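// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as CiscoDuo.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. CiscoDuo | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// Purpose : normalise raw Cisco Duo custom-log records (CiscoDuo_CL) into vendor-neutral
//           column names so detections can be written once against the CiscoDuo alias.
// Input   : CiscoDuo_CL. Raw column names carry the Log Analytics type suffix
//           (_s string, _d real, _b bool, _t datetime, _g guid).
// Output  : every input row, with normalised columns added or renamed; no rows are dropped.
CiscoDuo_CL
| extend EventVendor = 'Cisco'
| extend EventProduct = 'Duo Security'
// description_s carries a JSON document (device, ip_address, user_agent, ...). The parsed value
// is bound back to description_s so the ['...'] lookups below index the parsed dynamic value;
// an unnamed "extend parse_json(description_s)" would only add an auto-named extra column and
// leave the lookups operating on the raw string.
| extend description_s = parse_json(description_s)
// Core fields. Several attributes arrive under two alternative raw names depending on the Duo
// log type, so iff() picks whichever one is populated.
| extend SrcDvcType=description_s['device'],
    SrcIpAddr=iff(isnotempty(description_s), description_s['ip_address'], access_device_ip_s),
    DstUserName=iff(isnotempty(username_s), username_s, user_name_s),
    SrcUserName=object_s,
    EventType=iff(isnotempty(eventtype_s), eventtype_s, event_type_s),
    // timestamp_d is epoch seconds stored as real; tolong() before converting to datetime.
    EventEndTime=unixtime_seconds_todatetime(tolong(timestamp_d)),
    HttpUserAgentOriginal = description_s['user_agent']
// Optional fields: column_ifexists() keeps the function valid in a workspace that has not yet
// ingested a record containing the column.
// NOTE: the "" default means such a column is typed string when absent but bool/real when
// present (e.g. priority_event_b, credits_d); downstream queries should convert explicitly
// (tobool()/toreal()/tostring()) rather than assume a type.
| extend AccessDvcSecurityAgents=column_ifexists( "access_device_security_agents_s" , "")
    , TrustedEndpointStatus=column_ifexists( "trusted_endpoint_status_s", "")
    , SurfacedAuthAccessDeviceSecurityAgents=column_ifexists( "surfaced_auth_access_device_security_agents_s", "")
    , SrcDvcOs=column_ifexists( "access_device_os_s", "")
    , DstGeoRegion=column_ifexists( "state_s", "")
    , AccessDvcBrowser=column_ifexists( "access_device_browser_s", "")
    , AccessDvcBrowserVersion=column_ifexists( "access_device_browser_version_s", "")
    , AccessDvcFlashVersion=column_ifexists( "access_device_flash_version_s", "")
    , AccessDvcEncryptionEnabled=column_ifexists( "access_device_is_encryption_enabled_s", "")
    , AccessDvcFirewallEnabled=column_ifexists( "access_device_is_firewall_enabled_s", "")
    , AccessDvcPasswordSet=column_ifexists( "access_device_is_password_set_s", "")
    , AccessDvcJavaVersion=column_ifexists( "access_device_java_version_s", "")
    , AccessDvcOsVersion=column_ifexists( "access_device_os_version_s", "")
    , Explanations=column_ifexists( "explanations_s", "")
    , FromCommonNetblock=column_ifexists( "from_common_netblock_b", "")
    , FromNewUser=column_ifexists( "from_new_user_b", "")
    // low_risk_ip_b is a boolean flag where true means the source IP is *low* risk.
    // SrcRiskLevel is therefore an inverted indicator, not a risk score; a detection that
    // filters on SrcRiskLevel == true selects the low-risk rows.
    , SrcRiskLevel=column_ifexists( "low_risk_ip_b", "")
    , PriorityEvent=column_ifexists( "priority_event_b", "")
    , PriorityReasons=column_ifexists( "priority_reasons_s", "")
    , Sekey=column_ifexists( "sekey_s", "")
    , SurfacedAuthAccessDeviceBrowser=column_ifexists( "surfaced_auth_access_device_browser_s", "")
    , SurfacedAuthAccessDeviceBrowserVersion=column_ifexists( "surfaced_auth_access_device_browser_version_s", "")
    , SurfacedAuthAccessDeviceIp=column_ifexists( "surfaced_auth_access_device_ip_s", "")
    , SurfacedAuthAccessDeviceEncryptionEnabled=column_ifexists( "surfaced_auth_access_device_is_encryption_enabled_s", "")
    , SurfacedAuthAccessDeviceFirewallEnabled=column_ifexists( "surfaced_auth_access_device_is_firewall_enabled_s", "")
    , SurfacedAuthAccessDevicePasswordSet=column_ifexists( "surfaced_auth_access_device_is_password_set_s", "")
    , SurfacedAuthAccessDeviceLocationCity=column_ifexists( "surfaced_auth_access_device_location_city_s", "")
    , SurfacedAuthAccessDeviceLocationCountry=column_ifexists( "surfaced_auth_access_device_location_country_s", "")
    , SurfacedAuthAccessDeviceLocationState=column_ifexists( "surfaced_auth_access_device_location_state_s", "")
    , SurfacedAuthAccessDeviceOs=column_ifexists( "surfaced_auth_access_device_os_s", "")
    // The two names below keep a raw "_s" suffix, unlike the rest of the normalised set.
    // Left unchanged because existing queries may reference them; rename only together with consumers.
    , SurfacedAuthAccessDeviceOsVersion_s=column_ifexists( "surfaced_auth_access_device_os_version_s", "")
    , SurfacedAuthAlias=column_ifexists( "surfaced_auth_alias_s", "")
    , SurfacedAuthApplicationKey=column_ifexists( "surfaced_auth_application_key_s", "")
    , SurfacedAuthApplicationName=column_ifexists( "surfaced_auth_application_name_s", "")
    , SurfacedAuthEmail=column_ifexists( "surfaced_auth_email_s", "")
    , SurfacedAuthFactor=column_ifexists( "surfaced_auth_factor_s", "")
    , SurfacedAuthIsotimestamp=column_ifexists( "surfaced_auth_isotimestamp_t", "")
    , SurfacedAuthOodSoftware_s=column_ifexists( "surfaced_auth_ood_software_s", "")
    , SurfacedAuthReason=column_ifexists( "surfaced_auth_reason_s", "")
    , SurfacedAuthResult=column_ifexists( "surfaced_auth_result_s", "")
    , SurfacedAuthTimestamp=column_ifexists( "surfaced_auth_timestamp_d", "")
    , SurfacedAuthTransactionId=column_ifexists( "surfaced_auth_txid_g", "")
    , SurfacedAuthUserGroups=column_ifexists( "surfaced_auth_user_groups_s", "")
    , SurfacedAuthUserKey=column_ifexists( "surfaced_auth_user_key_s", "")
    , SurfacedAuthUserName=column_ifexists( "surfaced_auth_user_name_s", "")
    , SurfacedTimestamp=column_ifexists( "surfaced_timestamp_d", "")
    , EventUid=column_ifexists( "triage_event_uri_s", "")
    , TriagedAsInteresting=column_ifexists( "triaged_as_interesting_b", "")
    , Credits=column_ifexists( "credits_d", "")
// Plain renames of columns expected in every record.
// NOTE(review): unlike column_ifexists() above, project-rename presumably fails if one of
// these raw columns has never been ingested in the workspace — verify in a fresh workspace
// before relying on the alias there.
| project-rename DvcAction=action_s,
    DvcHostname=host_s,
    SrcGeoCountry=access_device_location_country_s,
    SrcGeoCity=access_device_location_city_s,
    EventResult=result_s,
    EventResultDetails=reason_s,
    AuthDeviceCountry=auth_device_location_country_s,
    AuthFactor=factor_s,
    AccessDvcIpAddr=access_device_ip_s,
    AccessDvcLocationState=access_device_location_state_s,
    Alias=alias_s,
    User=email_s,
    SrcAppId=application_key_s,
    SrcAppName=application_name_s,
    DvcIpAddr=auth_device_ip_s,
    AuthDeviceCity=auth_device_location_city_s,
    AuthDeviceState=auth_device_location_state_s,
    SrcHostname=auth_device_name_s,
    TransactionId=txid_g,
    UserGroups=user_groups_s,
    SrcUserId=user_key_s,
    Context=context_s,
    IsoTimestamp=isotimestamp_t,
    Phone=phone_s,
    SrcDomainType=type_s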