// Usage Instruction : 
// Paste the query below into Log Analytics, click Save, select Function from the drop-down, and specify the function name and alias as Fortinet_FortiNDR_Cloud.
// The function usually takes 10-15 minutes to activate. You can then use the function alias in any other query (e.g. Fortinet_FortiNDR_Cloud | take 10).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions

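let FortiNDR_Cloud_suricata_view = view () {
    // Normalizes FncEventsSuricata_CL (Suricata alert events) into su_* columns.
    // column_ifexists() keeps the view valid while a column has not been ingested
    // yet. The default passed to it also decides the column's type in that case,
    // so datetime (_t), double (_d) and boolean (_b) columns fall back to a typed
    // null instead of '' — with a string fallback, any downstream comparison
    // against a datetime or number (e.g. a time window or severity threshold)
    // would fail with a type mismatch until the column shows up.
    // guid (_g) columns keep '' because they are consumed as strings.
    FncEventsSuricata_CL
    | extend
        su_timestamp=column_ifexists('timestamp_t', datetime(null)),
        su_uuid=column_ifexists('uuid_g',''),
        su_event_type=column_ifexists('event_type_s',''),
        su_customer_id=column_ifexists('customer_id_s',''),
        su_sensor_id=column_ifexists('sensor_id_s',''),
        su_source=column_ifexists('source_s',''),
        su_src_ip=column_ifexists('src_ip_s',''),
        su_src_port=column_ifexists('src_port_d', real(null)),
        su_dst_ip=column_ifexists('dest_ip_s',''),
        su_dst_port=column_ifexists('dest_port_d', real(null)),
        su_proto=column_ifexists('proto_s',''),
        su_sig_id=column_ifexists('alert_signature_id_d', real(null)),
        su_sig_rev=column_ifexists('alert_rev_d', real(null)),
        su_sig_name=column_ifexists('alert_signature_s',''),
        su_sig_category=column_ifexists('alert_category_s',''),
        su_sig_severity=column_ifexists('alert_severity_d', real(null)),
        // Source-IP enrichments (geo / ASN / asset annotations).
        su_src_internal=column_ifexists('src_ip_enrichments_internal_b', bool(null)),
        su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d', real(null)),
        su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d', real(null)),
        su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),
        su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),
        su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),
        su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d', real(null)),
        su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),
        su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),
        su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),
        su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),
        su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),
        su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),
        su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),
        su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),
        su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),
        // Destination-IP enrichments, same layout as the source side.
        su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b', bool(null)),
        su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d', real(null)),
        su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d', real(null)),
        su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),
        su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),
        su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),
        su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d', real(null)),
        su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),
        su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),
        su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),
        su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),
        su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),
        su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),
        su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),
        su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),
        su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),
        su_geo_distance=column_ifexists('geo_distance_d', real(null)),
        // HTTP fields are copied from observed traffic: URL, hostname, referer,
        // user-agent and payload are attacker-controlled text. Treat them as
        // untrusted data (render-escape in workbooks, never splice them into
        // dynamically built query text).
        su_http_status=column_ifexists('http_status_d', real(null)),
        su_http_protocol=column_ifexists('http_protocol_s',''),
        su_http_url=column_ifexists('http_url_s',''),
        su_http_hostname=column_ifexists('http_hostname_s',''),
        su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b', bool(null)),
        su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d', real(null)),
        su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d', real(null)),
        su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),
        su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),
        su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d', real(null)),
        su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),
        su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),
        su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),
        su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),
        su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),
        su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),
        su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),
        su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),
        su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),
        su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),
        su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d', real(null)),
        su_http_length=column_ifexists('http_length_d', real(null)),
        su_http_method=column_ifexists('http_http_method_s',''),
        su_http_content_type=column_ifexists('http_http_content_type_s',''),
        su_http_refer=column_ifexists('http_http_refer_s',''),
        su_http_user_agent=column_ifexists('http_http_user_agent_s',''),
        su_http_redirect=column_ifexists('http_redirect_s',''),
        su_http_xtf=column_ifexists('http_xtf_s',''),
        su_payload=column_ifexists('payload_s',''),
        su_intel=column_ifexists('intel_s','')
    // Output column order is part of the function's contract — keep it stable.
    // Type (the source table name) is kept so rows of the combined function can
    // still be attributed to their source table.
    | project
        su_timestamp,
        su_event_type,
        su_src_ip,
        su_src_port,
        su_dst_ip,
        su_dst_port,
        su_intel,
        su_sig_name,
        su_sig_id,
        su_sig_rev,
        su_sig_category,
        su_sig_severity,
        su_payload,
        su_source,
        su_proto,
        su_sensor_id,
        su_src_internal,
        su_src_geo_lat,
        su_src_geo_lon,
        su_src_geo_country,
        su_src_geo_subdivision,
        su_src_geo_city,
        su_src_asn_asn,
        su_src_asn_org,
        su_src_asn_isp,
        su_src_asn_asn_org,
        su_src_annotations_applications,
        su_src_annotations_environments,
        su_src_annotations_locations,
        su_src_annotations_owners,
        su_src_annotations_roles,
        su_src_annotations_tags,
        su_dst_internal,
        su_dst_geo_lat,
        su_dst_geo_lon,
        su_dst_geo_country,
        su_dst_geo_subdivision,
        su_dst_geo_city,
        su_dst_asn_asn,
        su_dst_asn_org,
        su_dst_asn_isp,
        su_dst_asn_asn_org,
        su_dst_annotations_applications,
        su_dst_annotations_environments,
        su_dst_annotations_locations,
        su_dst_annotations_owners,
        su_dst_annotations_roles,
        su_dst_annotations_tags,
        su_geo_distance,
        su_http_status,
        su_http_protocol,
        su_http_url,
        su_http_hostname,
        su_http_host_internal,
        su_http_host_geo_lat,
        su_http_host_geo_lon,
        su_http_host_geo_country,
        su_http_host_geo_subdivision,
        su_http_host_geo_city,
        su_http_host_asn_asn,
        su_http_host_asn_org,
        su_http_host_asn_isp,
        su_http_host_asn_asn_org,
        su_http_host_annotations_applications,
        su_http_host_annotations_environments,
        su_http_host_annotations_locations,
        su_http_host_annotations_owners,
        su_http_host_annotations_roles,
        su_http_host_annotations_tags,
        su_http_host_domain_entropy,
        su_http_length,
        su_http_method,
        su_http_content_type,
        su_http_refer,
        su_http_user_agent,
        su_http_redirect,
        su_http_xtf,
        su_uuid,
        su_customer_id,
        Type
};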

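let FortiNDR_Cloud_observation_view = view () {
    // Normalizes FncEventsObservation_CL (FortiNDR Cloud observations) into
    // ob_* columns. column_ifexists() keeps the view valid while a column has
    // not been ingested yet; its default also fixes the column's type in that
    // case, so datetime (_t), double (_d) and boolean (_b) columns fall back to
    // a typed null instead of '' — a string fallback would break any downstream
    // time-window or numeric comparison until the column appears.
    FncEventsObservation_CL
    | extend
        ob_timestamp=column_ifexists('timestamp_t', datetime(null)),
        ob_uuid=column_ifexists('uuid_g',''),
        ob_event_type=column_ifexists('event_type_s',''),
        ob_customer_id=column_ifexists('customer_id_s',''),
        ob_sensor_id=column_ifexists('sensor_id_s',''),
        ob_source=column_ifexists('source_s',''),
        ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t', datetime(null)),
        ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t', datetime(null)),
        ob_observation_uuid=column_ifexists('observation_uuid_g',''),
        ob_observation_title=column_ifexists('title_s',''),
        ob_confidence=column_ifexists('confidence_s',''),
        ob_src_ip=column_ifexists('src_ip_s',''),
        ob_dst_ip=column_ifexists('dst_ip_s',''),
        // Source-IP enrichments (geo / ASN / asset annotations).
        ob_src_internal=column_ifexists('src_ip_enrichments_internal_b', bool(null)),
        ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d', real(null)),
        ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d', real(null)),
        ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),
        ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),
        ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),
        ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d', real(null)),
        ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),
        ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),
        ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),
        ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),
        ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),
        ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),
        ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),
        ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),
        ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),
        // Destination-IP enrichments, same layout as the source side.
        ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b', bool(null)),
        ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d', real(null)),
        ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d', real(null)),
        ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),
        ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),
        ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),
        ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d', real(null)),
        ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),
        ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),
        ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),
        ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),
        ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),
        ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),
        ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),
        ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),
        ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),
        ob_geo_distance=column_ifexists('geo_distance_d', real(null)),
        ob_sensor_ids=column_ifexists('sensor_ids_s',''),
        ob_evidence_iql=column_ifexists('evidence_iql_s',''),
        ob_description=column_ifexists('description_s',''),
        ob_context=column_ifexists('context_s',''),
        ob_class=column_ifexists('class_s',''),
        ob_intel=column_ifexists('intel_s', ''),
        // NOTE(review): 'Category' carries no Log Analytics type suffix, unlike
        // every other column referenced here; if the ingested column is really
        // named differently (e.g. with an _s suffix) this silently yields ''.
        // Confirm against the table schema.
        ob_category=column_ifexists('Category', '')
    // Output column order is part of the function's contract — keep it stable.
    // Type (the source table name) lets rows of the combined function be
    // attributed to their source table.
    | project
        ob_timestamp,
        ob_observation_title,
        ob_confidence,
        ob_category,
        ob_class,
        ob_context,
        ob_evidence_iql,
        ob_evidence_end_timestamp,
        ob_evidence_start_timestamp,
        ob_description,
        ob_observation_uuid,
        ob_sensor_ids,
        ob_event_type,
        ob_src_ip,
        ob_dst_ip,
        ob_intel,
        ob_source,
        ob_sensor_id,
        ob_src_internal,
        ob_src_geo_lat,
        ob_src_geo_lon,
        ob_src_geo_country,
        ob_src_geo_subdivision,
        ob_src_geo_city,
        ob_src_asn_asn,
        ob_src_asn_org,
        ob_src_asn_isp,
        ob_src_asn_asn_org,
        ob_src_annotations_applications,
        ob_src_annotations_environments,
        ob_src_annotations_locations,
        ob_src_annotations_owners,
        ob_src_annotations_roles,
        ob_src_annotations_tags,
        ob_dst_internal,
        ob_dst_geo_lat,
        ob_dst_geo_lon,
        ob_dst_geo_country,
        ob_dst_geo_subdivision,
        ob_dst_geo_city,
        ob_dst_asn_asn,
        ob_dst_asn_org,
        ob_dst_asn_isp,
        ob_dst_asn_asn_org,
        ob_dst_annotations_applications,
        ob_dst_annotations_environments,
        ob_dst_annotations_locations,
        ob_dst_annotations_owners,
        ob_dst_annotations_roles,
        ob_dst_annotations_tags,
        ob_geo_distance,
        ob_uuid,
        ob_customer_id,
        Type
};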

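let FortiNDR_Cloud_detections_view = view () {
    // Normalizes FncEventsDetections_CL (FortiNDR Cloud detections, including
    // their mute / resolution state) into de_* columns. column_ifexists()
    // keeps the view valid while a column has not been ingested yet; its
    // default also fixes the column's type in that case, so datetime (_t),
    // double (_d) and boolean (_b) columns fall back to a typed null instead
    // of '' — a string fallback would break downstream filters such as
    // "not muted", "last seen within the window" or "event count above N"
    // until the column appears.
    FncEventsDetections_CL
    | extend
        de_account_id=column_ifexists('account_uuid_g', ''),
        de_device_ip=column_ifexists('device_ip_s',''),
        de_rule_name=column_ifexists('rule_name_s',''),
        de_severity=column_ifexists('rule_severity_s',''),
        de_confidence=column_ifexists('rule_confidence_s',''),
        de_sensor_id=column_ifexists('sensor_id_s',''),
        // Mute state: analysts rely on these to suppress known-benign hits, so
        // a typed bool keeps "where not(de_muted)" working when the column is
        // missing (the value is then null and the filter yields no rows).
        de_muted=column_ifexists('muted_b', bool(null)),
        de_rule_muted=column_ifexists('muted_rule_b', bool(null)),
        de_rule_uuid=column_ifexists('rule_uuid_g',''),
        de_mute_comment=column_ifexists('muted_comment_s',''),
        de_muted_by=column_ifexists('muted_user_uuid_g', ''),
        de_date_muted=column_ifexists('muted_timestamp_t', datetime(null)),
        de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),
        de_date_resolved=column_ifexists('resolution_timestamp_t', datetime(null)),
        de_resolution=column_ifexists('resolution_s', ''),
        de_resolution_comment=column_ifexists('resolution_comment_s', ''),
        de_first_seen=column_ifexists('first_seen_t', datetime(null)),
        de_last_seen=column_ifexists('last_seen_t', datetime(null)),
        de_created=column_ifexists('created_t', datetime(null)),
        de_updated=column_ifexists('updated_t', datetime(null)),
        de_uuid=column_ifexists('uuid_g',''),
        de_status=column_ifexists('status_s',''),
        de_indicators=column_ifexists('indicators_s',''),
        de_username=column_ifexists('username_s', ''),
        de_hostname=column_ifexists('hostname_s', ''),
        de_category=column_ifexists('rule_category_s', ''),
        de_event_count=column_ifexists('event_count_d', real(null)),
        de_events=column_ifexists('events_s', ''),
        de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),
        de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),
        de_rule_url=column_ifexists('rule_url_s', '')
    // Output column order is part of the function's contract — keep it stable.
    // Type (the source table name) lets rows of the combined function be
    // attributed to their source table.
    | project
        de_device_ip,
        de_event_count,
        de_events,
        de_indicators,
        de_last_seen,
        de_status,
        de_rule_name,
        de_severity,
        de_confidence,
        de_resolved_by,
        de_resolution,
        de_resolution_comment,
        de_date_resolved,
        de_rule_uuid,
        de_category,
        de_created,
        de_updated,
        de_first_seen,
        de_muted,
        de_rule_muted,
        de_mute_comment,
        de_muted_by,
        de_date_muted,
        de_sensor_id,
        de_account_id,
        de_uuid,
        de_username,
        de_hostname,
        de_primary_attack_id,
        de_secondary_attack_id,
        de_rule_url,
        Type
};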

// Combine the three per-table views into the single Fortinet_FortiNDR_Cloud
// function. kind=outer (the default) keeps every column of every view, with
// nulls where a view does not produce it; isfuzzy=true lets the function keep
// working when one of the source tables has not been created yet, instead of
// failing the whole query.
union kind=outer isfuzzy=true
    FortiNDR_Cloud_suricata_view,
    FortiNDR_Cloud_observation_view,
    FortiNDR_Cloud_detections_view