// Usage Instruction : // Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as Cisco_Umbrella. // Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. Cisco_Umbrella | take 10). // Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions let Cisco_Umbrella_dns_view = view () { Cisco_Umbrella_dns_CL | extend EventEndTime=column_ifexists('Timestamp_t', ''), SrcIpAddr=column_ifexists('InternalIp_s', ''), SrcNatIpAddr=column_ifexists('ExternalIp_s', ''), DvcAction=column_ifexists('Action_s', ''), DnsQueryName=column_ifexists('Domain_s', ''), UrlCategory=column_ifexists('Categories_s', ''), ThreatCategory=column_ifexists('Blocked_Categories_s', ''), Identities=column_ifexists('Identities_s', ''), DnsQueryTypeName=column_ifexists('QueryType_s', ''), DnsResponseCodeName=column_ifexists('ResponseCode_s', ''), IdentityTypes=column_ifexists('Identity_Types_s', ''), EventType=column_ifexists('EventType_s', ''), PolicyIdentity=column_ifexists('Policy_Identity_s', ''), PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', '') | project TimeGenerated, EventEndTime, SrcIpAddr, SrcNatIpAddr, DvcAction, DnsQueryName, UrlCategory, ThreatCategory, Identities, DnsQueryTypeName, DnsResponseCodeName, IdentityTypes, EventType, PolicyIdentity, PolicyIdentityType }; let Cisco_Umbrella_proxy_view = view () { Cisco_Umbrella_proxy_CL | extend EventType=column_ifexists('EventType_s', ''), EventEndTime=column_ifexists('Timestamp_t', ''), PolicyIdentity=column_ifexists('Policy_Identity_s', ''), SrcIpAddr=column_ifexists('Internal_IP_s', ''), SrcNatIpAddr=column_ifexists('External_IP_s', ''), DstIpAddr=column_ifexists('Destination_IP_s', ''), HttpContentType=column_ifexists('Content_Type_s', ''), DvcAction=column_ifexists('Verdict_s', ''), UrlOriginal=column_ifexists('URL_s', ''), HttpReferrerOriginal=column_ifexists('Referer_s', ''), HttpUserAgentOriginal=column_ifexists('userAgent_s', ''), HttpStatusCode=column_ifexists('statusCode_s', ''), SrcBytes=column_ifexists('requestSize_d', ''), DstBytes=column_ifexists('responseSize_d', ''), HttpResponseBodyBytes=column_ifexists('responseBodySize_d', ''), HashSha256=column_ifexists('SHA-SHA256_s', ''), UrlCategory=column_ifexists('Categories_s', ''), AvDetections=column_ifexists('AVDetections_s', ''), Puas=column_ifexists('PUAs_s', ''), AmpDisposition=column_ifexists('AMP_Disposition_s', ''), ThreatName=column_ifexists('AMP_Malware_Name_s', ''), AmpScore=column_ifexists('AMP_Score_s', ''), PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', ''), ThreatCategory=column_ifexists('Blocked_Categories_s', ''), Identities=column_ifexists('Identities_s', ''), IdentityType=column_ifexists('Identity_Type_s', ''), HttpRequestMethod=column_ifexists('Request_Method_s', ''), DLPStatus=column_ifexists('DLP_Status_s', ''), CertificateErrors=column_ifexists('Certificate_Errors_s', ''), FileName=column_ifexists('File_Name_s', ''), RuleID=column_ifexists('Rule_ID_s', ''), RulesetID=column_ifexists('Ruleset_ID_s', ''), DestinationListIDs=column_ifexists('Destination_List_IDs_s', '') | project TimeGenerated, EventType, EventEndTime, PolicyIdentity, SrcIpAddr, SrcNatIpAddr, DstIpAddr, HttpContentType, DvcAction, UrlOriginal, HttpReferrerOriginal, HttpUserAgentOriginal, HttpStatusCode, SrcBytes, DstBytes, HttpResponseBodyBytes, HashSha256, UrlCategory, AvDetections, Puas, AmpDisposition, ThreatName, AmpScore, PolicyIdentityType, ThreatCategory, Identities, IdentityType, HttpRequestMethod, DLPStatus, CertificateErrors, FileName, RuleID, RulesetID, DestinationListIDs }; let Cisco_Umbrella_ip_view = view () { Cisco_Umbrella_ip_CL | extend EventType=column_ifexists('EventType_s', ''), EventEndTime=column_ifexists('Timestamp_t', ''), Identities=column_ifexists('Identity_s', ''), SrcIpAddr=column_ifexists('Source_IP_s', ''), SrcPortNumber=column_ifexists('Source_Port_s', ''), DstIpAddr=column_ifexists('Destination_IP_s', ''), DstPortNumber=column_ifexists('Destination_Port_s', ''), UrlCategory=column_ifexists('Categories_s', '') | project TimeGenerated, EventType, EventEndTime, Identities, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, UrlCategory }; let Cisco_Umbrella_cloudfirewall_view = view () { Cisco_Umbrella_cloudfirewall_CL | extend EventType=column_ifexists('EventType_s', ''), EventEndTime=column_ifexists('Timestamp_t', ''), NetworkSessionId=column_ifexists('originId_s', ''), NetworkRuleName=column_ifexists('Identity_s', ''), IdentityType=column_ifexists('Identity_Type_s', ''), NetworkDirection=column_ifexists('Direction_s', ''), NetworkProtocol=column_ifexists('ipProtocol_s', ''), NetworkPackets=column_ifexists('packetSize_s', ''), SrcIpAddr=column_ifexists('sourceIp_s', ''), SrcPortNumber=column_ifexists('sourcePort_s', ''), DstIpAddr=column_ifexists('destinationIp_s', ''), DstPortNumber=column_ifexists('destinationPort_s', ''), DvcHostname=column_ifexists('dataCenter_s', ''), NetworkRuleNumber=column_ifexists('ruleId_s', ''), DvcAction=column_ifexists('verdict_s', '') | project TimeGenerated, EventType, EventEndTime, NetworkSessionId, NetworkRuleName, IdentityType, NetworkDirection, NetworkProtocol, NetworkPackets, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DvcHostname, NetworkRuleNumber, DvcAction }; union isfuzzy=true Cisco_Umbrella_dns_view, Cisco_Umbrella_proxy_view, Cisco_Umbrella_ip_view, Cisco_Umbrella_cloudfirewall_view