number of retries for the exponential retry."
}
},
"BackoffSleepTime": {
"type": "int",
"defaultValue": 60,
"metadata": {
"description": "Enter the backoff sleep time which is the sleep time for the exponential retry."
}
},
"IdleTimeout": {
"type": "int",
"defaultValue": 600,
"metadata": {
"description": "Enter the idle timeout which is the time after which it will close the connection and retry pulling data."
}
},
"vmName": {
"defaultValue": "nskpWebtxVM",
"type": "String",
"metadata": {
"description": "The name of your Virtual Machine."
}
},
"authenticationType": {
"defaultValue": "password",
"allowedValues": [
"sshPublicKey",
"password"
],
"type": "String",
"metadata": {
"description": "Type of authentication to use on the Virtual Machine. SSH key is recommended."
}
},
"adminPasswordOrKey": {
"type": "SecureString",
"metadata": {
"description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
}
},
"dnsLabelPrefix": {
"defaultValue": "[toLower(format('{0}-{1}', parameters('vmName'), uniqueString(resourceGroup().id)))]",
"type": "String",
"metadata": {
"description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
}
},
"ubuntuOSVersion": {
"defaultValue": "Ubuntu-20.04",
"allowedValues": [
"Ubuntu-20.04",
"Ubuntu-22.04"
],
"type": "String",
"metadata": {
"description": "The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version."
}
},
"location": {
"defaultValue": "[resourceGroup().location]",
"type": "String",
"metadata": {
"description": "Location for all resources."
}
},
"vmSize": {
"defaultValue": "Standard_D8s_v3",
"type": "String",
"metadata": {
"description": "The size of the VM"
}
},
"virtualNetworkName": {
"defaultValue": "vNet",
"type": "String",
"metadata": {
"description": "Name of the VNET"
}
},
"subnetName": {
"defaultValue": "Subnet",
"type": "String",
"metadata": {
"description": "Name of the subnet in the virtual network"
}
},
"networkSecurityGroupName": {
"defaultValue": "SecGroupNet",
"type": "String",
"metadata": {
"description": "Name of the Network Security Group"
}
},
"securityType": {
"defaultValue": "TrustedLaunch",
"allowedValues": [
"Standard",
"TrustedLaunch"
],
"type": "String",
"metadata": {
"description": "Security Type of the Virtual Machine."
}
}
},
"variables": {
"imageReference": {
"Ubuntu-20.04": {
"publisher": "Canonical",
"offer": "0001-com-ubuntu-server-focal",
"sku": "20_04-lts-gen2",
"version": "latest"
},
"Ubuntu-22.04": {
"publisher": "Canonical",
"offer": "0001-com-ubuntu-server-jammy",
"sku": "22_04-lts-gen2",
"version": "latest"
}
},
"adminUsername": "devuser",
"publicIPAddressName": "[format('{0}PublicIP', parameters('vmName'))]",
"networkInterfaceName": "[format('{0}NetInt', parameters('vmName'))]",
"osDiskType": "Standard_LRS",
"subnetAddressPrefix": "10.1.0.0/24",
"addressPrefix": "10.1.0.0/16",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[format('/home/{0}/.ssh/authorized_keys', variables('adminUsername'))]",
"keyData": "[parameters('adminPasswordOrKey')]"
}
]
}
},
"securityProfileJson": {
"uefiSettings": {
"secureBootEnabled": true,
"vTpmEnabled": true
},
"securityType": "[parameters('securityType')]"
},
"extensionName": "GuestAttestation",
"customScriptExtensionName": "CustomScriptExtension",
"extensionPublisher": "Microsoft.Azure.Security.LinuxAttestation",
"extensionVersion": "1.0",
"maaTenantName": "GuestAttestation",
"maaEndpoint": "[substring('emptystring', 0, 0)]"
},
"resources": [
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-05-01",
"name": "[variables('networkInterfaceName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
"[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
},
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]"
}
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-05-01",
"name": "[parameters('networkSecurityGroupName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "SSH",
"properties": {
"priority": 1000,
"protocol": "Tcp",
"access": "Allow",
"direction": "Inbound",
"sourceAddressPrefix": "*",
"sourcePortRange": "*",
"destinationAddressPrefix": "*",
"destinationPortRange": "22"
}
}
]
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-05-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefix')]"
]
}
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2021-05-01",
"name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
],
"properties": {
"addressPrefix": "[variables('subnetAddressPrefix')]",
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-05-01",
"name": "[variables('publicIPAddressName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Basic"
},
"properties": {
"publicIPAllocationMethod": "Dynamic",
"publicIPAddressVersion": "IPv4",
"dnsSettings": {
"domainNameLabel": "[parameters('dnsLabelPrefix')]"
},
"idleTimeoutInMinutes": 4
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-11-01",
"name": "[parameters('vmName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"osDisk": {
"createOption": "FromImage",
"managedDisk": {
"storageAccountType": "[variables('osDiskType')]"
},
"diskSizeGB": 50
},
"imageReference": "[variables('imageReference')[parameters('ubuntuOSVersion')]]"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
}
]
},
"osProfile": {
"computerName": "[parameters('vmName')]",
"adminUsername": "[variables('adminUsername')]",
"adminPassword": "[parameters('adminPasswordOrKey')]",
"linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]"
},
"securityProfile": "[if(equals(parameters('securityType'), 'TrustedLaunch'), variables('securityProfileJson'), null())]"
}
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"apiVersion": "2022-03-01",
"name": "[format('{0}/{1}', parameters('vmName'), variables('extensionName'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
],
"properties": {
"publisher": "[variables('extensionPublisher')]",
"type": "[variables('extensionName')]",
"typeHandlerVersion": "[variables('extensionVersion')]",
"autoUpgradeMinorVersion": true,
"enableAutomaticUpgrade": true,
"settings": {
"AttestationConfig": {
"MaaSettings": {
"maaEndpoint": "[variables('maaEndpoint')]",
"maaTenantName": "[variables('maaTenantName')]"
}
}
}
},
"condition": "[and(equals(parameters('securityType'), 'TrustedLaunch'), and(equals(variables('securityProfileJson').uefiSettings.secureBootEnabled, true()), equals(variables('securityProfileJson').uefiSettings.vTpmEnabled, true())))]"
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"apiVersion": "2019-03-01",
"name": "[format('{0}/{1}', parameters('vmName'), variables('customScriptExtensionName'))]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
],
"tags": {
"displayName": "config-app"
},
"properties": {
"publisher": "Microsoft.Azure.Extensions",
"type": "CustomScript",
"typeHandlerVersion": "2.1",
"autoUpgradeMinorVersion": true,
"settings": {},
"protectedSettings": {
"commandToExecute": "[concat('sudo sh install_docker.sh ',parameters('DockerImageName'),' ',parameters('NetskopeHostName'),' ',parameters('NetskopeAPIToken'),' ',parameters('WorkspaceKey'),' ',parameters('WorkspaceID'),' ',parameters('BackoffRetryCount'),' ',parameters('BackoffSleepTime'),' ',parameters('IdleTimeout'),' ',parameters('SeekTimestamp'))]",
"fileUris": [
"https://aka.ms/sentinel-InstallDocker"
]
}
}
}
],
"outputs": {
"adminUsername": {
"type": "String",
"value": "[variables('adminUsername')]"
},
"hostname": {
"type": "String",
"value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName')), '2021-05-01').dnsSettings.fqdn]"
},
"sshCommand": {
"type": "String",
"value": "[format('ssh {0}@{1}', variables('adminUsername'), reference(resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName')), '2021-05-01').dnsSettings.fqdn)]"
}
}
}
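Review bot: The `SSH` rule at L12440-L12452 allows TCP/22 inbound with `"sourceAddressPrefix": "*"`, so every VM deployed from this template — which also receives a public IP with a DNS label (L12483-L12498) — accepts SSH from the whole internet, and `authenticationType` defaults to `password` at L12275. Add a `sshSourceAddressPrefix` string parameter (no default, or the deployer's own range) and change L12447 to `"sourceAddressPrefix": "[parameters('sshSourceAddressPrefix')]"`; defaulting `authenticationType` to `sshPublicKey` would match the "SSH key is recommended" text already in its description. Also, L12580 hands `NetskopeAPIToken` and `WorkspaceKey` to `install_docker.sh` as positional, unquoted arguments; `protectedSettings` keeps them out of the deployment record, but they are presumably visible in the process table while the script runs, and a value containing whitespace or shell metacharacters shifts the argument order, so passing them through a file or environment the extension writes would be safer than argv.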


@ -0,0 +1,18 @@
cd /home/devuser
DOCKER_LINK=$1
SEEK_TIMESTAMP=$9
DATA_DIR="/home/devuser/docker_persistent_volume"
mkdir /home/devuser/docker_persistent_volume
mkdir /home/devuser/docker_persistent_volume/sentinel
echo "Hostname=$2" > "$DATA_DIR/netskope_config.env"
echo "Token=$3" >> "$DATA_DIR/netskope_config.env"
echo "WorkspaceKey=$4" >> "$DATA_DIR/sentinel_config.env"
echo "WorkspaceId=$5" >> "$DATA_DIR/sentinel_config.env"
echo "BackoffRetryCount=$6" > "$DATA_DIR/general_config.env"
echo "BackoffSleepTime=$7" >> "$DATA_DIR/general_config.env"
echo "IdleTimeout=$8" >> "$DATA_DIR/general_config.env"
echo "SeekTimestamp=$SEEK_TIMESTAMP" >> "$DATA_DIR/seek_timestamp.env"
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo docker pull $DOCKER_LINK
sudo docker run -d -v $(pwd)/docker_persistent_volume:/app $DOCKER_LINK
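Review bot: The `*.env` files written at L12613-L12620 contain the Netskope token and the workspace key but are created under the default umask, so they are typically world-readable on the VM and are then bind-mounted into the container. The script also has no `set -e`, so a failed `cd` or `mkdir` (L12611-L12612 fail outright on a re-run because `-p` is missing) does not stop it, and `$DOCKER_LINK` / `$(pwd)` at L12623-L12624 are unquoted. Tightening the umask before the writes, failing fast, and quoting the expansions keeps the behaviour the same on the happy path; the files become owned by the invoking user (root when run via the extension), so if the image runs as a non-root user the permissions would need adjusting.
```sh
set -eu
umask 077   # the *.env files below hold the API token and workspace key
cd /home/devuser
DOCKER_LINK="$1"
SEEK_TIMESTAMP="$9"
DATA_DIR="/home/devuser/docker_persistent_volume"
mkdir -p "$DATA_DIR/sentinel"
# … unchanged: echo lines writing the *.env files …
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo docker pull "$DOCKER_LINK"
sudo docker run -d -v "$DATA_DIR:/app" "$DOCKER_LINK"
```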


@ -0,0 +1,44 @@
{
"Name": "Netskopev2",
"Author": "Netskope",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Netskope.svg\" width=\"75px\" height=\"75px\">",
"Description": "Netskope solution for Microsoft Sentinel enables you to ingest Netskope alerts and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.",
"Analytic Rules": [
"Analytic Rules/NetskopeWebTxErrors.yaml"
],
"Workbooks": [
"Workbooks/NetskopeDashboard.json"
],
"Playbooks": [
"Playbooks/NetskopeDataConnectorsTriggerSync/azuredeploy.json",
"Playbooks/NetskopeWebTxErrorEmail/azuredeploy.json"
],
"Parsers": [
"Parsers/AlertsCompromisedCredential.yaml",
"Parsers/AlertsCtep.yaml",
"Parsers/AlertsDLP.yaml",
"Parsers/AlertsMalsite.yaml",
"Parsers/AlertsMalware.yaml",
"Parsers/AlertsPolicy.yaml",
"Parsers/AlertsQuarantine.yaml",
"Parsers/AlertsRemediation.yaml",
"Parsers/AlertsSecurityAssessment.yaml",
"Parsers/AlertsUba.yaml",
"Parsers/EventIncident.yaml",
"Parsers/EventsApplication.yaml",
"Parsers/EventsAudit.yaml",
"Parsers/EventsConnection.yaml",
"Parsers/EventsNetwork.yaml",
"Parsers/EventsPage.yaml",
"Parsers/NetskopeWebTransactions.yaml"
],
"Data Connectors": [
"Data Connectors/NetskopeDataConnector/Netskope_FunctionApp.json",
"Data Connectors/NetskopeWebTransactionsDataConnector/Netskope_WebTransactions.json"
],
"BasePath": "C:\\Azure-Sentinel\\Solutions\\Netskopev2",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}

Solutions/Netskopev2/Package/3.0.0.zip Normal file



@ -0,0 +1,211 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Netskope.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Netskopev2/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nNetskope solution for Microsoft Sentinel enables you to ingest Netskope alerts and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.\n\n**Data Connectors:** 2, **Parsers:** 17, **Workbooks:** 1, **Analytic Rules:** 1, **Playbooks:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Netskope. You can get Netskope custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Netskope. You can get Netskope custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-parser-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "NetskopeDashboard",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "A workbook providing insights into Netskope Alerts, Events and WebTransactions."
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Netskope - WebTransaction Error Detection",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Rule helps to track error occurred in Netskope WebTransaction Data Connector."
}
}
]
}
]
},
{
"name": "playbooks",
"label": "Playbooks",
"subLabel": {
"preValidation": "Configure the playbooks",
"postValidation": "Done"
},
"bladeTitle": "Playbooks",
"elements": [
{
"name": "playbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
}
},
{
"name": "playbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
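Review bot: `dataconnectors2-text` at L12747-L12753 repeats the `dataconnectors1-text` string verbatim, so the installer wizard shows the same sentence twice and never mentions the WebTransactions connector this commit adds (the solution metadata lists two connectors). Change L12751 to describe the second connector, e.g. `"text": "This Solution installs the Netskope WebTransactions data connector, which ingests Netskope web transaction logs into your Microsoft Sentinel workspace via a docker image deployed on a virtual machine. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`.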



@ -0,0 +1,32 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": "NetskopeDashboard",
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}


@ -0,0 +1,102 @@
id: 47794680-196f-4a19-a958-36f4f80794df
Function:
Title: Parser for AlertsCompromisedCredential
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsCompromisedCredential
FunctionAlias: AlertsCompromisedCredential
FunctionQuery: |
let Alerts_compromised_credential_View = view (){
alertscompromisedcredentialdata_CL
|extend
TenantId = column_ifexists('TenantId', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Computer = column_ifexists('Computer', ''),
RawData = column_ifexists('RawData', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Category = column_ifexists('Category', ''),
Type = column_ifexists('Type', ''),
Id = column_ifexists('_id_s', ''),
Acked = column_ifexists('acked_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
App = column_ifexists('app_s', ''),
BreachDate = column_ifexists('breach_date_d', ''),
BreachDescription = column_ifexists('breach_description_s', ''),
BreachId = column_ifexists('breach_id_s', ''),
BreachMediaReferences = column_ifexists('breach_media_references_s', ''),
BreachScore = column_ifexists('breach_score_s', ''),
BreachTargetReferences = column_ifexists('breach_target_references_s', ''),
CCIString = column_ifexists('cci_s', ''),
CCI = column_ifexists('cci_d', ''),
CCL = column_ifexists('ccl_s', ''),
Count = column_ifexists('count_d', ''),
Department = column_ifexists('department_s', ''),
DistinguishedName = column_ifexists('distinguishedName_s', ''),
Division = column_ifexists('division_s', ''),
EmailSource = column_ifexists('email_source_s', ''),
EmployeeType = column_ifexists('employeeType_s', ''),
ExternalEmail = column_ifexists('external_email_d', ''),
Mail = column_ifexists('mail_s', ''),
MatchedUsername = column_ifexists('matched_username_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
PasswordType = column_ifexists('password_type_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
SAMAccountType = column_ifexists('sAMAccountType_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
PolicyType = column_ifexists('type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
User = column_ifexists('user_s', ''),
UserKey = column_ifexists('userkey_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', '')
| project TenantId,
SourceSystem,
MG,
ManagementGroupName,
TimeGenerated,
Computer,
RawData,
_ResourceId,
Category,
Type,
Id,
Acked,
Alert,
AlertName,
AlertType,
App,
BreachDate,
BreachDescription,
BreachId,
BreachMediaReferences,
BreachScore,
BreachTargetReferences,
CCIString,
CCI,
CCL,
Count,
Department,
DistinguishedName,
Division,
EmailSource,
EmployeeType,
ExternalEmail,
Mail,
MatchedUsername,
OrganizationUnit,
PasswordType,
SAMAccountName,
SAMAccountType,
Timestamp,
PolicyType,
UrNormalized,
User,
UserKey,
UserPrincipalName
};
Alerts_compromised_credential_View
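Review bot: Every numeric source column is defaulted to a string — `CCI = column_ifexists('cci_d', '')`, `Count = column_ifexists('count_d', '')`, `BreachDate = column_ifexists('breach_date_d', '')`, `Timestamp = column_ifexists('timestamp_d', '')`, `ExternalEmail = column_ifexists('external_email_d', '')` — so when the `_d` column is absent (table not yet populated, or a field not sent by the tenant) the parser emits a `string` column where callers expect a `real`, and numeric comparisons or `summarize` over it fail or silently change meaning. Use a typed default matching the ingested type, e.g. `CCI = column_ifexists('cci_d', real(null))`, and likewise `TimeGenerated = column_ifexists('TimeGenerated', datetime(null))`, so the output schema is stable whether or not the column exists. The same pattern repeats in AlertsCtep, AlertsDLP, AlertsMalsite and AlertsMalware (`_d` and `_b` columns all defaulted to `''`); fixing it once in the generator that emits these parsers would cover all of them.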


@ -0,0 +1,153 @@
id: 692b3a9d-ddd1-46f8-a44e-f830fb485ad5
Function:
Title: Parser for AlertsCtep
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsCtep
FunctionAlias: AlertsCtep
FunctionQuery: |
let Alerts_ctep_view = view(){
alertsctepdata_CL
| extend Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
Acked = column_ifexists('acked_s', ''),
Action = column_ifexists('action_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
App = column_ifexists('app_s', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
Company = column_ifexists('company_s', ''),
Count = column_ifexists('count_d', ''),
Department = column_ifexists('department_s', ''),
DeviceClassification = column_ifexists('deviceClassification_s', ''),
Device = column_ifexists('device_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationPort = column_ifexists('dstport_d', ''),
GId = column_ifexists('gid_d', ''),
HomePop = column_ifexists('home_pop_s', ''),
HostName = column_ifexists('hostname_s', ''),
HttpMethod_s = column_ifexists('http_method_s', ''),
HttpPort_d = column_ifexists('http_port_d', ''),
IpProtocol = column_ifexists('ip_protocol_s', ''),
Manager = column_ifexists('manager_s', ''),
NetskopePop_s = column_ifexists('netskope_pop_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
OtherCategories = column_ifexists('other_categories_s', ''),
ProfileId = column_ifexists('profile_id_s', ''),
Referer = column_ifexists('referer_s', ''),
SignatureId = column_ifexists('signature_id_d', ''),
Signature = column_ifexists('signature_s', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SourcePort = column_ifexists('srcport_d', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
TunnelId = column_ifexists('tunnel_id_s', ''),
PolicyType = column_ifexists('type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
User = column_ifexists('user_s', ''),
UserIp = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', '')
|project Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
Acked,
Action,
AlertName,
Alert,
AlertType,
App,
CCI,
CCIString,
CCL,
Company,
Count,
Department,
DeviceClassification,
Device,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationZipcode,
DestinationIp,
DestinationPort,
GId,
HomePop,
HostName,
HttpMethod_s,
HttpPort_d,
IpProtocol,
Manager,
NetskopePop_s,
OrganizationUnit,
OS,
OtherCategories,
ProfileId,
Referer,
SignatureId,
Signature,
Site,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceZipcode,
SourceIp,
SourcePort,
Timestamp,
TrafficType,
TransactionId,
TunnelId,
PolicyType,
UrNormalized,
Url,
UserPrincipalName,
User,
UserIp,
Userkey
};
Alerts_ctep_view
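Review bot: Three output columns keep their raw Log Analytics suffix — `HttpMethod_s = column_ifexists('http_method_s', '')`, `HttpPort_d = column_ifexists('http_port_d', '')`, `NetskopePop_s = column_ifexists('netskope_pop_s', '')` — while every other projected field is normalized to a PascalCase name without a type suffix, so queries built on this parser end up mixing `HostName` with `HttpMethod_s`. Since the parser is new, rename them now to `HttpMethod`, `HttpPort` and `NetskopePop` in both the `extend` and the `project` lists; renaming later would break saved queries. AlertsMalsite has the same inconsistency with `malsite_active`, `severity_level_id` and `severity_level`, which are left in snake_case next to `MalsiteCategory` and `Severity`.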


@ -0,0 +1,319 @@
id: 6b84879b-285e-4e00-b28f-61907ad7e1ef
Function:
Title: Parser for AlertsDLP
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsDLP
FunctionAlias: AlertsDLP
FunctionQuery: |
let Alert_DLP_Data_View = view (){
alertsdlpdata_CL
|extend
Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Acked = column_ifexists('acked_s', ''),
ActUser = column_ifexists('act_user_s', ''),
Action = column_ifexists('action_s', ''),
Activity = column_ifexists('activity_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
AppActivity = column_ifexists('app_activity_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSuite = column_ifexists('appsuite_s', ''),
BCC = column_ifexists('bcc_s', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
BrowserVersion = column_ifexists('browser_version_s', ''),
CCL = column_ifexists('ccl_s', ''),
Channel = column_ifexists('channel_s', ''),
ClassificationName = column_ifexists('classification_name_s', ''),
Collaborated = column_ifexists('collaborated_s', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
DataType = column_ifexists('data_type_s', ''),
DeviceClassification = column_ifexists('device_classification_s', ''),
Device = column_ifexists('device_s', ''),
DisplayName = column_ifexists('displayName_s', ''),
DlpFile = column_ifexists('dlp_file_s', ''),
DlpFingerprintClassification = column_ifexists('dlp_fingerprint_classification_s', ''),
DlpFingerprintMatch = column_ifexists('dlp_fingerprint_match_s', ''),
DlpFingerprintScore = column_ifexists('dlp_fingerprint_score_d', ''),
DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),
DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),
DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),
DlpParentId = column_ifexists('dlp_parent_id_d', ''),
DlpProfile = column_ifexists('dlp_profile_s', ''),
DlpRuleCount = column_ifexists('dlp_rule_count_d', ''),
DlpRule = column_ifexists('dlp_rule_s', ''),
DlpRuleScore = column_ifexists('dlp_rule_score_d', ''),
DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', ''),
DlpUniqueCount = column_ifexists('dlp_unique_count_d', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DynamicClassification = column_ifexists('dynamic_classification_s', ''),
Exposure = column_ifexists('exposure_s', ''),
ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),
FileCategory = column_ifexists('file_category_s', ''),
FileClsEncrypted = column_ifexists('file_cls_encrypted_b', ''),
FileLang = column_ifexists('file_lang_s', ''),
FilePasswordProtected = column_ifexists('file_password_protected_s', ''),
FilePath = column_ifexists('file_path_s', ''),
FileSize = column_ifexists('file_size_d', ''),
FileType = column_ifexists('file_type_s', ''),
FromStorage = column_ifexists('from_storage_s', ''),
FromUser = column_ifexists('from_user_s', ''),
Group = column_ifexists('group_s', ''),
HostName = column_ifexists('hostname_s', ''),
IncidentId = column_ifexists('incident_id_d', ''),
InstanceId = column_ifexists('instance_id_s', ''),
Instance = column_ifexists('instance_s', ''),
LocalSha256 = column_ifexists('local_sha256_s', ''),
Mail = column_ifexists('mail_s', ''),
ManagedApp = column_ifexists('managed_app_s', ''),
ManagementId = column_ifexists('managementID_s', ''),
Manager = column_ifexists('manager_s', ''),
Md5 = column_ifexists('md5_g', ''),
MessageId = column_ifexists('message_id_s', ''),
MessageSize = column_ifexists('message_size_d', ''),
MimeType = column_ifexists('mime_type_s', ''),
Modified = column_ifexists('modified_d', ''),
ObjectId = column_ifexists('object_id_s', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OrignalFilePath = column_ifexists('orignal_file_path_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
OuterDocType = column_ifexists('outer_doc_type_d', ''),
OwnerPdl = column_ifexists('owner_pdl_s', ''),
Owner = column_ifexists('owner_s', ''),
Page = column_ifexists('page_s', ''),
PageSite = column_ifexists('page_site_s', ''),
ParentId = column_ifexists('parent_id_s', ''),
PolicyId = column_ifexists('policy_id_s', ''),
Policy = column_ifexists('policy_s', ''),
Protocol = column_ifexists('protocol_s', ''),
Referer = column_ifexists('referer_s', ''),
RequestId = column_ifexists('request_id_s', ''),
RetroScanName = column_ifexists('retro_scan_name_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),
ScanType = column_ifexists('scan_type_s', ''),
Severity = column_ifexists('severity_s', ''),
SHA256 = column_ifexists('sha256_s', ''),
SharedDomains = column_ifexists('shared_domains_s', ''),
SharedWith = column_ifexists('shared_with_s', ''),
Site = column_ifexists('site_s', ''),
SmtpTo = column_ifexists('smtp_to_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SubType = column_ifexists('sub_type_s', ''),
SuppressionKey = column_ifexists('suppression_key_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
Title = column_ifexists('title_s', ''),
ToStorage = column_ifexists('to_storage_s', ''),
ToUser = column_ifexists('to_user_s', ''),
TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
TrueFileType = column_ifexists('true_filetype_s', ''),
TrueObjCategory = column_ifexists('true_obj_category_s', ''),
TrueObjType = column_ifexists('true_obj_type_s', ''),
TrueTypeId = column_ifexists('true_type_id_d', ''),
TssMode = column_ifexists('tss_mode_s', ''),
PolicyType = column_ifexists('type_s', ''),
UniversalConnector = column_ifexists('universal_connector_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
UserCountry = column_ifexists('userCountry_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
UserId = column_ifexists('user_id_s', ''),
User = column_ifexists('user_s', ''),
UserIp = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', ''),
ViolatingUser = column_ifexists('violating_user_s', ''),
ViolatingUserType = column_ifexists('violating_user_type_s', ''),
WebUniversalConnector = column_ifexists('web_universal_connector_s', '')
| project
Category,
MG,
ManagementGroupName,
SourceSystem,
TenantId,
_ResourceId,
Computer,
RawData,
TimeGenerated,
Type,
Id,
AccessMethod,
Acked,
ActUser,
Action,
Activity,
AlertName,
Alert,
AlertType,
AppActivity,
App,
AppSessionId,
AppCategory,
AppSuite,
BCC,
Browser,
BrowserSessionId,
BrowserVersion,
CCL,
Channel,
ClassificationName,
Collaborated,
ConnectionId,
DataType,
DeviceClassification,
Device,
DisplayName,
DlpFile,
DlpFingerprintClassification,
DlpFingerprintMatch,
DlpFingerprintScore,
DlpIncidentId,
DlpIsUniqueCount,
DlpMailParentId,
DlpParentId,
DlpProfile,
DlpRuleCount,
DlpRule,
DlpRuleScore,
DlpRuleSeverity,
DlpUniqueCount,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationIp,
DynamicClassification,
Exposure,
ExternalCollaboratorCount,
FileCategory,
FileClsEncrypted,
FileLang,
FilePasswordProtected,
FilePath,
FileSize,
FileType,
FromStorage,
FromUser,
Group,
HostName,
IncidentId,
InstanceId,
Instance,
LocalSha256,
Mail,
ManagedApp,
ManagementId,
Manager,
Md5,
MessageId,
MessageSize,
MimeType,
Modified,
ObjectId,
Object,
ObjectType,
OrganizationUnit,
OrignalFilePath,
OS,
OsVersion,
OuterDocType,
OwnerPdl,
Owner,
Page,
PageSite,
ParentId,
PolicyId,
Policy,
Protocol,
Referer,
RequestId,
RetroScanName,
SAMAccountName,
SanctionedInstance,
ScanType,
Severity,
SHA256,
SharedDomains,
SharedWith,
Site,
SmtpTo,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
SubType,
SuppressionKey,
Timestamp,
Title,
ToStorage,
ToUser,
TotalCollaboratorCount,
TrafficType,
TransactionId,
TrueFileType,
TrueObjCategory,
TrueObjType,
TrueTypeId,
TssMode,
PolicyType,
UniversalConnector,
UrNormalized,
Url,
UserCountry,
UserPrincipalName,
UserId,
User,
UserIp,
Userkey,
ViolatingUser,
ViolatingUserType,
WebUniversalConnector
};
Alert_DLP_Data_View
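Review bot: `Md5 = column_ifexists('md5_g', '')` reads a column that Log Analytics has typed as `guid` (the `_g` suffix), which means a 32-hex-character MD5 was stored as a GUID and will render in hyphenated 8-4-4-4-12 form; an exact match of `Md5` against a threat-intelligence hash list or against `LocalSha256`-style string columns in other tables will therefore miss. Normalize it back to the hash form the rest of the ecosystem uses: `Md5 = replace_string(tostring(column_ifexists('md5_g', '')), '-', '')`. `SHA256` and `LocalSha256` come from `_s` columns and do not have this problem, and the hash columns are presumably also what incident playbooks will enrich on, so the shape matters here more than elsewhere.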


@ -0,0 +1,261 @@
id: a839f340-221e-4894-9a1c-e24d397cd508
Function:
Title: Parser for AlertsMalsite
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsMalsite
FunctionAlias: AlertsMalsite
FunctionQuery: |
let Alerts_malsite_view = view(){
alertsmalsitedata_CL
| extend Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Acked = column_ifexists('acked_s', ''),
Action = column_ifexists('action_s', ''),
AggregatedUser = column_ifexists('aggregated_user_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSuite = column_ifexists('appsuite_s', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
BrowserVersion = column_ifexists('browser_version_s', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
ClientBytes = column_ifexists('client_bytes_d', ''),
CO = column_ifexists('co_s', ''),
ConnDuration = column_ifexists('conn_duration_d', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
Count = column_ifexists('count_d', ''),
Department = column_ifexists('department_s', ''),
DeviceClassification = column_ifexists('device_classification_s', ''),
Device = column_ifexists('device_s', ''),
Division = column_ifexists('division_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationHost = column_ifexists('dsthost_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationPort = column_ifexists('dstport_d', ''),
FromUser = column_ifexists('from_user_s', ''),
Fromlogs = column_ifexists('fromlogs_s', ''),
Gateway = column_ifexists('gateway_s', ''),
HostName = column_ifexists('hostname_s', ''),
IncidentId = column_ifexists('incident_id_d', ''),
JA3 = column_ifexists('ja3_s', ''),
JA3S = column_ifexists('ja3s_s', ''),
LogFileName = column_ifexists('log_file_name_s', ''),
Malicious = column_ifexists('malicious_s', ''),
malsite_active = column_ifexists('malsite_active_s', ''),
MalsiteCategory = column_ifexists('malsite_category_s', ''),
MalsiteConfidence = column_ifexists('malsite_confidence_d', ''),
MalsiteConsecutive = column_ifexists('malsite_consecutive_s', ''),
MalsiteCountry = column_ifexists('malsite_country_s', ''),
MalsiteFirstSeen = column_ifexists('malsite_first_seen_d', ''),
MalsiteHostility = column_ifexists('malsite_hostility_s', ''),
MalsiteId = column_ifexists('malsite_id_s', ''),
MalsiteIpHost = column_ifexists('malsite_ip_host_s', ''),
MalsiteLastSeen = column_ifexists('malsite_last_seen_d', ''),
MalsiteLatitude = column_ifexists('malsite_latitude_d', ''),
MalsiteLongitude = column_ifexists('malsite_longitude_d', ''),
MalsiteRegion = column_ifexists('malsite_region_s', ''),
MalsiteReputation = column_ifexists('malsite_reputation_s', ''),
ManagedApp = column_ifexists('managed_app_s', ''),
NotifyTemplate = column_ifexists('notify_template_s', ''),
Numbytes = column_ifexists('numbytes_d', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
Org = column_ifexists('org_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
OtherCategories = column_ifexists('other_categories_s', ''),
Page = column_ifexists('page_s', ''),
PageSite = column_ifexists('page_site_s', ''),
PolicyId = column_ifexists('policy_id_s', ''),
Policy = column_ifexists('policy_s', ''),
Protocol = column_ifexists('protocol_s', ''),
Referer = column_ifexists('referer_s', ''),
RequestCount = column_ifexists('req_cnt_d', ''),
RequestId = column_ifexists('request_id_s', ''),
ResponseCount = column_ifexists('resp_cnt_d', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
Serial = column_ifexists('serial_s', ''),
ServerBytes = column_ifexists('server_bytes_d', ''),
severity_level_id = column_ifexists('severity_level_id_d', ''),
severity_level = column_ifexists('severity_level_s', ''),
Severity = column_ifexists('severity_s', ''),
Sfwder = column_ifexists('sfwder_s', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
TelemetryApp = column_ifexists('telemetry_app_s', ''),
ThreatMatchField = column_ifexists('threat_match_field_s', ''),
ThreatMatchValue = column_ifexists('threat_match_value_s', ''),
ThreatSourceId = column_ifexists('threat_source_id_d', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
PolicyType = column_ifexists('type_s', ''),
UniversalConnector = column_ifexists('universal_connector_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
User = column_ifexists('user_s', ''),
Useragent = column_ifexists('useragent_s', ''),
UserIp = column_ifexists('userip_s', '')
| project Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
Acked,
Action,
AggregatedUser,
AlertName,
Alert,
AlertType,
App,
AppSessionId,
AppCategory,
AppSuite,
Browser,
BrowserSessionId,
BrowserVersion,
CCI,
CCIString,
CCL,
ClientBytes,
CO,
ConnDuration,
ConnectionId,
Count,
Department,
DeviceClassification,
Device,
Division,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationHost,
DestinationIp,
DestinationPort,
FromUser,
Fromlogs,
Gateway,
HostName,
IncidentId,
JA3,
JA3S,
LogFileName,
Malicious,
malsite_active,
MalsiteCategory,
MalsiteConfidence,
MalsiteConsecutive,
MalsiteCountry,
MalsiteFirstSeen,
MalsiteHostility,
MalsiteId,
MalsiteIpHost,
MalsiteLastSeen,
MalsiteLatitude,
MalsiteLongitude,
MalsiteRegion,
MalsiteReputation,
ManagedApp,
NotifyTemplate,
Numbytes,
Object,
ObjectType,
Org,
OrganizationUnit,
OS,
OsVersion,
OtherCategories,
Page,
PageSite,
PolicyId,
Policy,
Protocol,
Referer,
RequestCount,
RequestId,
ResponseCount,
SAMAccountName,
Serial,
ServerBytes,
severity_level_id,
severity_level,
Severity,
Sfwder,
Site,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
SuppressionEndTime,
SuppressionStartTime,
TelemetryApp,
ThreatMatchField,
ThreatMatchValue,
ThreatSourceId,
Timestamp,
TrafficType,
TransactionId,
PolicyType,
UniversalConnector,
UrNormalized,
Url,
User,
Useragent,
UserIp
};
Alerts_malsite_view


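--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,289 @@
+id: 44db348f-92f4-4f81-96b9-7d38d9fe2254
+Function:
+Title: Parser for AlertsMalware
+Version: "1.0.0"
+LastUpdated: "2024-03-06"
+Category: Microsoft Sentinel Parser
+FunctionName: AlertsMalware
+FunctionAlias: AlertsMalware
+FunctionQuery: |
+let Alerts_Malware_View = view(){
+alertsmalwaredata_CL
+| extend
+Category = column_ifexists('Category', ''),
+Computer = column_ifexists('Computer', ''),
+MG = column_ifexists('MG', ''),
+ManagementGroupName = column_ifexists('ManagementGroupName', ''),
+RawData = column_ifexists('RawData', ''),
+SourceSystem = column_ifexists('SourceSystem', ''),
+TenantId = column_ifexists('TenantId', ''),
+TimeGenerated = column_ifexists('TimeGenerated', ''),
+Type = column_ifexists('Type', ''),
+_ResourceId = column_ifexists('_ResourceId', ''),
+Id = column_ifexists('_id_s', ''),
+AccessMethod = column_ifexists('access_method_s', ''),
+Acked = column_ifexists('acked_s', ''),
+Action = column_ifexists('action_s', ''),
+Activity = column_ifexists('activity_s', ''),
+AlertName = column_ifexists('alert_name_s', ''),
+Alert = column_ifexists('alert_s', ''),
+AlertType = column_ifexists('alert_type_s', ''),
+AppName = column_ifexists('app_name_s', ''),
+App = column_ifexists('app_s', ''),
+AppSessionId = column_ifexists('app_session_id_d', ''),
+AppCategory = column_ifexists('appcategory_s', ''),
+AppSuite = column_ifexists('appsuite_s', ''),
+Browser = column_ifexists('browser_s', ''),
+BrowserSessionId = column_ifexists('browser_session_id_d', ''),
+BrowserVersion = column_ifexists('browser_version_s', ''),
+CCI = column_ifexists('cci_d', ''),
+CCIString = column_ifexists('cci_s', ''),
+CCL = column_ifexists('ccl_s', ''),
+Company = column_ifexists('company_s', ''),
+ConnectionId = column_ifexists('connection_id_d', ''),
+Count = column_ifexists('count_d', ''),
+CreatedDate = column_ifexists('created_date_d', ''),
+Department = column_ifexists('department_s', ''),
+DetectionEngine = column_ifexists('detection_engine_s', ''),
+DetectionType = column_ifexists('detection_type_s', ''),
+DeviceClassification = column_ifexists('device_classification_s', ''),
+Device = column_ifexists('device_s', ''),
+DestinationCountry = column_ifexists('dst_country_s', ''),
+DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
+DestinationLatitude = column_ifexists('dst_latitude_d', ''),
+DestinationLocation = column_ifexists('dst_location_s', ''),
+DestinationLongitude = column_ifexists('dst_longitude_d', ''),
+DestinationRegion = column_ifexists('dst_region_s', ''),
+DestinationTimezone = column_ifexists('dst_timezone_s', ''),
+DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
+DestinationIp = column_ifexists('dstip_s', ''),
+FastscanResults = column_ifexists('fastscan_results_s', ''),
+FileCategory = column_ifexists('file_category_s', ''),
+FileId = column_ifexists('file_id_s', ''),
+FileName1 = column_ifexists('file_name_s', ''),
+FilePath = column_ifexists('file_path_s', ''),
+FileSize = column_ifexists('file_size_d', ''),
+FileType = column_ifexists('file_type_s', ''),
+FileName2 = column_ifexists('filename_s', ''),
+FromUser = column_ifexists('from_user_s', ''),
+HostName = column_ifexists('hostname_s', ''),
+IncidentId = column_ifexists('incident_id_d', ''),
+InstanceId = column_ifexists('instance_id_s', ''),
+Instance = column_ifexists('instance_s', ''),
+LocalMd5 = column_ifexists('local_md5_s', ''),
+LocalSha256 = column_ifexists('local_sha256_s', ''),
+MalwareId = column_ifexists('malware_id_s', ''),
+MalwareName = column_ifexists('malware_name_s', ''),
+MalwareProfile = column_ifexists('malware_profile_s', ''),
+MalwareSeverity = column_ifexists('malware_severity_s', ''),
+MalwareType = column_ifexists('malware_type_s', ''),
+ManagedApp = column_ifexists('managed_app_s', ''),
+ManagementId = column_ifexists('managementID_s', ''),
+Manager = column_ifexists('manager_s', ''),
+Md5 = column_ifexists('md5_g', ''),
+MimeType = column_ifexists('mime_type_s', ''),
+MlDetection = column_ifexists('ml_detection_s', ''),
+ModifiedDate = column_ifexists('modified_date_d', ''),
+Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),
+ObjectId = column_ifexists('object_id_s', ''),
+Object = column_ifexists('object_s', ''),
+ObjectType = column_ifexists('object_type_s', ''),
+OrganizationUnit = column_ifexists('organization_unit_s', ''),
+OS = column_ifexists('os_s', ''),
+OsVersion = column_ifexists('os_version_s', ''),
+Page = column_ifexists('page_s', ''),
+PageSite = column_ifexists('page_site_s', ''),
+ParentId = column_ifexists('parent_id_s', ''),
+PolicyId = column_ifexists('policy_id_s', ''),
+Policy = column_ifexists('policy_s', ''),
+Protocol = column_ifexists('protocol_s', ''),
+Referer = column_ifexists('referer_s', ''),
+RequestId = column_ifexists('request_id_s', ''),
+SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),
+ScanTime = column_ifexists('scan_time_d', ''),
+ScanType = column_ifexists('scan_type_s', ''),
+ScannerResult = column_ifexists('scanner_result_s', ''),
+SeverityId = column_ifexists('severity_id_d', ''),
+Severity = column_ifexists('severity_s', ''),
+SHA1 = column_ifexists('sha1_s', ''),
+SharedType = column_ifexists('shared_type_s', ''),
+SharedWith = column_ifexists('shared_with_s', ''),
+Site = column_ifexists('site_s', ''),
+SourceCountry = column_ifexists('src_country_s', ''),
+SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
+SourceLatitude = column_ifexists('src_latitude_d', ''),
+SourceLocation = column_ifexists('src_location_s', ''),
+SourceLongitude = column_ifexists('src_longitude_d', ''),
+SourceRegion = column_ifexists('src_region_s', ''),
+SourceTime = column_ifexists('src_time_s', ''),
+SourceTimezone = column_ifexists('src_timezone_s', ''),
+SourceZipcode = column_ifexists('src_zipcode_s', ''),
+SourceIp = column_ifexists('srcip_s', ''),
+Timestamp = column_ifexists('timestamp_d', ''),
+Title = column_ifexists('title_s', ''),
+TrafficType = column_ifexists('traffic_type_s', ''),
+TransactionId = column_ifexists('transaction_id_d', ''),
+TrueFileType = column_ifexists('true_filetype_s', ''),
+TssLicense = column_ifexists('tss_license_s', ''),
+TssMode = column_ifexists('tss_mode_s', ''),
+TssScan = column_ifexists('TSS_scan_s', ''),
+PolicyType = column_ifexists('type_s', ''),
+UrNormalized = column_ifexists('ur_normalized_s', ''),
+Url = column_ifexists('url_s', ''),
+UserCountry = column_ifexists('userCountry_s', ''),
+UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
+UserId = column_ifexists('user_id_s', ''),
+User = column_ifexists('user_s', ''),
+UserIp = column_ifexists('userip_s', ''),
+UsrDisplayName = column_ifexists('usr_display_name_s', ''),
+usrStatus = column_ifexists('usr_status_s', ''),
+usrTitle = column_ifexists('usr_title_s', ''),
+UsrUdfBusinessSegmentLevel1 = column_ifexists('usr_udf_businesssegmentlevel1_s', ''),
+UsrUdfBusinessSegmentLevel2 = column_ifexists('usr_udf_businesssegmentlevel2_s', ''),
+UsrUdfBusinessSegmentLevel3 = column_ifexists('usr_udf_businesssegmentlevel3_s', ''),
+UsrUdfBusinessSegmentLevel4 = column_ifexists('usr_udf_businesssegmentlevel4_s', ''),
+UsrUdfCompanyName = column_ifexists('usr_udf_companyname_s', ''),
+UsrUdfEmployeeId = column_ifexists('usr_udf_employeeid_s', ''),
+UsrUdfPrimaryDomain = column_ifexists('usr_udf_primarydomain_s', ''),
+UsrUdfSupervisorId = column_ifexists('usr_udf_supervisorid_s', ''),
+UsrUdfSupervisorName = column_ifexists('usr_udf_supervisorname_s', '')
+| project
+Category,
+Computer,
+MG,
+ManagementGroupName,
+RawData,
+SourceSystem,
+TenantId,
+TimeGenerated,
+Type,
+_ResourceId,
+Id,
+AccessMethod,
+Acked,
+Action,
+Activity,
+AlertName,
+Alert,
+AlertType,
+AppName,
+App,
+AppSessionId,
+AppCategory,
+AppSuite,
+Browser,
+BrowserSessionId,
+BrowserVersion,
+CCI,
+CCIString,
+CCL,
+Company,
+ConnectionId,
+Count,
+CreatedDate,
+Department,
+DetectionEngine,
+DetectionType,
+DeviceClassification,
+Device,
+DestinationCountry,
+DestinationGeoipSource,
+DestinationLatitude,
+DestinationLocation,
+DestinationLongitude,
+DestinationRegion,
+DestinationTimezone,
+DestinationZipcode,
+DestinationIp,
+FastscanResults,
+FileCategory,
+FileId,
+FileName1,
+FilePath,
+FileSize,
+FileType,
+FileName2,
+FromUser,
+HostName,
+IncidentId,
+InstanceId,
+Instance,
+LocalMd5,
+LocalSha256,
+MalwareId,
+MalwareName,
+MalwareProfile,
+MalwareSeverity,
+MalwareType,
+ManagedApp,
+ManagementId,
+Manager,
+Md5,
+MimeType,
+MlDetection,
+ModifiedDate,
+Nsdeviceuid,
+ObjectId,
+Object,
+ObjectType,
+OrganizationUnit,
+OS,
+OsVersion,
+Page,
+PageSite,
+ParentId,
+PolicyId,
+Policy,
+Protocol,
+Referer,
+RequestId,
+SanctionedInstance,
+ScanTime,
+ScanType,
+ScannerResult,
+SeverityId,
+Severity,
+SHA1,
+SharedType,
+SharedWith,
+Site,
+SourceCountry,
+SourceGeoIpSrc,
+SourceLatitude,
+SourceLocation,
+SourceLongitude,
+SourceRegion,
+SourceTime,
+SourceTimezone,
+SourceZipcode,
+SourceIp,
+Timestamp,
+Title,
+TrafficType,
+TransactionId,
+TrueFileType,
+TssLicense,
+TssMode,
+TssScan,
+PolicyType,
+UrNormalized,
+Url,
+UserCountry,
+UserPrincipalName,
+UserId,
+User,
+UserIp,
+UsrDisplayName,
+usrStatus,
+usrTitle,
+UsrUdfBusinessSegmentLevel1,
+UsrUdfBusinessSegmentLevel2,
+UsrUdfBusinessSegmentLevel3,
+UsrUdfBusinessSegmentLevel4,
+UsrUdfCompanyName,
+UsrUdfEmployeeId,
+UsrUdfPrimaryDomain,
+UsrUdfSupervisorId,
+UsrUdfSupervisorName
+};
+Alerts_Malware_View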
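Review bot: Every `column_ifexists` call in the `extend` block, including `TimeGenerated = column_ifexists('TimeGenerated', '')` and the numeric `_d` columns such as `cci_d`, `file_size_d` and `timestamp_d`, falls back to the string `''`, so the parser's output schema depends on which raw columns have been ingested so far and an analytic rule that compares `TimeGenerated` or `FileSize` as a datetime or number will behave differently on a sparse or empty table. Defaults of the expected type, e.g. `TimeGenerated = column_ifexists('TimeGenerated', datetime(null))` and `FileSize = column_ifexists('file_size_d', real(null))`, keep the schema stable; the same pattern appears in the AlertsPolicy and AlertsQuarantine parsers below. Separately, `Md5` is read from `md5_g` while `LocalMd5` is read from `local_md5_s`; if the md5 column is typed as a string on ingestion the hash most hunting queries key on silently becomes empty, which is worth confirming against a live workspace. `FileName1`/`FileName2` for `file_name_s`/`filename_s` give a reader no way to tell which field to use; a `//` comment in the query explaining how the two raw fields differ would help.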


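--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,447 @@
+id: f5604faf-5b55-40ff-b8c2-caa207124664
+Function:
+Title: Parser for AlertsPolicy
+Version: "1.0.0"
+LastUpdated: "2024-03-06"
+Category: Microsoft Sentinel Parser
+FunctionName: AlertsPolicy
+FunctionAlias: AlertsPolicy
+FunctionQuery: |
+let Alerts_Policy_View = view () {
+alertspolicydata_CL
+| extend
+Category = column_ifexists('Category', ''),
+Computer = column_ifexists('Computer', ''),
+MG = column_ifexists('MG', ''),
+ManagementGroupName = column_ifexists('ManagementGroupName', ''),
+RawData = column_ifexists('RawData', ''),
+SourceSystem = column_ifexists('SourceSystem', ''),
+TenantId = column_ifexists('TenantId', ''),
+TimeGenerated = column_ifexists('TimeGenerated', ''),
+Type = column_ifexists('Type', ''),
+_ResourceId = column_ifexists('_ResourceId', ''),
+Id = column_ifexists('_id_s', ''),
+AccessMethod = column_ifexists('access_method_s', ''),
+Acked = column_ifexists('acked_s', ''),
+ActUser = column_ifexists('act_user_s', ''),
+Action = column_ifexists('action_s', ''),
+Activity = column_ifexists('activity_s', ''),
+ActivityStatus = column_ifexists('activity_status_s', ''),
+ActivityType = column_ifexists('activity_type_s', ''),
+AggregatedUser = column_ifexists('aggregated_user_s', ''),
+Alert = column_ifexists('alert_s', ''),
+AlertName = column_ifexists('alert_name_s', ''),
+AlertType = column_ifexists('alert_type_s', ''),
+AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),
+App = column_ifexists('app_s', ''),
+AppActivity = column_ifexists('app_activity_s', ''),
+AppScopes = column_ifexists('app_scopes_s', ''),
+AppSessionId = column_ifexists('app_session_id_d', ''),
+AppCategory = column_ifexists('appcategory_s', ''),
+AppSuite = column_ifexists('appsuite_s', ''),
+BCC = column_ifexists('bcc_s', ''),
+Browser = column_ifexists('browser_s', ''),
+BrowserSessionId = column_ifexists('browser_session_id_d', ''),
+BrowserVersion = column_ifexists('browser_version_s', ''),
+CC = column_ifexists('cc_s', ''),
+CCI = column_ifexists('cci_d', ''),
+CCIString = column_ifexists('cci_s', ''),
+CCL = column_ifexists('ccl_s', ''),
+ClientBytes = column_ifexists('client_bytes_d', ''),
+ClientPackets = column_ifexists('client_packets_d', ''),
+ConnDuration = column_ifexists('conn_duration_d', ''),
+ConnectionId = column_ifexists('connection_id_d', ''),
+Count = column_ifexists('count_d', ''),
+CustomConnector = column_ifexists('custom_connector_s', ''),
+DataType = column_ifexists('data_type_s', ''),
+Device = column_ifexists('device_s', ''),
+DeviceClassification = column_ifexists('device_classification_s', ''),
+DisplayName = column_ifexists('displayName_s', ''),
+DistinguishedName = column_ifexists('distinguishedName_s', ''),
+Division = column_ifexists('division_s', ''),
+DlpFailReason = column_ifexists('dlp_fail_reason_s', ''),
+DlpProfile = column_ifexists('dlp_profile_s', ''),
+DlpScanFailed = column_ifexists('dlp_scan_failed_s', ''),
+DestinationCountry = column_ifexists('dst_country_s', ''),
+DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),
+DestinationLatitude = column_ifexists('dst_latitude_d', ''),
+DestinationLocation = column_ifexists('dst_location_s', ''),
+DestinationLongitude = column_ifexists('dst_longitude_d', ''),
+DestinationRegion = column_ifexists('dst_region_s', ''),
+DestinationTimezone = column_ifexists('dst_timezone_s', ''),
+DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
+DestinationHost = column_ifexists('dsthost_s', ''),
+DestinationIp = column_ifexists('dstip_s', ''),
+DestinationPort = column_ifexists('dstport_d', ''),
+DynamicClassification = column_ifexists('dynamic_classification_s', ''),
+EncryptFailure = column_ifexists('encrypt_failure_s', ''),
+EndTime = column_ifexists('end_time_s', ''),
+EventType = column_ifexists('event_type_s', ''),
+Exposure = column_ifexists('exposure_s', ''),
+ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),
+FileCategory = column_ifexists('file_category_s', ''),
+FileId = column_ifexists('file_id_s', ''),
+FilePath = column_ifexists('file_path_s', ''),
+FileSize = column_ifexists('file_size_d', ''),
+FileType = column_ifexists('file_type_s', ''),
+ForwardToProxyXau = column_ifexists('forward_to_proxy_xau_s', ''),
+FromObject = column_ifexists('from_object_s', ''),
+FromStorage = column_ifexists('from_storage_s', ''),
+FromUser = column_ifexists('from_user_s', ''),
+Gateway = column_ifexists('gateway_s', ''),
+Group = column_ifexists('group_s', ''),
+Hostname = column_ifexists('hostname_s', ''),
+HttpStatus = column_ifexists('http_status_s', ''),
+IncidentId = column_ifexists('incident_id_d', ''),
+Instance = column_ifexists('instance_s', ''),
+InstanceId = column_ifexists('instance_id_s', ''),
+InternalCollaboratorCount = column_ifexists('internal_collaborator_count_d', ''),
+IpProtocol = column_ifexists('ip_protocol_s', ''),
+JustificationReason = column_ifexists('justification_reason_s', ''),
+JustificationType = column_ifexists('justification_type_s', ''),
+LastName = column_ifexists('last_name_s', ''),
+LogFileName = column_ifexists('log_file_name_s', ''),
+Mail = column_ifexists('mail_s', ''),
+Malicious = column_ifexists('malicious_s', ''),
+MalsiteCategory = column_ifexists('malsite_category_s', ''),
+MalwareId = column_ifexists('malware_id_s', ''),
+MalwareName = column_ifexists('malware_name_s', ''),
+MalwareSeverity = column_ifexists('malware_severity_s', ''),
+MalwareType = column_ifexists('malware_type_s', ''),
+ManagedApp = column_ifexists('managed_app_s', ''),
+ManagementId = column_ifexists('managementID_s', ''),
+Manager = column_ifexists('manager_s', ''),
+Md5 = column_ifexists('md5_g', ''),
+MemberOf = column_ifexists('memberOf_s', ''),
+MessageId = column_ifexists('message_id_s', ''),
+MessageSize = column_ifexists('message_size_d', ''),
+MimeType = column_ifexists('mime_type_s', ''),
+Modified = column_ifexists('modified_d', ''),
+Network = column_ifexists('network_s', ''),
+NetworkSessionId = column_ifexists('network_session_id_s', ''),
+NotifyTemplate = column_ifexists('notify_template_s', ''),
+Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),
+NumSessions = column_ifexists('num_sessions_d', ''),
+NumBytes = column_ifexists('numbytes_d', ''),
+Object = column_ifexists('object_s', ''),
+ObjectCount = column_ifexists('object_count_d', ''),
+ObjectId = column_ifexists('object_id_s', ''),
+ObjectType = column_ifexists('object_type_s', ''),
+Org = column_ifexists('org_s', ''),
+OrganizationUnit = column_ifexists('organization_unit_s', ''),
+OrignalFilePath = column_ifexists('orignal_file_path_s', ''),
+OS = column_ifexists('os_s', ''),
+OsVersion = column_ifexists('os_version_s', ''),
+OtherCategories = column_ifexists('other_categories_s', ''),
+Owner = column_ifexists('owner_s', ''),
+Page = column_ifexists('page_s', ''),
+PageSite = column_ifexists('page_site_s', ''),
+ParentId = column_ifexists('parent_id_s', ''),
+Policy = column_ifexists('policy_s', ''),
+PolicyId = column_ifexists('policy_id_s', ''),
+PolicyType = column_ifexists('type_s', ''),
+ProfileEmails = column_ifexists('profile_emails_s', ''),
+Protocol = column_ifexists('protocol_s', ''),
+ProtocolPort = column_ifexists('protocol_port_s', ''),
+PublisherCn = column_ifexists('publisher_cn_s', ''),
+PublisherName = column_ifexists('publisher_name_s', ''),
+QAdmin = column_ifexists('q_admin_s', ''),
+QApp = column_ifexists('q_app_s', ''),
+QInstance = column_ifexists('q_instance_s', ''),
+QOriginalFilename = column_ifexists('q_original_filename_s', ''),
+QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),
+QOriginalShared = column_ifexists('q_original_shared_s', ''),
+QOriginalVersion = column_ifexists('q_original_version_s', ''),
+QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),
+QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),
+QuarantineProfile = column_ifexists('quarantine_profile_s', ''),
+QuarantineProfileId = column_ifexists('quarantine_profile_id_s', ''),
+RedirectUrl = column_ifexists('redirect_url_s', ''),
+Referer = column_ifexists('referer_s', ''),
+RemediationProfile = column_ifexists('remediation_profile_s', ''),
+ReqCnt = column_ifexists('req_cnt_d', ''),
+RequestId = column_ifexists('request_id_s', ''),
+RespCnt = column_ifexists('resp_cnt_d', ''),
+RiskLevel = column_ifexists('risk_level_s', ''),
+SAMAccountName = column_ifexists('sAMAccountName_s', ''),
+SAMAccountType = column_ifexists('sAMAccountType_s', ''),
+SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),
+ScanType = column_ifexists('scan_type_s', ''),
+Sender = column_ifexists('sender_s', ''),
+Serial = column_ifexists('serial_s', ''),
+ServerBytes = column_ifexists('server_bytes_d', ''),
+ServerPackets = column_ifexists('server_packets_d', ''),
+SessionDuration = column_ifexists('session_duration_d', ''),
+SessionId = column_ifexists('sessionid_s', ''),
+Severity = column_ifexists('severity_s', ''),
+Sfwder = column_ifexists('sfwder_s', ''),
+SharedDomains = column_ifexists('shared_domains_s', ''),
+SharedWith = column_ifexists('shared_with_s', ''),
+Site = column_ifexists('site_s', ''),
+SmtpStatus = column_ifexists('smtp_status_s', ''),
+SmtpTo = column_ifexists('smtp_to_s', ''),
+SourceCountry = column_ifexists('src_country_s', ''),
+SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),
+SourceLatitude = column_ifexists('src_latitude_d', ''),
+SourceLocation = column_ifexists('src_location_s', ''),
+SourceLongitude = column_ifexists('src_longitude_d', ''),
+SourceRegion = column_ifexists('src_region_s', ''),
+SourceTime = column_ifexists('src_time_s', ''),
+SourceTimezone = column_ifexists('src_timezone_s', ''),
+SourceZipcode = column_ifexists('src_zipcode_s', ''),
+SourceIp = column_ifexists('srcip_s', ''),
+SourcePort = column_ifexists('srcport_d', ''),
+StartTime = column_ifexists('start_time_s', ''),
+SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
+SuppressionKey = column_ifexists('suppression_key_s', ''),
+SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
+TelemetryApp = column_ifexists('telemetry_app_s', ''),
+ThreatMatchField = column_ifexists('threat_match_field_s', ''),
+ThreatMatchValue = column_ifexists('threat_match_value_s', ''),
+ThreatSourceId = column_ifexists('threat_source_id_d', ''),
+Timestamp = column_ifexists('timestamp_d', ''),
+Title = column_ifexists('Title_s', ''),
+ToObject = column_ifexists('to_object_s', ''),
+ToStorage = column_ifexists('to_storage_s', ''),
+ToUser = column_ifexists('to_user_s', ''),
+TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),
+TotalPackets = column_ifexists('total_packets_d', ''),
+TrafficType = column_ifexists('traffic_type_s', ''),
+TransactionId = column_ifexists('transaction_id_d', ''),
+TrustComputerChecked = column_ifexists('trust_computer_checked_s', ''),
+TssFailReason = column_ifexists('tss_fail_reason_s', ''),
+TssMode = column_ifexists('tss_mode_s', ''),
+TssScanFailed = column_ifexists('tss_scan_failed_s', ''),
+TssScan = column_ifexists('TSS_scan_s', ''),
+TunnelId = column_ifexists('tunnel_id_s', ''),
+TunnelType = column_ifexists('tunnel_type_s', ''),
+TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),
+TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),
+UniversalConnector = column_ifexists('universal_connector_s', ''),
+UrNormalized = column_ifexists('ur_normalized_s', ''),
+Url = column_ifexists('url_s', ''),
+User = column_ifexists('user_s', ''),
+UserId = column_ifexists('user_id_s', ''),
+UserTmp = column_ifexists('user_tmp_s', ''),
+UserAgent = column_ifexists('useragent_s', ''),
+UserCountry = column_ifexists('userCountry_s', ''),
+UserIp = column_ifexists('userip_s', '')
+| project
+Category,
+Computer,
+MG,
+ManagementGroupName,
+RawData,
+SourceSystem,
+TenantId,
+TimeGenerated,
+Type,
+_ResourceId,
+Id,
+AccessMethod,
+Acked,
+ActUser,
+Action,
+Activity,
+ActivityStatus,
+ActivityType,
+AggregatedUser,
+Alert,
+AlertName,
+AlertType,
+AllPolicyMatches,
+App,
+AppActivity,
+AppScopes,
+AppSessionId,
+AppCategory,
+AppSuite,
+BCC,
+Browser,
+BrowserSessionId,
+BrowserVersion,
+CC,
+CCI,
+CCIString,
+CCL,
+ClientBytes,
+ClientPackets,
+ConnDuration,
+ConnectionId,
+Count,
+CustomConnector,
+DataType,
+Device,
+DeviceClassification,
+DisplayName,
+DistinguishedName,
+Division,
+DlpFailReason,
+DlpProfile,
+DlpScanFailed,
+DestinationCountry,
+DestinationGeoIpSource,
+DestinationLatitude,
+DestinationLocation,
+DestinationLongitude,
+DestinationRegion,
+DestinationTimezone,
+DestinationZipcode,
+DestinationHost,
+DestinationIp,
+DestinationPort,
+DynamicClassification,
+EncryptFailure,
+EndTime,
+EventType,
+Exposure,
+ExternalCollaboratorCount,
+FileCategory,
+FileId,
+FilePath,
+FileSize,
+FileType,
+ForwardToProxyXau,
+FromObject,
+FromStorage,
+FromUser,
+Gateway,
+Group,
+Hostname,
+HttpStatus,
+IncidentId,
+Instance,
+InstanceId,
+InternalCollaboratorCount,
+IpProtocol,
+JustificationReason,
+JustificationType,
+LastName,
+LogFileName,
+Mail,
+Malicious,
+MalsiteCategory,
+MalwareId,
+MalwareName,
+MalwareSeverity,
+MalwareType,
+ManagedApp,
+ManagementId,
+Manager,
+Md5,
+MemberOf,
+MessageId,
+MessageSize,
+MimeType,
+Modified,
+Network,
+NetworkSessionId,
+NotifyTemplate,
+Nsdeviceuid,
+NumSessions,
+NumBytes,
+Object,
+ObjectCount,
+ObjectId,
+ObjectType,
+Org,
+OrganizationUnit,
+OrignalFilePath,
+OS,
+OsVersion,
+OtherCategories,
+Owner,
+Page,
+PageSite,
+ParentId,
+Policy,
+PolicyId,
+PolicyType,
+ProfileEmails,
+Protocol,
+ProtocolPort,
+PublisherCn,
+PublisherName,
+QAdmin,
+QApp,
+QInstance,
+QOriginalFilename,
+QOriginalFilepath,
+QOriginalShared,
+QOriginalVersion,
+QuarantineFileId,
+QuarantineFileName,
+QuarantineProfile,
+QuarantineProfileId,
+RedirectUrl,
+Referer,
+RemediationProfile,
+ReqCnt,
+RequestId,
+RespCnt,
+RiskLevel,
+SAMAccountName,
+SAMAccountType,
+SanctionedInstance,
+ScanType,
+Sender,
+Serial,
+ServerBytes,
+ServerPackets,
+SessionDuration,
+SessionId,
+Severity,
+Sfwder,
+SharedDomains,
+SharedWith,
+Site,
+SmtpStatus,
+SmtpTo,
+SourceCountry,
+SourceGeoIpSource,
+SourceLatitude,
+SourceLocation,
+SourceLongitude,
+SourceRegion,
+SourceTime,
+SourceTimezone,
+SourceZipcode,
+SourceIp,
+SourcePort,
+StartTime,
+SuppressionEndTime,
+SuppressionKey,
+SuppressionStartTime,
+TelemetryApp,
+ThreatMatchField,
+ThreatMatchValue,
+ThreatSourceId,
+Timestamp,
+Title,
+ToObject,
+ToStorage,
+ToUser,
+TotalCollaboratorCount,
+TotalPackets,
+TrafficType,
+TransactionId,
+TrustComputerChecked,
+TssFailReason,
+TssMode,
+TssScanFailed,
+TssScan,
+TunnelId,
+TunnelType,
+TunnelUpTime,
+TwoFactorAuth,
+UniversalConnector,
+UrNormalized,
+Url,
+User,
+UserId,
+UserTmp,
+UserAgent,
+UserCountry,
+UserIp
+};
+Alerts_Policy_View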
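Review bot: `Title = column_ifexists('Title_s', '')` reads a capitalised raw column while the AlertsMalware parser reads `title_s`; KQL column names are case-sensitive, so one of the two will silently return an empty `Title`, and the pair should be checked against the columns actually present in the workspace. The normalised names also drift between the parsers in ways that break cross-table `union` and `join` queries: `DestinationGeoIpSource`/`SourceGeoIpSource` here versus `DestinationGeoipSource`/`SourceGeoIpSrc` in AlertsMalware, `Hostname` versus `HostName`, `NumBytes` here versus `Numbytes` in the preceding malsite view, `ReqCnt`/`RespCnt` versus `RequestCount`/`ResponseCount`, and `OrignalFilePath` here versus `OriginalFilePath` in AlertsQuarantine for the same `orignal_file_path_s` column. Choosing one spelling per raw field and reusing it in every parser (for example `OriginalFilePath`, `HostName`, `NumBytes`) would let a detection be written once against the common column set.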


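--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,157 @@
+id: 7b72ab0b-8629-42fd-aacc-601f79e5f89d
+Function:
+Title: Parser for AlertsQuarantine
+Version: "1.0.0"
+LastUpdated: "2024-03-06"
+Category: Microsoft Sentinel Parser
+FunctionName: AlertsQuarantine
+FunctionAlias: AlertsQuarantine
+FunctionQuery: |
+let ALert_Quarantine_View = view (){
+alertsquarantinedata_CL
+| extend TenantId = column_ifexists('TenantId', ''),
+SourceSystem = column_ifexists('SourceSystem', ''),
+MG = column_ifexists('MG', ''),
+ManagementGroupName = column_ifexists('ManagementGroupName', ''),
+Category = column_ifexists('Category', ''),
+_ResourceId = column_ifexists('_ResourceId', ''),
+TimeGenerated = column_ifexists('TimeGenerated', ''),
+Computer = column_ifexists('Computer', ''),
+RawData = column_ifexists('RawData', ''),
+Type = column_ifexists('Type', ''),
+Id = column_ifexists('_id_s', ''),
+AccessMethod = column_ifexists('access_method_s', ''),
+Acked = column_ifexists('acked_s', ''),
+Action = column_ifexists('action_s', ''),
+Alert = column_ifexists('alert_s', ''),
+AlertName = column_ifexists('alert_name_s', ''),
+AlertType = column_ifexists('alert_type_s', ''),
+App = column_ifexists('app_s', ''),
+AppCategory = column_ifexists('appcategory_s', ''),
+Browser = column_ifexists('browser_s', ''),
+CCI = column_ifexists('cci_d', ''),
+CCIString = column_ifexists('cci_s', ''),
+CCL = column_ifexists('ccl_s', ''),
+Count = column_ifexists('count_d', ''),
+Department = column_ifexists('department_s', ''),
+DepartmentNumber = column_ifexists('departmentNumber_s', ''),
+Device = column_ifexists('device_s', ''),
+DlpProfile = column_ifexists('dlp_profile_s', ''),
+Exposure = column_ifexists('exposure_s', ''),
+FileId = column_ifexists('file_id_s', ''),
+FilePath = column_ifexists('file_path_s', ''),
+FileSize = column_ifexists('file_size_d', ''),
+FileType = column_ifexists('file_type_s', ''),
+FromUser = column_ifexists('from_user_s', ''),
+InstanceId = column_ifexists('instance_id_s', ''),
+Manager = column_ifexists('manager_s', ''),
+Md5 = column_ifexists('md5_g', ''),
+MimeType = column_ifexists('mime_type_s', ''),
+Modified = column_ifexists('modified_d', ''),
+Object = column_ifexists('object_s', ''),
+ObjectId = column_ifexists('object_id_s', ''),
+ObjectType = column_ifexists('object_type_s', ''),
+OrganizationUnit = column_ifexists('organization_unit_s', ''),
+OriginalFilePath = column_ifexists('orignal_file_path_s', ''),
+OS = column_ifexists('os_s', ''),
+Owner = column_ifexists('owner_s', ''),
+OtherCategories = column_ifexists('other_categories_s', ''),
+Policy = column_ifexists('policy_s', ''),
+ProfileEmails = column_ifexists('profile_emails_s', ''),
+QAdmin = column_ifexists('q_admin_s', ''),
+QApp = column_ifexists('q_app_s', ''),
+QInstance = column_ifexists('q_instance_s', ''),
+QOriginalFilename = column_ifexists('q_original_filename_s', ''),
+QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),
+QOriginalShared = column_ifexists('q_original_shared_s', ''),
+QOriginalVersion = column_ifexists('q_original_version_s', ''),
+QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),
+QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),
+QuarantineProfile = column_ifexists('quarantine_profile_s', ''),
+QuarantineProfileId = column_ifexists('quarantine_profile_id_s', ''),
+ScanType = column_ifexists('scan_type_s', ''),
+SharedWith = column_ifexists('shared_with_s', ''),
+Site = column_ifexists('site_s', ''),
+SuppressionKey = column_ifexists('suppression_key_s', ''),
+Timestamp = column_ifexists('timestamp_d', ''),
+TrafficType = column_ifexists('traffic_type_s', ''),
+PolicyType = column_ifexists('type_s', ''),
+Url = column_ifexists('url_s', ''),
+UrNormalized = column_ifexists('ur_normalized_s', ''),
+User = column_ifexists('user_s', ''),
+UserId = column_ifexists('user_id_s', ''),
+UserKey = column_ifexists('userkey_s', '')
+| project TenantId,
+SourceSystem,
+MG,
+ManagementGroupName,
+Category,
+_ResourceId,
+TimeGenerated,
+Computer,
+RawData,
+Type,
+Id,
+AccessMethod,
+Acked,
+Action,
+Alert,
+AlertName,
+AlertType,
+App,
+AppCategory,
+Browser,
+CCI,
+CCIString,
+CCL,
+Count,
+Department,
+DepartmentNumber,
+Device,
+DlpProfile,
+Exposure,
+FileId,
+FilePath,
+FileSize,
+FileType,
+FromUser,
+InstanceId,
+Manager,
+Md5,
+MimeType,
+Modified,
+Object,
+ObjectId,
+ObjectType,
+OrganizationUnit,
+OriginalFilePath,
+OS,
+Owner,
+OtherCategories,
+Policy,
+ProfileEmails,
+QAdmin,
+QApp,
+QInstance,
+QOriginalFilename,
+QOriginalFilepath,
+QOriginalShared,
+QOriginalVersion,
+QuarantineFileId,
+QuarantineFileName,
+QuarantineProfile,
+QuarantineProfileId,
+ScanType,
+SharedWith,
+Site,
+SuppressionKey,
+Timestamp,
+TrafficType,
+PolicyType,
+Url,
+UrNormalized,
+User,
+UserId,
+UserKey
+};
+ALert_Quarantine_View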
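Review bot: The view is declared as `let ALert_Quarantine_View = view (){` and invoked as `ALert_Quarantine_View`; the two names agree so the function runs, but the `ALert` capitalisation differs from every sibling (`Alerts_Malware_View`, `Alerts_Policy_View`, `Alerts_Remediation_View`) and reads as a typo, so `let Alerts_Quarantine_View = view (){` with a matching final line is the obvious fix. `OriginalFilePath` is read from `orignal_file_path_s`; if that spelling mirrors the raw field as Netskope emits it (the AlertsPolicy parser reads the same column), a short `//` comment in the query saying so would stop the next maintainer from "correcting" the raw name and breaking the mapping. This `project` list also begins with `TenantId` rather than `Category` as in the other parsers, which is harmless but makes the files harder to diff against one another.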


@ -0,0 +1,205 @@
id: 7ac7ac9a-4020-46a0-9ab0-5d14de8a149c
Function:
Title: Parser for AlertsRemediation
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsRemediation
FunctionAlias: AlertsRemediation
FunctionQuery: |
let Alerts_Remediation_View = view (){
alertsremediationdata_CL
| extend Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Acked = column_ifexists('acked_s', ''),
Action = column_ifexists('action_s', ''),
ActionsTaken = column_ifexists('actions_taken_s', ''),
Activity = column_ifexists('activity_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSuite = column_ifexists('appsuite_s', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
Count = column_ifexists('count_d', ''),
DeviceClassification = column_ifexists('device_classification_s', ''),
Device = column_ifexists('device_s', ''),
DlpProfile = column_ifexists('dlp_profile_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
EdrApp = column_ifexists('edr_app_s', ''),
EndpointCount = column_ifexists('endpoint_count_d', ''),
Endpoints = column_ifexists('endpoints_s', ''),
FileSize = column_ifexists('file_size_d', ''),
FileType = column_ifexists('file_type_s', ''),
FromUser = column_ifexists('from_user_s', ''),
HostName = column_ifexists('hostname_s', ''),
IncidentId = column_ifexists('incident_id_d', ''),
InstanceId = column_ifexists('instance_id_s', ''),
MalwareId = column_ifexists('malware_id_s', ''),
MalwareName = column_ifexists('malware_name_s', ''),
MalwareSeverity = column_ifexists('malware_severity_s', ''),
MalwareType = column_ifexists('malware_type_s', ''),
ManagedApp = column_ifexists('managed_app_s', ''),
ManagementId = column_ifexists('managementID_s', ''),
Md5 = column_ifexists('md5_g', ''),
NotifyTemplate = column_ifexists('notify_template_s', ''),
Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
Page = column_ifexists('page_s', ''),
PageSite = column_ifexists('page_site_s', ''),
PolicyId = column_ifexists('policy_id_s', ''),
Policy = column_ifexists('policy_s', ''),
ProfileHits = column_ifexists('profile_hits_s', ''),
Protocol = column_ifexists('protocol_s', ''),
RemediationProfile = column_ifexists('remediation_profile_s', ''),
RequestId = column_ifexists('request_id_s', ''),
SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),
Severity = column_ifexists('severity_s', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
TssMode = column_ifexists('tss_mode_s', ''),
PolicyType = column_ifexists('type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
User = column_ifexists('user_s', ''),
Userip = column_ifexists('userip_s', '')
|project Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
Acked,
Action,
ActionsTaken,
Activity,
AlertName,
Alert,
AlertType,
AllPolicyMatches,
App,
AppSessionId,
AppCategory,
AppSuite,
Browser,
BrowserSessionId,
CCI,
CCIString,
CCL,
ConnectionId,
Count,
DeviceClassification,
Device,
DlpProfile,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationIp,
EdrApp,
EndpointCount,
Endpoints,
FileSize,
FileType,
FromUser,
HostName,
IncidentId,
InstanceId,
MalwareId,
MalwareName,
MalwareSeverity,
MalwareType,
ManagedApp,
ManagementId,
Md5,
NotifyTemplate,
Nsdeviceuid,
Object,
ObjectType,
OrganizationUnit,
OS,
OsVersion,
Page,
PageSite,
PolicyId,
Policy,
ProfileHits,
Protocol,
RemediationProfile,
RequestId,
SanctionedInstance,
Severity,
Site,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
Timestamp,
TrafficType,
TransactionId,
TssMode,
PolicyType,
UrNormalized,
Url,
User,
Userip
};
Alerts_Remediation_View
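Review bot: The two geo-source aliases in this hunk are named inconsistently: `DestinationGeoipSource = column_ifexists('dst_geoip_src_d', '')` versus `SourceGeoIpSrc = column_ifexists('src_geoip_src_d', '')`, and the same pair recurs in the AlertsUba and EventsApplication parsers of this commit; one of them should follow the other (e.g. `SourceGeoipSource`). `Userip` here also differs from `UserIp` in the AlertsUba and EventsApplication parsers for the same `userip_s` column, so an analytic rule or workbook written once against these functions would fail on the column name in one of them. A parser is the contract detections bind to, so aligning alias names before the first release avoids a breaking rename later. The numeric and datetime source columns (`*_d`, `TimeGenerated`) are also given a string `''` default, which appears to make the output column's type depend on whether the source column exists yet in the workspace; a typed default such as `real(null)` or `datetime(null)` keeps the function's schema stable.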


@ -0,0 +1,129 @@
id: 1c41c3ba-678f-4b7b-9f98-b1e0377bc993
Function:
Title: Parser for AlertsSecurityAssessment
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsSecurityAssessment
FunctionAlias: AlertsSecurityAssessment
FunctionQuery: |
let Alerts_Security_Assessment_View = view ( ) {
alertssecurityassessmentdata_CL
| extend
Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
AccountId = column_ifexists('account_id_s', ''),
AccountName = column_ifexists('account_name_s', ''),
Acked = column_ifexists('acked_s', ''),
Action = column_ifexists('action_s', ''),
Activity = column_ifexists('activity_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertName = column_ifexists('alert_name_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
App = column_ifexists('app_s', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AssetId = column_ifexists('asset_id_s', ''),
AssetObjectId = column_ifexists('asset_object_id_s', ''),
Browser = column_ifexists('browser_s', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
ComplianceStandards = column_ifexists('compliance_standards_s', ''),
Count = column_ifexists('count_d', ''),
Device = column_ifexists('device_s', ''),
IaasAssetTags = column_ifexists('iaas_asset_tags_s', ''),
IaasRemediated = column_ifexists('iaas_remediated_s', ''),
InstanceId = column_ifexists('instance_id_s', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
Policy = column_ifexists('policy_s', ''),
PolicyId = column_ifexists('policy_id_d', ''),
PolicyType = column_ifexists('type_s', ''),
RegionId = column_ifexists('region_id_s', ''),
RegionName = column_ifexists('region_name_s', ''),
ResourceCategory = column_ifexists('resource_category_s', ''),
ResourceGroup = column_ifexists('resource_group_s', ''),
SaProfileId = column_ifexists('sa_profile_id_d', ''),
SaProfileName = column_ifexists('sa_profile_name_s', ''),
SaRuleId = column_ifexists('sa_rule_id_s', ''),
SaRuleName = column_ifexists('sa_rule_name_s', ''),
SaRuleSeverity = column_ifexists('sa_rule_severity_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
Site = column_ifexists('site_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
User = column_ifexists('user_s', ''),
UserKey = column_ifexists('userkey_s', '')
| project
Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
AccountId,
AccountName,
Acked,
Action,
Activity,
Alert,
AlertName,
AlertType,
App,
AppCategory,
AssetId,
AssetObjectId,
Browser,
CCI,
CCIString,
CCL,
ComplianceStandards,
Count,
Device,
IaasAssetTags,
IaasRemediated,
InstanceId,
Object,
ObjectType,
OrganizationUnit,
OS,
Policy,
PolicyId,
PolicyType,
RegionId,
RegionName,
ResourceCategory,
ResourceGroup,
SaProfileId,
SaProfileName,
SaRuleId,
SaRuleName,
SaRuleSeverity,
SAMAccountName,
Site,
Timestamp,
TrafficType,
UrNormalized,
User,
UserKey
};
Alerts_Security_Assessment_View
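Review bot: `PolicyId = column_ifexists('policy_id_d', '')` reads the numeric-suffixed column while the AlertsRemediation and AlertsUba parsers in this commit read `policy_id_s`; if the ingested column for `alertssecurityassessmentdata_CL` is also the string variant, this alias will silently be empty for every row, so it is worth confirming against the actual table schema. `UserKey` here versus `Userkey` in the AlertsUba parser is the same `userkey_s` column under two spellings and should be aligned. The `view ( )` spacing also differs from the `view ()` form used by the sibling parsers; a consistent header makes the generated functions easier to diff.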


@ -0,0 +1,326 @@
id: 1038c863-722b-4ce2-88d7-3ffc0fc40043
Function:
Title: Parser for AlertsUba
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: AlertsUba
FunctionAlias: AlertsUba
FunctionQuery: |
let Alerts_Uda_view = view (){
alertsubadata_CL
| extend
Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
TssScan = column_ifexists('TSS_scan_s', ''),
AccountType = column_ifexists('AccountType_s', ''),
UserSPACEId = column_ifexists('User_SPACE_Id_s', ''),
UserSPACEName = column_ifexists('User_SPACE_Name_s', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Acked = column_ifexists('acked_s', ''),
ActUser = column_ifexists('act_user_s', ''),
Action = column_ifexists('action_s', ''),
Activity = column_ifexists('activity_s', ''),
ActivityStatus = column_ifexists('activity_status_s', ''),
AlertId = column_ifexists('alert_id_g', ''),
AlertName = column_ifexists('alert_name_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),
AnomalyType = column_ifexists('anomaly_type_s', ''),
AppActivity = column_ifexists('app_activity_s', ''),
AppCategory_ = column_ifexists('app_category_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSuite = column_ifexists('appsuite_s', ''),
AuditCategory = column_ifexists('audit_category_s', ''),
AuditType = column_ifexists('audit_type_s', ''),
BinTimestamp = column_ifexists('bin_timestamp_d', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
BrowserVersion = column_ifexists('browser_version_s', ''),
CCI = column_ifexists('cci_d', ''),
CCL = column_ifexists('ccl_s', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
Count = column_ifexists('count_d', ''),
CreatedTime = column_ifexists('createdTime_s', ''),
DeviceClassification = column_ifexists('device_classification_s', ''),
Device = column_ifexists('device_s', ''),
DisplayName = column_ifexists('displayName_s', ''),
DistinguishedName = column_ifexists('distinguishedName_s', ''),
Division = column_ifexists('division_s', ''),
DownloadApp = column_ifexists('download_app_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
EmployeeType = column_ifexists('employeeType_s', ''),
EventType = column_ifexists('event_type_s', ''),
EventSourceChannel = column_ifexists('evt_src_chnl_s', ''),
FileCategory = column_ifexists('file_category_s', ''),
FileSize = column_ifexists('file_size_d', ''),
FileType = column_ifexists('file_type_s', ''),
FromUserCategory = column_ifexists('from_user_category_s', ''),
FromUser = column_ifexists('from_user_s', ''),
Group = column_ifexists('group_s', ''),
HostName = column_ifexists('hostname_s', ''),
IncidentId = column_ifexists('incident_id_d', ''),
InstanceId = column_ifexists('instance_id_s', ''),
LastApp = column_ifexists('last_app_s', ''),
LastCountry = column_ifexists('last_country_s', ''),
LastDevice = column_ifexists('last_device_s', ''),
LastLocation = column_ifexists('last_location_s', ''),
LastRegion = column_ifexists('last_region_s', ''),
LastTimestamp = column_ifexists('last_timestamp_d', ''),
LoginType = column_ifexists('logintype_s', ''),
LoginUrl = column_ifexists('loginurl_s', ''),
Mail = column_ifexists('mail_s', ''),
ManagedApp = column_ifexists('managed_app_s', ''),
ManagementId = column_ifexists('managementID_s', ''),
Manager = column_ifexists('manager_s', ''),
Md5 = column_ifexists('md5_g', ''),
NetskopeActivity = column_ifexists('netskope_activity_s', ''),
ObjectCount = column_ifexists('object_count_d', ''),
ObjectId = column_ifexists('object_id_g', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
Page = column_ifexists('page_s', ''),
PageSite = column_ifexists('page_site_s', ''),
ParentId = column_ifexists('parent_id_s', ''),
PolicyActions = column_ifexists('policy_actions_s', ''),
PolicyId = column_ifexists('policy_id_s', ''),
PolicyName = column_ifexists('policy_name_s', ''),
Policy = column_ifexists('policy_s', ''),
ProfileId = column_ifexists('profile_id_s', ''),
Protocol = column_ifexists('protocol_s', ''),
Referer = column_ifexists('referer_s', ''),
RequestId = column_ifexists('request_id_d', ''),
RiskLevelId = column_ifexists('risk_level_id_d', ''),
RiskLevel = column_ifexists('risk_level_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),
Scopes = column_ifexists('scopes_s', ''),
Score = column_ifexists('score_s', ''),
Severity = column_ifexists('severity_s', ''),
SharedCredentialUser = column_ifexists('shared_credential_user_s', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
Surhn = column_ifexists('surhn_s', ''),
TelemetryApp = column_ifexists('telemetry_app_s', ''),
Threshold = column_ifexists('threshold_d', ''),
ThresholdTime = column_ifexists('threshold_time_d', ''),
Timestamp = column_ifexists('timestamp_d', ''),
ToObject = column_ifexists('to_object_s', ''),
ToUserCategory = column_ifexists('to_user_category_s', ''),
ToUser = column_ifexists('to_user_s', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
TssFailReason = column_ifexists('tss_fail_reason_s', ''),
TssMode = column_ifexists('tss_mode_s', ''),
TssScanFailed = column_ifexists('tss_scan_failed_s', ''),
TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),
PolicyType = column_ifexists('type_s', ''),
UbaAp1 = column_ifexists('uba_ap1_s', ''),
UbaAp2 = column_ifexists('uba_ap2_s', ''),
UbaInst1 = column_ifexists('uba_inst1_s', ''),
UbaInst2 = column_ifexists('uba_inst2_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
UserCountry = column_ifexists('user_category_s', ''),
UserId = column_ifexists('user_id_s', ''),
UserName = column_ifexists('user_name_s', ''),
UserRole = column_ifexists('user_role_s', ''),
User = column_ifexists('user_s', ''),
Useragent = column_ifexists('useragent_s', ''),
UserIp = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', ''),
WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),
WindowId = column_ifexists('windowId_d', '')
| project Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
TssScan,
AccountType,
UserSPACEId,
UserSPACEName,
Id,
AccessMethod,
Acked,
ActUser,
Action,
Activity,
ActivityStatus,
AlertId,
AlertName,
Alert,
AlertType,
AllPolicyMatches,
AnomalyType,
AppActivity,
AppCategory_,
App,
AppSessionId,
AppCategory,
AppSuite,
AuditCategory,
AuditType,
BinTimestamp,
Browser,
BrowserSessionId,
BrowserVersion,
CCI,
CCL,
ConnectionId,
Count,
CreatedTime,
DeviceClassification,
Device,
DisplayName,
DistinguishedName,
Division,
DownloadApp,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationIp,
EmployeeType,
EventType,
EventSourceChannel,
FileCategory,
FileSize,
FileType,
FromUserCategory,
FromUser,
Group,
HostName,
IncidentId,
InstanceId,
LastApp,
LastCountry,
LastDevice,
LastLocation,
LastRegion,
LastTimestamp,
LoginType,
LoginUrl,
Mail,
ManagedApp,
ManagementId,
Manager,
Md5,
NetskopeActivity,
ObjectCount,
ObjectId,
Object,
ObjectType,
OrganizationUnit,
OS,
OsVersion,
Page,
PageSite,
ParentId,
PolicyActions,
PolicyId,
PolicyName,
Policy,
ProfileId,
Protocol,
Referer,
RequestId,
RiskLevelId,
RiskLevel,
SAMAccountName,
SanctionedInstance,
Scopes,
Score,
Severity,
SharedCredentialUser,
Site,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
SuppressionEndTime,
SuppressionStartTime,
Surhn,
TelemetryApp,
Threshold,
ThresholdTime,
Timestamp,
ToObject,
ToUserCategory,
ToUser,
TrafficType,
TransactionId,
TssFailReason,
TssMode,
TssScanFailed,
TwoFactorAuth,
PolicyType,
UbaAp1,
UbaAp2,
UbaInst1,
UbaInst2,
UrNormalized,
Url,
UserPrincipalName,
UserCountry,
UserId,
UserName,
UserRole,
User,
Useragent,
UserIp,
Userkey,
WebUniversalConnector,
WindowId
};
Alerts_Uda_view
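Review bot: `UserCountry = column_ifexists('user_category_s', '')` (in the extend and again in the project list) maps the user-category column to an alias that says country; the EventsApplication parser in this commit names the same column `UserCategory`, so the line should read `UserCategory = column_ifexists('user_category_s', ''),` with the project entry updated to match. `AppCategory_ = column_ifexists('app_category_s', '')` next to `AppCategory = column_ifexists('appcategory_s', '')` leaves two aliases distinguished only by a trailing underscore, which is easy to confuse in a query; a descriptive name, or a note on which of the two source columns is actually populated, would be clearer. The internal view name `Alerts_Uda_view` looks like a typo for Uba — harmless since it is only referenced on the last line, but worth fixing while the file is new.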


@ -0,0 +1,134 @@
id: 08956ab9-e6b5-4db3-919e-5c4d8e2d0e81
Function:
Title: Parser for EventIncident
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventIncident
FunctionAlias: EventIncident
FunctionQuery: |
let Event_Incidents_View = view (){
eventsincidentdata_CL
| extend
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
ActingUser = column_ifexists('acting_user_s', ''),
Activity = column_ifexists('activity_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
Assignee = column_ifexists('assignee_s', ''),
BCC = column_ifexists('bcc_s', ''),
CC = column_ifexists('cc_s', ''),
Channel = column_ifexists('channel_s', ''),
Classification = column_ifexists('classification_s', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
DestinationApp = column_ifexists('destination_app_s', ''),
DestinationInstanceId = column_ifexists('destination_instance_id_s', ''),
DestinationSite = column_ifexists('destination_site_s', ''),
DlpFile = column_ifexists('dlp_file_s', ''),
DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),
DlpMatchInfo = column_ifexists('dlp_match_info_s', ''),
DlpParentId = column_ifexists('dlp_parent_id_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
Exposure = column_ifexists('exposure_s', ''),
FileLang = column_ifexists('file_lang_s', ''),
FilePath = column_ifexists('file_path_s', ''),
FileSize = column_ifexists('file_size_d', ''),
FileType = column_ifexists('file_type_s', ''),
FromUser = column_ifexists('from_user_s', ''),
InlineDlpMatchInfo = column_ifexists('inline_dlp_match_info_s', ''),
InstanceId = column_ifexists('instance_id_s', ''),
Instance = column_ifexists('instance_s', ''),
LatestIncidentId = column_ifexists('latest_incident_id_d', ''),
Md5 = column_ifexists('md5_g', ''),
ObjectId = column_ifexists('object_id_s', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
OriginalFileSnapshotId = column_ifexists('original_file_snapshot_id_s', ''),
OwnerPdl = column_ifexists('owner_pdl_s', ''),
Owner = column_ifexists('owner_s', ''),
Referer = column_ifexists('referer_s', ''),
Severity = column_ifexists('severity_s', ''),
Site = column_ifexists('site_s', ''),
SrcLocation = column_ifexists('src_location_s', ''),
Status = column_ifexists('status_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
Title = column_ifexists('title_s', ''),
ToUser = column_ifexists('to_user_s', ''),
TrueObjCategory = column_ifexists('true_obj_category_s', ''),
TrueObjType = column_ifexists('true_obj_type_s', ''),
Url = column_ifexists('url_s', ''),
UserId = column_ifexists('user_id_s', ''),
User = column_ifexists('user_s', ''),
ZipFileId = column_ifexists('zip_file_id_s', '')
| project Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
ActingUser,
Activity,
App,
AppSessionId,
Assignee,
BCC,
CC,
Channel,
Classification,
ConnectionId,
DestinationApp,
DestinationInstanceId,
DestinationSite,
DlpFile,
DlpIncidentId,
DlpMatchInfo,
DlpParentId,
DestinationLocation,
Exposure,
FileLang,
FilePath,
FileSize,
FileType,
FromUser,
InlineDlpMatchInfo,
InstanceId,
Instance,
LatestIncidentId,
Md5,
ObjectId,
Object,
ObjectType,
OriginalFileSnapshotId,
OwnerPdl,
Owner,
Referer,
Severity,
Site,
SrcLocation,
Status,
Timestamp,
Title,
ToUser,
TrueObjCategory,
TrueObjType,
Url,
UserId,
User,
ZipFileId
};
Event_Incidents_View
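Review bot: `TimeGenerated = column_ifexists('TimeGenerated [UTC]', '')` looks up the portal's display label rather than the real column name, so the lookup never matches and the extend overwrites `TimeGenerated` with an empty string for every row; any analytic rule or workbook built on this function that filters or bins on TimeGenerated would then return nothing, a silent detection gap rather than an error. The line should read `TimeGenerated = column_ifexists('TimeGenerated', ''),` as the other parsers in this commit do. This parser is also the only one of the five here that does not carry `Category` through the extend and project lists; if that omission is deliberate, a short note in the Title would stop someone re-adding it.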


@ -0,0 +1,323 @@
id: 84d4ecf3-64e0-4c38-9dab-9dafda4c576d
Function:
Title: Parser for EventsApplication
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventsApplication
FunctionAlias: EventsApplication
FunctionQuery: |
let Event_Application_View = view (){
eventsapplicationdata_CL
| extend
Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Action = column_ifexists('action_s', ''),
Activity = column_ifexists('activity_s', ''),
Alert = column_ifexists('alert_s', ''),
AlertType = column_ifexists('alert_type_s', ''),
AppActivity = column_ifexists('app_activity_s', ''),
App = column_ifexists('app_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSuite = column_ifexists('appsuite_s', ''),
audit_category = column_ifexists('audit_category_s', ''),
audit_type = column_ifexists('audit_type_s', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
BrowserVersion = column_ifexists('browser_version_s', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
ChannelId = column_ifexists('channel_id_s', ''),
ClientBytes = column_ifexists('client_bytes_d', ''),
ConnDuration = column_ifexists('conn_duration_d', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
Count = column_ifexists('count_d', ''),
CononicalName = column_ifexists('CononicalName_s', ''),
Custom_Connector = column_ifexists('custom_connector_s', ''),
DataCenter = column_ifexists('data_center_s', ''),
DataType = column_ifexists('data_type_s', ''),
DeviceClassification = column_ifexists('device_classification_s', ''),
Device = column_ifexists('device_s', ''),
DlpFile = column_ifexists('dlp_file_s', ''),
DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),
DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),
DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),
DlpParentId = column_ifexists('dlp_parent_id_d', ''),
DlpProfile = column_ifexists('dlp_profile_s', ''),
DlpRule = column_ifexists('dlp_rule_s', ''),
DlpRuleCount = column_ifexists('dlp_rule_count_d', ''),
DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', ''),
DlpUniquwCount = column_ifexists('dlp_unique_count_d', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationHost = column_ifexists('dsthost_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationPort = column_ifexists('dstport_d', ''),
Exposure = column_ifexists('exposure_s', ''),
FileLang = column_ifexists('file_lang_s', ''),
FilePath = column_ifexists('file_path_s', ''),
FileSize = column_ifexists('file_size_d', ''),
FileType = column_ifexists('file_type_s', ''),
FromUserCategory = column_ifexists('from_user_category_s', ''),
FromUser = column_ifexists('from_user_s', ''),
Fromlogs = column_ifexists('fromlogs_s', ''),
HostName = column_ifexists('hostname_s', ''),
InstanceId = column_ifexists('instance_id_s', ''),
Instance = column_ifexists('instance_s', ''),
InternalCollaboratorCount = column_ifexists('internal_collaborator_count_d', ''),
LogFileName = column_ifexists('log_file_name_s', ''),
LoginType = column_ifexists('logintype_s', ''),
LoginUrl = column_ifexists('loginurl_s', ''),
ManagedApp = column_ifexists('managed_app_s', ''),
ManagementId = column_ifexists('managementID_s', ''),
Md5 = column_ifexists('md5_g', ''),
MimeType = column_ifexists('mime_type_s', ''),
Modified = column_ifexists('modified_d', ''),
NetskopeActivity = column_ifexists('netskope_activity_s', ''),
NetskopePop = column_ifexists('netskope_pop_s', ''),
NotifyTemplate = column_ifexists('notify_template_s', ''),
Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),
Numbytes = column_ifexists('numbytes_d', ''),
ObjectId = column_ifexists('object_id_s', ''),
Object = column_ifexists('object_s', ''),
ObjectType = column_ifexists('object_type_s', ''),
Org = column_ifexists('org_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OrignalFilePath = column_ifexists('orignal_file_path_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
OtherCategories = column_ifexists('other_categories_s', ''),
Owner = column_ifexists('owner_s', ''),
Page = column_ifexists('page_s', ''),
PageSite = column_ifexists('page_site_s', ''),
ParentId = column_ifexists('parent_id_s', ''),
PolicyId = column_ifexists('policy_id_s', ''),
Policy = column_ifexists('policy_s', ''),
Protocol = column_ifexists('protocol_s', ''),
Referer = column_ifexists('referer_s', ''),
ReqCnt = column_ifexists('req_cnt_d', ''),
RequestId = column_ifexists('request_id_s', ''),
RespCnt = column_ifexists('resp_cnt_d', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
sanctioned_instance = column_ifexists('sanctioned_instance_s', ''),
ScanType = column_ifexists('scan_type_s', ''),
Serial = column_ifexists('serial_s', ''),
ServerBytes = column_ifexists('server_bytes_d', ''),
SessionId = column_ifexists('sessionid_s', ''),
Severity = column_ifexists('severity_s', ''),
SHA256 = column_ifexists('sha256_s', ''),
SharedWith = column_ifexists('shared_with_s', ''),
Site = column_ifexists('site_s', ''),
SmtpTo = column_ifexists('smtp_to_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
SuppressionKey = column_ifexists('suppression_key_s', ''),
SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
TelemetryApp = column_ifexists('telemetry_app_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
Title = column_ifexists('title_s', ''),
ToUser = column_ifexists('to_user_s', ''),
TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
TrueObjCategory = column_ifexists('true_obj_category_s', ''),
TrueObjType = column_ifexists('true_obj_type_s', ''),
TssMode = column_ifexists('tss_mode_s', ''),
PolicyType = column_ifexists('type_s', ''),
UniversalConnector = column_ifexists('universal_connector_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
UserCategory = column_ifexists('user_category_s', ''),
UserId = column_ifexists('user_id_s', ''),
User = column_ifexists('user_s', ''),
Useragent = column_ifexists('useragent_s', ''),
UserIp = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', ''),
WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),
WorkspaceId = column_ifexists('workspace_id_s', ''),
Workspace = column_ifexists('workspace_s', '')
|project
Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
Action,
Activity,
Alert,
AlertType,
AppActivity,
App,
AppSessionId,
AppCategory,
AppSuite,
audit_category,
audit_type,
Browser,
BrowserSessionId,
BrowserVersion,
CCI,
CCIString,
CCL,
ChannelId,
ClientBytes,
ConnDuration,
ConnectionId,
Count,
CononicalName,
Custom_Connector,
DataCenter,
DataType,
DeviceClassification,
Device,
DlpFile,
DlpIncidentId,
DlpIsUniqueCount,
DlpMailParentId,
DlpParentId,
DlpProfile,
DlpRule,
DlpRuleCount,
DlpRuleSeverity,
DlpUniquwCount,
DestinationCountry,
DestinationGeoipSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationHost,
DestinationIp,
DestinationPort,
Exposure,
FileLang,
FilePath,
FileSize,
FileType,
FromUserCategory,
FromUser,
Fromlogs,
HostName,
InstanceId,
Instance,
InternalCollaboratorCount,
LogFileName,
LoginType,
LoginUrl,
ManagedApp,
ManagementId,
Md5,
MimeType,
Modified,
NetskopeActivity,
NetskopePop,
NotifyTemplate,
Nsdeviceuid,
Numbytes,
ObjectId,
Object,
ObjectType,
Org,
OrganizationUnit,
OrignalFilePath,
OS,
OsVersion,
OtherCategories,
Owner,
Page,
PageSite,
ParentId,
PolicyId,
Policy,
Protocol,
Referer,
ReqCnt,
RequestId,
RespCnt,
SAMAccountName,
sanctioned_instance,
ScanType,
Serial,
ServerBytes,
SessionId,
Severity,
SHA256,
SharedWith,
Site,
SmtpTo,
SourceCountry,
SourceGeoIpSrc,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
SuppressionEndTime,
SuppressionKey,
SuppressionStartTime,
TelemetryApp,
Timestamp,
Title,
ToUser,
TotalCollaboratorCount,
TrafficType,
TransactionId,
TrueObjCategory,
TrueObjType,
TssMode,
PolicyType,
UniversalConnector,
UrNormalized,
Url,
UserPrincipalName,
UserCategory,
UserId,
User,
Useragent,
UserIp,
Userkey,
WebUniversalConnector,
WorkspaceId,
Workspace
};
Event_Application_View


@ -0,0 +1,63 @@
id: 8c73041c-7ffa-4c9c-bd7a-e266c9dd7338
Function:
Title: Parser for EventsAudit
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventsAudit
FunctionAlias: EventsAudit
FunctionQuery: |
let Event_Audit_View = view (){
eventsauditdata_CL
| extend
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AuditLogEvent = column_ifexists('audit_log_event_s', ''),
CCL = column_ifexists('ccl_s', ''),
Count = column_ifexists('count_d', ''),
Details = column_ifexists('details_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
SeverityLevel = column_ifexists('severity_level_d', ''),
SupportingData_DataType = column_ifexists('supporting_data_data_type_s', ''),
SupportingData_DataValues = column_ifexists('supporting_data_data_values_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
PolicyType = column_ifexists('type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', ''),
User = column_ifexists('user_s', '')
| project
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AuditLogEvent,
CCL,
Count,
Details,
OrganizationUnit,
SAMAccountName,
SeverityLevel,
SupportingData_DataType,
SupportingData_DataValues,
Timestamp,
PolicyType,
UrNormalized,
UserPrincipalName,
User
};
Event_Audit_View
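Review bot: The numeric `_d` source columns in this extend (`count_d`, `severity_level_d`, `timestamp_d`) are given an empty-string default, so whenever the column is absent the output column (`Count`, `SeverityLevel`, `Timestamp`) is typed as string rather than a number, and a rule that compares or aggregates it would fail to compile or silently change behaviour between workspaces. A typed null keeps the output type stable either way, e.g. `Count = column_ifexists('count_d', real(null)),`. The same pattern is used in the EventsConnection, EventsNetwork, EventsPage and NetskopeWebTransactions parsers below. `Timestamp` is also passed through as the raw `timestamp_d` number; if, as the name suggests, it is an epoch value, a short comment stating that and the unit would save rule authors a guess.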


@ -0,0 +1,131 @@
id: 669e29da-9d79-4d40-b4f4-c051a5652b30
Function:
Title: Parser for EventsConnection
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventsConnection
FunctionAlias: EventsConnection
FunctionQuery: |
let Events_Connection_view = view(){
eventsconnectiondata_CL
| extend Category = column_ifexists('Category', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
TenantId = column_ifexists('TenantId', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),
Computer = column_ifexists('Computer', ''),
RawData = column_ifexists('RawData', ''),
SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
App = column_ifexists('app_s', ''),
AppCategory = column_ifexists('appcategory_s', ''),
BypassReason = column_ifexists('bypass_reason_s', ''),
BypassTraffic = column_ifexists('bypass_traffic_s', ''),
CCI = column_ifexists('cci_d', ''),
CCL = column_ifexists('ccl_s', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
Count = column_ifexists('count_d', ''),
Domain = column_ifexists('domain_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationPort = column_ifexists('dstport_d', ''),
IncidentId = column_ifexists('incident_id_d', ''),
NetskopePop = column_ifexists('netskope_pop_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OtherCategories = column_ifexists('other_categories_s', ''),
Page = column_ifexists('page_s', ''),
RequestId = column_ifexists('request_id_d', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SslDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
PolicyType = column_ifexists('type_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
Url = column_ifexists('url_s', ''),
User = column_ifexists('user_s', ''),
UserGenerated = column_ifexists('user_generated_s', ''),
UserIp = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', '')
|project Category,
Type,
_ResourceId,
TenantId,
SourceSystem,
MG,
ManagementGroupName,
TimeGenerated,
Computer,
RawData,
SuppressionEndTime,
SuppressionStartTime,
Id,
AccessMethod,
App,
AppCategory,
BypassReason,
BypassTraffic,
CCI,
CCL,
ConnectionId,
Count,
Domain,
DestinationCountry,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
DestinationIp,
DestinationPort,
IncidentId,
NetskopePop,
OrganizationUnit,
OtherCategories,
Page,
RequestId,
Site,
SourceCountry,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SourceIp,
SslDecryptPolicy,
Timestamp,
TrafficType,
TransactionId,
PolicyType,
UrNormalized,
Url,
User,
UserGenerated,
UserIp,
Userkey
};
Events_Connection_view
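Review bot: `TimeGenerated = column_ifexists('TimeGenerated [UTC]', '')` near the top of the extend looks up a column named with the portal's display suffix rather than the real `TimeGenerated` column, so the lookup appears never to match and `extend` replaces the existing `TimeGenerated` with an empty string on every row; anything built on this parser (time-range filters, analytic rules, workbooks) would then lose its time axis. The other parsers in this commit use the bare name, so the fix is `TimeGenerated = column_ifexists('TimeGenerated', ''),`.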


@ -0,0 +1,165 @@
id: 0b360eb0-224d-4d99-af9b-43b1909ec0f9
Function:
Title: Parser for EventsNetwork
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventsNetwork
FunctionAlias: EventsNetwork
FunctionQuery: |
let Events_Network_View = view () {
eventsnetworkdata_CL
| extend
Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
Id = column_ifexists('_id_s', ''),
AccessMethod = column_ifexists('access_method_s', ''),
Action = column_ifexists('action_s', ''),
App = column_ifexists('app_s', ''),
AppCategory = column_ifexists('appcategory_s', ''),
CCI = column_ifexists('cci_d', ''),
CCIString = column_ifexists('cci_s', ''),
CCL = column_ifexists('ccl_s', ''),
ClientBytes = column_ifexists('client_bytes_d', ''),
ClientPackets = column_ifexists('client_packets_d', ''),
Count = column_ifexists('count_d', ''),
Device = column_ifexists('device_s', ''),
Domain = column_ifexists('domain_s', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
DestinationHost = column_ifexists('dsthost_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationPort = column_ifexists('dstport_d', ''),
EndTime = column_ifexists('end_time_s', ''),
FlowStatus = column_ifexists('flow_status_s', ''),
HostName = column_ifexists('hostname_s', ''),
IpProtocol = column_ifexists('ip_protocol_s', ''),
NetworkSessionId = column_ifexists('network_session_id_s', ''),
NumSessions = column_ifexists('num_sessions_d', ''),
NumBytes = column_ifexists('numbytes_d', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OS = column_ifexists('os_s', ''),
OsVersion = column_ifexists('os_version_s', ''),
Policy = column_ifexists('policy_s', ''),
PolicyType = column_ifexists('type_s', ''),
Protocol = column_ifexists('protocol_s', ''),
ProtocolPort = column_ifexists('protocol_port_s', ''),
PublisherCn = column_ifexists('publisher_cn_s', ''),
PublisherName = column_ifexists('publisher_name_s', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
ServerBytes = column_ifexists('server_bytes_d', ''),
ServerPackets = column_ifexists('server_packets_d', ''),
SessionDuration = column_ifexists('session_duration_d', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SourceIp = column_ifexists('srcip_s', ''),
SourcePort = column_ifexists('srcport_d', ''),
StartTime = column_ifexists('start_time_s', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TotalPackets = column_ifexists('total_packets_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TunnelId = column_ifexists('tunnel_id_s', ''),
TunnelType = column_ifexists('tunnel_type_s', ''),
TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
User = column_ifexists('user_s', ''),
Userip = column_ifexists('userip_s', ''),
Userkey = column_ifexists('userkey_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', '')
| project
Category,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
Id,
AccessMethod,
Action,
App,
AppCategory,
CCI,
CCIString,
CCL,
ClientBytes,
ClientPackets,
Count,
Device,
Domain,
DestinationCountry,
DestinationGeoIpSource,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationRegion,
DestinationZipcode,
DestinationHost,
DestinationIp,
DestinationPort,
EndTime,
FlowStatus,
HostName,
IpProtocol,
NetworkSessionId,
NumSessions,
NumBytes,
OrganizationUnit,
OS,
OsVersion,
Policy,
PolicyType,
Protocol,
ProtocolPort,
PublisherCn,
PublisherName,
SAMAccountName,
ServerBytes,
ServerPackets,
SessionDuration,
Site,
SourceCountry,
SourceGeoIpSource,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceZipcode,
SourceIp,
SourcePort,
StartTime,
Timestamp,
TotalPackets,
TrafficType,
TunnelId,
TunnelType,
TunnelUpTime,
UrNormalized,
User,
Userip,
Userkey,
UserPrincipalName
};
Events_Network_View
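Review bot: Several output columns here are spelled differently from the same field in the sibling parsers, which makes cross-table `union` queries over the Netskope event tables error-prone: `Userip` here versus `UserIp` in EventsConnection and EventsPage, `NumBytes` versus `Numbytes` in EventsPage, `OsVersion` versus `OSVersion`, `Userkey` versus `UserKey`, and `DestinationGeoIpSource`/`SourceGeoIpSource` versus `DestinationGeoipSource`/`SourceGeoIpSrc` in EventsPage. Choosing one spelling per field and applying it in both the `extend` and `project` lists of each parser, e.g. `UserIp = column_ifexists('userip_s', ''),`, would let rule authors reference a single name; the EventsPage parser below carries the counterpart spellings and would need the matching change.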


@ -0,0 +1,203 @@
id: 10cd00e3-4488-4762-b86d-800ef7b2d9ae
Function:
Title: Parser for EventsPage
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: EventsPage
FunctionAlias: EventsPage
FunctionQuery: |
let Events_page_view = view() {
eventspagedata_CL
| extend Category = column_ifexists('Category', ''),
Computer = column_ifexists('Computer', ''),
Type = column_ifexists('Type', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
MG = column_ifexists('MG', ''),
RawData = column_ifexists('RawData', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
AccessMethod = column_ifexists('access_method_s', ''),
App = column_ifexists('app_s', ''),
AppCategory = column_ifexists('appcategory_s', ''),
AppSessionId = column_ifexists('app_session_id_d', ''),
Browser = column_ifexists('browser_s', ''),
BrowserSessionId = column_ifexists('browser_session_id_d', ''),
BrowserVersion = column_ifexists('browser_version_s', ''),
BypassReason = column_ifexists('bypass_reason_s', ''),
BypassTraffic = column_ifexists('bypass_traffic_s', ''),
CanonicalName = column_ifexists('CononicalName_s', ''),
CCI = column_ifexists('cci_d', ''),
CCL = column_ifexists('ccl_s', ''),
ClientBytes = column_ifexists('client_bytes_d', ''),
ConnDuration = column_ifexists('conn_duration_d', ''),
ConnectionEndTime = column_ifexists('conn_endtime_d', ''),
ConnectionId = column_ifexists('connection_id_d', ''),
ConnectionStartTime = column_ifexists('conn_starttime_d', ''),
Count = column_ifexists('count_d', ''),
DestinationCountry = column_ifexists('dst_country_s', ''),
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),
DestinationHost = column_ifexists('dsthost_s', ''),
DestinationIp = column_ifexists('dstip_s', ''),
DestinationLatitude = column_ifexists('dst_latitude_d', ''),
DestinationLocation = column_ifexists('dst_location_s', ''),
DestinationLongitude = column_ifexists('dst_longitude_d', ''),
DestinationPort = column_ifexists('dstport_d', ''),
DestinationRegion = column_ifexists('dst_region_s', ''),
DestinationTimezone = column_ifexists('dst_timezone_s', ''),
DestinationZipcode = column_ifexists('dst_zipcode_s', ''),
Device = column_ifexists('device_s', ''),
Domain = column_ifexists('domain_s', ''),
DynamicClassification = column_ifexists('dynamic_classification_s', ''),
ForwardToProxyProfile = column_ifexists('forward_to_proxy_profile_s', ''),
Fromlogs = column_ifexists('fromlogs_s', ''),
HostName = column_ifexists('hostname_s', ''),
HTTPTransactionCount = column_ifexists('http_transaction_count_d', ''),
Id = column_ifexists('_id_s', ''),
LogFileName = column_ifexists('log_file_name_s', ''),
NetskopePop = column_ifexists('netskope_pop_s', ''),
Network = column_ifexists('network_s', ''),
Numbytes = column_ifexists('numbytes_d', ''),
OS = column_ifexists('os_s', ''),
Org = column_ifexists('org_s', ''),
OrganizationUnit = column_ifexists('organization_unit_s', ''),
OSVersion = column_ifexists('os_version_s', ''),
OtherCategories = column_ifexists('other_categories_s', ''),
Page = column_ifexists('page_s', ''),
Policy = column_ifexists('policy_s', ''),
Protocol = column_ifexists('protocol_s', ''),
RequestCount = column_ifexists('req_cnt_d', ''),
RequestId = column_ifexists('request_id_d', ''),
ResponseContentLength = column_ifexists('resp_content_len_d', ''),
ResponseContentType = column_ifexists('resp_content_type_s', ''),
ResponseCount = column_ifexists('resp_cnt_d', ''),
SAMAccountName = column_ifexists('sAMAccountName_s', ''),
Serial = column_ifexists('serial_s', ''),
ServerBytes = column_ifexists('server_bytes_d', ''),
SessionId = column_ifexists('sessionid_s', ''),
Severity = column_ifexists('severity_s', ''),
Site = column_ifexists('site_s', ''),
SourceCountry = column_ifexists('src_country_s', ''),
SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),
SourceIp = column_ifexists('srcip_s', ''),
SourceLatitude = column_ifexists('src_latitude_d', ''),
SourceLocation = column_ifexists('src_location_s', ''),
SourceLongitude = column_ifexists('src_longitude_d', ''),
SourceRegion = column_ifexists('src_region_s', ''),
SourceTime = column_ifexists('src_time_s', ''),
SourceTimezone = column_ifexists('src_timezone_s', ''),
SourceZipcode = column_ifexists('src_zipcode_s', ''),
SSLDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),
SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),
SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),
Timestamp = column_ifexists('timestamp_d', ''),
TrafficType = column_ifexists('traffic_type_s', ''),
TransactionId = column_ifexists('transaction_id_d', ''),
PolicyType = column_ifexists('type_s', ''),
Url = column_ifexists('url_s', ''),
UrNormalized = column_ifexists('ur_normalized_s', ''),
User = column_ifexists('user_s', ''),
Useragent = column_ifexists('useragent_s', ''),
UserGenerated = column_ifexists('user_generated_s', ''),
UserIp = column_ifexists('userip_s', ''),
UserKey = column_ifexists('userkey_s', ''),
UserPrincipalName = column_ifexists('userPrincipalName_s', '')
| project Category,
Computer,
Type,
ManagementGroupName,
MG,
RawData,
_ResourceId,
SourceSystem,
TenantId,
TimeGenerated,
AccessMethod,
App,
AppCategory,
AppSessionId,
Browser,
BrowserSessionId,
BrowserVersion,
BypassReason,
BypassTraffic,
CanonicalName,
CCI,
CCL,
ClientBytes,
ConnDuration,
ConnectionEndTime,
ConnectionId,
ConnectionStartTime,
Count,
DestinationCountry,
DestinationGeoipSource,
DestinationHost,
DestinationIp,
DestinationLatitude,
DestinationLocation,
DestinationLongitude,
DestinationPort,
DestinationRegion,
DestinationTimezone,
DestinationZipcode,
Device,
Domain,
DynamicClassification,
ForwardToProxyProfile,
Fromlogs,
HostName,
HTTPTransactionCount,
Id,
LogFileName,
NetskopePop,
Network,
Numbytes,
OS,
Org,
OrganizationUnit,
OSVersion,
OtherCategories,
Page,
Policy,
Protocol,
RequestCount,
RequestId,
ResponseContentLength,
ResponseContentType,
ResponseCount,
SAMAccountName,
Serial,
ServerBytes,
SessionId,
Severity,
Site,
SourceCountry,
SourceGeoIpSrc,
SourceIp,
SourceLatitude,
SourceLocation,
SourceLongitude,
SourceRegion,
SourceTime,
SourceTimezone,
SourceZipcode,
SSLDecryptPolicy,
SuppressionEndTime,
SuppressionStartTime,
Timestamp,
TrafficType,
TransactionId,
PolicyType,
Url,
UrNormalized,
User,
Useragent,
UserGenerated,
UserIp,
UserKey,
UserPrincipalName
};
Events_page_view


@ -0,0 +1,333 @@
id: 47794680-196f-4a19-a958-36f4f80794df
Function:
Title: Parser for NetskopeWebTransactions
Version: "1.0.0"
LastUpdated: "2024-03-06"
Category: Microsoft Sentinel Parser
FunctionName: NetskopeWebTransactions
FunctionAlias: NetskopeWebTransactions
FunctionQuery: |
let NetskopeWebTransactions_view = view() {
NetskopeWebtxData_CL
| extend
Computer = column_ifexists('Computer', ''),
MG = column_ifexists('MG', ''),
ManagementGroupName = column_ifexists('ManagementGroupName', ''),
RawData = column_ifexists('RawData', ''),
SourceSystem = column_ifexists('SourceSystem', ''),
TenantId = column_ifexists('TenantId', ''),
TimeGenerated = column_ifexists('TimeGenerated', ''),
Type = column_ifexists('Type', ''),
_ResourceId = column_ifexists('_ResourceId', ''),
LogMessageType = column_ifexists('x_type_s', ''),
TransactionId = column_ifexists('x_transaction_id_s', ''),
SSLPolicySourceIp = column_ifexists('x_ssl_policy_src_ip_s', ''),
SSLPolicyName = column_ifexists('x_ssl_policy_name_s', ''),
SSLPolicyDestinationIp = column_ifexists('x_ssl_policy_dst_ip_s', ''),
SSLPolicyDestinationHost = column_ifexists('x_ssl_policy_dst_host_source_s', ''),
SSLPolicyDestinationHostSource = column_ifexists('x_ssl_policy_dst_host_s', ''),
SSLPolicyCategories = column_ifexists('x_ssl_policy_categories_s', ''),
SSLPolicyAction = column_ifexists('x_ssl_policy_action_s', ''),
SSLBypass = column_ifexists('x_ssl_bypass_s', ''),
SSLBypassReason = column_ifexists('x_ssl_bypass_reason_s', ''),
ServerSSLVersion = column_ifexists('x_sr_ssl_version_s', ''),
MalformedSSLFound = column_ifexists('x_sr_ssl_malformed_ssl_s', ''),
ServerFingerPrints = column_ifexists('x_sr_ssl_ja3s_s', ''),
ServerSSLHandShakeError = column_ifexists('x_sr_ssl_handshake_error_s', ''),
ServerSSLEngineAction = column_ifexists('x_sr_ssl_engine_action_s', ''),
ServerSSLEngineActionReason = column_ifexists('x_sr_ssl_engine_action_reason_s', ''),
ServerSSLClientCertificateErr = column_ifexists('x_sr_ssl_client_certificate_error_s', ''),
ServerSSLCipher = column_ifexists('x_sr_ssl_cipher_s', ''),
RemoteServerSourcePort = column_ifexists('x_sr_src_port_s', ''),
RemoteServerSourceIp = column_ifexists('x_sr_src_ip_s', ''),
CustomHeadersValue = column_ifexists('x_sr_headers_value_s', ''),
CustomHeadersName = column_ifexists('x_sr_headers_name_s', ''),
RemoteServerDestinationPort = column_ifexists('x_sr_dst_port_s', ''),
RemoteServerDestinationIp = column_ifexists('x_sr_dst_ip_s', ''),
ServerSSLError = column_ifexists('x_server_ssl_err_s', ''),
Notification = column_ifexists('x_sc_notification_name_s', ''),
DestinationZipCode = column_ifexists('x_s_zipcode_s', ''),
DestinationRegion = column_ifexists('x_s_region_s', ''),
ServerLongitude = column_ifexists('x_s_longitude_s', ''),
DestinationLocation = column_ifexists('x_s_location_s', ''),
DestinationLatitude = column_ifexists('x_s_latitude_s', ''),
RequestProcessingDataPlane = column_ifexists('x_s_dp_name_s', ''),
CustomSigningCAError = column_ifexists('x_s_custom_signing_ca_error_s', ''),
DestinationCountry = column_ifexists('x_s_country_s', ''),
RemoteServerFileType = column_ifexists('x_rs_file_type_s', ''),
RemoteServerFileSize = column_ifexists('x_rs_file_size_s', ''),
RemoteServerFileSha256 = column_ifexists('x_rs_file_sha256_s', ''),
RemoteServerFileMd5 = column_ifexists('x_rs_file_md5_s', ''),
RemoteServerFileMd5GUID = column_ifexists('x_rs_file_md5_g', ''),
RemoteServerFileLanguage = column_ifexists('x_rs_file_language_s', ''),
RemoteServerFileCategory = column_ifexists('x_rs_file_category_s', ''),
RequestId = column_ifexists('x_request_id_s', ''),
CertValid = column_ifexists('x_r_cert_valid_s', ''),
CertUntrustedRoot = column_ifexists('x_r_cert_untrusted_root_s', ''),
CertSubjectCN = column_ifexists('x_r_cert_subject_cn_s', ''),
CertStartdate = column_ifexists('x_r_cert_startdate_s', ''),
CertificateSelfSigned = column_ifexists('x_r_cert_self_signed_s', ''),
CertRevoked = column_ifexists('x_r_cert_revoked_s', ''),
CertRevocationCheck = column_ifexists('x_r_cert_revocation_check_s', ''),
CertMisMatch = column_ifexists('x_r_cert_mismatch_s', ''),
CertIssuerCN = column_ifexists('x_r_cert_issuer_cn_s', ''),
CertIncompleteChain = column_ifexists('x_r_cert_incomplete_chain_s', ''),
CertExpired = column_ifexists('x_r_cert_expired_s', ''),
CertEnddate = column_ifexists('x_r_cert_enddate_s', ''),
PolicySourceIp = column_ifexists('x_policy_src_ip_s', ''),
PolicyName = column_ifexists('x_policy_name_s', ''),
PolicyJustificationType = column_ifexists('x_policy_justification_type_s', ''),
PolicyJustificationReason = column_ifexists('x_policy_justification_reason_s', ''),
PolicyDestinationIp = column_ifexists('x_policy_dst_ip_s', ''),
PolicyDestinationHostSource = column_ifexists('x_policy_dst_host_source_s', ''),
PolicyHostName = column_ifexists('x_policy_dst_host_s', ''),
PolicyAction = column_ifexists('x_policy_action_s', ''),
OtherCategory = column_ifexists('x_other_category_s', ''),
OtherCategoryId = column_ifexists('x_other_category_id_s', ''),
TransactionError = column_ifexists('x_error_s', ''),
SourceIp = column_ifexists('x_cs_userip_s', ''),
FullRequestURL = column_ifexists('x_cs_url_s', ''),
ClientUriPath = column_ifexists('x_cs_uri_path_s', ''),
ClientTunnelId = column_ifexists('x_cs_tunnel_id_s', ''),
ClientTrafficType = column_ifexists('x_cs_traffic_type_s', ''),
ClientTimestamp = column_ifexists('x_cs_timestamp_s', ''),
ClientSSLVersion = column_ifexists('x_cs_ssl_version_s', ''),
ClientSSLJa3 = column_ifexists('x_cs_ssl_ja3_s', ''),
ClientSSLJa3GUID = column_ifexists('x_cs_ssl_ja3_g', ''),
ClientSSLHandshakeError = column_ifexists('x_cs_ssl_handshake_error_s', ''),
ClientSSLFrontingError = column_ifexists('x_cs_ssl_fronting_error_s', ''),
ClientSSLEngineAction = column_ifexists('x_cs_ssl_engine_action_s', ''),
ClientSSLEngineActionReason = column_ifexists('x_cs_ssl_engine_action_reason_s', ''),
ClientSSLCipher = column_ifexists('x_cs_ssl_cipher_s', ''),
ClientSourcePort= column_ifexists('x_cs_src_port_s', ''),
ClientSourceIp = column_ifexists('x_cs_src_ip_s', ''),
ClientSourceIpEgress = column_ifexists('x_cs_src_ip_egress_s', ''),
ClientSNI = column_ifexists('x_cs_sni_s', ''),
Site = column_ifexists('x_cs_site_s', ''),
SessionId = column_ifexists('x_cs_session_id_s', ''),
ClientPageId = column_ifexists('x_cs_page_id_s', ''),
XFFGetRequest = column_ifexists('x_cs_ip_xff_s', ''),
XFFConnectRequest = column_ifexists('x_cs_ip_connect_xff_s', ''),
ClientHTTPVersion = column_ifexists('x_cs_http_version_s', ''),
ClientDestinationPort = column_ifexists('x_cs_dst_port_s', ''),
ClientDestinationIp = column_ifexists('x_cs_dst_ip_s', ''),
DomainFrontedSNI= column_ifexists('x_cs_domain_fronted_sni_s', ''),
ClientConnectUserAgent = column_ifexists('x_cs_connect_user_agent_s', ''),
ClientConnectPort = column_ifexists('x_cs_connect_port_s', ''),
ClientConnectHost = column_ifexists('x_cs_connect_host_s', ''),
CloudAppRecipientsList = column_ifexists('x_cs_app_to_user_s', ''),
CloudAppTags = column_ifexists('x_cs_app_tags_s', ''),
CloudAppSuite = column_ifexists('x_cs_app_suite_s', ''),
ClientCloudApp = column_ifexists('x_cs_app_s', ''),
CloudAppSharedObjectType = column_ifexists('x_cs_app_object_type_s', ''),
CloudAppSharedObjectName = column_ifexists('x_cs_app_object_name_s', ''),
CloudAppSharedObjectId = column_ifexists('x_cs_app_object_id_s', ''),
CloudAppInstanceTag = column_ifexists('x_cs_app_instance_tag_s', ''),
CloudAppInstanceName = column_ifexists('x_cs_app_instance_name_s', ''),
CloudAppInstanceId = column_ifexists('x_cs_app_instance_id_s', ''),
CloudAppUserIdentity = column_ifexists('x_cs_app_from_user_s', ''),
CCLevel = column_ifexists('x_cs_app_ccl_s', ''),
CCI= column_ifexists('x_cs_app_cci_s', ''),
CloudAppCategory = column_ifexists('x_cs_app_category_s', ''),
CloudAppActivity = column_ifexists('x_cs_app_activity_s', ''),
AccessMethod = column_ifexists('x_cs_access_method_s', ''),
ClientSSLError = column_ifexists('x_client_ssl_err_s', ''),
CategoryName = column_ifexists('x_category_s', ''),
CategoryId = column_ifexists('x_category_id_s', ''),
ClientZipCode = column_ifexists('x_c_zipcode_s', ''),
ClientRegion = column_ifexists('x_c_region_s', ''),
ClientOs = column_ifexists('x_c_os_s', ''),
ClientLongitude = column_ifexists('x_c_longitude_s', ''),
ClientLocation = column_ifexists('x_c_location_s', ''),
LocalTime = column_ifexists('x_c_local_time_s', ''),
ClientLatitude = column_ifexists('x_c_latitude_s', ''),
ClientDeviceType = column_ifexists('x_c_device_s', ''),
ClientCountry = column_ifexists('x_c_country_s', ''),
ClientBrowserVersion = column_ifexists('x_c_browser_version_s', ''),
ClientBrowser = column_ifexists('x_c_browser_s', ''),
TimeTaken = column_ifexists('time_taken_s', ''),
Time = column_ifexists('time_s', ''),
ServerStatusCode = column_ifexists('sc_status_s', ''),
ServerContentType = column_ifexists('sc_content_type_s', ''),
ServerBytes = column_ifexists('sc_bytes_s', ''),
ServerIp = column_ifexists('s_ip_s', ''),
RemoteServerStatusCode = column_ifexists('rs_status_s', ''),
NetskopeTenant= column_ifexists('netskope_api_host_name_s', ''),
Date = column_ifexists('date_s', ''),
ClientUsername = column_ifexists('cs_username_s', ''),
ClientUserAgent = column_ifexists('cs_user_agent_s', ''),
ClientUriScheme = column_ifexists('cs_uri_scheme_s', ''),
ClientUri = column_ifexists('cs_uri_s', ''),
ClientUriQuery = column_ifexists('cs_uri_query_s', ''),
ClientUriQueryGUID = column_ifexists('cs_uri_query_g', ''),
ClientUriPort = column_ifexists('cs_uri_port_s', ''),
HTTPReferer = column_ifexists('cs_referer_s', ''),
ClientMethod = column_ifexists('cs_method_s', ''),
ClientHost = column_ifexists('cs_host_s', ''),
DestinationDomain = column_ifexists('cs_dns_s', ''),
ClientContentType = column_ifexists('cs_content_type_s', ''),
ClientBytes = column_ifexists('cs_bytes_s', ''),
DeviceIp = column_ifexists('c_ip_s', ''),
TotalBytes = column_ifexists('bytes_s', '')
| project
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
TimeGenerated,
Type,
_ResourceId,
LogMessageType,
TransactionId,
SSLPolicySourceIp,
SSLPolicyName,
SSLPolicyDestinationIp,
SSLPolicyDestinationHost,
SSLPolicyDestinationHostSource,
SSLPolicyCategories,
SSLPolicyAction,
SSLBypass,
SSLBypassReason,
ServerSSLVersion,
MalformedSSLFound,
ServerFingerPrints,
ServerSSLHandShakeError,
ServerSSLEngineAction,
ServerSSLEngineActionReason,
ServerSSLClientCertificateErr,
ServerSSLCipher,
RemoteServerSourcePort,
RemoteServerSourceIp,
CustomHeadersValue,
CustomHeadersName,
RemoteServerDestinationPort,
RemoteServerDestinationIp,
ServerSSLError,
Notification,
DestinationZipCode,
DestinationRegion,
ServerLongitude,
DestinationLocation,
DestinationLatitude,
RequestProcessingDataPlane,
CustomSigningCAError,
DestinationCountry,
RemoteServerFileType,
RemoteServerFileSize,
RemoteServerFileSha256,
RemoteServerFileMd5,
RemoteServerFileMd5GUID,
RemoteServerFileLanguage,
RemoteServerFileCategory,
RequestId,
CertValid,
CertUntrustedRoot,
CertSubjectCN,
CertStartdate,
CertificateSelfSigned,
CertRevoked,
CertRevocationCheck,
CertMisMatch,
CertIssuerCN,
CertIncompleteChain,
CertExpired,
CertEnddate,
PolicySourceIp,
PolicyName,
PolicyJustificationType,
PolicyJustificationReason,
PolicyDestinationIp,
PolicyDestinationHostSource,
PolicyHostName,
PolicyAction,
OtherCategory,
OtherCategoryId,
TransactionError,
SourceIp,
FullRequestURL,
ClientUriPath,
ClientTunnelId,
ClientTrafficType,
ClientTimestamp,
ClientSSLVersion,
ClientSSLJa3,
ClientSSLJa3GUID,
ClientSSLHandshakeError,
ClientSSLFrontingError,
ClientSSLEngineAction,
ClientSSLEngineActionReason,
ClientSSLCipher,
ClientSourcePort,
ClientSourceIp,
ClientSourceIpEgress,
ClientSNI,
Site,
SessionId,
ClientPageId,
XFFGetRequest,
XFFConnectRequest,
ClientHTTPVersion,
ClientDestinationPort,
ClientDestinationIp,
DomainFrontedSNI,
ClientConnectUserAgent,
ClientConnectPort,
ClientConnectHost,
CloudAppRecipientsList,
CloudAppTags,
CloudAppSuite,
ClientCloudApp,
CloudAppSharedObjectType,
CloudAppSharedObjectName,
CloudAppSharedObjectId,
CloudAppInstanceTag,
CloudAppInstanceName,
CloudAppInstanceId,
CloudAppUserIdentity,
CCLevel,
CCI,
CloudAppCategory,
CloudAppActivity,
AccessMethod,
ClientSSLError,
CategoryName,
CategoryId,
ClientZipCode,
ClientRegion,
ClientOs,
ClientLongitude,
ClientLocation,
LocalTime,
ClientLatitude,
ClientDeviceType,
ClientCountry,
ClientBrowserVersion,
ClientBrowser,
TimeTaken,
Time,
ServerStatusCode,
ServerContentType,
ServerBytes,
ServerIp,
RemoteServerStatusCode,
NetskopeTenant,
Date,
ClientUsername,
ClientUserAgent,
ClientUriScheme,
ClientUri,
ClientUriQuery,
ClientUriQueryGUID,
ClientUriPort,
HTTPReferer,
ClientMethod,
ClientHost,
DestinationDomain,
ClientContentType,
ClientBytes,
DeviceIp,
TotalBytes
};
NetskopeWebTransactions_view
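Review bot: `SSLPolicyDestinationHost` and `SSLPolicyDestinationHostSource` have their source columns swapped: the former reads `x_ssl_policy_dst_host_source_s` and the latter `x_ssl_policy_dst_host_s`, the opposite of how the parallel `PolicyHostName`/`PolicyDestinationHostSource` pair in the same extend maps `x_policy_dst_host_s`/`x_policy_dst_host_source_s`. A rule filtering on the SSL destination host would receive the value of the `*_source_s` field instead, and vice versa. The fix is to exchange the two column names: `SSLPolicyDestinationHost = column_ifexists('x_ssl_policy_dst_host_s', ''),` and `SSLPolicyDestinationHostSource = column_ifexists('x_ssl_policy_dst_host_source_s', ''),`. Separately, `ServerLongitude` sits among `DestinationLatitude`/`DestinationLocation`/`DestinationRegion` for the same `x_s_*` group; `DestinationLongitude` would keep that group consistent.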


@ -0,0 +1,39 @@
# NetskopeDataConnectorsTriggerSync
* [Summary](#Summary)
* [Prerequisites](#Prerequisites)
* [Deployment instructions](#Deployment-instructions)
* [Post-Deployment instructions](#Post-Deployment-instructions)
## Summary<a name="Summary"></a>
Playbook to sync timer trigger of all Netskope data connectors.
### Prerequisites<a name="Prerequisites"></a>
* Users must have a below Microsoft Azure credentials:
* 1.Tenant ID
* 2.Client ID
* 3.Client Secret
* 4.Resource Group Name
* 5.Subscription ID
### Deployment instructions<a name="Deployment-instructions"></a>
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill in the required parameters:
* Subscription : Select Subscription in which you want to deploy the Logic App.
* Resource Group: Select Resource Group name in which you want to deploy the Logic App.
* Playbook Name: Enter the playbook name
* Tenant ID : Enter the Azure Tenant ID.
* Client ID : Enter the Azure Client ID.
* Client Secret : Enter the Azure Client Secret.
* Resource Group Name : Enter the Azure Resource Group Name in which your Netskope data connectors are available.
* Subscription ID : Enter the Azure Subscription ID in which your Netskope data connectors are available.
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FNetskope%2FPlaybooks%2FNetskopeDataConnectorsTriggerSync%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FNetskope%2FPlaybooks%2FNetskopeDataConnectorsTriggerSync%2Fazuredeploy.json)
### Post-Deployment instructions<a name="Post-Deployment-instructions"></a>
##### a. Run the playbook to sync timer trigger of all Netskope Data connectors


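--- a/Solutions/Netskope/Playbooks/NetskopeDataConnectorsTriggerSync/azuredeploy.json
+++ b/Solutions/Netskope/Playbooks/NetskopeDataConnectorsTriggerSync/azuredeploy.json
@@ -0,0 +1,789 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "NetskopeDataConnectorsTriggerSync",
+"description": "Playbook to sync timer trigger of all Netskope data connectors.",
+"prerequisites": ["Users must have a below Microsoft credentials:",
+"1.Tenant ID",
+"2.Client ID",
+"3.Client Secret",
+"4.Resource Group Name",
+"5.Subscription ID"],
+"postDeployment": ["Run the playbook to sync timer trigger of all Netskope data connectors."],
+"entities": [],
+"tags": [
+"Netskope",
+"Sync",
+"Timer",
+"Trigger"
+],
+"support": {
+"tier": "community",
+"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+},
+"author": {
+"name": "Netskope"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "NetskopeDataConnectorsTriggerSync",
+"type": "string",
+"metadata": {
+"description": "Enter the playbook name"
+}
+},
+"TenantID": {
+"type": "string",
+"metadata": {
+"description": "Enter the Azure Tenant ID"
+}
+},
+"ClientID": {
+"type": "string",
+"metadata": {
+"description": "Enter the Azure Client ID"
+}
+},
+"ClientSecret": {
+"type": "securestring",
+"metadata": {
+"description": "Enter the Azure Client Secret"
+}
+},
+"ResourceGroupName": {
+"type": "string",
+"metadata": {
+"description": "Enter the Azure Resource Group Name in which your Netskope data connectors are available"
+}
+},
+"SubscriptionID": {
+"type": "string",
+"metadata": {
+"description": "Enter the Azure Subscription ID in which your Netskope data connectors are available, make sure that the subscription id is as per the Azure portal at all places"
+}
+}
+},
+"variables": {},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {},
+"triggers": {
+"manual": {
+"type": "Request",
+"kind": "Http",
+"inputs": {}
+}
+},
+"actions": {
+"For_each_app": {
+"foreach": "@body('Get_all_Netskope_Function_apps')",
+"actions": {
+"Sync_timer_trigger_request": {
+"runAfter": {},
+"type": "Http",
+"inputs": {
+"headers": {
+"Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} "
+},
+"method": "POST",
+"uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites/@{items('For_each_app')?['name']}/syncfunctiontriggers?api-version=2022-03-01"
+}
+}
+},
+"runAfter": {
+"Get_all_Netskope_Function_apps": [
+"Succeeded"
+]
+},
+"type": "Foreach"
+},
+"Get_Auth_token": {
+"runAfter": {
+"Initialize_Management_variable": [
+"Succeeded"
+]
+},
+"type": "Http",
+"inputs": {
+"body": "client_id=@{variables('Client Id')}&\nclient_secret=@{variables('Client Secret')}&\ngrant_type=client_credentials&\nscope=https://@{variables('Manage')}.azure.com/.default",
+"headers": {
+"Content-Type": "application/x-www-form-urlencoded"
+},
+"method": "POST",
+"uri": "https://login.@{variables('MicrosoftOnline')}.com/@{variables('Tenant Id')}/oauth2/v2.0/token"
+}
+},
+"Get_all_Netskope_Function_apps": {
+"runAfter": {
+"Get_all_running_function_app": [
+"Succeeded"
+]
+},
+"type": "Query",
+"inputs": {
+"from": "@body('Get_all_running_function_app')",
+"where": "@or(startsWith(item()?['name'], 'NtoS'), startsWith(item()?['name'], 'StoS'),startsWith(item()?['name'], 'WebTxMetric'))"
+}
+},
+"Get_all_running_function_app": {
+"runAfter": {
+"Parse_function_app_list": [
+"Succeeded"
+]
+},
+"type": "Query",
+"inputs": {
+"from": "@body('Parse_function_app_list')?['value']",
+"where": "@equals(item()?['properties']?['state'], 'Running')"
+}
+},
+"Get_function_app_list": {
+"runAfter": {
+"Parse_Auth_token": [
+"Succeeded"
+]
+},
+"type": "Http",
+"inputs": {
+"headers": {
+"Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} "
+},
+"method": "GET",
+"uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites?api-version=2022-03-01"
+}
+},
+"Initialize_Client_Id": {
+"runAfter": {
+"Initialize_Tenant_Id": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Client Id",
+"type": "string",
+"value": "[parameters('ClientID')]"
+}
+]
+}
+},
+"Initialize_Client_Secret": {
+"runAfter": {
+"Initialize_Client_Id": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Client Secret",
+"type": "string",
+"value": "[parameters('ClientSecret')]"
+}
+]
+}
+},
+"Initialize_Management_variable": {
+"runAfter": {
+"Initialize_Microsoftonline_variable": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Manage",
+"type": "string",
+"value": "management"
+}
+]
+}
+},
+"Initialize_Microsoftonline_variable": {
+"runAfter": {
+"Subscription_Id": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "MicrosoftOnline",
+"type": "string",
+"value": "microsoftonline"
+}
+]
+}
+},
+"Initialize_Resource_Group": {
+"runAfter": {
+"Initialize_Client_Secret": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Resource Group Name",
+"type": "string",
+"value": "[parameters('ResourceGroupName')]"
+}
+]
+}
+},
+"Initialize_Tenant_Id": {
+"runAfter": {},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Tenant Id",
+"type": "string",
+"value": "[parameters('TenantID')]"
+}
+]
+}
+},
+"Parse_Auth_token": {
+"runAfter": {
+"Get_Auth_token": [
+"Succeeded"
+]
+},
+"type": "ParseJson",
+"inputs": {
+"content": "@body('Get_Auth_token')",
+"schema": {
+"properties": {
+"access_token": {
+"type": "string"
+},
+"expires_in": {
+"type": "integer"
+},
+"ext_expires_in": {
+"type": "integer"
+},
+"token_type": {
+"type": "string"
+}
+},
+"type": "object"
+}
+}
+},
+"Parse_function_app_list": {
+"runAfter": {
+"Get_function_app_list": [
+"Succeeded"
+]
+},
+"type": "ParseJson",
+"inputs": {
+"content": "@body('Get_function_app_list')",
+"schema": {
+"properties": {
+"value": {
+"items": {
+"properties": {
+"id": {
+"type": "string"
+},
+"identity": {
+"properties": {
+"principalId": {
+"type": "string"
+},
+"tenantId": {
+"type": "string"
+},
+"type": {
+"type": "string"
+}
+},
+"type": "object"
+},
+"kind": {
+"type": "string"
+},
+"location": {
+"type": "string"
+},
+"name": {
+"type": "string"
+},
+"properties": {
+"properties": {
+"adminEnabled": {
+"type": "boolean"
+},
+"afdEnabled": {
+"type": "boolean"
+},
+"availabilityState": {
+"type": "string"
+},
+"buildVersion": {},
+"cers": {},
+"clientAffinityEnabled": {
+"type": "boolean"
+},
+"clientCertEnabled": {
+"type": "boolean"
+},
+"clientCertExclusionPaths": {},
+"clientCertMode": {
+"type": "string"
+},
+"cloningInfo": {},
+"computeMode": {},
+"containerAllocationSubnet": {},
+"containerSize": {
+"type": "integer"
+},
+"contentAvailabilityState": {
+"type": "string"
+},
+"csrs": {
+"type": "array"
+},
+"customDomainVerificationId": {
+"type": "string"
+},
+"dailyMemoryTimeQuota": {
+"type": "integer"
+},
+"daprConfig": {},
+"defaultHostName": {
+"type": "string"
+},
+"defaultHostNameScope": {
+"type": "string"
+},
+"deploymentId": {
+"type": "string"
+},
+"dnsConfiguration": {
+"properties": {},
+"type": "object"
+},
+"domainVerificationIdentifiers": {},
+"eligibleLogCategories": {
+"type": "string"
+},
+"enabled": {
+"type": "boolean"
+},
+"enabledHostNames": {
+"items": {
+"type": "string"
+},
+"type": "array"
+},
+"endToEndEncryptionEnabled": {
+"type": "boolean"
+},
+"ftpUsername": {
+"type": "string"
+},
+"ftpsHostName": {
+"type": "string"
+},
+"functionExecutionUnitsCache": {},
+"functionsRuntimeAdminIsolationEnabled": {
+"type": "boolean"
+},
+"geoDistributions": {},
+"homeStamp": {
+"type": "string"
+},
+"hostNameSslStates": {
+"items": {
+"properties": {
+"certificateResourceId": {},
+"hostType": {
+"type": "string"
+},
+"ipBasedSslResult": {},
+"ipBasedSslState": {
+"type": "string"
+},
+"name": {
+"type": "string"
+},
+"sslState": {
+"type": "string"
+},
+"thumbprint": {},
+"toUpdate": {},
+"toUpdateIpBasedSsl": {},
+"virtualIP": {},
+"virtualIPv6": {}
+},
+"required": [
+"name",
+"sslState",
+"ipBasedSslResult",
+"virtualIP",
+"virtualIPv6",
+"thumbprint",
+"certificateResourceId",
+"toUpdate",
+"toUpdateIpBasedSsl",
+"ipBasedSslState",
+"hostType"
+],
+"type": "object"
+},
+"type": "array"
+},
+"hostNames": {
+"items": {
+"type": "string"
+},
+"type": "array"
+},
+"hostNamesDisabled": {
+"type": "boolean"
+},
+"hostingEnvironment": {},
+"hostingEnvironmentId": {},
+"hostingEnvironmentProfile": {},
+"httpsOnly": {
+"type": "boolean"
+},
+"hyperV": {
+"type": "boolean"
+},
+"inFlightFeatures": {},
+"inProgressOperationId": {},
+"inboundIpAddress": {
+"type": "string"
+},
+"ipMode": {
+"type": "string"
+},
+"isXenon": {
+"type": "boolean"
+},
+"keyVaultReferenceIdentity": {
+"type": "string"
+},
+"kind": {
+"type": "string"
+},
+"lastModifiedTimeUtc": {
+"type": "string"
+},
+"managedEnvironmentId": {},
+"maxNumberOfWorkers": {},
+"migrationState": {},
+"name": {
+"type": "string"
+},
+"outboundIpAddresses": {
+"type": "string"
+},
+"owner": {},
+"possibleInboundIpAddresses": {
+"type": "string"
+},
+"possibleOutboundIpAddresses": {
+"type": "string"
+},
+"privateEndpointConnections": {},
+"privateLinkIdentifiers": {},
+"publicNetworkAccess": {},
+"redundancyMode": {
+"type": "string"
+},
+"repositorySiteName": {
+"type": "string"
+},
+"reserved": {
+"type": "boolean"
+},
+"resourceConfig": {},
+"resourceGroup": {
+"type": "string"
+},
+"runtimeAvailabilityState": {
+"type": "string"
+},
+"scmSiteAlsoStopped": {
+"type": "boolean"
+},
+"secretsCollection": {
+"type": "array"
+},
+"selfLink": {
+"type": "string"
+},
+"serverFarm": {},
+"serverFarmId": {
+"type": "string"
+},
+"siteConfig": {
+"properties": {
+"acrUseManagedIdentityCreds": {
+"type": "boolean"
+},
+"acrUserManagedIdentityID": {},
+"alwaysOn": {
+"type": "boolean"
+},
+"antivirusScanEnabled": {},
+"apiDefinition": {},
+"apiManagementConfig": {},
+"appCommandLine": {},
+"appSettings": {},
+"autoHealEnabled": {},
+"autoHealRules": {},
+"autoSwapSlotName": {},
+"azureMonitorLogCategories": {},
+"azureStorageAccounts": {},
+"connectionStrings": {},
+"cors": {},
+"customAppPoolIdentityAdminState": {},
+"customAppPoolIdentityTenantState": {},
+"defaultDocuments": {},
+"detailedErrorLoggingEnabled": {},
+"documentRoot": {},
+"elasticWebAppScaleLimit": {},
+"experiments": {},
+"fileChangeAuditEnabled": {},
+"ftpsState": {},
+"functionAppScaleLimit": {
+"type": "integer"
+},
+"functionsRuntimeScaleMonitoringEnabled": {},
+"handlerMappings": {},
+"healthCheckPath": {},
+"http20Enabled": {
+"type": "boolean"
+},
+"http20ProxyFlag": {},
+"httpLoggingEnabled": {},
+"ipSecurityRestrictions": {},
+"ipSecurityRestrictionsDefaultAction": {},
+"javaContainer": {},
+"javaContainerVersion": {},
+"javaVersion": {},
+"keyVaultReferenceIdentity": {},
+"limits": {},
+"linuxFxVersion": {
+"type": "string"
+},
+"loadBalancing": {},
+"localMySqlEnabled": {},
+"logsDirectorySizeLimit": {},
+"machineKey": {},
+"managedPipelineMode": {},
+"managedServiceIdentityId": {},
+"metadata": {},
+"minTlsCipherSuite": {},
+"minTlsVersion": {},
+"minimumElasticInstanceCount": {
+"type": "integer"
+},
+"netFrameworkVersion": {},
+"nodeVersion": {},
+"numberOfWorkers": {
+"type": "integer"
+},
+"phpVersion": {},
+"powerShellVersion": {},
+"preWarmedInstanceCount": {},
+"publicNetworkAccess": {},
+"publishingPassword": {},
+"publishingUsername": {},
+"push": {},
+"pythonVersion": {},
+"remoteDebuggingEnabled": {},
+"remoteDebuggingVersion": {},
+"requestTracingEnabled": {},
+"routingRules": {},
+"runtimeADUser": {},
+"runtimeADUserPassword": {},
+"scmIpSecurityRestrictions": {},
+"scmIpSecurityRestrictionsDefaultAction": {},
+"scmIpSecurityRestrictionsUseMain": {},
+"scmMinTlsVersion": {},
+"scmType": {},
+"sitePort": {},
+"sitePrivateLinkHostEnabled": {},
+"storageType": {},
+"supportedTlsCipherSuites": {},
+"tracingOptions": {},
+"use32BitWorkerProcess": {},
+"virtualApplications": {},
+"vnetName": {},
+"vnetPrivatePortsCount": {},
+"vnetRouteAllEnabled": {},
+"webSocketsEnabled": {},
+"websiteTimeZone": {},
+"winAuthAdminState": {},
+"winAuthTenantState": {},
+"windowsConfiguredStacks": {},
+"windowsFxVersion": {},
+"xManagedServiceIdentityId": {}
+},
+"type": "object"
+},
+"siteDisabledReason": {
+"type": "integer"
+},
+"siteMode": {},
+"siteProperties": {
+"properties": {
+"appSettings": {},
+"metadata": {},
+"properties": {
+"items": {
+"properties": {
+"name": {
+"type": "string"
+},
+"value": {
+"type": [
+"string",
+"null"
+]
+}
+},
+"required": [
+"name",
+"value"
+],
+"type": "object"
+},
+"type": "array"
+}
+},
+"type": "object"
+},
+"sku": {
+"type": "string"
+},
+"slotName": {},
+"slotSwapStatus": {},
+"sshEnabled": {},
+"sslCertificates": {},
+"state": {
+"type": "string"
+},
+"storageAccountRequired": {
+"type": "boolean"
+},
+"storageRecoveryDefaultState": {
+"type": "string"
+},
+"suspendedTill": {},
+"tags": {},
+"targetBuildVersion": {},
+"targetSwapSlot": {},
+"trafficManagerHostNames": {},
+"usageState": {
+"type": "string"
+},
+"useContainerLocalhostBindings": {},
+"virtualNetworkSubnetId": {},
+"vnetBackupRestoreEnabled": {
+"type": "boolean"
+},
+"vnetContentShareEnabled": {
+"type": "boolean"
+},
+"vnetImagePullEnabled": {
+"type": "boolean"
+},
+"vnetRouteAllEnabled": {
+"type": "boolean"
+},
+"webSpace": {
+"type": "string"
+},
+"workloadProfileName": {}
+},
+"type": "object"
+},
+"tags": {
+"properties": {
+"Jira": {
+"type": "string"
+}
+},
+"type": "object"
+},
+"type": {
+"type": "string"
+}
+},
+"required": [
+"id",
+"name",
+"type",
+"kind",
+"location",
+"properties"
+],
+"type": "object"
+},
+"type": "array"
+}
+},
+"type": "object"
+}
+}
+},
+"Subscription_Id": {
+"runAfter": {
+"Initialize_Resource_Group": [
+"Succeeded"
+]
+},
+"type": "InitializeVariable",
+"inputs": {
+"variables": [
+{
+"name": "Subscription Id",
+"type": "string",
+"value": "[parameters('SubscriptionID')]"
+}
+]
+}
+}
+},
+"outputs": {}
+},
+"parameters": {}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"tags": {
+"hidden-SentinelTemplateName": "NetskopeDataConnectorsTriggerSync",
+"hidden-SentinelTemplateVersion": "1.0"
+},
+"identity": {
+"type": "SystemAssigned"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": []
+}
+]
+}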
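Review bot: The client secret ends up in plaintext run history: `ClientSecret` is declared `securestring`, but `Initialize_Client_Secret` copies it into an ordinary `string` workflow variable and `Get_Auth_token` interpolates it into the token request body, so the secret and the returned bearer token are recorded as action inputs/outputs for anyone with read access to this Logic App's runs. Since the workflow already declares a `SystemAssigned` identity, both ARM calls (`Get_function_app_list` and `Sync_timer_trigger_request`) could instead carry `"authentication": {"type": "ManagedServiceIdentity", "audience": "https://management.azure.com/"}` in their inputs, and the Tenant/Client/Secret parameters, their variable initialisers and the token-minting step would go away (the identity then needs a role on the target resource group that allows listing sites and calling syncfunctiontriggers). If the client-credentials flow is kept, at minimum add `"runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}` to `Initialize_Client_Secret`, `Get_Auth_token` and `Parse_Auth_token` so run history redacts them. As a style point, both `Authorization` header values end with a trailing space after the token (`"Bearer @{...} "`); most servers trim it, but it reads like a typo and should be dropped.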


@ -0,0 +1,46 @@
# Netskope Web Transaction Error Email
* [Summary](#Summary)
* [Deployment instructions](#Deployment-instructions)
* [Post-Deployment instructions](#Post-Deployment-instructions)
## Summary<a name="Summary"></a>
This playbook sends email when error is detected while running Netskope WebTransactions data connector.
### Deployment instructions<a name="Deployment-instructions"></a>
1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
2. Fill the below parameters:
* Subscription: Azure Subscription ID which is present in the subscription tab in Microsoft Sentinel.
* Resource Group: The Azure Resource Group name in which you want to deploy the Logic App.
* Playbook Name: Enter the playbook name
* Receiver Email Id: Enter the receiver email id to receive error mails
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FNetskope%2FPlaybooks%2FNetskopeWebTxErrorEmail%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FNetskope%2FPlaybooks%2FNetskopeWebTxErrorEmail%2Fazuredeploy.json)
### Post-Deployment instructions<a name="Post-Deployment-instructions"></a>
##### a. Authorize connections
Once deployment is complete, authorize each connection like MicrosoftSentinelConnection.
1. Click the MicrosoftSentinelConnection resource
2. Click edit API connection
3. Click Authorize
4. Sign in
5. Click Save
6. Repeat same steps for OutlookConnection
##### b. Configurations in Microsoft Sentinel
1. In Microsoft Sentinel, analytics rules should be configured to trigger an incident.
> 1. Add your deployed logic app in analytic rule to be trigger on every generated incident, to do this follow below steps
>> * Select the ``` Netskope - WebTx Error Detection``` analytic rule you have deployed.
>> * Click on **Edit**
>> * Go to **Automated response** tab
>> * Click on **Add new**
>> * Provide name for your rule, In Actions dropdown select **Run playbook**
>> * In second dropdown select your deployed playbook
>> * Click on **Apply**
>> * Save the Analytic rule.


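--- a/Solutions/Netskope/Playbooks/NetskopeWebTxErrorEmail/azuredeploy.json
+++ b/Solutions/Netskope/Playbooks/NetskopeWebTxErrorEmail/azuredeploy.json
@@ -0,0 +1,187 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"metadata": {
+"title": "NetskopeWebTxErrorEmail",
+"description": "This playbook sends email when Netskope Web Transaction data connector error is detected.",
+"postDeployment": [
+"**Authorize connections**",
+"Once deployment is complete, authorize each connection.",
+"1. Click the MicrosoftSentinelConnection resource",
+"2. Click edit API connections",
+"3. Click Authorize",
+"4. Provide Required Parameters",
+"5. Click Save",
+"6. Repeat same steps for OutlookConnection",
+"**In Microsoft Sentinel, analytics rules should be configured to trigger an incident.**",
+"1. Select the **Netskope - WebTx Error Detection** analytic rule you have deployed.",
+"2. Click on **Edit**",
+"3. Go to **Automated response** tab",
+"4. Click on **Add new**",
+"5. Provide name for your rule, In Actions dropdown select **Run playbook**",
+"6. In second dropdown select your deployed playbook",
+"7. Click on **Apply**",
+"8. Save the Analytic rule."
+],
+"entities": [],
+"tags": [
+"Netskope",
+"Email",
+"WebTransaction"
+],
+"support": {
+"tier": "community",
+"armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+},
+"author": {
+"name": "Netskope"
+}
+},
+"parameters": {
+"PlaybookName": {
+"defaultValue": "NetskopeWebTxErrorEmail",
+"type": "string",
+"metadata": {
+"description": "Enter the playbook name."
+}
+},
+"ReceiverEmailId": {
+"type": "string",
+"metadata": {
+"description": "Enter the receiver email id to receive error mails."
+}
+}
+},
+"variables": {
+"MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]",
+"OutlookConnectionName": "[concat('Outlook-', parameters('PlaybookName'))]"
+},
+"resources": [
+{
+"properties": {
+"provisioningState": "Succeeded",
+"state": "Enabled",
+"definition": {
+"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"$connections": {
+"defaultValue": {},
+"type": "Object"
+}
+},
+"triggers": {
+"Microsoft_Sentinel_incident": {
+"type": "ApiConnectionWebhook",
+"inputs": {
+"body": {
+"callback_url": "@{listCallbackUrl()}"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['azuresentinel_1']['connectionId']"
+}
+},
+"path": "/incident-creation"
+}
+}
+},
+"actions": {
+"For_each_alert": {
+"foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
+"actions": {
+"Send_email_(V2)": {
+"runAfter": {},
+"type": "ApiConnection",
+"inputs": {
+"body": {
+"Body": "<p>@{items('For_each_alert')?['properties']?['alertDisplayName']} @{items('For_each_alert')?['properties']?['description']}</p>",
+"Importance": "High",
+"Subject": "Netskope Webtx Error Encountered",
+"To": "[parameters('ReceiverEmailId')]"
+},
+"host": {
+"connection": {
+"name": "@parameters('$connections')['outlook']['connectionId']"
+}
+},
+"method": "post",
+"path": "/v2/Mail"
+}
+}
+},
+"runAfter": {},
+"type": "Foreach"
+}
+},
+"outputs": {}
+},
+"parameters": {
+"$connections": {
+"value": {
+"azuresentinel_1": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+"connectionProperties": {
+"authentication": {
+"type": "ManagedServiceIdentity"
+}
+}
+},
+"outlook": {
+"connectionId": "[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]",
+"connectionName": "[variables('OutlookConnectionName')]",
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Outlook')]"
+}
+}
+}
+}
+},
+"name": "[parameters('PlaybookName')]",
+"type": "Microsoft.Logic/workflows",
+"location": "[resourceGroup().location]",
+"tags": {
+"hidden-SentinelTemplateName": "NetskopeWebTxErrorEmail",
+"hidden-SentinelTemplateVersion": "1.0"
+},
+"identity": {
+"type": "SystemAssigned"
+},
+"apiVersion": "2017-07-01",
+"dependsOn": [
+"[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+"[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]"
+]
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('MicrosoftSentinelConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('MicrosoftSentinelConnectionName')]",
+"customParameterValues": {},
+"parameterValueType": "Alternative",
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+}
+}
+},
+{
+"type": "Microsoft.Web/connections",
+"apiVersion": "2016-06-01",
+"name": "[variables('OutlookConnectionName')]",
+"location": "[resourceGroup().location]",
+"kind": "V1",
+"properties": {
+"displayName": "[variables('OutlookConnectionName')]",
+"customParameterValues": {},
+"api": {
+"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Outlook')]"
+}
+}
+}
+]
+}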
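Review bot: `Send_email_(V2)` builds an HTML `Body` by splicing `alertDisplayName` and `description` from each alert straight between `<p>` tags with no encoding, so any markup in those fields is rendered by the recipient's mail client rather than shown as text. For this playbook the values come from the `Netskope - WebTx Error Detection` rule, whose alert text presumably carries the connector's own error output, so they should be treated as untrusted: escape them with nested `replace()` calls (`&` to `&amp;`, `<` to `&lt;`, `>` to `&gt;`) before interpolation, or keep the body to a fixed message plus the incident number and portal URL from the trigger body and leave the details for the portal. The subject is static and `To` is a deployment parameter, so the rest of the action looks fine.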


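--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 03-04-2024 | Initial Solution Release |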


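--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,15 @@
+{
+"publisherId": "netskope",
+"offerId": "netskope_mss",
+"firstPublishDate": "2024-03-18",
+"lastPublishDate": "2024-03-18",
+"providers": ["Netskope"],
+"categories": {
+"domains" : ["Security - Network"]
+},
+"support": {
+"name": "Netskope",
+"tier": "Partner",
+"link": "https://www.netskope.com/services#support"
+}
+}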
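Review bot: `firstPublishDate` and `lastPublishDate` are both `2024-03-18`, while the release notes added in this same commit record the initial solution release as `03-04-2024`; one of the two should be corrected so the solution metadata and the changelog agree. If 18 March was an earlier marketplace publish of the offer, a one-line entry in the release notes would explain the gap.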
