// Usage instructions:
// Paste the query below into Log Analytics, click the Save button, select Function from the drop-down, and specify Cisco_Umbrella as both the function name and the alias.
// The function usually takes 10-15 minutes to activate. You can then use the function alias from any other query (e.g. Cisco_Umbrella | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions


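// DNS log view: renames the columns of Cisco_Umbrella_dns_CL to the parser's
// common field names and keeps only those fields plus TimeGenerated.
// column_ifexists() substitutes a default when the source column does not
// exist, so a renamed or missing column yields empty values instead of a query
// error; rules that filter on these fields then silently match nothing.
// NOTE(review): this view emits IdentityTypes, while the proxy and cloud
// firewall views emit IdentityType; the union exposes them as two columns.
let Cisco_Umbrella_dns_view = view () {
    Cisco_Umbrella_dns_CL
    | extend
        // Typed null default (the _t suffix marks a datetime custom column):
        // with a '' default this leg would emit a string EventEndTime whenever
        // Timestamp_t is absent, and a union with legs that do have the column
        // would split the field into per-type columns.
        EventEndTime=column_ifexists('Timestamp_t', datetime(null)),
        SrcIpAddr=column_ifexists('InternalIp_s', ''),
        SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),
        DvcAction=column_ifexists('Action_s', ''),
        DnsQueryName=column_ifexists('Domain_s', ''),
        UrlCategory=column_ifexists('Categories_s', ''),
        ThreatCategory=column_ifexists('Blocked_Categories_s', ''),
        Identities=column_ifexists('Identities_s', ''),
        DnsQueryTypeName=column_ifexists('QueryType_s', ''),
        DnsResponseCodeName=column_ifexists('ResponseCode_s', ''),
        IdentityTypes=column_ifexists('Identity_Types_s', ''),
        EventType=column_ifexists('EventType_s', ''),
        PolicyIdentity=column_ifexists('Policy_Identity_s', ''),
        PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', '')
    // Drop the raw connector columns; only the renamed fields are returned.
    | project
        TimeGenerated,
        EventEndTime,
        SrcIpAddr,
        SrcNatIpAddr,
        DvcAction,
        DnsQueryName,
        UrlCategory,
        ThreatCategory,
        Identities,
        DnsQueryTypeName,
        DnsResponseCodeName,
        IdentityTypes,
        EventType,
        PolicyIdentity,
        PolicyIdentityType
};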
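// Proxy (web) log view: renames the columns of Cisco_Umbrella_proxy_CL to the
// parser's common field names and keeps only those fields plus TimeGenerated.
// column_ifexists() substitutes a default when the source column does not
// exist, so a renamed or missing column yields empty values instead of a query
// error; rules that filter on verdict, hash or URL fields then silently match
// nothing.
let Cisco_Umbrella_proxy_view = view () {
    Cisco_Umbrella_proxy_CL
    | extend
        EventType=column_ifexists('EventType_s', ''),
        // Typed null default (the _t suffix marks a datetime custom column):
        // a '' default would make this field a string when the column is
        // absent and the union would split it into per-type columns.
        EventEndTime=column_ifexists('Timestamp_t', datetime(null)),
        PolicyIdentity=column_ifexists('Policy_Identity_s', ''),
        SrcIpAddr=column_ifexists('Internal_IP_s', ''),
        SrcNatIpAddr=column_ifexists('External_IP_s', ''),
        DstIpAddr=column_ifexists('Destination_IP_s', ''),
        HttpContentType=column_ifexists('Content_Type_s', ''),
        DvcAction=column_ifexists('Verdict_s', ''),
        UrlOriginal=column_ifexists('URL_s', ''),
        HttpReferrerOriginal=column_ifexists('Referer_s', ''),
        HttpUserAgentOriginal=column_ifexists('userAgent_s', ''),
        HttpStatusCode=column_ifexists('statusCode_s', ''),
        // Size columns carry the _d (real) suffix; a real(null) default keeps
        // them numeric, so sum()/avg() and threshold comparisons keep working
        // when a column is missing.
        SrcBytes=column_ifexists('requestSize_d', real(null)),
        DstBytes=column_ifexists('responseSize_d', real(null)),
        HttpResponseBodyBytes=column_ifexists('responseBodySize_d', real(null)),
        // NOTE(review): 'SHA-SHA256_s' contains a hyphen; confirm it matches
        // the column name the connector actually writes, otherwise HashSha256
        // is always empty and hash-based matching never fires.
        HashSha256=column_ifexists('SHA-SHA256_s', ''),
        UrlCategory=column_ifexists('Categories_s', ''),
        AvDetections=column_ifexists('AVDetections_s', ''),
        Puas=column_ifexists('PUAs_s', ''),
        AmpDisposition=column_ifexists('AMP_Disposition_s', ''),
        ThreatName=column_ifexists('AMP_Malware_Name_s', ''),
        AmpScore=column_ifexists('AMP_Score_s', ''),
        PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', ''),
        ThreatCategory=column_ifexists('Blocked_Categories_s', ''),
        Identities=column_ifexists('Identities_s', ''),
        IdentityType=column_ifexists('Identity_Type_s', ''),
        HttpRequestMethod=column_ifexists('Request_Method_s', ''),
        DLPStatus=column_ifexists('DLP_Status_s', ''),
        CertificateErrors=column_ifexists('Certificate_Errors_s', ''),
        FileName=column_ifexists('File_Name_s', ''),
        RuleID=column_ifexists('Rule_ID_s', ''),
        RulesetID=column_ifexists('Ruleset_ID_s', ''),
        DestinationListIDs=column_ifexists('Destination_List_IDs_s', '')
    // Drop the raw connector columns; only the renamed fields are returned.
    | project
        TimeGenerated,
        EventType,
        EventEndTime,
        PolicyIdentity,
        SrcIpAddr,
        SrcNatIpAddr,
        DstIpAddr,
        HttpContentType,
        DvcAction,
        UrlOriginal,
        HttpReferrerOriginal,
        HttpUserAgentOriginal,
        HttpStatusCode,
        SrcBytes,
        DstBytes,
        HttpResponseBodyBytes,
        HashSha256,
        UrlCategory,
        AvDetections,
        Puas,
        AmpDisposition,
        ThreatName,
        AmpScore,
        PolicyIdentityType,
        ThreatCategory,
        Identities,
        IdentityType,
        HttpRequestMethod,
        DLPStatus,
        CertificateErrors,
        FileName,
        RuleID,
        RulesetID,
        DestinationListIDs
};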
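// IP log view: renames the columns of Cisco_Umbrella_ip_CL to the parser's
// common field names and keeps only those fields plus TimeGenerated.
// column_ifexists() substitutes a default when the source column does not
// exist, so a renamed or missing column yields empty values instead of a query
// error; rules that filter on these fields then silently match nothing.
let Cisco_Umbrella_ip_view = view () {
    Cisco_Umbrella_ip_CL
    | extend
        EventType=column_ifexists('EventType_s', ''),
        // Typed null default (the _t suffix marks a datetime custom column):
        // a '' default would make this field a string when the column is
        // absent and the union would split it into per-type columns.
        EventEndTime=column_ifexists('Timestamp_t', datetime(null)),
        Identities=column_ifexists('Identity_s', ''),
        SrcIpAddr=column_ifexists('Source_IP_s', ''),
        // Ports are read from string (_s) columns; cast with toint() before
        // doing numeric comparisons on them.
        SrcPortNumber=column_ifexists('Source_Port_s', ''),
        DstIpAddr=column_ifexists('Destination_IP_s', ''),
        DstPortNumber=column_ifexists('Destination_Port_s', ''),
        UrlCategory=column_ifexists('Categories_s', '')
    // Drop the raw connector columns; only the renamed fields are returned.
    | project
        TimeGenerated,
        EventType,
        EventEndTime,
        Identities,
        SrcIpAddr,
        SrcPortNumber,
        DstIpAddr,
        DstPortNumber,
        UrlCategory
};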
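// Cloud firewall log view: renames the columns of
// Cisco_Umbrella_cloudfirewall_CL to the parser's common field names and keeps
// only those fields plus TimeGenerated.
// column_ifexists() substitutes a default when the source column does not
// exist, so a renamed or missing column yields empty values instead of a query
// error; rules that filter on verdict or address fields then silently match
// nothing.
let Cisco_Umbrella_cloudfirewall_view = view () {
    Cisco_Umbrella_cloudfirewall_CL
    | extend
        EventType=column_ifexists('EventType_s', ''),
        // Typed null default (the _t suffix marks a datetime custom column):
        // a '' default would make this field a string when the column is
        // absent and the union would split it into per-type columns.
        EventEndTime=column_ifexists('Timestamp_t', datetime(null)),
        NetworkSessionId=column_ifexists('originId_s', ''),
        // NOTE(review): the rule name is taken from Identity_s and the session
        // id from originId_s; confirm these mappings are intended.
        NetworkRuleName=column_ifexists('Identity_s', ''),
        IdentityType=column_ifexists('Identity_Type_s', ''),
        NetworkDirection=column_ifexists('Direction_s', ''),
        NetworkProtocol=column_ifexists('ipProtocol_s', ''),
        // NOTE(review): packetSize_s looks like a size, not a packet count;
        // confirm before using NetworkPackets in volume-based rules.
        NetworkPackets=column_ifexists('packetSize_s', ''),
        SrcIpAddr=column_ifexists('sourceIp_s', ''),
        SrcPortNumber=column_ifexists('sourcePort_s', ''),
        DstIpAddr=column_ifexists('destinationIp_s', ''),
        DstPortNumber=column_ifexists('destinationPort_s', ''),
        DvcHostname=column_ifexists('dataCenter_s', ''),
        NetworkRuleNumber=column_ifexists('ruleId_s', ''),
        DvcAction=column_ifexists('verdict_s', '')
    // Drop the raw connector columns; only the renamed fields are returned.
    | project
        TimeGenerated,
        EventType,
        EventEndTime,
        NetworkSessionId,
        NetworkRuleName,
        IdentityType,
        NetworkDirection,
        NetworkProtocol,
        NetworkPackets,
        SrcIpAddr,
        SrcPortNumber,
        DstIpAddr,
        DstPortNumber,
        DvcHostname,
        NetworkRuleNumber,
        DvcAction
};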
// Parser output: rows of all four log-type views in one result set.
// isfuzzy=true lets the union succeed when some of the underlying tables do
// not exist in the workspace; those legs are skipped without an error, so a
// missing or renamed table shows up only as absent rows. Monitor ingestion of
// each source table separately rather than relying on this query to fail.
union isfuzzy=true
    Cisco_Umbrella_dns_view,
    Cisco_Umbrella_proxy_view,
    Cisco_Umbrella_ip_view,
    Cisco_Umbrella_cloudfirewall_view