replacing deprecated parsejson with parse_json

This commit is contained in:
Ashwin Patil 2021-08-17 12:26:48 -07:00
Родитель aa107109a9
Коммит f1956267ef
11 изменённых файлов: 16 добавлений и 16 удалений


@ -18,7 +18,7 @@ let v_EndTime = suspiciousEventTime+6h;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
// expand JSON properties
| extend Extprop = parsejson(ExtendedProperties)
| extend Extprop = parse_json(ExtendedProperties)
| extend Computer = toupper(tostring(Extprop["Compromised Host"]))
| where Computer contains v_Host
| project TimeGenerated, AlertName, Computer, ExtendedProperties


@ -18,7 +18,7 @@ let v_EndTime = suspiciousEventTime+6h;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
// expand JSON properties
| extend Extprop = parsejson(ExtendedProperties)
| extend Extprop = parse_json(ExtendedProperties)
| extend Computer = toupper(tostring(Extprop["Compromised Host"]))
| extend Account = tolower(tostring(Extprop["User Name"]))
| where ExtendedProperties contains v_ipAddress or Entities contains v_ipAddress
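Review bot: The filter on the last line, `where ExtendedProperties contains v_ipAddress or Entities contains v_ipAddress`, is a substring match, so a search for 10.0.0.1 also returns alerts for 10.0.0.10 or 110.0.0.1, and the new parse_json line above it does not tighten that. Since Extprop already holds the parsed ExtendedProperties, an exact comparison on the parsed field is more precise: `| extend IpAddress = tostring(Extprop["Client Address"])` followed by `| where IpAddress == v_ipAddress`, which is the pattern the Entities-based SecurityAlert hunks in this commit already use (`where IpAddress == v_ipAddress`). If the Entities side of the match is still needed, the mv-expand approach from those hunks keeps it exact as well. The query continues outside the hunk, so downstream use of the filtered rows is not visible here.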


@ -20,7 +20,7 @@ query: |
let GetLeastPrevUsersbyIP = (v_IP_Address:string){
SigninLogs
| where IPAddress contains v_IP_Address
| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail['displayName'])))
| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail['displayName'])))
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
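Review bot: The `parse_json(DeviceDetail['displayName'])` wrapper on the new line is redundant: `DeviceDetail` is already used as a dynamic property bag two lines below (`DeviceDetail.operatingSystem`), so `DeviceDetail['displayName']` is a dynamic value and parse_json returns it as-is; `| extend RemoteHost = tolower(tostring(DeviceDetail['displayName']))` yields the same string. The same wrapper appears in the GetMostPrevUsersbyIP hunk and in the `DeviceDetail.["displayName"]` line of the later SigninLogs hunk. Keeping the rename is harmless, but dropping the wrapper makes it clear that no string-to-JSON parse happens here. The GetLeastPrevUsersbyIP function body continues outside the hunk.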


@ -20,7 +20,7 @@ query: |
let GetMostPrevUsersbyIP = (v_IP_Address:string){
SigninLogs
| where IPAddress contains v_IP_Address
| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail['displayName'])))
| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail['displayName'])))
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)


@ -1,7 +1,7 @@
// If we also wanted to see what alerts fired on these machines we could extend the above query and join them with the SecurityAlerts table from Azure Security Center.
// Azure Security Center must be enabled for this query to be valid
| join (SecurityAlert
| extend ExtProps=parsejson(ExtendedProperties)
| extend ExtProps=parse_json(ExtendedProperties)
| extend Computer=toupper(tostring(ExtProps["Compromised Host"]))
)
on Computer
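Review bot: The join key `on Computer` compares the inner side's uppercased value (`toupper(tostring(ExtProps["Compromised Host"]))`) against the outer query's Computer column, and KQL join equality is case-sensitive, so rows only match if the outer side is normalised the same way; the outer query is outside this hunk, so I cannot confirm that it is. A comment on the join, `// Computer is upper-cased on this side; the left side must apply toupper() too or the join silently drops rows`, would make the requirement explicit, or the outer side could apply the same `toupper()` before joining. The snippet starts at `| join`, so the left-hand table is not visible here.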


@ -44,8 +44,8 @@ query: |
UserNameOnly contains "-", split(UserNameOnly, "-"),
UserNameOnly contains "_", split(UserNameOnly, "_"),
UserNameOnly)
| extend First = iff(isnotempty(tostring(parsejson(unoArray)[0])), tostring(parsejson(unoArray)[0]),tostring(unoArray))
| extend Last = tostring(parsejson(unoArray)[1])
| extend First = iff(isnotempty(tostring(parse_json(unoArray)[0])), tostring(parse_json(unoArray)[0]),tostring(unoArray))
| extend Last = tostring(parse_json(unoArray)[1])
| extend First4char = iff(countof(substring(First, 0,4), '[0-9A-Za-z]', "regex") >= 4, substring(First, 0,4), "LessThan4"),
First6char = iff(countof(substring(First, 0,6), '[0-9A-Za-z]', "regex") >= 6, substring(First, 0,6), "LessThan6"),
First8char = iff(countof(substring(First, 0,8), '[0-9A-Za-z]', "regex") >= 8, substring(First, 0,8), "LessThan8"),
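Review bot: `parse_json(unoArray)` is evaluated three times across the two new lines (twice inside the `First` iff and once for `Last`); parsing once into a named column is cheaper and easier to read: `| extend unoParsed = parse_json(unoArray)`, then `| extend First = iff(isnotempty(tostring(unoParsed[0])), tostring(unoParsed[0]), tostring(unoArray))` and `| extend Last = tostring(unoParsed[1])`. The case expression above falls back to the plain `UserNameOnly` string when neither separator is present, which is presumably why `First` falls back to `tostring(unoArray)`; a comment such as `// unoArray is a plain string when no separator matched, so [0] is empty and the raw value is used` would make that intent explicit. The enclosing query starts and continues outside the hunk.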


@ -144,7 +144,7 @@ query: |
) on DomainSlashAccount),
(ra_Today | join kind=inner
(SigninLogs | where TimeGenerated > LastDay
| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail.["displayName"])))
| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail.["displayName"])))
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, StatusCode = tostring(Status.errorCode),
StatusDetails = tostring(Status.additionalDetails), State = tostring(LocationDetails.state)
| summarize rel_StartTime = min(TimeGenerated), rel_EndTime = max(TimeGenerated), a_RelatedRemoteHostSet = makeset(RemoteHost),
@ -160,7 +160,7 @@ query: |
) on AccountName),
(ra_Today | join kind=inner
(SecurityAlert | where TimeGenerated > LastDay
| extend ExtProps=parsejson(ExtendedProperties)
| extend ExtProps=parse_json(ExtendedProperties)
| extend AccountName = tostring(ExtProps.["user name"])
| summarize rel_StartTime = min(TimeGenerated), rel_EndTime = max(TimeGenerated), rel_ServiceOrSystemCount = dcount(AlertType),
rel_ServiceOrSystemSet = makeset(AlertType),
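Review bot: In the second hunk, `AccountName = tostring(ExtProps.["user name"])` reads only the lower-case key, while the later SecurityAlert hunk in this commit falls back between `Extprop["User Name"]` and `Extprop["user name"]`, which suggests the key casing varies by alert provider; with this line alone, alerts that carry `User Name` yield an empty AccountName and are dropped by the `join kind=inner ... on AccountName`. Reading both spellings here, `| extend AccountName = coalesce(tostring(ExtProps["User Name"]), tostring(ExtProps["user name"]))`, keeps those rows. Whether the outer ra_Today side expects a particular letter case for AccountName is not visible, as that branch of the union starts outside the hunk.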


@ -23,9 +23,9 @@ query: |
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
// expand JSON properties
| extend Extprop = parsejson(Entities)
| extend Extprop = parse_json(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend Extprop = parse_json(Extprop)
| extend IpAddress = iff(Extprop["Type"] == "ip",Extprop['Address'], '')
| where IpAddress == v_ipAddress
| extend Account = Extprop['Name']


@ -22,9 +22,9 @@ query: |
let v_EndTime = suspiciousEventTime+6h;
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
| extend Extprop = parsejson(Entities)
| extend Extprop = parse_json(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend Extprop = parse_json(Extprop)
| extend Account = Extprop['Name']
| extend Domain = Extprop['UPNSuffix']
| extend Account = iif(isnotempty(Domain) and Extprop['Type']=="account", tolower(strcat(Account, "@", Domain)), iif(Extprop['Type']=="account", tolower(Account), ""))


@ -24,7 +24,7 @@ query: |
| where TimeGenerated between (v_StartTime .. v_EndTime)
| where Computer contains v_Host
// expand JSON properties
| extend Extprop = parsejson(ExtendedProperties)
| extend Extprop = parse_json(ExtendedProperties)
| extend Computer = iff(isnotempty(toupper(tostring(Extprop["Compromised Host"]))), toupper(tostring(Extprop["Compromised Host"])), tostring(parse_json(Entities)[0].HostName))
| extend Account = iff(isnotempty(tolower(tostring(Extprop["User Name"]))), tolower(tostring(Extprop["User Name"])), tolower(tostring(Extprop["user name"])))
| extend IpAddress = tostring(parse_json(ExtendedProperties).["Client Address"])
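Review bot: `where Computer contains v_Host` runs before the new `Extprop` line and the following `extend Computer = ...` redefine Computer from `Extprop["Compromised Host"]` (with a fallback to `parse_json(Entities)[0].HostName`), so the filter applies to the table's own Computer column and alerts whose host is only recorded in ExtendedProperties or Entities are dropped before the extend. If the compromised host is the intended key, the `where` should move below the `extend Computer = ...` line; if the table column is intended, a comment saying so would avoid the confusion. Separately, the last line re-parses ExtendedProperties although Extprop already holds it; `| extend IpAddress = tostring(Extprop.["Client Address"])` is equivalent. The query starts above the hunk, so the definition of v_Host is not visible here.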


@ -22,9 +22,9 @@ query: |
SecurityAlert
| where TimeGenerated between (v_StartTime .. v_EndTime)
| where Entities has v_Process
| extend Extprop = parsejson(Entities)
| extend Extprop = parse_json(Entities)
| mv-expand Extprop
| extend Extprop = parsejson(Extprop)
| extend Extprop = parse_json(Extprop)
| extend CmdLine = iff(Extprop['Type']=="process", Extprop['CommandLine'], '')
| extend File = iff(Extprop['Type']=="file", Extprop['Name'], '')
| extend Account = Extprop['Name']