// Fortinet FortiNDR Cloud parser function.
// Reads the three FncEvents*_CL custom-log tables (Suricata alerts, observations, detections),
// maps each raw column onto a stable, prefixed name (su_* / ob_* / de_*) and unions the results so
// downstream content can query a single alias instead of three table-specific schemas.
//
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by
// specifying function name and alias as Fortinet_FortiNDR_Cloud.
// Function usually takes 10-15 minutes to activate. You can then use function alias from any other
// queries (e.g. Fortinet_FortiNDR_Cloud | take 10).
// Reference : Using functions in Azure monitor log queries :
// https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
// Every raw column is read through column_ifexists(<raw column>, '') so the function still compiles
// in a workspace where a given field has never been ingested.
// NOTE(review): the '' default is a string. When a _d (real), _b (bool), _t (datetime) or _g (guid)
// column is absent, the parsed column therefore surfaces as an empty string rather than a typed null,
// so numeric/boolean/datetime comparisons written against these fields should be confirmed in a
// workspace where the raw column is missing.
// The Log Analytics Type column (source table name) is passed through by every view so rows coming
// out of the union can be attributed to their originating table.

// Suricata alert events (FncEventsSuricata_CL) -> su_* columns.
// Suricata rows name the destination dest_ip_s / dest_port_d, whereas observations use dst_ip_s.
let FortiNDR_Cloud_suricata_view = view () {
    FncEventsSuricata_CL
    | extend
        // Event envelope
        su_timestamp=column_ifexists('timestamp_t',''),
        su_uuid=column_ifexists('uuid_g',''),
        su_event_type=column_ifexists('event_type_s',''),
        su_customer_id=column_ifexists('customer_id_s',''),
        su_sensor_id=column_ifexists('sensor_id_s',''),
        su_source=column_ifexists('source_s',''),
        // Network 5-tuple
        su_src_ip=column_ifexists('src_ip_s',''),
        su_src_port=column_ifexists('src_port_d',''),
        su_dst_ip=column_ifexists('dest_ip_s',''),
        su_dst_port=column_ifexists('dest_port_d',''),
        su_proto=column_ifexists('proto_s',''),
        // Signature that fired
        su_sig_id=column_ifexists('alert_signature_id_d',''),
        su_sig_rev=column_ifexists('alert_rev_d',''),
        su_sig_name=column_ifexists('alert_signature_s',''),
        su_sig_category=column_ifexists('alert_category_s',''),
        su_sig_severity=column_ifexists('alert_severity_d',''),
        // Source IP enrichments (internal flag, geo, ASN, asset annotations)
        su_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),
        su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),
        su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),
        su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),
        su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),
        su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),
        su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),
        su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),
        su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),
        su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),
        su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),
        su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),
        su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),
        su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),
        su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),
        su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),
        // Destination IP enrichments (same layout as the source block)
        su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),
        su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),
        su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),
        su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),
        su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),
        su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),
        su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),
        su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),
        su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),
        su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),
        su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),
        su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),
        su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),
        su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),
        su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),
        su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),
        su_geo_distance=column_ifexists('geo_distance_d',''),
        // HTTP layer of the alert, plus enrichments of the HTTP hostname's resolved IP
        su_http_status=column_ifexists('http_status_d',''),
        su_http_protocol=column_ifexists('http_protocol_s',''),
        su_http_url=column_ifexists('http_url_s',''),
        su_http_hostname=column_ifexists('http_hostname_s',''),
        su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b',''),
        su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d',''),
        su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d',''),
        su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),
        su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),
        su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d',''),
        su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),
        su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),
        su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),
        su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),
        su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),
        su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),
        su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),
        su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),
        su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),
        su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),
        su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d',''),
        su_http_length=column_ifexists('http_length_d',''),
        su_http_method=column_ifexists('http_http_method_s',''),
        su_http_content_type=column_ifexists('http_http_content_type_s',''),
        su_http_refer=column_ifexists('http_http_refer_s',''),
        su_http_user_agent=column_ifexists('http_http_user_agent_s',''),
        su_http_redirect=column_ifexists('http_redirect_s',''),
        su_http_xtf=column_ifexists('http_xtf_s',''),
        // NOTE(review): su_payload, su_http_url, su_http_refer and su_http_user_agent presumably carry
        // content captured from the observed traffic; treat them as untrusted text when rendering in
        // workbooks or feeding them into further parsing.
        su_payload=column_ifexists('payload_s',''),
        su_intel=column_ifexists('intel_s','')
    // Fixed output column order; every su_* column above is kept, raw columns are dropped.
    | project
        su_timestamp, su_event_type, su_src_ip, su_src_port, su_dst_ip, su_dst_port, su_intel,
        su_sig_name, su_sig_id, su_sig_rev, su_sig_category, su_sig_severity, su_payload, su_source,
        su_proto, su_sensor_id,
        su_src_internal, su_src_geo_lat, su_src_geo_lon, su_src_geo_country, su_src_geo_subdivision,
        su_src_geo_city, su_src_asn_asn, su_src_asn_org, su_src_asn_isp, su_src_asn_asn_org,
        su_src_annotations_applications, su_src_annotations_environments, su_src_annotations_locations,
        su_src_annotations_owners, su_src_annotations_roles, su_src_annotations_tags,
        su_dst_internal, su_dst_geo_lat, su_dst_geo_lon, su_dst_geo_country, su_dst_geo_subdivision,
        su_dst_geo_city, su_dst_asn_asn, su_dst_asn_org, su_dst_asn_isp, su_dst_asn_asn_org,
        su_dst_annotations_applications, su_dst_annotations_environments, su_dst_annotations_locations,
        su_dst_annotations_owners, su_dst_annotations_roles, su_dst_annotations_tags,
        su_geo_distance,
        su_http_status, su_http_protocol, su_http_url, su_http_hostname, su_http_host_internal,
        su_http_host_geo_lat, su_http_host_geo_lon, su_http_host_geo_country, su_http_host_geo_subdivision,
        su_http_host_geo_city, su_http_host_asn_asn, su_http_host_asn_org, su_http_host_asn_isp,
        su_http_host_asn_asn_org, su_http_host_annotations_applications, su_http_host_annotations_environments,
        su_http_host_annotations_locations, su_http_host_annotations_owners, su_http_host_annotations_roles,
        su_http_host_annotations_tags, su_http_host_domain_entropy, su_http_length, su_http_method,
        su_http_content_type, su_http_refer, su_http_user_agent, su_http_redirect, su_http_xtf,
        su_uuid, su_customer_id, Type
};

// Observation events (FncEventsObservation_CL) -> ob_* columns.
let FortiNDR_Cloud_observation_view = view () {
    FncEventsObservation_CL
    | extend
        // Event envelope
        ob_timestamp=column_ifexists('timestamp_t',''),
        ob_uuid=column_ifexists('uuid_g',''),
        ob_event_type=column_ifexists('event_type_s',''),
        ob_customer_id=column_ifexists('customer_id_s',''),
        ob_sensor_id=column_ifexists('sensor_id_s',''),
        ob_source=column_ifexists('source_s',''),
        // Observation identity and the evidence window it was built from
        ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t',''),
        ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t',''),
        ob_observation_uuid=column_ifexists('observation_uuid_g',''),
        ob_observation_title=column_ifexists('title_s',''),
        ob_confidence=column_ifexists('confidence_s',''),
        // Endpoints involved
        ob_src_ip=column_ifexists('src_ip_s',''),
        ob_dst_ip=column_ifexists('dst_ip_s',''),
        // Source IP enrichments (internal flag, geo, ASN, asset annotations)
        ob_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),
        ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),
        ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),
        ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),
        ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),
        ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),
        ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),
        ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),
        ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),
        ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),
        ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),
        ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),
        ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),
        ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),
        ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),
        ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),
        // Destination IP enrichments (same layout as the source block)
        ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),
        ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),
        ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),
        ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),
        ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),
        ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),
        ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),
        ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),
        ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),
        ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),
        ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),
        ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),
        ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),
        ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),
        ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),
        ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),
        ob_geo_distance=column_ifexists('geo_distance_d',''),
        // Analyst-facing context for the observation
        ob_sensor_ids=column_ifexists('sensor_ids_s',''),
        ob_evidence_iql=column_ifexists('evidence_iql_s',''),
        ob_description=column_ifexists('description_s',''),
        ob_context=column_ifexists('context_s',''),
        ob_class=column_ifexists('class_s',''),
        ob_intel=column_ifexists('intel_s', ''),
        // NOTE(review): 'Category' is the only raw column in this file without a type suffix
        // (every other string field is *_s); confirm against the ingested table schema that this
        // is the actual column name, otherwise ob_category will always be ''.
        ob_category=column_ifexists('Category', '')
    // Fixed output column order; every ob_* column above is kept, raw columns are dropped.
    | project
        ob_timestamp, ob_observation_title, ob_confidence, ob_category, ob_class, ob_context,
        ob_evidence_iql, ob_evidence_end_timestamp, ob_evidence_start_timestamp, ob_description,
        ob_observation_uuid, ob_sensor_ids, ob_event_type, ob_src_ip, ob_dst_ip, ob_intel, ob_source,
        ob_sensor_id,
        ob_src_internal, ob_src_geo_lat, ob_src_geo_lon, ob_src_geo_country, ob_src_geo_subdivision,
        ob_src_geo_city, ob_src_asn_asn, ob_src_asn_org, ob_src_asn_isp, ob_src_asn_asn_org,
        ob_src_annotations_applications, ob_src_annotations_environments, ob_src_annotations_locations,
        ob_src_annotations_owners, ob_src_annotations_roles, ob_src_annotations_tags,
        ob_dst_internal, ob_dst_geo_lat, ob_dst_geo_lon, ob_dst_geo_country, ob_dst_geo_subdivision,
        ob_dst_geo_city, ob_dst_asn_asn, ob_dst_asn_org, ob_dst_asn_isp, ob_dst_asn_asn_org,
        ob_dst_annotations_applications, ob_dst_annotations_environments, ob_dst_annotations_locations,
        ob_dst_annotations_owners, ob_dst_annotations_roles, ob_dst_annotations_tags,
        ob_geo_distance, ob_uuid, ob_customer_id, Type
};

// Detection events (FncEventsDetections_CL) -> de_* columns.
// No filtering is applied here: muted detections (de_muted / de_rule_muted) and resolved ones
// (de_status, de_resolution) are all returned, so consumers that want only open, unmuted
// detections must filter them explicitly.
let FortiNDR_Cloud_detections_view = view () {
    FncEventsDetections_CL
    | extend
        // Tenant / asset / rule that produced the detection
        de_account_id=column_ifexists('account_uuid_g', ''),
        de_device_ip=column_ifexists('device_ip_s',''),
        de_rule_name=column_ifexists('rule_name_s',''),
        de_severity=column_ifexists('rule_severity_s',''),
        de_confidence=column_ifexists('rule_confidence_s',''),
        de_sensor_id=column_ifexists('sensor_id_s',''),
        // Mute state (detection-level and rule-level) and who/when it was muted
        de_muted=column_ifexists('muted_b',''),
        de_rule_muted=column_ifexists('muted_rule_b',''),
        de_rule_uuid=column_ifexists('rule_uuid_g',''),
        de_mute_comment=column_ifexists('muted_comment_s',''),
        de_muted_by=column_ifexists('muted_user_uuid_g', ''),
        de_date_muted=column_ifexists('muted_timestamp_t', ''),
        // Resolution state and who/when it was resolved
        de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),
        de_date_resolved=column_ifexists('resolution_timestamp_t', ''),
        de_resolution=column_ifexists('resolution_s', ''),
        de_resolution_comment=column_ifexists('resolution_comment_s', ''),
        // Lifecycle timestamps
        de_first_seen=column_ifexists('first_seen_t',''),
        de_last_seen=column_ifexists('last_seen_t',''),
        de_created=column_ifexists('created_t',''),
        de_updated=column_ifexists('updated_t',''),
        de_uuid=column_ifexists('uuid_g',''),
        de_status=column_ifexists('status_s',''),
        // Supporting evidence and host context
        de_indicators=column_ifexists('indicators_s',''),
        de_username=column_ifexists('username_s', ''),
        de_hostname=column_ifexists('hostname_s', ''),
        de_category=column_ifexists('rule_category_s', ''),
        de_dhcp=column_ifexists('dhcp_s', ''),
        de_pdns=column_ifexists('PDNS_s', ''),
        de_event_count=column_ifexists('event_count_d', ''),
        de_events=column_ifexists('events_s', '')
    // Fixed output column order; every de_* column above is kept, raw columns are dropped.
    | project
        de_device_ip, de_event_count, de_events, de_indicators, de_last_seen, de_status, de_rule_name,
        de_severity, de_confidence, de_resolved_by, de_resolution, de_resolution_comment, de_date_resolved,
        de_rule_uuid, de_category, de_created, de_updated, de_first_seen, de_muted, de_rule_muted,
        de_mute_comment, de_muted_by, de_date_muted, de_sensor_id, de_account_id, de_uuid, de_username,
        de_hostname, de_dhcp, de_pdns, Type
};

// isfuzzy=true lets the function resolve even when one or more of the three tables has not been
// created in the workspace yet. The three views share no column names other than Type, so each
// output row populates only its own su_*/ob_*/de_* columns and the others are null.
union isfuzzy=true FortiNDR_Cloud_suricata_view, FortiNDR_Cloud_observation_view, FortiNDR_Cloud_detections_view