Azure-Sentinel/Parsers/ZoomReports/Zoom.txt

// Usage Instruction : 
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. Zoom).
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Zoom | take 10).
// References : 
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
//
let Zoom_dates_report_view = view () {
    Zoom_CL 
    | where event_type_s == "dates"
    | summarize arg_max(TimeGenerated, *) by date_s
};
let Zoom_other_reports_view = view () {
    Zoom_CL 
    | where event_type_s != "dates"
};
let Zoom_all_reports_view = view () { 
    union isfuzzy=true Zoom_dates_report_view, Zoom_other_reports_view
    | extend
    			Date=column_ifexists('date_s', ''),
    			EventDay=column_ifexists('date_s', ''),
    			NewUsersCount=column_ifexists('new_users_d', ''),
    			MeetingsCount=column_ifexists('meetings_d', ''),
    			ParticipantsCount=column_ifexists('participants_d', ''),
    			MeetingMinutes=column_ifexists('meeting_minutes_d', ''),
    			EventType=column_ifexists('event_type_s', ''),
    			EventName=column_ifexists('event_name_s', ''),
    			EventMessage=column_ifexists('event_name_s', ''),
    			Id=column_ifexists('id_s', ''),
    			UserIdentity=column_ifexists('id_s', ''),
    			Email=column_ifexists('email_s', ''),
    			UserEmail=column_ifexists('email_s', ''),
    			UserName=column_ifexists('user_name_s', ''),
    			UserType=column_ifexists('type_d', ''),
    			Dept=column_ifexists('dept_s', ''),
    			Department=column_ifexists('dept_s', ''),
    			LastClientVersion=column_ifexists('last_client_version_s', ''),
    			DvcModelNumber=column_ifexists('last_client_version_s', ''),
    			EventEndTime=column_ifexists('last_login_time_t', ''),
    			LastLoginTime=column_ifexists('last_login_time_t', ''),
    			CreateTime=column_ifexists('create_time_t', ''),
    			EventCreationTime=column_ifexists('create_time_t', ''),
    			Usage=column_ifexists('usage_s', ''),
    			PlanUsage=column_ifexists('plan_usage_s', ''),
    			FreeUsage=column_ifexists('free_usage_s', ''),
    			Time=column_ifexists('time_t', ''),
    			EventOriginalTime=column_ifexists('time_t', ''),
    			Operator=column_ifexists('operator_s', ''),
    			CategoryType=column_ifexists('category_type_s', ''),
    			Action=column_ifexists('action_s', ''),
    			EventOriginalMessage=column_ifexists('operation_detail_s', ''),
    			OperationDetail=column_ifexists('operation_detail_s', ''),
    			EventResult=column_ifexists('type_s', ''),
    			IpAddress=column_ifexists('ip_address_s', ''),
    			SrcIpAddr=column_ifexists('ip_address_s', ''),
    			ClientType=column_ifexists('client_type_s', ''),
    			SrcDvcModelName=column_ifexists('client_type_s', ''),
    			SrcDvcModelNumber=column_ifexists('version_s', ''),
    			Version=column_ifexists('version_s', ''),
    			EventVendor="Zoom",
                EventProduct="Zoom Reports"
    | project
                TimeGenerated, 
                EventVendor,
                EventProduct,
                Date,
    			EventDay,
    			NewUsersCount,
    			MeetingsCount,
    			ParticipantsCount,
    			MeetingMinutes,
    			EventType,
    			EventName,
    			EventMessage,
    			Id,
    			UserIdentity,
    			Email,
    			UserEmail,
    			UserName,
    			UserType,
    			Dept,
    			Department,
    			LastClientVersion,
    			DvcModelNumber,
    			EventEndTime,
    			LastLoginTime,
    			CreateTime,
    			EventCreationTime,
    			Usage,
    			PlanUsage,
    			FreeUsage,
    			Time,
    			EventOriginalTime,
    			Operator,
    			CategoryType,
    			Action,
    			EventOriginalMessage,
    			OperationDetail,
    			EventResult,
    			IpAddress,
    			SrcIpAddr,
    			ClientType,
    			SrcDvcModelName,
    			SrcDvcModelNumber,
    			Version
};
Zoom_all_reports_view