
// References :
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
//
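// SentinelOne_view: flattens the raw SentinelOne_CL custom-log table into a
// single schema with Sentinel-style column names (EventVendor/EventProduct,
// Src*/Event* prefixes, Data* for the nested `data.*` activity payload).
//
// Every source column is read through column_ifexists(<name>, '') so the
// function parses on a workspace that has not yet ingested every field.
// Consequence worth knowing: when a column is absent the default '' is a
// string, so the numeric (_d), boolean (_b) and datetime (_t) fields are only
// real/bool/datetime when the underlying column exists. Rules that compare
// these fields should cast explicitly (todouble/tobool/todatetime) rather
// than rely on the inferred type.
//
// NOTE(review): registrationToken_s and licenseKey_s (projected below as
// RegistrationToken / LicenseKey, alongside what look like site/group
// records: Creator, Inherits, IsDefault, TotalAgents) appear to be
// enrollment and licensing secrets rather than telemetry. They are kept for
// parity with the raw table, but anything built on this view (workbooks,
// exports, shared dashboards) should avoid surfacing them, and read access
// to SentinelOne_CL should be scoped accordingly — confirm with the
// SentinelOne documentation what a leaked registration token permits.
let SentinelOne_view = view () {
SentinelOne_CL
| extend
    EventVendor="SentinelOne",
    EventProduct="SentinelOne",
    AccountId=column_ifexists('accountId_s', ''),
    AccountName=column_ifexists('accountName_s', ''),
    ActivityType=column_ifexists('activityType_d', ''),
    EventCreationTime=column_ifexists('createdAt_t', ''),
    DataAccountName=column_ifexists('data_accountName_s', ''),
    DataFullScopeDetails=column_ifexists('data_fullScopeDetails_s', ''),
    DataScopeLevel=column_ifexists('data_scopeLevel_s', ''),
    DataScopeName=column_ifexists('data_scopeName_s', ''),
    DataSiteId=column_ifexists('data_siteId_d', ''),
    DataSiteName=column_ifexists('data_siteName_s', ''),
    SrcUserName=column_ifexists('data_username_s', ''),
    EventId=column_ifexists('id_s', ''),
    EventOriginalMessage=column_ifexists('primaryDescription_s', ''),
    SiteId=column_ifexists('siteId_s', ''),
    SiteName=column_ifexists('siteName_s', ''),
    UpdatedAt=column_ifexists('updatedAt_t', ''),
    UserIdentity=column_ifexists('userId_s', ''),
    EventType=column_ifexists('event_name_s', ''),
    DataByUser=column_ifexists('data_byUser_s', ''),
    DataRole=column_ifexists('data_role_s', ''),
    DataUserScope=column_ifexists('data_userScope_s', ''),
    EventTypeDetailed=column_ifexists('description_s', ''),
    DataSource=column_ifexists('data_source_s', ''),
    DataExpiryDateStr=column_ifexists('data_expiryDateStr_s', ''),
    DataExpiryTime=column_ifexists('data_expiryTime_d', ''),
    DataNetworkquarantine=column_ifexists('data_networkquarantine_b', ''),
    DataRuleCreationTime=column_ifexists('data_ruleCreationTime_d', ''),
    DataRuleDescription=column_ifexists('data_ruleDescription_s', ''),
    DataRuleExpirationMode=column_ifexists('data_ruleExpirationMode_s', ''),
    DataRuleId=column_ifexists('data_ruleId_d', ''),
    DataRuleName=column_ifexists('data_ruleName_s', ''),
    DataRuleQueryDetails=column_ifexists('data_ruleQueryDetails_s', ''),
    DataRuleQueryType=column_ifexists('data_ruleQueryType_s', ''),
    DataRuleSeverity=column_ifexists('data_ruleSeverity_s', ''),
    DataScopeId=column_ifexists('data_scopeId_d', ''),
    DataStatus=column_ifexists('data_status_s', ''),
    DataSystemUser=column_ifexists('data_systemUser_d', ''),
    DataTreatasthreat=column_ifexists('data_treatasthreat_s', ''),
    DataUserId=column_ifexists('data_userId_d', ''),
    DataUserName=column_ifexists('data_userName_s', ''),
    EventSubStatus=column_ifexists('secondaryDescription_s', ''),
    AgentId=column_ifexists('agentId_s', ''),
    DataComputerName=column_ifexists('data_computerName_s', ''),
    DataExternalIp=column_ifexists('data_externalIp_s', ''),
    DataGroupName=column_ifexists('data_groupName_s', ''),
    DataSystem=column_ifexists('data_system_b', ''),
    DataUuid=column_ifexists('data_uuid_g', ''),
    GroupId=column_ifexists('groupId_s', ''),
    GroupName=column_ifexists('groupName_s', ''),
    DataGroup=column_ifexists('data_group_s', ''),
    DataOptionalGroups=column_ifexists('data_optionalGroups_s', ''),
    DataCreatedAt=column_ifexists('data_createdAt_t', ''),
    DataDownloadUrl=column_ifexists('data_downloadUrl_s', ''),
    DataFilePath=column_ifexists('data_filePath_s', ''),
    DataFilename=column_ifexists('data_filename_s', ''),
    DataUploadedFilename=column_ifexists('data_uploadedFilename_s', ''),
    Comments=column_ifexists('comments_s', ''),
    DataNewValue=column_ifexists('data_newValue_s', ''),
    DataPolicyId=column_ifexists('data_policy_id_s', ''),
    DataPolicyName=column_ifexists('data_policyName_s', ''),
    DataNewValueb=column_ifexists('data_newValue_b', ''),
    DataShouldReboot=column_ifexists('data_shouldReboot_b', ''),
    DataRoleName=column_ifexists('data_roleName_s', ''),
    DataScopeLevelName=column_ifexists('data_scopeLevelName_s', ''),
    ActiveDirectoryComputerDistinguishedName=column_ifexists('activeDirectory_computerDistinguishedName_s', ''),
    ActiveDirectoryComputerMemberOf=column_ifexists('activeDirectory_computerMemberOf_s', ''),
    ActiveDirectoryLastUserDistinguishedName=column_ifexists('activeDirectory_lastUserDistinguishedName_s', ''),
    ActiveDirectoryLastUserMemberOf=column_ifexists('activeDirectory_lastUserMemberOf_s', ''),
    ActiveThreats=column_ifexists('activeThreats_d', ''),
    AgentVersion=column_ifexists('agentVersion_s', ''),
    AllowRemoteShell=column_ifexists('allowRemoteShell_b', ''),
    AppsVulnerabilityStatus=column_ifexists('appsVulnerabilityStatus_s', ''),
    ComputerName=column_ifexists('computerName_s', ''),
    ConsoleMigrationStatus=column_ifexists('consoleMigrationStatus_s', ''),
    CoreCount=column_ifexists('coreCount_d', ''),
    CpuCount=column_ifexists('cpuCount_d', ''),
    CpuId=column_ifexists('cpuId_s', ''),
    SrcDvcDomain=column_ifexists('domain_s', ''),
    EncryptedApplications=column_ifexists('encryptedApplications_b', ''),
    ExternalId=column_ifexists('externalId_s', ''),
    ExternalIp=column_ifexists('externalIp_s', ''),
    FirewallEnabled=column_ifexists('firewallEnabled_b', ''),
    GroupIp=column_ifexists('groupIp_s', ''),
    InRemoteShellSession=column_ifexists('inRemoteShellSession_b', ''),
    Infected=column_ifexists('infected_b', ''),
    InstallerType=column_ifexists('installerType_s', ''),
    IsActive=column_ifexists('isActive_b', ''),
    IsDecommissioned=column_ifexists('isDecommissioned_b', ''),
    IsPendingUninstall=column_ifexists('isPendingUninstall_b', ''),
    IsUninstalled=column_ifexists('isUninstalled_b', ''),
    IsUpToDate=column_ifexists('isUpToDate_b', ''),
    LastActiveDate=column_ifexists('lastActiveDate_t', ''),
    LastIpToMgmt=column_ifexists('lastIpToMgmt_s', ''),
    LastLoggedInUserName=column_ifexists('lastLoggedInUserName_s', ''),
    // Sensitive: see header note.
    LicenseKey=column_ifexists('licenseKey_s', ''),
    LocationEnabled=column_ifexists('locationEnabled_b', ''),
    LocationType=column_ifexists('locationType_s', ''),
    Locations=column_ifexists('locations_s', ''),
    MachineType=column_ifexists('machineType_s', ''),
    MitigationMode=column_ifexists('mitigationMode_s', ''),
    MitigationModeSuspicious=column_ifexists('mitigationModeSuspicious_s', ''),
    SrcDvcModelName=column_ifexists('modelName_s', ''),
    NetworkInterfaces=column_ifexists('networkInterfaces_s', ''),
    NetworkQuarantineEnabled=column_ifexists('networkQuarantineEnabled_b', ''),
    NetworkStatus=column_ifexists('networkStatus_s', ''),
    OperationalState=column_ifexists('operationalState_s', ''),
    OsArch=column_ifexists('osArch_s', ''),
    SrcDvcOs=column_ifexists('osName_s', ''),
    OsRevision=column_ifexists('osRevision_s', ''),
    OsStartTime=column_ifexists('osStartTime_t', ''),
    OsType=column_ifexists('osType_s', ''),
    RangerStatus=column_ifexists('rangerStatus_s', ''),
    RangerVersion=column_ifexists('rangerVersion_s', ''),
    RegisteredAt=column_ifexists('registeredAt_t', ''),
    RemoteProfilingState=column_ifexists('remoteProfilingState_s', ''),
    ScanFinishedAt=column_ifexists('scanFinishedAt_t', ''),
    ScanStartedAt=column_ifexists('scanStartedAt_t', ''),
    ScanStatus=column_ifexists('scanStatus_s', ''),
    ThreatRebootRequired=column_ifexists('threatRebootRequired_b', ''),
    TotalMemory=column_ifexists('totalMemory_d', ''),
    UserActionsNeeded=column_ifexists('userActionsNeeded_s', ''),
    Uuid=column_ifexists('uuid_g', ''),
    Creator=column_ifexists('creator_s', ''),
    CreatorId=column_ifexists('creatorId_s', ''),
    Inherits=column_ifexists('inherits_b', ''),
    IsDefault=column_ifexists('isDefault_b', ''),
    Name=column_ifexists('name_s', ''),
    // Sensitive: see header note.
    RegistrationToken=column_ifexists('registrationToken_s', ''),
    TotalAgents=column_ifexists('totalAgents_d', ''),
    Type=column_ifexists('type_s', '')
// AccountId was previously extended above but never projected, so the
// account-scoping column silently disappeared from the view; it is now
// emitted next to AccountName. All other columns are unchanged.
| project
    TimeGenerated,
    EventVendor,
    EventProduct,
    AccountId,
    AccountName,
    ActivityType,
    EventCreationTime,
    DataAccountName,
    DataFullScopeDetails,
    DataScopeLevel,
    DataScopeName,
    DataSiteId,
    DataSiteName,
    SrcUserName,
    EventId,
    EventOriginalMessage,
    SiteId,
    SiteName,
    UpdatedAt,
    UserIdentity,
    EventType,
    DataByUser,
    DataRole,
    DataUserScope,
    EventTypeDetailed,
    DataSource,
    DataExpiryDateStr,
    DataExpiryTime,
    DataNetworkquarantine,
    DataRuleCreationTime,
    DataRuleDescription,
    DataRuleExpirationMode,
    DataRuleId,
    DataRuleName,
    DataRuleQueryDetails,
    DataRuleQueryType,
    DataRuleSeverity,
    DataScopeId,
    DataStatus,
    DataSystemUser,
    DataTreatasthreat,
    DataUserId,
    DataUserName,
    EventSubStatus,
    AgentId,
    DataComputerName,
    DataExternalIp,
    DataGroupName,
    DataSystem,
    DataUuid,
    GroupId,
    GroupName,
    DataGroup,
    DataOptionalGroups,
    DataCreatedAt,
    DataDownloadUrl,
    DataFilePath,
    DataFilename,
    DataUploadedFilename,
    Comments,
    DataNewValue,
    DataPolicyId,
    DataPolicyName,
    DataNewValueb,
    DataShouldReboot,
    DataRoleName,
    DataScopeLevelName,
    ActiveDirectoryComputerDistinguishedName,
    ActiveDirectoryComputerMemberOf,
    ActiveDirectoryLastUserDistinguishedName,
    ActiveDirectoryLastUserMemberOf,
    ActiveThreats,
    AgentVersion,
    AllowRemoteShell,
    AppsVulnerabilityStatus,
    ComputerName,
    ConsoleMigrationStatus,
    CoreCount,
    CpuCount,
    CpuId,
    SrcDvcDomain,
    EncryptedApplications,
    ExternalId,
    ExternalIp,
    FirewallEnabled,
    GroupIp,
    InRemoteShellSession,
    Infected,
    InstallerType,
    IsActive,
    IsDecommissioned,
    IsPendingUninstall,
    IsUninstalled,
    IsUpToDate,
    LastActiveDate,
    LastIpToMgmt,
    LastLoggedInUserName,
    LicenseKey,
    LocationEnabled,
    LocationType,
    Locations,
    MachineType,
    MitigationMode,
    MitigationModeSuspicious,
    SrcDvcModelName,
    NetworkInterfaces,
    NetworkQuarantineEnabled,
    NetworkStatus,
    OperationalState,
    OsArch,
    SrcDvcOs,
    OsRevision,
    OsStartTime,
    OsType,
    RangerStatus,
    RangerVersion,
    RegisteredAt,
    RemoteProfilingState,
    ScanFinishedAt,
    ScanStartedAt,
    ScanStatus,
    ThreatRebootRequired,
    TotalMemory,
    UserActionsNeeded,
    Uuid,
    Creator,
    CreatorId,
    Inherits,
    IsDefault,
    Name,
    RegistrationToken,
    TotalAgents,
    Type
};
SentinelOne_view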