externaldata lookup script

The following project tool provides a PS script to generate and lookup archived azure sentinel event logs that were created by data export rules to blob storage. Script generates the base KQL and includes and generates the SAS Uri Signatures needed for each blob in lookup time range. ~ See: https://swiftsolves.substack.com/p/azure-sentinel-data-export-to-azure https://swiftsolves.substack.com/p/8766f774-2f47-4f08-9297-d460981cf904 https://swiftsolvesblog.blob.core.windows.net/images/genstoragectxkql-ps1-animation.gif
2021-09-26 22:30:06 -04:00 · 2021-09-26 22:30:06 -04:00 · ee72063328
--- a/Tools/externaldata/README.md
+++ b/Tools/externaldata/README.md
@ -0,0 +1,36 @@
 # externaldata project
 author: Nathan Swift
 The following project will provide the example externaldata()[] KQL queries and schema to use agaisnt Azure Storage, where Data Export rules are sending the Azure Sentinel logs to for long term retention.
 To leverage the solution create a Azure storage account where you will store long term retention security logs into. Create and deploy a data export rule to azure storage onto the Log analytics workspace, updating the deployment template to include the table names that need to have the logs stored in log term retention.
 [Data Export ARM Template](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=json#create-or-update-data-export-rule)
 Once logs are archiving into the Azure Storage account you can use the following script to operationalize extenal data lookup tasks by generating the Base KQL query that will include the schema and the SAS Uri signatures needed for each blob in start and end time range for 8 hours.
 [Generate Storage Lookup KQL Query PowerShel Script](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/externaldata/genstoragectxkql.ps1)
 Example input into the script:
 ```
 LAWorkspaceName : azulabs
 StorageAcctName : siempipestorage
 TableName 	: emailevents
 StartDate 	: 09/11/2021 02:00 AM
 EndDate 	: 09/12/2021 12:00 PM
 ```
 The script generates a kql query .yaml file and opens the file in notepade.exe.
 ```
 externaldata(TenantId:string, AttachmentCount:int, ConfidenceLevel:string, Connectors:string, DetectionMethods:string, DeliveryAction:string, DeliveryLocation:string, EmailClusterId:long, EmailDirection:string, EmailLanguage:string, EmailAction:string, EmailActionPolicy:string, EmailActionPolicyGuid:string, OrgLevelAction:string, OrgLevelPolicy:string, InternetMessageId:string, NetworkMessageId:string, RecipientEmailAddress:string, RecipientObjectId:string, ReportId:string, SenderDisplayName:string, SenderObjectId:string, SenderIPv4:string, SenderIPv6:string, SenderMailFromAddress:string, SenderMailFromDomain:string, Subject:string, ThreatTypes:string, ThreatNames:string, TimeGenerated:datetime, Timestamp:datetime, UrlCount:int, UserLevelAction:string, UserLevelPolicy:string, SourceSystem:string, Type:string)
 [
 h@"https://siempipestorage.blob.core.windows.net/am-emailevents/WorkspaceResourceId=/subscriptions/f77542d9-6668-/resourcegroups/rgoperations/providers/microsoft.operationalinsights/workspaces/azulabs/y=2021/m=09/d=11/h=21/m=00/PT1H.json?sv=2019-07-07&sr=b&sig=&se=2021-09-14T03%3A29%3A16Z&sp=r",
 h@"https://siempipestorage.blob.core.windows.net/am-emailevents/WorkspaceResourceId=/subscriptions/f77542d9-6668-/resourcegroups/rgoperations/providers/microsoft.operationalinsights/workspaces/azulabs/y=2021/m=09/d=12/h=06/m=00/PT1H.json?sv=2019-07-07&sr=b&sig=&se=2021-09-14T03%3A29%3A16Z&sp=r",
 h@"https://siempipestorage.blob.core.windows.net/am-emailevents/WorkspaceResourceId=/subscriptions/f77542d9-6668-/resourcegroups/rgoperations/providers/microsoft.operationalinsights/workspaces/azulabs/y=2021/m=09/d=12/h=11/m=00/PT1H.json?sv=2019-07-07&sr=b&sig=%&se=2021-09-14T03%3A29%3A16Z&sp=r"
 ]
 with(format="json")
 ```
 ## Usage
 [Animated Usage of Script](https://swiftsolvesblog.blob.core.windows.net/images/genstoragectxkql-ps1-animation.gif)
--- a/Tools/externaldata/appservicehttplogs.yaml
+++ b/Tools/externaldata/appservicehttplogs.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, TimeGenerated:datetime, Category:string, CsMethod:string, CsUriStem:string, SPort:string, CIp:string, UserAgent:string, CsHost:string, ScStatus:int, ScSubStatus:string, ScWin32Status:string, ScBytes:int, CsBytes:int, TimeTaken:int, Result:string, Cookie:string, CsUriQuery:string, CsUsername:string, Referer:string, SourceSystem:string, Type:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-appservicehttplogs/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/auditlogs.yaml
+++ b/Tools/externaldata/auditlogs.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, SourceSystem:string, TimeGenerated:datetime, ResourceId:string, OperationName:string, OperationVersion:string, Category:string, ResultType:string, ResultSignature:string, ResultDescription:string, DurationMs:long, CorrelationId:string, Resource:string, ResourceGroup:string, ResourceProvider:string, Identity:string, Level:string, Location:string, AdditionalDetails:dynamic, Id:string, InitiatedBy:dynamic, LoggedByService:string, Result:string, ResultReason:string, TargetResources:dynamic, AADTenantId:string, ActivityDisplayName:string, ActivityDateTime:datetime, AADOperationType:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-auditlogs/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/awscloudtrail.yaml
+++ b/Tools/externaldata/awscloudtrail.yaml
@ -0,0 +1,5 @@
 externaldata(TimeGenerated:datetime, AwsEventId:string, EventVersion:string, EventSource:string, EventTypeName:string, EventName:string, UserIdentityType:string, UserIdentityPrincipalid:string, UserIdentityArn:string, UserIdentityAccountId:string, UserIdentityInvokedBy:string, UserIdentityAccessKeyId:string, UserIdentityUserName:string, SessionMfaAuthenticated:bool, SessionCreationDate:datetime, SessionIssuerType:string, SessionIssuerPrincipalId:string, SessionIssuerArn:string, SessionIssuerAccountId:string, SessionIssuerUserName:string, AWSRegion:string, SourceIpAddress:string, UserAgent:string, ErrorCode:string, ErrorMessage:string, RequestParameters:string, ResponseElements:string, AdditionalEventData:string, AwsRequestId:string, AwsRequestId_:string, Resources:string, APIVersion:string, ReadOnly:bool, RecipientAccountId:string, ServiceEventDetails:string, SharedEventId:string, VpcEndpointId:string, ManagementEvent:bool, TenantId:string, SourceSystem:string, OperationName:string, Category:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-awscloudtrail/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/commonsecuritylog.yaml
+++ b/Tools/externaldata/commonsecuritylog.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, SourceSystem:string, TimeGenerated:datetime, ReceiptTime:string, DeviceVendor:string, DeviceProduct:string, DeviceEventClassID:string, LogSeverity:string, OriginalLogSeverity:string, DeviceAction:string, SimplifiedDeviceAction:string, Computer:string, CommunicationDirection:string, DeviceFacility:string, DestinationPort:int, DestinationIP:string, DeviceAddress:string, DeviceName:string, Message:string, Protocol:string, SourcePort:int, SourceIP:string, RemoteIP:string, RemotePort:string, MaliciousIP:string, ThreatSeverity:int, IndicatorThreatType:string, ThreatDescription:string, ThreatConfidence:string, ReportReferenceLink:string, MaliciousIPLongitude:real, MaliciousIPLatitude:real, MaliciousIPCountry:string, DeviceVersion:string, Activity:string, ApplicationProtocol:string, EventCount:int, DestinationDnsDomain:string, DestinationServiceName:string, DestinationTranslatedAddress:string, DestinationTranslatedPort:int, DeviceDnsDomain:string, DeviceExternalID:string, DeviceInboundInterface:string, DeviceNtDomain:string, DeviceOutboundInterface:string, DevicePayloadId:string, ProcessName:string, DeviceTranslatedAddress:string, DestinationHostName:string, DestinationMACAddress:string, DestinationNTDomain:string, DestinationProcessId:int, DestinationUserPrivileges:string, DestinationProcessName:string, DeviceTimeZone:string, DestinationUserID:string, DestinationUserName:string, DeviceMacAddress:string, ProcessID:int, ExternalID:int, FileCreateTime:string, FileHash:string, FileID:string, FileModificationTime:string, FilePath:string, FilePermission:string, FileType:string, FileName:string, FileSize:int, ReceivedBytes:long, OldFileCreateTime:string, OldFileHash:string, OldFileID:string, OldFileModificationTime:string, OldFileName:string, OldFilePath:string, OldFilePermission:string, OldFileSize:int, OldFileType:string, SentBytes:long, RequestURL:string, RequestClientApplication:string, RequestContext:string, RequestCookies:string, RequestMethod:string, SourceHostName:string, SourceMACAddress:string, SourceNTDomain:string, SourceDnsDomain:string, SourceServiceName:string, SourceTranslatedAddress:string, SourceTranslatedPort:int, SourceProcessId:int, SourceUserPrivileges:string, SourceProcessName:string, SourceUserID:string, SourceUserName:string, EventType:int, DeviceCustomIPv6Address1:string, DeviceCustomIPv6Address1Label:string, DeviceCustomIPv6Address2:string, DeviceCustomIPv6Address2Label:string, DeviceCustomIPv6Address3:string, DeviceCustomIPv6Address3Label:string, DeviceCustomIPv6Address4:string, DeviceCustomIPv6Address4Label:string, DeviceCustomFloatingPoint1:real, DeviceCustomFloatingPoint1Label:string, DeviceCustomFloatingPoint2:real, DeviceCustomFloatingPoint2Label:string, DeviceCustomFloatingPoint3:real, DeviceCustomFloatingPoint3Label:string, DeviceCustomFloatingPoint4:real, DeviceCustomFloatingPoint4Label:string, DeviceCustomNumber1:int, DeviceCustomNumber1Label:string, DeviceCustomNumber2:int, DeviceCustomNumber2Label:string, DeviceCustomNumber3:int, DeviceCustomNumber3Label:string, DeviceCustomString1:string, DeviceCustomString1Label:string, DeviceCustomString2:string, DeviceCustomString2Label:string, DeviceCustomString3:string, DeviceCustomString3Label:string, DeviceCustomString4:string, DeviceCustomString4Label:string, DeviceCustomString5:string, DeviceCustomString5Label:string, DeviceCustomString6:string, DeviceCustomString6Label:string, DeviceCustomDate1:string, DeviceCustomDate1Label:string, DeviceCustomDate2:string, DeviceCustomDate2Label:string, FlexDate1:string, FlexDate1Label:string, FlexNumber1:int, FlexNumber1Label:string, FlexNumber2:int, FlexNumber2Label:string, FlexString1:string, FlexString1Label:string, FlexString2:string, FlexString2Label:string, AdditionalExtensions:string, StartTime:datetime, EndTime:datetime, Type:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-commonsecuritylog/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/dnsevents.yaml
+++ b/Tools/externaldata/dnsevents.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, Computer:string, SourceSystem:string, TimeGenerated:datetime, EventId:int, SubType:string, ClientIP:string, Name:string, Result:string, IPAddresses:string, Message:string, TaskCategory:string, QueryType:string, ResultCode:int, MaliciousIP:string, IndicatorThreatType:string, Description:string, Confidence:string, Severity:int, ReportReferenceLink:string, RemoteIPLongitude:real, RemoteIPLatitude:real, RemoteIPCountry:string, Type:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-dnsevents/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/emailattachmentinfo.yaml
+++ b/Tools/externaldata/emailattachmentinfo.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, FileName:string, FileType:string, NetworkMessageId:string, RecipientEmailAddress:string, RecipientObjectId:string, ReportId:string, SHA256:string, SenderDisplayName:string, SenderObjectId:string, ThreatTypes:string, ThreatNames:string, DetectionMethods:string, TimeGenerated:datetime, Timestamp:datetime, SourceSystem:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-emailattachmentinfo/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/emailevents.yaml
+++ b/Tools/externaldata/emailevents.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, AttachmentCount:int, ConfidenceLevel:string, Connectors:string, DetectionMethods:string, DeliveryAction:string, DeliveryLocation:string, EmailClusterId:long, EmailDirection:string, EmailLanguage:string, EmailAction:string, EmailActionPolicy:string, EmailActionPolicyGuid:string, OrgLevelAction:string, OrgLevelPolicy:string, InternetMessageId:string, NetworkMessageId:string, RecipientEmailAddress:string, RecipientObjectId:string, ReportId:string, SenderDisplayName:string, SenderObjectId:string, SenderIPv4:string, SenderIPv6:string, SenderMailFromAddress:string, SenderMailFromDomain:string, Subject:string, ThreatTypes:string, ThreatNames:string, TimeGenerated:datetime, Timestamp:datetime, UrlCount:int, UserLevelAction:string, UserLevelPolicy:string, SourceSystem:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-emailevents/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/emailurlinfo.yaml
+++ b/Tools/externaldata/emailurlinfo.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, NetworkMessageId:string, ReportId:string, TimeGenerated:datetime, Timestamp:datetime, Url:string, UrlDomain:string, SourceSystem:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-emailurlinfo/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/event.yaml
+++ b/Tools/externaldata/event.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, SourceSystem:string, TimeGenerated:datetime, Source:string, EventLog:string, Computer:string, EventLevel:int, EventLevelName:string, ParameterXml:string, EventData:string, EventID:int, RenderedDescription:string, AzureDeploymentID:string, Role:string, EventCategory:int, UserName:string, Message:string, MG:string, ManagementGroupName:string, Type:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-event/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/genstoragectxkql.ps1
+++ b/Tools/externaldata/genstoragectxkql.ps1
@ -0,0 +1,125 @@
 # Created On: 9/13/2021 3:36 PM
 # Created By: Nathan Swift - nathan.swift@swiftsolves.com
 # This script is as is and not supported by Microsoft 
 # Microsoft does not assume any risk of data loss
 # Use it at your own risk
 ################################################################################
 <#  Possible Futures:
 1. rewrite into Functions with Parameter inputs
 2. logic checks on the string inputs
 3. Bug: fix output file there is an extra line seperator between externaldata() and open array
 #>
 <#
 # Used for manual testing
 $storageaccount = "storageaccountname"
 $loganalyticsworkspace = "workspacename"
 $tablename = "emailevents"
 $startdate = [DateTime] "09/11/2021 02:00 AM"
 $enddate = [DateTime] "09/12/2021 12:00 PM"
 #>
 # Prompt user for key information for look ups
 $loganalyticsworkspace = Read-Host -Prompt "Enter your Log Analytics workspace name to lookup logs"
 # Log analyticsworkspace resource id
 $loganalyticsworkspaceid = (Get-AzResource -Name $loganalyticsworkspace).ResourceId
 # Storage account name
 $storageaccount = Read-Host -Prompt "Enter your storage account name to lookup logs"
 # Storage resource id
 $storageid = (Get-AzResource -Name $storageaccount).ResourceId
 # Log analytics workspace table name
 $tablename = Read-Host -Prompt "Enter your table name to export"
 $tablename = $tablename.ToLower()
 $containername = "am-" + $tablename
 $containernamesearch = "am-" + $tablename + "*"
 # generate filepath for kql table query lookup
 $file = Get-Date -Format "yyyyMMddhhmmss"
 $filepath = $containername + $file + ".yaml" #"c:\temp\" + 
 # Start date to find log files for
 $startdate = Read-Host -Prompt "Enter your start date using this format as an ex. 09/11/2021 02:00 AM"
 # End date to find log files for
 $enddate = Read-Host -Prompt "Enter your end date using this format as an ex. 09/12/2021 12:00 PM"
 # Storage resource group
 $storerg = $storageid.Split('/')[4]
 # Obtain storage account key where logs are
 $azstorekey = (Get-AzStorageAccountKey -Name $storageaccount -ResourceGroupName $storerg).value[0]
 # Generate storage account context
 $context = New-AzStorageContext -StorageAccountName $storageaccount -StorageAccountKey $azstorekey
 # Obtain storage blobs from within the start and end date ranges
 $blobs = Get-AzStorageContainer -Name $containernamesearch -Context $context | Get-AzStorageBlob 
 $blobs = $blobs | Where-Object {$_.LastModified -ge $startdate -and $_.LastModified -le $enddate}
 # request for generated SAS Uris for 8 hours to KQL query
 $expiredattime = (Get-Date).AddHours(8)
 # Obtain URL for first line of extenaldata() lookup kql file
 $url = 'https://raw.githubusercontent.com/swiftsolves-msft/kql/main/externaldata/' + $tablename + '.yaml'
 $firststring = Invoke-WebRequest -UseBasicParsing $url
 #Build Error handling for generic lookup with no schema found
 $lineinsert = ($firststring.Content).Split('[')[0] 
 Echo $lineinsert | Out-File $filepath -Append
 # count number of blobs to determine when last SAS uri is requested
 $numblobs = $blobs.Count
 # KQL Query insert
 $lineinsert = '['
 Echo $lineinsert | Out-File $filepath -Append
 #Start counter at one
 $counter = 1
 #For each of the SAS Blobs generate a SAS Uri and KQL Query insert
 Foreach ($blob in $blobs){
    #generate blob uri
    $bloburi = New-AzStorageBlobSASToken -Context $context -Container $containername -Blob $blob.Name -Permission r -ExpiryTime $expiredattime -FullUri
    # KQL Query insert SAS Uri
    if ($counter -lt $numblobs) {
        $lineinsert = 'h@"' + $bloburi + '",'
        Echo $lineinsert | Out-File $filepath -Append
    }
    if ($counter -ge $numblobs) {
        $lineinsert = 'h@"' + $bloburi + '"'
        Echo $lineinsert | Out-File $filepath -Append
    }
    # update counter 
    $counter++
 }
 # KQL Query insert
 $lineinsert = ']'
 Echo $lineinsert | Out-File $filepath -Append
 $lineinsert = 'with(format="json")'
 Echo $lineinsert | Out-File $filepath -Append
 ## Fix Caritridge return space
 (Get-Content $filepath) | ? {$_.trim() -ne "" } | set-content $filepath
 # Open a notepad of the KQL Query
 Start-Process notepad.exe $filepath
--- a/Tools/externaldata/heartbeat.yaml
+++ b/Tools/externaldata/heartbeat.yaml
@ -0,0 +1,5 @@
 externaldata(Category:string, Computer:string, ComputerEnvironment:string, ComputerIP:string, IsGatewayInstalled:boolean, ManagementGroupName:string, MG:string, OSMajorVersion:string, OSMinorVersion:string, OSType:string, RemoteIPCountry:string, RemoteIPLatitude:real, RemoteIPLongitude:real, Resource:string, ResourceGroup:string, ResourceId:string, ResourceProvider:string, ResourceType:string, SCAgentChannel:string, Solutions:string, SourceComputerId:string, SourceSystem:string, SubscriptionId:string, TimeGenerated:datetime, TenantId:string, Type:string, Version:string, VMUUID:string, _Internal_WorkspaceResourceId:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-heartbeat/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/officeactivity.yaml
+++ b/Tools/externaldata/officeactivity.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, Application:string, UserDomain:string, UserAgent:string, RecordType:string, TimeGenerated:datetime, Operation:string, OrganizationId:string, OrganizationId_:string, UserType:string, UserKey:string, OfficeWorkload:string, ResultStatus:string, ResultReasonType:string, OfficeObjectId:string, UserId:string, UserId_:string, ClientIP:string, ClientIP_:string, Scope:string, Site_:string, ItemType:string, EventSource:string, Source_Name:string, MachineDomainInfo:string, MachineId:string, Site_Url:string, Site_Url_:string, SourceRelativeUrl:string, SourceRelativeUrl_:string, SourceFileName:string, SourceFileName_:string, SourceFileExtension:string, DestinationRelativeUrl:string, DestinationFileName:string, DestinationFileExtension:string, UserSharedWith:string, SharingType:string, CustomEvent:string, Event_Data:string, ModifiedObjectResolvedName:string, Parameters:string, ExternalAccess:string, OriginatingServer:string, OrganizationName:string, Logon_Type:string, InternalLogonType:int, MailboxGuid:string, MailboxOwnerUPN:string, MailboxOwnerSid:string, MailboxOwnerMasterAccountSid:string, LogonUserSid:string, LogonUserDisplayName:string, ClientInfoString:string, Client_IPAddress:string, ClientMachineName:string, ClientProcessName:string, ClientVersion:string, Folder:string, CrossMailboxOperations:bool, DestMailboxId:string, DestMailboxOwnerUPN:string, DestMailboxOwnerSid:string, DestMailboxOwnerMasterAccountSid:string, DestFolder:string, Folders:string, AffectedItems:string, Item:string, ModifiedProperties:string, SendAsUserSmtp:string, SendAsUserMailboxGuid:string, SendOnBehalfOfUserSmtp:string, SendonBehalfOfUserMailboxGuid:string, ExtendedProperties:string, Client:string, LoginStatus:int, Actor:string, ActorContextId:string, ActorIpAddress:string, InterSystemsId:string, IntraSystemId:string, SupportTicketId:string, TargetContextId:string, DataCenterSecurityEventType:int, EffectiveOrganization:string, ElevationTime:datetime, ElevationApprover:string, ElevationApprovedTime:datetime, ElevationRequestId:string, ElevationRole:string, ElevationDuration:int, GenericInfo:string, SourceSystem:string, OfficeId:string, SourceRecordId:string, AzureActiveDirectory_EventType:string, AADTarget:string, Start_Time:datetime, OfficeTenantId:string, OfficeTenantId_:string, TargetUserOrGroupName:string, TargetUserOrGroupType:string, MessageId:string, Members:dynamic, TeamName:string, TeamGuid:string, ChannelType:string, ChannelName:string, ChannelGuid:string, ExtraProperties:dynamic, AddOnType:string, AddonName:string, TabType:string, Name:string, OldValue:string, NewValue:string, ItemName:string, ChatThreadId:string, ChatName:string, CommunicationType:string, AADGroupId:string, AddOnGuid:string, AppDistributionMode:string, TargetUserId:string, OperationScope:string, AzureADAppId:string, OperationProperties:dynamic, AppId:string, ClientAppId:string, Type:string, _ResourceId:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-officeactivity/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/securityalert.yaml
+++ b/Tools/externaldata/securityalert.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, TimeGenerated:datetime, DisplayName:string, AlertName:string, AlertSeverity:string, Description:string, ProviderName:string, VendorName:string, VendorOriginalId:string, SystemAlertId:string, ResourceId:string, SourceComputerId:string, AlertType:string, ConfidenceLevel:string, ConfidenceScore:real, IsIncident:bool, StartTime:datetime, EndTime:datetime, ProcessingEndTime:datetime, RemediationSteps:string, ExtendedProperties:string, Entities:string, SourceSystem:string, WorkspaceSubscriptionId:string, WorkspaceResourceGroup:string, ExtendedLinks:string, ProductName:string, ProductComponentName:string, AlertLink:string, Status:string, CompromisedEntity:string, Tactics:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-securityalert/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/securityevent.yaml
+++ b/Tools/externaldata/securityevent.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, TimeGenerated:datetime, SourceSystem:string, Account:string, AccountType:string, Computer:string, EventSourceName:string, Channel:string, Task:int, Level:string, EventData:string, EventID:int, Activity:string, PartitionKey:string, RowKey:string, StorageAccount:string, AzureDeploymentID:string, AzureTableName:string, AccessList:string, AccessMask:string, AccessReason:string, AccountDomain:string, AccountExpires:string, AccountName:string, AccountSessionIdentifier:string, AdditionalInfo:string, AdditionalInfo2:string, AllowedToDelegateTo:string, Attributes:string, AuditPolicyChanges:string, AuditsDiscarded:int, AuthenticationLevel:int, AuthenticationPackageName:string, AuthenticationProvider:string, AuthenticationServer:string, AuthenticationService:int, AuthenticationType:string, CACertificateHash:string, CalledStationID:string, CallerProcessId:string, CallerProcessName:string, CallingStationID:string, CAPublicKeyHash:string, CategoryId:string, CertificateDatabaseHash:string, ClassId:string, ClassName:string, ClientAddress:string, ClientIPAddress:string, ClientName:string, CommandLine:string, CompatibleIds:string, DCDNSName:string, DeviceDescription:string, DeviceId:string, DisplayName:string, Disposition:string, DomainBehaviorVersion:string, DomainName:string, DomainPolicyChanged:string, DomainSid:string, EAPType:string, ElevatedToken:string, ErrorCode:int, ExtendedQuarantineState:string, FailureReason:string, FileHash:string, FilePath:string, FilePathNoUser:string, Filter:string, ForceLogoff:string, Fqbn:string, FullyQualifiedSubjectMachineName:string, FullyQualifiedSubjectUserName:string, GroupMembership:string, HandleId:string, HardwareIds:string, HomeDirectory:string, HomePath:string, ImpersonationLevel:string, InterfaceUuid:string, IpAddress:string, IpPort:string, KeyLength:int, LmPackageName:string, LocationInformation:string, LockoutDuration:string, LockoutObservationWindow:string, LockoutThreshold:string, LoggingResult:string, LogonGuid:string, LogonHours:string, LogonID:string, LogonProcessName:string, LogonType:int, LogonTypeName:string, MachineAccountQuota:string, MachineInventory:string, MachineLogon:string, MandatoryLabel:string, MaxPasswordAge:string, MemberName:string, MemberSid:string, MinPasswordAge:string, MinPasswordLength:string, MixedDomainMode:string, NASIdentifier:string, NASIPv4Address:string, NASIPv6Address:string, NASPort:string, NASPortType:string, NetworkPolicyName:string, NewDate:string, NewMaxUsers:string, NewProcessId:string, NewProcessName:string, NewRemark:string, NewShareFlags:string, NewTime:string, NewUacValue:string, NewValue:string, NewValueType:string, ObjectName:string, ObjectServer:string, ObjectType:string, ObjectValueName:string, OemInformation:string, OldMaxUsers:string, OldRemark:string, OldShareFlags:string, OldUacValue:string, OldValue:string, OldValueType:string, OperationType:string, PackageName:string, ParentProcessName:string, PasswordHistoryLength:string, PasswordLastSet:string, PasswordProperties:string, PreviousDate:string, PreviousTime:string, PrimaryGroupId:string, PrivateKeyUsageCount:string, PrivilegeList:string, Process:string, ProcessId:string, ProcessName:string, Properties:string, ProfilePath:string, ProtocolSequence:string, ProxyPolicyName:string, QuarantineHelpURL:string, QuarantineSessionID:string, QuarantineSessionIdentifier:string, QuarantineState:string, QuarantineSystemHealthResult:string, RelativeTargetName:string, RemoteIpAddress:string, RemotePort:string, Requester:string, RequestId:string, RestrictedAdminMode:string, RowsDeleted:string, SamAccountName:string, ScriptPath:string, SecurityDescriptor:string, ServiceAccount:string, ServiceFileName:string, ServiceName:string, ServiceStartType:int, ServiceType:string, SessionName:string, ShareLocalPath:string, ShareName:string, SidHistory:string, Status:string, SubjectAccount:string, SubcategoryGuid:string, SubcategoryId:string, Subject:string, SubjectDomainName:string, SubjectKeyIdentifier:string, SubjectLogonId:string, SubjectMachineName:string, SubjectMachineSID:string, SubjectUserName:string, SubjectUserSid:string, SubStatus:string, TableId:string, TargetAccount:string, TargetDomainName:string, TargetInfo:string, TargetLinkedLogonId:string, TargetLogonGuid:string, TargetLogonId:string, TargetOutboundDomainName:string, TargetOutboundUserName:string, TargetServerName:string, TargetSid:string, TargetUser:string, TargetUserName:string, TargetUserSid:string, TemplateContent:string, TemplateDSObjectFQDN:string, TemplateInternalName:string, TemplateOID:string, TemplateSchemaVersion:string, TemplateVersion:string, TokenElevationType:string, TransmittedServices:string, UserAccountControl:string, UserParameters:string, UserPrincipalName:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-securityevent/SASSIG"
 ]
 with(format="json")
--- a/Tools/externaldata/signinlogs.yaml
+++ b/Tools/externaldata/signinlogs.yaml
@ -0,0 +1,5 @@
 externaldata(TenantId:string, SourceSystem:string, TimeGenerated:datetime, ResourceId:string, OperationName:string, OperationVersion:string, Category:string, ResultType:string, ResultSignature:string, ResultDescription:string, DurationMs:long, CorrelationId:string, Resource:string, ResourceGroup:string, ResourceProvider:string, Identity:string, Level:string, Location:string, AlternateSignInName:string, AppDisplayName:string, AppId:string, AuthenticationDetails:string, AuthenticationMethodsUsed:string, AuthenticationProcessingDetails:string, AuthenticationRequirement:string, AuthenticationRequirementPolicies:string, ClientAppUsed:string, ConditionalAccessPolicies:dynamic, ConditionalAccessStatus:string, CreatedDateTime:datetime, DeviceDetail:dynamic, IsInteractive:bool, Id:string, IPAddress:string, IsRisky:bool, LocationDetails:dynamic, MfaDetail:dynamic, NetworkLocationDetails:string, OriginalRequestId:string, ProcessingTimeInMilliseconds:string, RiskDetail:string, RiskEventTypes:string, RiskEventTypes_V2:string, RiskLevelAggregated:string, RiskLevelDuringSignIn:string, RiskState:string, ResourceDisplayName:string, ResourceIdentity:string, ServicePrincipalId:string, ServicePrincipalName:string, Status:dynamic, TokenIssuerName:string, TokenIssuerType:string, UserAgent:string, UserDisplayName:string, UserId:string, UserPrincipalName:string, AADTenantId:string, UserType:string, FlaggedForReview:bool, IPAddressFromResourceProvider:string, SignInIdentifier:string, SignInIdentifierType:string, ResourceTenantId:string, HomeTenantId:string, Type:string)
 [
  h@"https://STORAGEACCOUNTNAME.blob.core.windows.net/am-signinlogs/SASSIG"
 ]
 with(format="json")