.execute database script <|
//
// Kusto (ADX) database script that rebuilds the ASIM AuditEvent parser environment:
// drop the ASIM functions and raw source tables, recreate the source-table schemas the
// parsers read from, then recreate the shared ASIM helper functions and the AuditEvent
// parser front-ends.
//
// DESTRUCTIVE: the two .drop commands below discard every listed function and every row
// of every listed table. `ifexists` only makes the drops re-runnable; it does not
// preserve data. The function drop list covers every ASIM schema (Authentication, Dns,
// NetworkSession, ProcessEvent, FileEvent, RegistryEvent, ...), not only AuditEvent, so
// any schema that is not recreated later in this script is removed from the database.
// NOTE(review): presumably meant for a disposable test/dev database - confirm before
// running it anywhere else.
//
.drop functions (_GetWatchlist, _ASIM_GetUsernameType, _ASIM_GetWindowsUserType, _ASIM_ResolveDstFQDN, _ASIM_ResolveDvcFQDN, _ASIM_ResolveFQDN, _ASIM_ResolveSrcFQDN, ASimAuditEvent, ASimAuditEventMicrosoftSecurityEvents, ASimAuditEventMicrosoftWindowsEvents, imAuditEvent, vimAuditEventMicrosoftSecurityEvents, vimAuditEventMicrosoftWindowsEvents, ASimAuthentication, ASimAuthenticationM365Defender, ASimAuthenticationMicrosoftWindowsEvent, imAuthentication, vimAuthenticationM365Defender, vimAuthenticationMicrosoftWindowsEvent, ASimDns, ASimDnsCorelightZeek, ASimDnsMicrosoft365Defender, ASimDnsMicrosoftSysmonWindowsEvent, imDns, vimDnsCorelightZeek, vimDnsMicrosoft365Defender, vimDnsMicrosoftSysmonWindowsEvent, ASimFileEvent, ASimFileEventMicrosoft365D, ASimFileEventMicrosoftSecurityEvents, ASimFileEventMicrosoftSysmonWindowsEvent, ASimFileEventMicrosoftWindowsEvents, imFileEvent, vimFileEventMicrosoft365D, vimFileEventMicrosoftSecurityEvents, vimFileEventMicrosoftSysmonWindowsEvent, vimFileEventMicrosoftWindowsEvents, ASimNetworkSession, ASimNetworkSessionCorelightZeek, ASimNetworkSessionMicrosoft365Defender, ASimNetworkSessionMicrosoftSecurityEventFirewall, ASimNetworkSessionMicrosoftSysmonWindowsEvent, ASimNetworkSessionMicrosoftWindowsEventFirewall, imNetworkSession, vimNetworkSessionCorelightZeek, vimNetworkSessionMicrosoft365Defender, vimNetworkSessionMicrosoftSecurityEventFirewall, vimNetworkSessionMicrosoftSysmonWindowsEvent, vimNetworkSessionMicrosoftWindowsEventFirewall, ASimProcessCreateMicrosoftSecurityEvents, ASimProcessCreateMicrosoftWindowsEvents, ASimProcessEvent, ASimProcessEventCreate, ASimProcessEventCreateMicrosoftSysmonWindowsEvent, ASimProcessEventMicrosoft365D, ASimProcessEventTerminate, ASimProcessEventTerminateMicrosoftSysmonWindowsEvent, ASimProcessTerminateMicrosoftSecurityEvents, ASimProcessTerminateMicrosoftWindowsEvents, imProcessCreate, imProcessEvent, imProcessTerminate, vimProcessCreateMicrosoftSecurityEvents, vimProcessCreateMicrosoftWindowsEvents, vimProcessEventCreateMicrosoftSysmonWindowsEvent, vimProcessEventMicrosoft365D, vimProcessEventTerminateMicrosoftSysmonWindowsEvent, vimProcessTerminateMicrosoftSecurityEvents, vimProcessTerminateMicrosoftWindowsEvents, ASimRegistry, ASimRegistryEventMicrosoft365D, ASimRegistryEventMicrosoftSysmonWindowsEvent, ASimRegistryEventMicrosoftWindowsEvent, imRegistry, vimRegistryEventMicrosoft365D, vimRegistryEventMicrosoftSysmonWindowsEvent, vimRegistryEventMicrosoftWindowsEvent, _ASim_Authentication, _ASim_Dns, _ASim_NetworkSession, _ASim_ProcessEvent, _ASim_ProcessCreate, _ASim_ProcessTerminate, _ASim_FileEvent, _ASim_RegistryEvent, _ASim_AuditEvent, _Im_Authentication, _Im_Dns, _Im_NetworkSession, _Im_ProcessEvent, _Im_ProcessCreate, _Im_ProcessTerminate, _Im_FileEvent, _Im_RegistryEvent, _Im_AuditEvent) ifexists
//
// Drops the raw source tables (all ingested rows are lost). Watchlist is intentionally
// not in this list - see the note above its .create below.
//
.drop tables (Corelight_CL, DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceRegistryEvents, DeviceInfo, DeviceNetworkInfo, DeviceFileCertificateInfo, SecurityEvent, WindowsEvent) ifexists
//
// Raw source tables the parsers read from (Corelight, Microsoft Defender Device* tables,
// SecurityEvent, WindowsEvent). Column names and types must match what the vim*/ASim*
// parsers reference. The same concept is typed differently across sources - e.g. LogonId
// is long in the Device* tables but string in SecurityEvent, and EventRecordId is long in
// SecurityEvent but string in WindowsEvent - so parsers must not assume a shared type.
// .create-merge creates the table or extends an existing one with missing columns.
//
.create-merge table Corelight_CL ( TimeGenerated: datetime, Message: string )
.create-merge table DeviceEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, AccountDomain: string, AccountName: string, AccountSid: string, AccountObjectId: string, RemoteUrl: string, RemoteDeviceName: string, ProcessId: long, ProcessCommandLine: string, ProcessCreationTime: datetime, ProcessTokenElevation: string, LogonId: long, RegistryKey: string, RegistryValueName: string, RegistryValueData: string, RemoteIP: string, RemotePort: int, LocalIP: string, LocalPort: int, FileOriginUrl: string, FileOriginIP: string, FileOriginReferrerUrl: string, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessMD5: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, InitiatingProcessLogonId: long, InitiatingProcessIntegrityLevel: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceProcessEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, ProcessVersionInfoCompanyName: string, ProcessVersionInfoProductName: string, ProcessVersionInfoProductVersion: string, ProcessVersionInfoInternalFileName: string, ProcessVersionInfoOriginalFileName: string, ProcessVersionInfoFileDescription: string, ProcessId: long, ProcessCommandLine: string, ProcessIntegrityLevel: string, ProcessTokenElevation: string, ProcessCreationTime: datetime, AccountDomain: string, AccountName: string, AccountSid: string, AccountObjectId: string, AccountUpn: string, LogonId: long, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessLogonId: long, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessMD5: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceNetworkEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, RemoteIP: string, RemotePort: int, RemoteUrl: string, LocalIP: string, LocalPort: int, Protocol: string, LocalIPType: string, RemoteIPType: string, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentFileName: string, InitiatingProcessParentId: long, InitiatingProcessParentCreationTime: datetime, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessMD5: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessLogonId: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceFileEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, FileOriginUrl: string, FileOriginReferrerUrl: string, FileOriginIP: string, PreviousFolderPath: string, PreviousFileName: string, RequestProtocol: string, RequestSourceIP: string, RequestSourcePort: int, RequestAccountName: string, RequestAccountDomain: string, RequestAccountSid: string, ShareName: string, SensitivityLabel: string, SensitivitySubLabel: string, IsAzureInfoProtectionApplied: bool, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessMD5: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessFolderPath: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessLogonId: long, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceLogonEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, LogonType: string, AccountDomain: string, AccountName: string, AccountSid: string, AccountObjectId: string, Protocol: string, FailureReason: string, IsLocalAdmin: bool, LogonId: long, RemoteDeviceName: string, RemoteIP: string, RemoteIPType: string, RemotePort: int, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessMD5: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessLogonId: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceImageLoadEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessMD5: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessLogonId: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceRegistryEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, RegistryKey: string, RegistryValueType: string, RegistryValueName: string, RegistryValueData: string, PreviousRegistryKey: string, PreviousRegistryValueName: string, PreviousRegistryValueData: string, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessMD5: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessLogonId: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic )
.create-merge table DeviceInfo ( Timestamp: datetime, DeviceId: string, DeviceName: string, ClientVersion: string, PublicIP: string, OSArchitecture: string, OSPlatform: string, OSBuild: long, IsAzureADJoined: bool, AadDeviceId: string, LoggedOnUsers: dynamic, RegistryDeviceTag: string, OSVersion: string, MachineGroup: string, ReportId: long, OnboardingStatus: string, AdditionalFields: dynamic, DeviceCategory: string, DeviceType: string, Model: string, DeviceSubtype: string, OSDistribution: string, OSVersionInfo: string, MergedDeviceIds: string, MergedToDeviceId: string, JoinType: string, SensorHealthState: string )
.create-merge table DeviceNetworkInfo ( Timestamp: datetime, DeviceId: string, DeviceName: string, NetworkAdapterName: string, MacAddress: string, NetworkAdapterType: string, NetworkAdapterStatus: string, TunnelType: string, ConnectedNetworks: dynamic, DnsAddresses: dynamic, IPv4Dhcp: string, IPv6Dhcp: string, DefaultGateways: dynamic, IPAddresses: dynamic, ReportId: long )
.create-merge table DeviceFileCertificateInfo ( Timestamp: datetime, DeviceId: string, DeviceName: string, SHA1: string, IsSigned: bool, SignatureType: string, Signer: string, SignerHash: string, Issuer: string, IssuerHash: string, CertificateSerialNumber: string, CrlDistributionPointUrls: string, CertificateCreationTime: datetime, CertificateExpirationTime: datetime, CertificateCountersignatureTime: datetime, IsTrusted: bool, IsRootSignerMicrosoft: bool, ReportId: long )
.create-merge table SecurityEvent ( TimeGenerated: datetime, TimeCreated: datetime, SourceComputerId: string, Type: string, EventOriginId: string, Computer: string, Channel: string, Provider: string, ProviderGuid: string, EventId: int, EventRecordId: long, Version: int, EventSourceName: string, Task: int, Level: int, LevelName: string, Keywords: string, Opcode: string, Correlation: string, ProcessId: int, ThreadId: string, Activity: string, SubjectUserSid: string, SubjectUserName: string, SubjectDomainName: string, SubjectLogonId: string, SubjectAccount: string, SubjectMachineName: string, SubjectMachineSid: string, SubjectKeyIdentifier: string, Subject: string, TargetUserSid: string, TargetUserName: string, TargetDomainName: string, TargetLogonId: string, TargetLogonGuid: string, TargetAccount: string, TargetUser: string, TargetServerName: string, TargetSid: string, TargetInfo: string, TargetLinkedLogonId: string, TargetOutboundDomainName: string, TargetOutboundUserName: string, UserId: string, Account: string, AccountType: string, AccountDomain: string, AccountName: string, AccountExpires: string, AccountSessionIdentifier: string, LogonType: int, LogonTypeName: string, LogonGuid: string, LogonId: string, LogonProcessName: string, LogonHours: string, AuthenticationPackageName: string, AuthenticationProvider: string, AuthenticationServer: string, AuthenticationService: int, AuthenticationType: string, AuthenticationLevel: int, LmPackageName: string, PackageName: string, KeyLength: int, TransmittedServices: string, ElevatedToken: string, RestrictedAdminMode: string, VirtualAccount: string, TokenElevationType: string, MandatoryLabel: string, ImpersonationLevel: string, TerminalSessionId: int, ProtocolSequence: string, IpAddress: string, IpPort: string, WorkstationName: string, Workstation: string, ClientAddress: string, ClientIpAddress: string, ClientName: string, RemoteIpAddress: string, RemotePort: string, DestinationIp: string, DestinationPort: int, DestinationHostname: string, DestinationPortName: string, SourceIp: string, SourcePort: int, SourceHostname: string, SourcePortName: string, Protocol: string, ProcessName: string, Process: string, NewProcessId: string, NewProcessName: string, ParentProcessName: string, CommandLine: string, ParentCommandLine: string, Image: string, ParentImage: string, OriginalFileName: string, User: string, IntegrityLevel: string, Hashes: string, Hash: string, CurrentDirectory: string, ProcessGuid: string, ParentProcessGuid: string, SourceProcessGuid: string, TargetProcessGuid: string, SourceProcessId: int, TargetProcessId: int, SourceImage: string, TargetImage: string, GrantedAccess: string, CallTrace: string, CallerProcessId: string, CallerProcessName: string, ObjectName: string, ObjectServer: string, ObjectType: string, ObjectValueName: string, AccessMask: string, AccessList: string, AccessReason: string, HandleId: string, Properties: string, TargetFilename: string, TargetObject: string, Details: string, RelativeTargetName: string, OperationType: string, DisplayName: string, SamAccountName: string, UserPrincipalName: string, HomeDirectory: string, HomePath: string, ProfilePath: string, ScriptPath: string, UserWorkstations: string, PasswordLastSet: string, PasswordHistoryLength: string, PasswordProperties: string, MinPasswordAge: string, MinPasswordLength: string, MaxPasswordAge: string, PrimaryGroupId: string, AllowedToDelegateTo: string, SidHistory: string, UserAccountControl: string, UserParameters: string, GroupMembership: string, MemberName: string, MemberSid: string, DomainName: string, DomainSid: string, DomainPolicyChanged: string, OldUacValue: string, NewUacValue: string, OldValue: string, NewValue: string, OldValueType: string, NewValueType: string, CategoryId: string, SubcategoryId: string, SubcategoryGuid: string, AuditPolicyChanges: string, AuditsDiscarded: int, ForceLogoff: string, MixedDomainMode: string, ShareName: string, ShareLocalPath: string, NewShareFlags: string, OldShareFlags: string, NewMaxUsers: string, OldMaxUsers: string, NewRemark: string, OldRemark: string, FilePath: string, FilePathNoUser: string, FileHash: string, NewTime: string, NewDate: string, PreviousTime: string, PreviousDate: string, ServiceName: string, ServiceFileName: string, ServiceImagePath: string, ServiceAccount: string, ServiceType: string, ServiceStartType: int, TaskName: string, TaskContent: string, ScriptBlockText: string, ScriptBlockId: string, MessageNumber: int, MessageTotal: int, Path: string, HostApplication: string, EngineVersion: string, RunspaceId: string, TicketOptions: string, TicketEncryptionType: string, PreAuthType: string, CertIssuerName: string, CertSerialNumber: string, Requester: string, RequestId: string, CACertificateHash: string, CAPublicKeyHash: string, CertificateDatabaseHash: string, PrivateKeyUsageCount: string, TemplateContent: string, TemplateDSObjectFQDN: string, TemplateInternalName: string, TemplateOID: string, TemplateSchemaVersion: string, TemplateVersion: string, ClassId: string, ClassName: string, DeviceDescription: string, DeviceId: string, CompatibleIds: string, VendorIds: string, LocationInformation: string, OemInformation: string, ProxyPolicyName: string, Status: string, SubStatus: string, ErrorCode: int, FailureReason: string, FailureCode: string, CreationUtcTime: datetime, IsExecutable: string, Archived: string, FileVersion: string, Description: string, Product: string, Company: string, Signed: string, Signature: string, SignatureStatus: string, ImageLoaded: string, QueryName: string, QueryResults: string, QueryStatus: string, PipeName: string, Initiated: string, Operation: string, Consumer: string, WmiFilter: string, Destination: string, Namespace: string, WmiQuery: string, WmiType: string, ClientProcessId: string, Attributes: string, AdditionalInfo: string, AdditionalInfo2: string, Filter: string, Fqbn: string, PrivilegeList: string, RowsDeleted: string, TableId: string, SessionName: string, SecurityDescriptor: string, DomainBehaviorVersion: string, LockoutDuration: string, LockoutThreshold: string, LockoutObservationWindow: string, MachineAccountQuota: string, NASIdentifier: string, NASIPv4Address: string, NASIPv6Address: string, NASPort: string, NASPortType: string, CalledStationId: string, CallingStationId: string, FullyQualifiedSubjectMachineName: string, FullyQualifiedSubjectUserName: string, QuarantineState: string, QuarantineHelpURL: string, CertThumbprint: string, CertIssuedSubjectName: string, CertificateHash: string, ReaderName: string, TokenDeviceId: string, TokenDeviceType: string, TokenDeviceSerialNumber: string, EventData: dynamic, RawEventData: string, EventID: int, _ResourceId: string, _SubscriptionId: string, _ItemId: string, SourceSystem: string, TenantId: string, MG: string )
.create-merge table WindowsEvent ( TimeGenerated: datetime, Computer: string, Channel: string, Provider: string, EventID: int, EventLevel: int, EventLevelName: string, EventRecordId: string, Correlation: string, Keywords: string, Opcode: string, Task: int, Version: int, SystemProcessId: int, SystemThreadId: int, SystemUserId: string, EventOriginId: string, ManagementGroupName: string, SourceSystem: string, EventData: dynamic, RawEventData: string, Type: string, _ItemId: string, TenantId: string, _ResourceId: string, _SubscriptionId: string, MG: string, Data: string, TimeCollected: string, TimeCreated: datetime )
//
// Watchlist backs _GetWatchlist and therefore the ASimDisabledParsers gate used by the
// parser front-ends. It is not in the .drop tables list above and is created with plain
// .create rather than .create-merge - presumably so existing watchlist items survive a
// re-deploy. NOTE(review): confirm this is intended; it also means this script never
// reconciles an older Watchlist schema.
//
.create table Watchlist ( TenantId: string, TimeGenerated: datetime, AzureTenantId: string, WatchlistId: string, WatchlistItemId: string, WatchlistName: string, WatchlistAlias: string, Source: string, Provider: string, CreatedBy: dynamic, UpdatedBy: dynamic, CreatedTimeUTC: datetime, LastUpdatedTimeUTC: datetime, Notes: string, Tags: string, DefaultDuration: string, TimeToLive: datetime, WatchlistItem: dynamic, EntityMapping: dynamic, CorrelationId: string, SearchKey: string, WatchlistCategory: string, _DTTimestamp: datetime, _DTItemId: string, _DTItemType: string, _DTItemStatus: string, SourceSystem: string, Type: string )
//
// _GetWatchlist(watchlistAlias, keys): returns the current items of one watchlist.
// Reads Watchlist, keeps 'watchlist-item' rows whose WatchlistAlias matches and (when
// `keys` is non-empty) whose SearchKey is in `keys`, takes the latest version of each
// item (arg_max on _DTTimestamp per _DTItemId) and drops items whose latest status is
// 'Delete'. Rows stamped in the future (TimeGenerated >= now()) are ignored. The inner
// lambda is only a local alias; the outer function forwards its parameters to it.
//
.create-or-alter function with (skipvalidation=true) _GetWatchlist( ['watchlistAlias']:string, ['keys']:dynamic=dynamic([]) ) { let function = (watchlists:string, keys:dynamic = dynamic([])) { Watchlist | where TimeGenerated < now() | where _DTItemType == 'watchlist-item' | where WatchlistAlias in (watchlists) | where array_length(keys) == 0 or SearchKey in (keys) | summarize hint.shufflekey=_DTItemId arg_max(_DTTimestamp, _DTItemStatus, LastUpdatedTimeUTC, SearchKey, WatchlistItem) by _DTItemId | where _DTItemStatus != 'Delete' | project-away _DTTimestamp, _DTItemStatus }; function(watchlistAlias, keys) }
//
// _ASIM_GetUsernameType(username): classifies a username as "UPN" (contains '@'),
// "Windows" (contains a backslash), "DN" (has a CN=/OU=/DC= token), "" (empty) or
// "Simple". Rules are evaluated in that order, so a value containing both '@' and a
// backslash is reported as UPN.
//
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets the UsernameType based on the username", folder="ASIM") _ASIM_GetUsernameType(username:string) { let ASIM_GetUsernameType = (username:string) { case ( username contains "@" , "UPN" , username contains "\\", "Windows" , (username has "CN=" or username has "OU=" or username has "DC="), "DN" , isempty(username), "" , "Simple" ) }; ASIM_GetUsernameType (username) }
//
// _ASIM_GetWindowsUserType(username, sid): maps a Windows account to an ASIM UserType.
// SID rules are checked before username rules: S-1-5-80-* -> Service; S-1-5-21-*
// (domain/local accounts) are classified by well-known RID (-500 Admin, -501 Guest,
// -502 (krbtgt) Service), then by `username contains "admin"` - a plain substring match,
// so any name with "admin" in it is labelled Admin - then a trailing '$' -> Machine,
// else Regular. Other well-known SIDs: S-1-5-113 Other, S-1-5-7 Anonymous,
// S-1-5-17/-19/-20 Service, S-1-5-18 System. An empty username yields "" only when no
// SID rule matched first; everything else falls through to "Other".
//
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets the UserType for Windows systems based on the username and sid", folder="ASIM") _ASIM_GetWindowsUserType(username:string, sid:string) { let ASIM_GetWindowsUserType = (username:string, sid:string) { case ( sid startswith "S-1-5-80", "Service", sid startswith "S-1-5-21", case ( sid endswith "-500", "Admin", sid endswith "-501", "Guest", sid endswith "-502", "Service", username contains "admin", "Admin", username endswith "$", "Machine", "Regular"), username endswith "$", "Machine", sid == "S-1-5-113", "Other", sid == "S-1-5-7", "Anonymous", sid == "S-1-5-17", "Service", sid == "S-1-5-18", "System", sid == "S-1-5-19", "Service", sid == "S-1-5-20", "Service" , isempty(username), "", "Other" ) }; ASIM_GetWindowsUserType(username,sid) }
//
// _ASIM_ResolveDstFQDN / _ASIM_ResolveDvcFQDN / _ASIM_ResolveSrcFQDN: tabular wrappers
// that invoke _ASIM_ResolveFQDN on `field` and rename its four output columns with the
// Dst/Dvc/Src prefix. The Dst and Dvc wrappers are created before _ASIM_ResolveFQDN
// itself; that ordering only works because of skipvalidation=true.
//
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets DstHostname, DstDomain, DstDomainType and DstFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveDstFQDN(T:(*), field:string) { T | invoke _ASIM_ResolveFQDN (field) | project-rename DstHostname = ExtractedHostname, DstDomain = Domain, DstFQDN = FQDN, DstDomainType = DomainType }
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets DvcHostname, DvcDomain, DvcDomainType and DvcFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveDvcFQDN(T:(*), field:string) { T | invoke _ASIM_ResolveFQDN (field) | project-rename DvcHostname = ExtractedHostname, DvcDomain = Domain, DvcFQDN = FQDN, DvcDomainType = DomainType }
//
// _ASIM_ResolveFQDN(T, field): splits the value of column `field` (empty if the column
// does not exist, via column_ifexists) into ExtractedHostname / Domain / DomainType /
// FQDN. A backslash marks the Windows form DOMAIN\host (DomainType "Windows", Domain =
// text before the first backslash, hostname = the part after it); otherwise a dot marks
// an FQDN (DomainType "FQDN", hostname = first label, Domain = remaining labels joined
// with '.'). With neither separator DomainType, Domain and FQDN are all empty and the
// value is kept unchanged as ExtractedHostname. FQDN, when set, is the original unsplit
// value - for the Windows form that includes the DOMAIN\ prefix.
//
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets Hostname, Domain, DomainType and FQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveFQDN(T:(*), field:string) { T | extend ExtractedHostname = column_ifexists (field,'') | extend DotSplitHostname = split(ExtractedHostname,".") | extend SlashSplitHostname = split(ExtractedHostname,"\\") | extend DomainType = case( array_length(SlashSplitHostname) > 1, "Windows", array_length(DotSplitHostname) > 1, "FQDN", "" ) | extend FQDN = iif (DomainType == '', '', ExtractedHostname), Domain = case ( DomainType == "Windows", SlashSplitHostname[0], DomainType == "FQDN", tostring(strcat_array(array_slice(DotSplitHostname, 1, -1), '.')), ""), ExtractedHostname = case ( DomainType == "Windows", SlashSplitHostname[1], DomainType == "FQDN", DotSplitHostname[0], ExtractedHostname) | project-away DotSplitHostname, SlashSplitHostname }
.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets SrcHostname, SrcDomain, SrcDomainType and SrcFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveSrcFQDN(T:(*), field:string) { T | invoke _ASIM_ResolveFQDN (field) | project-rename SrcHostname = ExtractedHostname, SrcDomain = Domain, SrcFQDN = FQDN, SrcDomainType = DomainType }
//
// ASimAuditEvent(pack): source-agnostic AuditEvent front-end. Unions every registered
// source-specific ASim parser, passing each a `disabled` flag derived from the
// 'ASimDisabledParsers' watchlist (items with SearchKey 'Any' or 'ExcludeASimAuditEvent';
// a SourceSpecificParser value of 'Any' or 'ExcludeASimAuditEventBuiltIn' disables all
// built-in parsers, an 'Exclude<ParserName>' value disables that one parser).
// Caveats for whoever deploys or operates this:
//  - union isfuzzy=true: a referenced parser that does not exist in the database is
//    silently skipped rather than reported. Several parsers referenced here
//    (vimAuditEventEmpty, ASimAuditEventMicrosoftExchangeAdmin365, ...) are not created
//    in this script, so a missing or mistyped parser name is a silent detection gap -
//    verify the set with .show functions after deployment.
//  - Anyone who can write items to the ASimDisabledParsers watchlist can switch parsers
//    off; treat write access to that watchlist as a detection-pipeline control.
//  - The key that disables ASimAuditEventMicrosoftEvent is
//    'ExcludeASimAuditEventMicrosoftEvents' (plural), not the parser's own name.
//  - The `pack` parameter is accepted but not forwarded to any source parser.
//
.create-or-alter function with (skipvalidation=true) ASimAuditEvent( ['pack']:bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); union isfuzzy=true vimAuditEventEmpty, ASimAuditEventMicrosoftExchangeAdmin365 (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))), ASimAuditEventMicrosoftWindowsEvents (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))), ASimAuditEventMicrosoftSecurityEvents (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))), ASimAuditEventMicrosoftEvent (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))), ASimAuditEventAzureActivity (disabled=BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))), ASimAuditEventCiscoMeraki (disabled=BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))), ASimAuditEventCiscoMerakiSyslog (disabled=BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))), ASimAuditEventBarracudaWAF (disabled=BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))), ASimAuditEventBarracudaCEF (disabled=BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))), ASimAuditEventCiscoISE (disabled=BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))), ASimAuditEventVectraXDRAudit (disabled=BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))), ASimAuditEventSentinelOne (disabled=BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))), ASimAuditEventCrowdStrikeFalconHost (disabled=BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))), ASimAuditEventVMwareCarbonBlackCloud (disabled=BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))), ASimAuditEventInfobloxBloxOne (disabled=BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))), ASimAuditEventIllumioSaaSCore (disabled=BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers))), ASimAuditEventNative (disabled=BuiltInDisabled or ('ExcludeASimAuditEventNative' in (DisabledParsers))) }
//
// ASimAuditEventMicrosoftSecurityEvents / ASimAuditEventMicrosoftWindowsEvents: the
// filter-less ASim variants; each delegates to the matching vim* parser, forwarding only
// the `disabled` flag.
//
.create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftSecurityEvents(['disabled']:bool=false) { vimAuditEventMicrosoftSecurityEvents(disabled=disabled) }
.create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftWindowsEvents(['disabled']:bool=false) { vimAuditEventMicrosoftWindowsEvents(disabled=disabled) }
.create-or-alter function with (skipvalidation=true) imAuditEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['pack']:bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser', '') | distinct SourceSpecificParser); let BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); union isfuzzy=true vimAuditEventEmpty, vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))), vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))), vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))), vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))), vimAuditEventAzureActivity (starttime=starttime, 
endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))), vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))), vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))), vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))), vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))), vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, 
eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))), vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))), vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))), vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))), vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))), vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))), vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers)))), vimAuditEventNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventNative' in (DisabledParsers)))) } .create-or-alter function with (skipvalidation=true) vimAuditEventEmpty { let EmptyAuditEvents =datatable ( ActorUserType:string, ActorUsernameType:string, ActorUserIdType:string, EventResult:string, EventType:string, EventSchema:string, ValueType:string, EventSeverity:string, EventVendor:string, EventProduct:string, SrcDvcIdType:string, TargetDvcIdType:string, SrcDomainType:string, TargetDomainType:string, SrcDeviceType:string, TargetDeviceType:string, ObjectType:string, OriginalObjectType:string, TargetAppType:string, TargetOriginalAppType:string, ActingAppType:string, ActingOriginalAppType:string, ThreatConfidence:int, SrcGeoCountry:string, TargetGeoCountry:string, EventSubType:string, EventResultDetails:string, SrcHostname:string, TargetHostname:string, SrcIpAddr:string, TargetIpAddr:string, SrcGeoRegion:string, SrcGeoCity:string, TargetGeoRegion:string, TargetGeoCity:string, ThreatRiskLevel:int, EventSchemaVersion:string, 
EventReportUrl:string, User:string, ActorUsername:string, Application:string, Process:string, Operation:string, Object:string, ObjectId:string, OldValue:string, NewValue:string, Value:string,
    TimeGenerated:datetime, _ResourceId:string, Type:string, AdditionalFields:dynamic, EventMessage:string, EventCount:int, EventStartTime:datetime, EventEndTime:datetime, EventOriginalUid:string, EventOriginalType:string, EventOriginalSubType:string, EventOriginalResultDetails:string, EventOriginalSeverity:string, EventProductVersion:string, EventOwner:string,
    Rule:string, RuleName:string, RuleNumber:int,
    ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatOriginalRiskLevel:string, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatIpAddr:string, ThreatField:string, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime,
    ActorUserId:string, ActorScopeId:string, ActorScope:string, ActorOriginalUserType:string, ActorSessionId:string,
    TargetAppId:string, TargetAppName:string, TargetUrl:string, ActingAppId:string, ActingAppName:string, HttpUserAgent:string,
    Src:string, SrcPortNumber:int, SrcDomain:string, SrcFQDN:string, SrcDvcDescription:string, SrcDvcId:string, SrcDvcScopeId:string, SrcDvcScope:string, SrcGeoLatitude:real, SrcGeoLongitude:real,
    Dst:string, TargetPortNumber:int, TargetDomain:string, TargetFQDN:string, TargetDvcDescription:string, TargetDvcId:string, TargetDvcScopeId:string, TargetDvcScope:string, TargetGeoLatitude:real, TargetGeoLongitude:real ,
    Dvc: string , DvcId: string , DvcIpAddr: string , DvcHostname: string , DvcDomain:string , DvcDomainType:string , DvcFQDN:string , DvcDescription:string , DvcIdType:string , DvcMacAddr:string , DvcZone:string , DvcOs:string , DvcOsVersion:string , DvcAction:string , DvcOriginalAction:string , DvcScope:string ,
    // NOTE(review): DvcScopeOd looks like a typo for DvcScopeId (compare SrcDvcScopeId / TargetDvcScopeId above) - confirm against the AuditEvent schema.
    DvcScopeOd:string )[];
    EmptyAuditEvents
}

.create-or-alter function with (skipvalidation=true) vimAuditEventMicrosoftSecurityEvents(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['actorusername_has_any']:dynamic=dynamic([]),
    ['operation_has_any']:dynamic=dynamic([]),
    ['eventtype_in']:dynamic=dynamic([]),
    ['eventresult']:string='*',
    ['object_has_any']:dynamic=dynamic([]),
    ['newvalue_has_any']:dynamic=dynamic([]),
    ['disabled']:bool=false) {
    // Filtering AuditEvent parser over the SecurityEvent table. Two input shapes are handled:
    //   1. the event IDs listed in EventIDLookup (except 1102), whose EventData is read with parse-kv;
    //   2. event 1102 (audit log cleared) from Microsoft-Windows-Eventlog, whose EventData is parsed
    //      as XML and read from UserData.LogFileCleared.
    // Both branches are enriched from EventIDLookup, split per event family to derive the
    // Object / NewValue / OldValue fields, then mapped to AuditEvent column names.
    // Filters: starttime/endtime bound TimeGenerated (inclusive at both ends); eventtype_in,
    // operation_has_any and eventresult are resolved to event IDs up front; actorusername_has_any
    // and newvalue_has_any are pre-filtered on raw EventData and re-checked after parsing;
    // disabled=true returns no rows.
    let parser = (
        starttime: datetime=datetime(null),
        endtime: datetime=datetime(null),
        srcipaddr_has_any_prefix: dynamic=dynamic([]),
        eventtype_in: dynamic=dynamic([]),
        eventresult: string='*',
        actorusername_has_any: dynamic=dynamic([]),
        operation_has_any: dynamic=dynamic([]),
        object_has_any: dynamic=dynamic([]),
        newvalue_has_any: dynamic=dynamic([]),
        disabled: bool = false ) {
        // Not referenced below: FilteredEventIds (derived from EventIDLookup) drives row selection.
        let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);
        // Event-ID groups used to split ParsedEvents into per-family branches.
        let EventlogEventIds = dynamic([1102]);
        let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);
        let ActiveDirectoryReplicaIds = dynamic([4929]);
        let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);
        let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]);
        let DirectoryServiceIds = dynamic([5136]);
        let AuditLogClearedEventID = dynamic([1102]);
        // Static map from Windows event ID to the normalized Operation / EventType / Object / ObjectType / EventResult.
        let EventIDLookup = datatable( EventID: int, Operation: string, EventType: string, Object: string, ObjectType: string, EventResult: string ) [
            1102, "Delete Logs", "Delete", "Security Logs", "Event Log", "Success",
            4698, "Create Scheduled Task", "Create", "", "Scheduled Task", "Success",
            4699, "Delete Scheduled Task", "Delete", "", "Scheduled Task", "Success",
            4700, "Enable Scheduled Task", "Enable", "", "Scheduled Task", "Success",
            // NOTE(review): the Operation below carries a trailing space; an exact-match consumer of Operation would miss it - probably unintended.
            4701, "Disable Scheduled Task ", "Disable", "", "Scheduled Task", "Success",
            4702, "Update Scheduled Task", "Set", "", "Scheduled Task", "Success",
            4929, "Remove Active Directory Replica Source Naming Context", "Delete", "", "Other", "Success",
            5025, "Stop Firewall Service", "Disable", "Firewall Service", "Service", "Success",
            5027, "Retrieve the Security Policy From The Local Storage", "Read", "Firewall Service", "Service", "Failure",
            5028, "Parse the new Security Policy", "Set", "Firewall Service", "Service", "Failure",
            5029, "Initialize the Firewall Driver", "Initialize", "Firewall Service", "Service", "Failure",
            5030, "Start the Firewall Service", "Start", "Firewall Service", "Service", "Failure",
            5034, "Stop Firewall Driver", "Stop", "Firewall Driver", "Driver", "Failure",
            5035, "Start Firewall Driver", "Start", "Firewall Driver", "Driver", "Failure",
            5037, "Terminating Firewall Driver", "Terminate", "Firewall Driver", "Driver", "Failure",
            7035, "Start Control Sent", "Execute", "Service", "Service", "Success",
            7036, "Enter Stop State", "Stop", "Service", "Service", "Success",
            7040, "Changed Service Settings", "Set", "Service", "Service", "Success",
            7045, "Install Service", "Install", "Service", "Service", "Success",
            2009, "Load Group Policy", "Other", "Service", "Service", "Failure",
            5136, "Modified Directory Services Object", "Set", "", "Directory Service Object", "Success"
        ];
        // Resolve the eventtype_in / operation_has_any / eventresult filters to the set of event IDs
        // that can satisfy them, so the raw table is narrowed on EventID before any parsing.
        // 1102 is left out here because it is selected by the second branch below.
        let FilteredEventIds = toscalar(EventIDLookup
            | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
                and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
                and (eventresult == '*' or EventResult == eventresult)
                and EventID != 1102
            | summarize make_set(EventID) );
        let ParsedEvents = materialize( union (
            SecurityEvent
            | where not(disabled)
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and EventID in(FilteredEventIds)
            // No source IP field is mapped by this parser, so a non-empty srcipaddr_has_any_prefix yields no rows.
            // Actor and new-value filters are applied to the raw EventData text first and re-checked after parsing.
            | where (array_length(srcipaddr_has_any_prefix) == 0)
                and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))
                and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
            | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
            // The capture stops at the next '<' and tolerates optional surrounding braces; presumably EventData
            // here is the raw event XML - verify on a sample before changing the regex.
            | parse-kv EventData as ( SubjectUserSid: string, SubjectUserName: string, SubjectDomainName: string, SubjectLogonId: string, TaskName: string, TaskContent: string, TaskContentNew: string, ClientProcessId: string, DestinationDRA: string, SourceDRA: string, SourceAddr: string, ObjectDN: string, AttributeValue: string ) with (regex=@'{?([^<]*?)}?')
            // NOTE(review): unlike the 1102 branch, the composed 'Domain\User' form is not matched here.
            | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any)
            | project-away EventData
        ), (
            // Event 1102 (security log cleared) is selected with fixed literals because its normalized
            // values are constant: Operation 'Delete Logs', EventType 'Delete', EventResult 'Success'.
            SecurityEvent
            | where not(disabled)
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
            | where EventID in (AuditLogClearedEventID) and EventSourceName == "Microsoft-Windows-Eventlog"
            | where (array_length(srcipaddr_has_any_prefix) == 0)
                and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))
                and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
                and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))
                and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))
                and (eventresult == '*' or 'Success' =~ eventresult)
            | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
            // 1102 uses the UserData/LogFileCleared layout rather than the key-value form, hence parse_xml.
            | extend Parsed_EventData = parse_xml(EventData)
            | extend SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid), SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName), SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName), SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)
            | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any) or (strcat(SubjectDomainName, '\\', SubjectUserName)) has_any (actorusername_has_any)
            | project-away EventData, Parsed_EventData
        )
        | lookup EventIDLookup on EventID );
        // Per event family: apply object_has_any to the family's own object field, derive
        // Object / NewValue / OldValue / Value, and drop the raw parsed columns.
        let EventLog = ParsedEvents
            | where EventID in(EventlogEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;
        // Scheduled tasks: Object is the task name; NewValue is the task definition content, which is
        // why newvalue_has_any is re-applied here after parsing.
        let ScheduledTask = ParsedEvents
            | where EventID in(ScheduledTaskEventIds)
            | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))
            | extend Object = TaskName, NewValue = coalesce( TaskContent, TaskContentNew )
            | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
            | extend Value = NewValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        // 4929: Object/OldValue = DestinationDRA, NewValue = SourceDRA, SrcFQDN = SourceAddr.
        let ActiveDirectoryReplica = ParsedEvents
            | where EventID in(ActiveDirectoryReplicaIds)
            | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))
            | extend NewValue = SourceDRA, OldValue = DestinationDRA, SrcFQDN = SourceAddr
            | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
            | extend Value = NewValue, Object = OldValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        let WindowsFirewall = ParsedEvents
            | where EventID in(FirewallEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        let ServiceEvent = ParsedEvents
            | where EventID in(ServiceEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        // 5136: Object is the modified object's DN, NewValue is AttributeValue.
        let DirectoryService = ParsedEvents
            | where EventID in(DirectoryServiceIds) and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))
            | extend Object = ObjectDN
            | project-rename NewValue = AttributeValue
            | extend Value = NewValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN ;
        // Map to AuditEvent: resolve the Dvc fields from Computer, rename identifiers, add the constant fields.
        union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService
        | invoke _ASIM_ResolveDvcFQDN("Computer")
        | project-rename ActorUserId = SubjectUserSid, ActorSessionId = SubjectLogonId, DvcId =
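_ResourceId, ActingAppId = ClientProcessId, EventUid = _ItemId
        | extend
            EventCount = int(1),
            EventStartTime = TimeGenerated,
            EventEndTime= TimeGenerated,
            EventProduct = 'Security Events',
            EventVendor = 'Microsoft',
            EventSchemaVersion = '0.1.0',
            EventSchema = 'AuditEvent',
            EventOriginalType = tostring(EventID),
            DvcIdType = iff (DvcId == "", "", "AzureResourceID"),
            // Windows form 'DOMAIN\user' when a domain is present, otherwise the bare name.
            ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
            ActorUsernameType = iff (SubjectDomainName == "", 'Simple', 'Windows'),
            ActorUserIdType = iff (ActorUserId == "", "", "SID"),
            ActingAppType = "Process"
        | extend User = ActorUsername, Dvc = DvcFQDN
        // NOTE(review): unlike vimAuditEventMicrosoftWindowsEvents, this also drops NewValue, ObjectType,
        // Object, OldValue and Value - AuditEvent schema columns (see vimAuditEventEmpty) and the very
        // fields object_has_any / newvalue_has_any were applied to. Confirm this is intended.
        | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value
    };
    // Outer wrapper: forward the public parameters to the inner parser.
    parser ( starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, actorusername_has_any = actorusername_has_any, eventtype_in = eventtype_in, eventresult = eventresult, operation_has_any = operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true) vimAuditEventMicrosoftWindowsEvents(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['actorusername_has_any']:dynamic=dynamic([]),
    ['operation_has_any']:dynamic=dynamic([]),
    ['eventtype_in']:dynamic=dynamic([]),
    ['eventresult']:string='*',
    ['object_has_any']:dynamic=dynamic([]),
    ['newvalue_has_any']:dynamic=dynamic([]),
    ['disabled']:bool=false) {
    // Filtering AuditEvent parser over the WindowsEvent table; same event families and output
    // mapping as vimAuditEventMicrosoftSecurityEvents, but EventData is a dynamic object here, so
    // fields are read with tostring(EventData.<Name>) instead of parse-kv / parse_xml, and the
    // 1102 branch keys on Provider instead of EventSourceName.
    // Filters: starttime/endtime bound TimeGenerated (inclusive at both ends); eventtype_in,
    // operation_has_any and eventresult are resolved to event IDs up front; actorusername_has_any
    // and newvalue_has_any are pre-filtered on raw EventData and re-checked after parsing;
    // disabled=true returns no rows.
    let parser = (
        starttime: datetime=datetime(null),
        endtime: datetime=datetime(null),
        srcipaddr_has_any_prefix: dynamic=dynamic([]),
        eventtype_in: dynamic=dynamic([]),
        eventresult: string='*',
        actorusername_has_any: dynamic=dynamic([]),
        operation_has_any: dynamic=dynamic([]),
        object_has_any: dynamic=dynamic([]),
        newvalue_has_any: dynamic=dynamic([]),
        disabled: bool = false ) {
        // Kept for parity with vimAuditEventMicrosoftSecurityEvents; not referenced below
        // (FilteredEventIds, derived from EventIDLookup, drives row selection).
        let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);
        // Event-ID groups used to split ParsedEvents into per-family branches.
        let EventlogEventIds = dynamic([1102]);
        let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);
        let ActiveDirectoryReplicaIds = dynamic([4929]);
        let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);
        let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]);
        let DirectoryServiceIds = dynamic([5136]);
        let AuditLogClearedEventID = dynamic([1102]);
        // Static map from Windows event ID to the normalized Operation / EventType / Object / ObjectType / EventResult.
        let EventIDLookup = datatable( EventID: int, Operation: string, EventType: string, Object: string, ObjectType: string, EventResult: string ) [
            1102, "Delete Logs", "Delete", "Security Logs", "Event Log", "Success",
            4698, "Create Scheduled Task", "Create", "", "Scheduled Task", "Success",
            4699, "Delete Scheduled Task", "Delete", "", "Scheduled Task", "Success",
            4700, "Enable Scheduled Task", "Enable", "", "Scheduled Task", "Success",
            // NOTE(review): the Operation below carries a trailing space (same as the SecurityEvent parser); an exact-match consumer would miss it.
            4701, "Disable Scheduled Task ", "Disable", "", "Scheduled Task", "Success",
            4702, "Update Scheduled Task", "Set", "", "Scheduled Task", "Success",
            4929, "Remove Active Directory Replica Source Naming Context", "Delete", "", "Other", "Success",
            5025, "Stop Firewall Service", "Disable", "Firewall Service", "Service", "Success",
            5027, "Retrieve the Security Policy From The Local Storage", "Read", "Firewall Service", "Service", "Failure",
            5028, "Parse the new Security Policy", "Set", "Firewall Service", "Service", "Failure",
            5029, "Initialize the Firewall Driver", "Initialize", "Firewall Service", "Service", "Failure",
            5030, "Start the Firewall Service", "Start", "Firewall Service", "Service", "Failure",
            5034, "Stop Firewall Driver", "Stop", "Firewall Driver", "Driver", "Failure",
            5035, "Start Firewall Driver", "Start", "Firewall Driver", "Driver", "Failure",
            5037, "Terminating Firewall Driver", "Terminate", "Firewall Driver", "Driver", "Failure",
            7035, "Start Control Sent", "Execute", "Service", "Service", "Success",
            7036, "Enter Stop State", "Stop", "Service", "Service", "Success",
            7040, "Changed Service Settings", "Set", "Service", "Service", "Success",
            7045, "Install Service", "Install", "Service", "Service", "Success",
            2009, "Load Group Policy", "Other", "Service", "Service", "Failure",
            5136, "Modified Directory Services Object", "Set", "", "Directory Service Object", "Success"
        ];
        // Resolve the eventtype_in / operation_has_any / eventresult filters to the set of event IDs
        // that can satisfy them, so the raw table is narrowed on EventID before any parsing.
        // 1102 is left out here because it is selected by the second branch below.
        let FilteredEventIds = toscalar(EventIDLookup
            | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
                and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
                and (eventresult == '*' or EventResult == eventresult)
                and EventID != 1102
            | summarize make_set(EventID) );
        let ParsedEvents = materialize( union (
            WindowsEvent
            | where not(disabled)
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and EventID in(FilteredEventIds)
            // No source IP field is mapped by this parser, so a non-empty srcipaddr_has_any_prefix yields no rows.
            // Actor and new-value filters are applied to the raw EventData first and re-checked after parsing.
            | where (array_length(srcipaddr_has_any_prefix) == 0)
                and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))
                and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
            | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
            | extend
                SubjectUserSid = tostring(EventData.SubjectUserSid),
                SubjectUserName = tostring(EventData.SubjectUserName),
                SubjectDomainName = tostring(EventData.SubjectDomainName),
                SubjectLogonId = tostring(EventData.SubjectLogonId),
                TaskName = tostring(EventData.TaskName),
                TaskContent = tostring(EventData.TaskContent),
                TaskContentNew = tostring(EventData.TaskContentNew),
                ClientProcessId = tostring(EventData.ClientProcessId),
                DestinationDRA = tostring(EventData.DestinationDRA),
                SourceDRA = tostring(EventData.SourceDRA),
                SourceAddr = tostring(EventData.SourceAddr),
                ObjectDN = tostring(EventData.ObjectDN),
                AttributeValue = tostring(EventData.AttributeValue)
            // Fixed: the second alternative previously repeated SubjectUserName, so an actor filter
            // naming the domain never matched in this branch. It now checks SubjectDomainName, as the
            // 1102 branch and vimAuditEventMicrosoftSecurityEvents do.
            | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any)
            | project-away EventData
        ), (
            // Event 1102 (security log cleared) is selected with fixed literals because its normalized
            // values are constant: Operation 'Delete Logs', EventType 'Delete', EventResult 'Success'.
            WindowsEvent
            | where not(disabled)
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
            | where EventID in (AuditLogClearedEventID) and Provider == "Microsoft-Windows-Eventlog"
            | where (array_length(srcipaddr_has_any_prefix) == 0)
                and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))
                and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
                and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))
                and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))
                and (eventresult == '*' or 'Success' =~ eventresult)
            | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
            | extend
                SubjectUserSid = tostring(EventData.SubjectUserSid),
                SubjectUserName = tostring(EventData.SubjectUserName),
                SubjectDomainName = tostring(EventData.SubjectDomainName),
                SubjectLogonId = tostring(EventData.SubjectLogonId)
            | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any) or (strcat(SubjectDomainName, '\\', SubjectUserName)) has_any (actorusername_has_any)
            | project-away EventData
        )
        | lookup EventIDLookup on EventID );
        // Per event family: apply object_has_any to the family's own object field, derive
        // Object / NewValue / OldValue / Value, and drop the raw parsed columns.
        let EventLog = ParsedEvents
            | where EventID in(EventlogEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;
        // Scheduled tasks: Object is the task name; NewValue is the task definition content, which is
        // why newvalue_has_any is re-applied here after parsing.
        let ScheduledTask = ParsedEvents
            | where EventID in(ScheduledTaskEventIds)
            | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))
            | extend Object = TaskName, NewValue = coalesce( TaskContent, TaskContentNew )
            | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
            | extend Value = NewValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        // 4929: Object/OldValue = DestinationDRA, NewValue = SourceDRA, SrcFQDN = SourceAddr.
        let ActiveDirectoryReplica = ParsedEvents
            | where EventID in(ActiveDirectoryReplicaIds)
            | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))
            | extend NewValue = SourceDRA, OldValue = DestinationDRA, SrcFQDN = SourceAddr
            | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
            | extend Value = NewValue, Object = OldValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        let WindowsFirewall = ParsedEvents
            | where EventID in(FirewallEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        let ServiceEvent = ParsedEvents
            | where EventID in(ServiceEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
            | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
        // 5136: Object is the modified object's DN, NewValue is AttributeValue.
        let DirectoryService = ParsedEvents
            | where EventID in(DirectoryServiceIds) and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))
            | extend Object = ObjectDN
            | project-rename NewValue = AttributeValue
            | extend Value = NewValue
            | project-away Task*, *DRA, SourceAddr, ObjectDN ;
        // Map to AuditEvent: resolve the Dvc fields from Computer, rename identifiers, add the constant fields.
        union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService
        | invoke _ASIM_ResolveDvcFQDN("Computer")
        | project-rename ActorUserId = SubjectUserSid, ActorSessionId = SubjectLogonId, DvcId = _ResourceId, ActingAppId = ClientProcessId, EventUid = _ItemId
        | extend
            EventCount = int(1),
            EventStartTime = TimeGenerated,
            EventEndTime= TimeGenerated,
            EventProduct = 'Security Events',
            EventVendor = 'Microsoft',
            EventSchemaVersion = '0.1.0',
            EventSchema = 'AuditEvent',
            EventOriginalType = tostring(EventID),
            DvcIdType = iff (DvcId == "", "", "AzureResourceID"),
            // Windows form 'DOMAIN\user' when a domain is present, otherwise the bare name.
            ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)),
            ActorUsernameType = iff (SubjectDomainName == "", 'Simple', 'Windows'),
            ActorUserIdType = iff (ActorUserId == "", "", "SID"),
            ActingAppType = "Process"
        | extend User = ActorUsername, Dvc = DvcFQDN
        | project-away Subject*, EventID, Computer
    };
    // Outer wrapper: forward the public parameters to the inner parser.
    parser ( starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, actorusername_has_any = actorusername_has_any, eventtype_in = eventtype_in, eventresult = eventresult, operation_has_any = operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true) ASimAuthentication( ['disabled']:bool=false) {
    // Unfiltered Authentication unifying parser: unions every source-specific ASim parser.
    // Disable entries come from the ASimDisabledParsers watchlist rows whose SearchKey is 'Any'
    // or 'ExcludeASimAuthentication'; each such row's SourceSpecificParser value names what to
    // turn off: 'Any' or 'ExcludeASimAuthentication' disables everything, 'Exclude<ParserName>'
    // disables one parser. Because the watchlist is a data-driven kill switch for authentication
    // coverage, write access to it should be restricted and its changes reviewed.
    let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludeASimAuthentication')
        | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
        | distinct SourceSpecificParser);
    // Fixed: the 'disabled' parameter was not referenced, so ASimAuthentication(disabled=true) still
    // returned rows. It now switches every parser off, matching the per-source parsers' where not(disabled).
    let ASimAuthenticationDisabled=toscalar(disabled or 'ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers));
    // isfuzzy=true: parsers missing from this database are skipped silently rather than failing the union.
    union isfuzzy=true
        vimAuthenticationEmpty,
        ASimAuthenticationAADManagedIdentitySignInLogs (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),
        ASimAuthenticationAADNonInteractiveUserSignInLogs (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),
        ASimAuthenticationAADServicePrincipalSignInLogs (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),
        ASimAuthenticationAWSCloudTrail (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),
        ASimAuthenticationBarracudaWAF (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),
        ASimAuthenticationCiscoASA (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )),
        ASimAuthenticationCiscoISE (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),
        ASimAuthenticationCiscoMeraki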
(disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),
    ASimAuthenticationCiscoMerakiSyslog (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),
    ASimAuthenticationM365Defender (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),
    ASimAuthenticationMD4IoT (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),
    ASimAuthenticationMicrosoftWindowsEvent (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),
    ASimAuthenticationOktaSSO (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),
    ASimAuthenticationOktaV2 (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),
    ASimAuthenticationPostgreSQL (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),
    ASimAuthenticationSigninLogs (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),
    ASimAuthenticationSshd (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),
    ASimAuthenticationSu (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),
    ASimAuthenticationSudo (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),
    ASimAuthenticationSalesforceSC (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),
    ASimAuthenticationVectraXDRAudit (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),
    ASimAuthenticationSentinelOne (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),
    ASimAuthenticationGoogleWorkspace (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),
    ASimAuthenticationPaloAltoCortexDataLake (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),
    ASimAuthenticationVMwareCarbonBlackCloud (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),
    // NOTE(review): the next two exclusion keys do not follow the 'Exclude<ParserName>' pattern used by every
    // other entry ('...CrowdStrikeFalcon' vs ASimAuthenticationCrowdStrikeFalconHost, '...IllumioSaaS' vs
    // ASimAuthenticationIllumioSaaSCore). An operator who derives the key from the parser name would not
    // disable these two - confirm which spelling is documented for the watchlist.
    ASimAuthenticationCrowdStrikeFalconHost (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),
    ASimAuthenticationIllumioSaaSCore (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),
    ASimAuthenticationNative (disabled=ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))
}

.create-or-alter function with (skipvalidation=true) ASimAuthenticationM365Defender(['disabled']:bool=false) {
    // Unfiltered (ASim) entry point: delegates to the filtering vim parser with every filter at its default.
    vimAuthenticationM365Defender(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimAuthenticationMicrosoftWindowsEvent( ['disabled']:bool=false) {
    // Unfiltered (ASim) entry point: delegates to the filtering vim parser with every filter at its default.
    vimAuthenticationMicrosoftWindowsEvent(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imAuthentication(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['username_has_any']:dynamic=dynamic([]),
    ['targetappname_has_any']:dynamic=dynamic([]),
    ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['srchostname_has_any']:dynamic=dynamic([]),
    ['eventtype_in']:dynamic=dynamic([]),
    ['eventresultdetails_in']:dynamic=dynamic([]),
    ['eventresult']:string='*',
    ['pack']:bool=false) {
    // Filtering (vim) Authentication unifying parser: the public parameters are passed to the
    // inner 'Generic' function, which forwards them to each source-specific vim parser and
    // unions the results.
    let Generic=(
        starttime: datetime=datetime(null),
        endtime: datetime=datetime(null),
        username_has_any: dynamic = dynamic([]),
        targetappname_has_any: dynamic = dynamic([]),
        srcipaddr_has_any_prefix: dynamic = dynamic([]),
        srchostname_has_any: dynamic = dynamic([]),
        eventtype_in: dynamic = dynamic([]),
        eventresultdetails_in: dynamic = dynamic([]),
eventresult: string = '*', pack: bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); union isfuzzy=true vimAuthenticationEmpty , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))) , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))) , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))) , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) ))) , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) ))) , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) ))) , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) ))) , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, 
eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) ))) , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))) , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) ))) , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) ))) , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) ))) , vimAuthenticationSu 
(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) ))) , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) ))) , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) ))) , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) ))) , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) ))) , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) ))) , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) ))) , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) ))) , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in 
(DisabledParsers) ))) , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) ))) , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) ))) , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) ))) , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) ))) , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) ))) , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) ))) , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) ))) }; Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack) } .create-or-alter function with (skipvalidation=true) vimAuthenticationEmpty { let EmptyAuthenticationTable=datatable( EventProduct:string , EventProductVersion: string , EventVendor:string , EventCount:int , EventReportUrl:string , EventSchemaVersion:string , EventSchema:string , TimeGenerated:datetime , EventOriginalUid:string , EventOriginalType:string , EventOriginalSubType:string , EventMessage:string , 
EventResult:string , EventResultDetails:string , EventOriginalResultDetails:string , EventStartTime:datetime , EventEndTime:datetime , EventType:string , EventSubType:string , EventUid:string , EventSeverity:string , EventOriginalSeverity:string , EventOwner:string , ActorSessionId:string , TargetSessionId:string , ActorUserId:string , ActorUsername:string , ActorUserType:string , ActorUserIdType:string , ActorUsernameType:string , ActorScopeId:string , ActorOriginalUserType:string , TargetUserId:string , TargetUsername:string , TargetUserType:string , SrcDvcId:string , SrcDvcIdType:string , SrcDeviceType:string , SrcDvcOs:string , HttpUserAgent:string , SrcIsp:string , SrcGeoCity:string , SrcGeoCountry:string , SrcGeoRegion:string , SrcGeoLatitude:real , SrcGeoLongitude:real , SrcIpAddr:string , SrcPortNumber:string , 
// NOTE(review): SrcPortNumber is declared string here, but vimAuthenticationM365Defender below
// renames RemotePort (presumably numeric) into it; same-named columns of different types may not
// merge cleanly in the union -- confirm the intended type.
SrcHostname:string , SrcDomain:string , SrcDomainType:string , SrcFQDN:string , SrcDescription:string , SrcDvcScopeId:string , SrcRiskLevel:int , SrcOriginalRiskLevel:string , ActingAppId:string , ActingAppName:string , ActingAppType:string , ActingOriginalAppType:string , TargetAppId:string , TargetAppName:string , TargetAppType:string , TargetOriginalAppType:string , TargetDvcId:string , TargetDvcIdType:string , TargetHostname:string , TargetDomain:string , TargetDomainType:string , TargetFQDN:string , TargetDescription:string , TargetDeviceType:string , TargetIpAddr:string , TargetDvcOs:string , TargetUrl:string , TargetPortNumber:int , TargetDvcScope:string , TargetDvcScopeId:string , TargetGeoCity:string , TargetGeoCountry:string , TargetGeoRegion:string , TargetGeoLatitude:real , TargetGeoLongitude:real , LogonMethod: string , LogonProtocol: string , TargetUserIdType: string , TargetUsernameType: string , UserScope:string , UserScopeId:string , TargetOriginalUserType:string , TargetUserSessionId:string , User: string , IpAddr: string , SrcDvcHostnameType: string , LogonTarget: string , Dvc: string , DvcId: string , DvcIpAddr: string , 
DvcHostname: string , 
// NOTE(review): declared as `DvcHostname` here and emitted as such by vimAuthenticationM365Defender,
// but the WindowsEvent/SecurityEvent parser later in this script emits `DvcHostName`. Kusto column
// names are case-sensitive, so the union would carry both spellings -- confirm which one the
// schema expects.
DvcDomain:string , DvcDomainType:string , DvcFQDN:string , DvcDescription:string , DvcIdType:string , DvcMacAddr:string , DvcZone:string , DvcOs:string , DvcOsVersion:string , DvcAction:string , DvcOriginalAction:string , DvcScope:string , DvcScopeOd:string , 
// NOTE(review): `DvcScopeOd` looks like a typo for `DvcScopeId` (compare SrcDvcScopeId and
// TargetDvcScopeId above); confirm against the schema before renaming, as consumers may already
// reference the column as spelled.
AdditionalFields:dynamic , Type:string , Src:string , Dst:string , Rule:string , RuleName:string , RuleNumber:int , ThreatId:string , ThreatName:string , ThreatCategory:string , ThreatOriginalRiskLevel:string , ThreatOriginalConfidence:string , ThreatIsActive:bool , ThreatField:string , ThreatConfidence:int , ThreatRiskLevel:string , ThreatFirstReportedTime:datetime , ThreatLastReportedTime:datetime , Application:string )[]; EmptyAuthenticationTable } .create-or-alter function with (skipvalidation=true) vimAuthenticationM365Defender( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
// vimAuthenticationM365Defender: normalizes DeviceLogonEvents (Defender for Endpoint) to the ASim
// Authentication schema. Parameters are the standard ASim authentication filters plus `disabled`,
// which short-circuits the parser to zero rows (`where not(disabled)`). Created with
// skipvalidation=true, so DeviceLogonEvents and the _ASIM_* helpers are only resolved at
// invocation time; a missing helper surfaces to the caller, not at deployment.
let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string) [ 'InvalidUserNameOrPassword','No such user or password' ]; let EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ 'Batch', 'Service', 'CachedInteractive', 'Interactive', 'Interactive', 'Interactive', 'Network', 'Remote', 'Remote interactive (RDP) logons', 'RemoteInteractive', 'RemoteInteractive', 'RemoteInteractive', 'Service', 'Service', 'Unknown', '' ]; let EventResultLookup = datatable (ActionType:string, EventResult:string) [ 'LogonAttempted', 'NA', 'LogonFailed', 'Failure', 'LogonSuccess', 'Success' ];
// Inner lambda carrying the filters; the three datatables above map Defender's original values
// (FailureReason, LogonType, ActionType) to normalized ASim values. 'LogonAttempted' maps to
// EventResult 'NA', so an eventresult filter of 'Success' or 'Failure' drops those rows.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), 
targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', disabled: bool=false) {
// Linux endpoints: rows whose initiating process path is POSIX (starts with "/"). Usernames stay
// "Simple" (no domain) and the SID/domain columns are dropped. `targetappname_has_any` can never
// match this source, so any non-empty value yields no rows.
let UnixDeviceLogonEvents = (disabled: bool=false) { DeviceLogonEvents | where not(disabled) | where (isnull(starttime) or Timestamp >= starttime) and (isnull(endtime) or Timestamp <= endtime) and ((array_length(username_has_any) == 0) or (InitiatingProcessAccountName has_any (username_has_any)) or AccountName has_any (username_has_any)) and (array_length(targetappname_has_any) == 0) and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix)) and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any))) and ((array_length(eventtype_in) == 0) or "Logon" in~ (eventtype_in)) | where InitiatingProcessFolderPath startswith "/" | extend ActorUsernameType = "Simple", TargetDvcOs = "Linux", TargetUsernameType = "Simple" | project-rename ActingProcessName = InitiatingProcessFolderPath, ActorUsername = InitiatingProcessAccountName, TargetUsername = AccountName | project-away InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid };
// Windows endpoints (everything else). The username filter accepts the plain name, the domain
// and the DOMAIN\user form for both actor and target; `has_any` is a term match, not a substring
// match. Identities are normalized to DOMAIN\user with SID ids, and IsLocalAdmin overrides the
// derived TargetUserType with 'Admin'.
let WindowsDeviceLogonEvents = (disabled: bool=false) { DeviceLogonEvents | where not(disabled) | where (isnull(starttime) or Timestamp >= starttime) and (isnull(endtime) or Timestamp <= endtime) and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (AccountDomain has_any (username_has_any)) or (strcat(AccountDomain, '\\', AccountName) has_any (username_has_any)) or (InitiatingProcessAccountName has_any (username_has_any)) or (InitiatingProcessAccountDomain has_any (username_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName) has_any (username_has_any))) and 
(array_length(targetappname_has_any) == 0) and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix)) and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any))) and ((array_length(eventtype_in) == 0) or "Logon" in~ (eventtype_in)) | where InitiatingProcessFolderPath !startswith "/" | extend ActingProcessName = strcat (InitiatingProcessFolderPath,'\\',InitiatingProcessFileName), ActorUserIdType = 'SID', ActorUsername = case ( isempty(InitiatingProcessAccountName), "", isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName) ), ActorUsernameType = iff ( InitiatingProcessAccountDomain == '','Simple', 'Windows' ), TargetDvcOs = "Windows", TargetUserIdType = 'SID', TargetUsername = iff ( isempty(AccountDomain), AccountName, strcat(AccountDomain, '\\', AccountName) ), TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows') | project-rename ActorUserId = InitiatingProcessAccountSid, TargetUserId = AccountSid | extend TargetUserSid = TargetUserId, ActorUserSid = ActorUserId, TargetWindowsUsername = TargetUsername, ActorWindowsUsername = ActorUsername, ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) | extend TargetUserType = iff(IsLocalAdmin, 'Admin', _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid) ) | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName };
// Merge both branches, record which side (actor/target/both) matched username_has_any, then
// rename Defender columns to ASim names. `columnifexists` is the older spelling of the
// column_ifexists used in imAuthentication (same function).
union WindowsDeviceLogonEvents (disabled=disabled), UnixDeviceLogonEvents (disabled=disabled) | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) , temp_isMatchActorUsername=ActorUsername has_any(username_has_any) | extend ASimMatchingUsername = case ( array_length(username_has_any) == 0, "-", temp_isMatchTargetUsername and temp_isMatchActorUsername, "Both", 
temp_isMatchTargetUsername, "TargetUsername", temp_isMatchActorUsername, "ActorUsername", "No match" ) | extend EventUid = columnifexists('_ItemId', "") | project-rename ActingProcessCommandLine = InitiatingProcessCommandLine, ActingProcessCreationTime = InitiatingProcessCreationTime, ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, ActingProcessMD5 = InitiatingProcessMD5, ActingProcessSHA1 = InitiatingProcessSHA1 , ActingProcessSHA256 = InitiatingProcessSHA256, ActingProcessTokenElevation = InitiatingProcessTokenElevation, ActorUserAadId = InitiatingProcessAccountObjectId, ActorUserUpn = InitiatingProcessAccountUpn, EventOriginalResultDetails = FailureReason, EventOriginalType = LogonType, LogonProtocol = Protocol, ParentProcessCreationTime = InitiatingProcessParentCreationTime, ParentProcessName = InitiatingProcessParentFileName, SrcHostname = RemoteDeviceName, SrcPortNumber = RemotePort, TargetDvcId = DeviceId | extend ActingProcessId = tostring (InitiatingProcessId), EventCount = int(1), EventEndTime = Timestamp, EventOriginalUid = tostring (ReportId), EventProduct = 'M365 Defender for EndPoint', EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', EventStartTime = Timestamp, TimeGenerated = Timestamp, EventType = 'Logon', EventVendor = 'Microsoft', ParentProcessId = tostring (InitiatingProcessParentId), SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP), TargetDvcIdType = 'MDEid', TargetSessionId = tostring (LogonId), AdditionalFields = todynamic(AdditionalFields), Type = "DeviceLogonEvents"
// Hash is the first non-empty of MD5, SHA1, SHA256 -- in that order -- and HashType records which
// one was picked, so Hash favors the weakest digest when several are present; match threat intel
// against the specific ActingProcessSHA256/SHA1/MD5 columns rather than Hash. A RemoteIP of '-'
// (no remote address) is normalized to empty above. The target device's FQDN/domain/hostname are
// derived from DeviceName by _ASIM_ResolveFQDN.
| extend Hash = coalesce( ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256 ) | extend HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "MD5"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)])) | invoke _ASIM_ResolveFQDN('DeviceName') | project-rename TargetDomain = Domain, TargetDomainType = DomainType, TargetFQDN = FQDN, TargetHostname = ExtractedHostname | project-away DeviceName 
// Apply the value lookups (left-outer: unmapped originals leave the normalized column empty) and
// re-apply the username/result filters against the normalized columns. Severity is Informational
// for Success and Low otherwise.
| lookup EventResultDetailsLookup on EventOriginalResultDetails | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any))) | lookup EventSubTypeLookup on EventOriginalType | lookup EventResultLookup on ActionType | where (eventresult == "*" or (EventResult == eventresult)) | extend EventSeverity = iff (EventResult == "Success", "Informational", "Low")
// Process columns that are not part of the Authentication schema are folded into
// AdditionalFields rather than dropped; the Dvc*/Dst/LogonTarget aliases all describe the target
// (logged-on) device here, whereas the WindowsEvent/SecurityEvent parser later in this script
// sets Dvc from SrcHostname.
| extend UnnormalizedFields = bag_pack( "ActingProcessCommandLine", ActingProcessCommandLine, "ActingProcessCreationTime", ActingProcessCreationTime, "ActingProcessIntegrityLevel", ActingProcessIntegrityLevel, "ActingProcessMD5", ActingProcessMD5, "ActingProcessSHA1", ActingProcessSHA1, "ActingProcessSHA256", ActingProcessSHA256, "ActingProcessTokenElevation", ActingProcessTokenElevation, "Hash", Hash, "HashType", HashType, "ParentProcessId", ParentProcessId, "ParentProcessCreationTime", ParentProcessCreationTime, "ParentProcessName", ParentProcessName, "ActingProcessId", ActingProcessId ) | extend AdditionalFields = bag_merge(AdditionalFields, UnnormalizedFields) | extend ActingAppName = ActingProcessName, ActingAppType = "Process", Dvc = coalesce (TargetFQDN, TargetHostname), IpAddr = SrcIpAddr, Src = coalesce (SrcIpAddr, SrcHostname), User = TargetUsername, DvcDomain = TargetDomain, DvcDomainType = TargetDomainType, DvcFQDN = TargetFQDN, DvcHostname = TargetHostname, DvcId = TargetDvcId, DvcIdType = TargetDvcIdType, DvcOs = TargetDvcOs | extend Dst = Dvc, LogonTarget = Dvc
// Final column list; the temp_* helpers and the ActorUserSid/*WindowsUsername scratch columns are
// dropped here.
| project TimeGenerated, Timestamp, Type, AdditionalFields, ActorUsernameType, TargetDvcOs, TargetUsernameType, ActingProcessName, ActorUsername, TargetUsername, ActorUserIdType, TargetUserIdType, ActorUserId, TargetUserId, TargetUserSid, ActorUserType, ActorUserAadId, ActorUserUpn, EventOriginalResultDetails, EventOriginalType, EventUid, LogonProtocol, SrcHostname, 
SrcPortNumber, TargetDvcId, EventCount, EventEndTime, EventOriginalUid, EventProduct, EventSchema, EventSchemaVersion, EventStartTime, EventType, EventVendor, SrcIpAddr, TargetDvcIdType, TargetSessionId, TargetDomain, TargetDomainType, TargetFQDN, TargetHostname, EventResultDetails, EventSubType, EventResult, EventSeverity, ActingAppName, ActingAppType, Dvc, IpAddr, Src, User, DvcDomain, DvcDomainType, DvcFQDN, DvcHostname, DvcId, DvcIdType, DvcOs, Dst, LogonTarget, ASimMatchingUsername }; parser ( starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimAuthenticationMicrosoftWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
// vimAuthenticationMicrosoftWindowsEvent: normalizes Security-Auditing logon (4624/4625) and
// logoff (4634/4647) events from both the WindowsEvent and SecurityEvent tables. LogonTypes maps
// the numeric LogonType to EventSubType; LogonStatus maps NTSTATUS/SEC_E codes (taken from Status
// or SubStatus) to EventOriginalResultDetails/EventResultDetails, with most codes collapsed to
// 'Other'. The body continues beyond this point.
let LogonEvents=dynamic([4624, 4625]); let LogoffEvents=dynamic([4634, 4647]); let LogonTypes=datatable(LogonType: int, EventSubType: string) [ 2, 'Interactive', 3, 'Remote', 4, 'System', 5, 'Service', 7, 'Interactive', 8, 'NetworkCleartext', 9, 'AssumeRole', 10, 'RemoteInteractive', 11, 'Interactive' ]; let LogonStatus=datatable ( EventStatus: string, EventOriginalResultDetails: string, EventResultDetails: string ) [ '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other', '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password', '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy', '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy', 
'0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired', '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled', '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other', '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other', '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired', '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other', '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other', '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other', '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other', '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other', '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other', '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other', '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other', '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other', '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other', '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other', '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other', '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other', '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other', '0xc0000017', 'STATUS_NO_MEMORY', 'Other', '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other', '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other', '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other', '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password', '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other', '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy', '0xc0000073', 'STATUS_NONE_MAPPED', 'Other', '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other', '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other', '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other', '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other', '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy', '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy', '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy', '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other', '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked', 
'0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other' ]; let WinLogon=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', disabled: bool=false) { WindowsEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\', tostring(EventData.SubjectUserName)) has_any (username_has_any))) and (array_length(targetappname_has_any) == 0) and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix))) and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any) or Computer has_any (srchostname_has_any)) | where Provider == 'Microsoft-Windows-Security-Auditing' | where EventID in (LogonEvents) or EventID in (LogoffEvents) | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type | extend LogonProtocol = tostring(EventData.AuthenticationPackageName), SrcIpAddr = tostring(EventData.IpAddress), TargetPortNumber = toint(EventData.IpPort), LogonGuid = tostring(EventData.LogonGuid), LogonType = toint(EventData.LogonType), ActingProcessCreationTime = 
EventData.ProcessCreationTime, ActingProcessId = tostring(toint(EventData.ProcessId)), ActingProcessName = tostring(EventData.ProcessName), Status = tostring(EventData.Status), ActorSessionId = tostring(EventData.SubjectLogonId), ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\", EventData.SubjectUserName))), ActorUserId = tostring(EventData.SubjectUserSid), SubStatus = tostring(EventData.SubStatus), TargetDomainName = tostring(EventData.TargetDomainName), TargetSessionId = tostring(EventData.TargetLogonId), TargetUserId = tostring(EventData.TargetUserSid), TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\", EventData.TargetUserName))) | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) , temp_isMatchActorUsername=ActorUsername has_any(username_has_any) | extend ASimMatchingUsername = case ( array_length(username_has_any) == 0, "-", temp_isMatchTargetUsername and temp_isMatchActorUsername, "Both", temp_isMatchTargetUsername, "TargetUsername", temp_isMatchActorUsername, "ActorUsername", "No match" ) | extend SrcHostname = tostring(iff(EventData.WorkstationName in ('-', ''), Computer, EventData.WorkstationName)), EventProduct = "Security Events" | where (array_length(srchostname_has_any) == 0 or SrcHostname has_any (srchostname_has_any)) | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus) | extend EventMessage = case ( EventID == 4634, "4634 - An account was logged off.", EventID == 4625, "4625 - An account failed to log on.", EventID == 4624, "4624 - An account was successfully logged on.", "4647 - User initiated logoff." 
), EventResult = iff(EventID == 4625, 'Failure', 'Success') | where (eventresult == "*" or (EventResult == eventresult)) and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any))) | project-rename TargetDvcHostname = Computer , EventOriginalUid = EventOriginId , EventOriginalType=EventID | extend EventCount=int(1) , EventSchema = 'Authentication' , EventSchemaVersion='0.1.3' , ActorUserIdType='SID' , TargetUserIdType='SID' , EventVendor='Microsoft' , EventStartTime =TimeGenerated , EventEndTime=TimeGenerated , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') , ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') , TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows') , SrcDvcOs = 'Windows' , EventStatus= iff(SubStatus == '0x0', Status, SubStatus) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) | extend ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) , EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) | lookup LogonTypes on LogonType | extend User=TargetUsername, LogonTarget=TargetDvcHostname, Dvc=SrcHostname, DvcHostName=SrcHostname, IpAddr=SrcIpAddr | project-away EventData, LogonGuid, EventStatus, LogonType, Status, SubStatus, TargetDomainName, TargetDvcHostname }; let SecEventLogon =(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', disabled: bool=false) 
{ SecurityEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\', SubjectUserName) has_any (username_has_any))) and (array_length(targetappname_has_any) == 0) and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix)) and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)) or (Computer has_any (srchostname_has_any))) | where EventID in (LogonEvents) or EventID in (LogoffEvents) | project SubjectLogonId, SubjectUserSid, Activity, EventID, EventOriginId, AuthenticationPackageName, WorkstationName, IpAddress, Computer, TargetLogonId, TargetUserSid, SubjectDomainName, SubjectUserName, SubjectAccount, TimeGenerated, SubStatus, TargetDomainName, TargetUserName, AccountType, TargetAccount, Status, LogonType, Type | project-rename EventMessage = Activity , ActorSessionId=SubjectLogonId , TargetSessionId=TargetLogonId , ActorUserId=SubjectUserSid , TargetUserId =TargetUserSid , TargetDvcHostname = Computer , EventOriginalUid = EventOriginId , LogonProtocol=AuthenticationPackageName , SrcIpAddr=IpAddress , EventOriginalType=EventID | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success') , EventCount=int(1) , EventSchema = 'Authentication' , EventSchemaVersion='0.1.3' , EventProduct = "Security Events" , ActorUserIdType='SID' , TargetUserIdType='SID' , EventVendor='Microsoft' , EventStartTime =TimeGenerated , EventEndTime=TimeGenerated , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') , ActorUsername = iff 
(SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount) , ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows') , TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)) , TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows') , SrcDvcOs = 'Windows' , SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName) , EventStatus= iff(SubStatus == '0x0', Status, SubStatus) | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) , temp_isMatchActorUsername=ActorUsername has_any(username_has_any) | extend ASimMatchingUsername = case ( array_length(username_has_any) == 0, "-", temp_isMatchTargetUsername and temp_isMatchActorUsername, "Both", temp_isMatchTargetUsername, "TargetUsername", temp_isMatchActorUsername, "ActorUsername", "No match" ) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and (eventresult == "*" or (EventResult == eventresult)) and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any))) | project-away TargetUserName, AccountType | extend ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) , EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) | lookup LogonTypes on LogonType | extend User=TargetUsername, LogonTarget=TargetDvcHostname, Dvc=SrcHostname, DvcHostName = SrcHostname, IpAddr=SrcIpAddr | project-away EventStatus, LogonType, Status, SubStatus, SubjectAccount, SubjectDomainName, SubjectUserName, EventStatus, TargetAccount, TargetDomainName, TargetDvcHostname }; union SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
// Continuation of the enclosing authentication parser: the closing union of the
// SecEventLogon and WinLogon sub-parsers (the definition starts above this block).
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)
, WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimDns( ['pack']:bool=false) {
  // ASimDns: unifying DNS parser, ASim (non-filtering) flavour. Unions every
  // source-specific ASim DNS parser; each one can be switched off by an operator
  // through the 'ASimDisabledParsers' watchlist. 'pack' is accepted for interface
  // parity with the other unifying parsers but is not read anywhere in this body.
  // Kill switches: 'Any' or the built-in key disable every branch, the
  // per-source keys disable exactly one branch.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
  let imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  // isfuzzy=true keeps the union working when a referenced parser is not deployed.
  // NOTE(review): 'ExcludeASimASimDnsAzureFirewall' (doubled "ASim") and
  // 'ExcludeASimDnsDnsGcp' (doubled "Dns") do not follow the ExcludeASimDns<Source>
  // pattern used by the other keys; 'in' is case-sensitive, so a watchlist entry
  // written by the pattern would not disable those two branches. Left unchanged
  // because renaming the keys would silently re-enable parsers for anyone whose
  // watchlist uses the current spelling.
  union isfuzzy=true vimDnsEmpty,
    ASimDnsAzureFirewall (disabled=imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),
    ASimDnsCiscoUmbrella (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),
    ASimDnsCorelightZeek (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),
    ASimDnsFortinetFortiGate (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),
    ASimDnsGcp (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),
    ASimDnsInfobloxNIOS (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),
    ASimDnsMicrosoftNXlog (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),
    ASimDnsMicrosoftOMS (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),
    ASimDnsMicrosoftSysmon (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmon' in (DisabledParsers) )),
    ASimDnsMicrosoftSysmonWindowsEvent (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),
    ASimDnsNative (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),
    ASimDnsSentinelOne (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),
    ASimDnsVectraAI (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),
    ASimDnsZscalerZIA (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) )),
    ASimDnsInfobloxBloxOne (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxBloxOne' in (DisabledParsers) ))
}

.create-or-alter function with (skipvalidation=true) ASimDnsCorelightZeek(['disabled']:bool=false) {
  // ASim (parameterless) entry point for the Corelight Zeek DNS parser;
  // delegates to the filtering parser with only 'disabled' set.
  vimDnsCorelightZeek(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimDnsMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
  // ASim entry point for Sysmon DNS query events ingested through WindowsEvent;
  // delegates to the filtering parser with only 'disabled' set.
  vimDnsMicrosoftSysmonWindowsEvent(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imDns( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='lookup', ['pack']:bool=false) {
  // imDns: unifying DNS parser, filtering flavour. Every filter parameter is
  // forwarded to each source-specific vim parser so that filtering happens as
  // close to the source table as possible. The body continues past this block.
  let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){
    // Same watchlist-driven kill switch as ASimDns, keyed on 'ExcludeimDns'.
    let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
    let imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers)
    // (continuation of imDns.Generic: the built-in kill-switch expression is cut by the page boundary)
    or 'Any' in (DisabledParsers));
    // Each vim parser receives the complete filter set plus its own exclusion flag;
    // isfuzzy=true tolerates parsers that are not deployed in this workspace.
    // NOTE(review): 'ExcludevimDnsDnsGcp' (doubled "Dns") and
    // 'ExcludevimDnsMicrosoftSysmonWindowsevent' (lower-case "event") break the
    // ExcludevimDns<Source> pattern of the other keys; 'in' is case-sensitive, so a
    // watchlist entry written by the pattern will not disable those two branches.
    // Left unchanged because renaming would silently re-enable parsers for anyone
    // whose watchlist uses the current spelling.
    union isfuzzy=true vimDnsEmpty,
      vimDnsAzureFirewall (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) ))),
      vimDnsCiscoUmbrella (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) ))),
      vimDnsCorelightZeek (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),
      vimDnsFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsFortinetFortiGate' in (DisabledParsers) ))),
      vimDnsGcp (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) ))),
      vimDnsInfobloxNIOS (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) ))),
      vimDnsMicrosoftNXlog (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) ))),
      vimDnsMicrosoftOMS (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) ))),
      vimDnsMicrosoftSysmon (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) ))),
      vimDnsMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsevent' in (DisabledParsers) ))),
      vimDnsNative (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),
      vimDnsSentinelOne (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),
      vimDnsVectraAI (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),
      vimDnsZscalerZIA (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) ))),
      vimDnsInfobloxBloxOne (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsInfobloxBloxOne' in (DisabledParsers) )))
  };
  // 'pack' is forwarded to Generic, which declares but does not read it.
  Generic( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)
}

.create-or-alter function with (skipvalidation=true) vimDnsCorelightZeek( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) {
  // vimDnsCorelightZeek: filtering DNS parser for Corelight/Zeek dns.log records
  // stored as raw JSON in Corelight_CL.Message. The body continues past this block.
  // Numeric DNS query type -> RFC mnemonic. Codes missing from this table are
  // rendered as TYPE<n> further down. The table continues on the following lines.
  let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[
    0, "Reserved", 1, "A", 2, "NS", 3, "MD", 4, "MF", 5, "CNAME", 6, "SOA",
7, "MB", 8, "MG", 9, "MR", 10, "NULL", 11, "WKS", 12, "PTR", 13, "HINFO", 14, "MINFO", 15, "MX", 16, "TXT", 17, "RP", 18, "AFSDB", 19, "X25", 20, "ISDN", 21, "RT", 22, "NSAP", 23, "NSAP-PTR", 24, "SIG", 25, "KEY", 26, "PX", 27, "GPOS", 28, "AAAA", 29, "LOC", 30, "NXT", 31, "EID", 32, "NIMLOC", 33, "SRV", 34, "ATMA", 35, "NAPTR", 36, "KX", 37, "CERT", 38, "A6", 39, "DNAME", 40, "SINK", 41, "OPT", 42, "APL", 43, "DS", 44, "SSHFP", 45, "IPSECKEY", 46, "RRSIG", 47, "NSEC", 48, "DNSKEY", 49, "DHCID", 50, "NSEC3", 51, "NSEC3PARAM", 52, "TLSA", 53, "SMIMEA", 54, "Unassigned", 55, "HIP", 56, "NINFO", 57, "RKEY", 58, "TALINK", 59, "CDS", 60, "CDNSKEY", 61, "OPENPGPKEY", 62, "CSYNC", 99, "SPF", 100, "UINFO", 101, "UID", 102, "GID", 103, "UNSPEC", 104, "NID", 105, "L32", 106, "L64", 107, "LP", 108, "EUI48", 109, "EUI64", 249, "TKEY", 250, "TSIG", 251, "IXFR", 252, "AXFR", 253, "MAILB", 254, "MAILA", 255, "ANY", 256, "URI", 257, "CAA", 258, "AVC", 259, "DOA", 32768, "TA", 32769, "DLV"]; let class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[ 0, 'Reserved', 1, 'IN', 2, 'Unassigned', 3, 'CH', 4, 'HS', 254, 'None', 255, 'Any']; let parser=( starttime:datetime=datetime(null) , endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*' , response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query' , disabled:bool=false ){ Corelight_CL | where not(disabled) | where (eventtype in~ ('lookup', 'Query')) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and (Message has '"_path":"dns"' or Message has '"_path":"dns_red"') and (srcipaddr=='*' or has_ipv4(Message, srcipaddr)) and (array_length(domain_has_any) ==0 or Message has_any (domain_has_any)) and (responsecodename=='*' or Message has responsecodename) and (response_has_ipv4=='*' or has_ipv4(Message,response_has_ipv4) ) and 
(array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(Message, response_has_any_prefix)) | project Message, TimeGenerated | extend parsed_msg = parse_json(Message) | extend Dvc = tostring(parsed_msg.host.name) | parse-kv Message as ( ['"_write_ts"']:datetime, ['"ts"']:datetime, ['"uid"']:string, ['"id.orig_h"']:string, ['"id.orig_p"']:int, ['"id.resp_h"']:string, ['"id.resp_p"']:int, ['"proto"']:string, ['"trans_id"']:int, ['"query"']:string, ['"qclass"']:int, ['"qtype"']:int, ['"AA"']:bool, ['"TC"']:bool, ['"CD"']:bool, ['"RD"']:bool, ['"RA"']:bool, ['"Z"']:int, ['"rejected"']:bool, ['"rcode"']:int, ['"rcode_name"']:string, ['"rtt"']:real, ) with (quote = '"') | extend answers = tostring(parsed_msg.answers) | extend TTLs = tostring(parsed_msg.TTLs) | where (srcipaddr=="*" or srcipaddr==['"id.orig_h"']) and (array_length(domain_has_any) ==0 or ['"query"'] has_any (domain_has_any)) and (responsecodename=="*" or ['"rcode_name"'] has responsecodename) and (response_has_ipv4=='*' or has_ipv4(answers,response_has_ipv4) ) and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers, response_has_any_prefix)) | extend EventCount=int(1), EventProduct="Zeek", EventVendor="Corelight", EventSchema = "Dns", EventSchemaVersion="0.1.4", EventType="Query" | project-rename EventStartTime= ['"ts"'], EventEndTime = ['"_write_ts"'], EventOriginalUid = ['"uid"'], SrcIpAddr = ['"id.orig_h"'], SrcPortNumber = ['"id.orig_p"'], DstIpAddr = ['"id.resp_h"'], DstPortNumber = ['"id.resp_p"'], NetworkProtocol = ['"proto"'], DnsQuery = ['"query"'], DnsResponseCode = ['"rcode"'], EventResultDetails = ['"rcode_name"'], DnsFlagsAuthoritative = ['"AA"'], DnsFlagsTruncated = ['"TC"'], DnsFlagsRecursionDesired = ['"RD"'], DnsFlagsCheckingDisabled = ['"CD"'], DnsFlagsRecursionAvailable = ['"RA"'], DnsQueryClass = ['"qclass"'], DnsQueryType = ['"qtype"'], rtt = ['"rtt"'], Z = ['"Z"'], trans_id = ['"trans_id"'], rejected = ['"rejected"'] | lookup query_type_lookup on 
DnsQueryType | lookup class_lookup on DnsQueryClass | extend EventSubType=iff(isnull(DnsResponseCode),'request','response'), DnsNetworkDuration = toint(rtt*1000), EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'), DnsQueryTypeName = case (DnsQueryTypeName == "" and not(isnull(DnsQueryType)), strcat("TYPE", DnsQueryType), DnsQueryTypeName), DnsQueryClassName = case (DnsQueryClassName == "" and not(isnull(DnsQueryClass)), strcat("CLASS", DnsQueryClass), DnsQueryClassName), TransactionIdHex = tohex(toint(trans_id)), DnsFlagsZ = (Z != 0), DnsResponseName = iff(isempty(answers) or answers == "[]", "", strcat_array(todynamic(answers), ";")) | project-away rtt | extend DnsResponseCodeName=EventResultDetails, Domain=DnsQuery, IpAddr=SrcIpAddr, Src=SrcIpAddr, Duration=DnsNetworkDuration, Dst=DstIpAddr | project-away Message, Z, TTLs, answers, trans_id, rejected, parsed_msg }; parser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, disabled=disabled) } .create-or-alter function with (skipvalidation=true) vimDnsEmpty { let EmptyNewDnsEvents=datatable( _ResourceId: string, AdditionalFields: dynamic, DnsFlags: string, DnsFlagsAuthenticated: bool, DnsFlagsAuthoritative: bool, DnsFlagsCheckingDisabled: bool, DnsFlagsRecursionAvailable: bool, DnsFlagsRecursionDesired: bool, DnsFlagsTruncated: bool, DnsFlagsZ: bool, DnsNetworkDuration: int, DnsQuery: string, DnsQueryClass: int, DnsQueryClassName: string, DnsQueryType: int, DnsQueryTypeName: string, DnsResponseCode: int, DnsResponseCodeName: string, DnsResponseIpCity: string, DnsResponseIpCountry: string, DnsResponseIpLatitude: real, DnsResponseIpLongitude: real, DnsResponseIpRegion: string, DnsResponseName: string, DnsSessionId: string, Domain: string, DomainCategory: string, Dst: string, DstDescription: string, DstDeviceType: string, 
DstDomain: string, DstDomainType: string, DstDvcId: string, DstDvcIdType: string, DstDvcScopeId: string, DstDvcScope: string, DstFQDN: string, DstGeoCity: string, DstGeoCountry: string, DstGeoLatitude: real, DstGeoLongitude: real, DstGeoRegion: string, DstHostname: string, DstIpAddr: string, DstPortNumber: int, DstRiskLevel: int, DstOriginalRiskLevel: string, Duration: int, Dvc: string, DvcAction: string, DvcDescription: string, DvcDomain: string, DvcDomainType: string, DvcFQDN: string, DvcHostname: string, DvcId: string, DvcIdType: string, DvcInterface: string, DvcIpAddr: string, DvcMacAddr: string, DvcOriginalAction: string, DvcOs: string, DvcOsVersion: string, DvcScope: string, DvcScopeId: string, DvcZone: string, EventCount: int, EventEndTime: datetime, EventMessage: string, EventOriginalSeverity: string, EventOriginalSubType: string, EventOriginalType: string, EventOriginalUid: string, EventOwner: string, EventProduct: string, EventProductVersion: string, EventReportUrl: string, EventResult: string, EventResultDetails: string, EventSchema: string, EventSchemaVersion: string, EventSeverity: string, EventStartTime: datetime, EventSubType: string, EventType: string, EventUid: string, EventVendor: string, Hostname: string, IpAddr: string, NetworkProtocol: string, NetworkProtocolVersion: string, Process: string, Rule: string, RuleName: string, RuleNumber: int, SessionId: string, Src: string, SrcDescription: string, SrcDeviceType: string, SrcDomain: string, SrcDomainType: string, SrcDvcId: string, SrcDvcIdType: string, SrcDvcScope: string, SrcDvcScopeId: string, SrcFQDN: string, SrcGeoCity: string, SrcGeoCountry: string, SrcGeoLatitude: real, SrcGeoLongitude: real, SrcGeoRegion: string, SrcHostname: string, SrcIpAddr: string, SrcOriginalRiskLevel: string, SrcOriginalUserType: string, SrcPortNumber: int, SrcProcessGuid: string, SrcProcessId: string, SrcProcessName: string, SrcRiskLevel: int, SrcUserId: string, SrcUserAadId: string, SrcUserSid: string, SrcUserAWSId: 
string, SrcUserOktaId: string, SrcUserUid: string, SrcUserIdType: string, SrcUserScope: string, SrcUserScopeId: string, SrcUsername: string, SrcUsernameType: string, SrcUserType: string, SrcUserSessionId: string, TenantId: string, ThreatCategory: string, ThreatConfidence: int, ThreatField: string, ThreatFirstReportedTime: datetime, ThreatId: string, ThreatIpAddr: string, ThreatIsActive: bool, ThreatLastReportedTime: datetime, ThreatName: string, ThreatOriginalConfidence: string, ThreatOriginalRiskLevel: string, ThreatRiskLevel: int, TimeGenerated: datetime, TransactionIdHex: string, Type: string, UrlCategory: string, User: string )[]; EmptyNewDnsEvents } .create-or-alter function with (skipvalidation=true) vimDnsMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='lookup', ['disabled']:bool=false) { let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[ 0, 'NOERROR' , 9001, "FORMERR" , 9002,"SERVFAIL" , 9003,'NXDOMAIN' , 9004,'NOTIMP' , 9005,'REFUSED' , 9006,'YXDOMAIN' , 9007,'YXRRSET' , 9008,'NXRRSET' , 9009,'NOTAUTH' , 9010,'NOTZONE' , 9011,'DSOTYPENI' , 9016,'BADVERS' , 9016,'BADSIG' , 9017,'BADKEY' , 9018,'BADTIME' , 9019,'BADMODE' , 9020,'BADNAME' , 9021,'BADALG' , 9022,'BADTRUNC' , 9023,'BADCOOKIE' , 1460, 'TIMEOUT' ]; let ParsedDnsEvent_WindowsEvent =( starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup' , disabled:bool=false ) { WindowsEvent | where not(disabled) | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId | where 
      // (continuation of ParsedDnsEvent_WindowsEvent, cut by the page boundary: only Sysmon event 22 is a DNS query)
      Provider == "Microsoft-Windows-Sysmon" and EventID == 22
    | project-away Provider, EventID
    // Sysmon event 22 carries no source IP, so any srcipaddr filter other than '*'
    // yields no rows by design; likewise only eventtype 'lookup' is supported.
    // Domain / response filters are applied coarsely on the raw EventData first and
    // exactly on the parsed fields in ParsedDnsEvent.
    | where (eventtype=='lookup')
        and (srcipaddr=='*')
        and (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
        and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))
        and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )
        and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))
    | extend DnsResponseCode = toint(EventData.QueryStatus)
    | lookup RCodeTable on DnsResponseCode
    | where (responsecodename=="*" or DnsResponseCodeName has responsecodename)
    // Process attribution (Image, ProcessGuid, ProcessId, User) is what makes Sysmon
    // DNS telemetry useful for detection: each query is tied to the issuing process.
    | extend RuleName = tostring(EventData.RuleName), EventEndTime = todatetime(EventData.UtcTime), SrcProcessGuid = tostring(EventData.ProcessGuid), SrcProcessId = tostring(EventData.ProcessId), DnsQuery = tostring(EventData.QueryName), DnsResponseName = tostring(EventData.QueryResults), SrcProcessName = tostring(EventData.Image), SrcUsername = tostring(EventData.User), EventUid = _ItemId
    | project-away EventData
    // Strip the braces Sysmon puts around the GUID.
    | parse SrcProcessGuid with '{' SrcProcessGuid '}'
  };
  // Normalisation layer: exact filters on the parsed fields, then ASim field mapping.
  let ParsedDnsEvent=( starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup' , disabled:bool=false ) {
    ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)
    | where (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))
        and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )
        and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))
    | project-rename DvcHostname = Computer, DvcScopeId = _SubscriptionId, DvcId = _ResourceId
    // Sysmon writes "-" for empty fields; map it to an empty string.
    | extend EventOriginalType = '22', EventCount=int(1), EventProduct = 'Sysmon', EventVendor = 'Microsoft', EventSchema = 'Dns', EventSchemaVersion="0.1.6", EventType = 'Query', EventResult = iff (DnsResponseCode == 0,'Success','Failure'), EventStartTime = EventEndTime, EventSubType= 'response', EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'), SrcUsernameType = 'Windows', RuleName = iff (RuleName == "-", "", RuleName), DnsResponseName = iff (DnsResponseName == "-", "", DnsResponseName), DnsResponseCodeName = iff (DnsResponseCodeName == "", "NA", DnsResponseCodeName), DvcIdType = iff (DvcId != "", "AzureResourceId", "")
    // ASim aliases; the Windows 9000 offset is removed so DnsResponseCode holds the standard rcode.
    | extend EventResultDetails = DnsResponseCodeName, Domain = DnsQuery, Dvc = DvcHostname, SrcHostname = DvcHostname, Src = DvcHostname, Hostname=DvcHostname, DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)), User = SrcUsername, Process = SrcProcessName, Rule = RuleName, DvcAzureResourceId = DvcId
    | project-away DvcAzureResourceId
  };
  ParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimFileEvent( ['pack']:bool=false) {
  // ASimFileEvent: unifying File Event parser, ASim (non-filtering) flavour.
  // Unions every source-specific ASim file-event parser, each switchable through
  // the 'ASimDisabledParsers' watchlist. The union continues past this block.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
  let ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  // 'pack' is accepted by the inner parser but not read in the visible body.
  let parser=(pack:bool=false){
    union isfuzzy=true vimFileEventEmpty,
      ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),
      // (continuation of the ASimFileEvent union, cut by the page boundary)
      ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),
      ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),
      ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),
      ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),
      ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),
      ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),
      ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),
      ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
      ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),
      ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),
      ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),
      ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),
      ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),
      ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),
      ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))
  };
  parser (pack=pack)
}

.create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoft365D(['disabled']:bool=false) {
  // ASim entry point for Microsoft 365 Defender file events; delegates to the filtering parser.
  vimFileEventMicrosoft365D(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSecurityEvents(['disabled']:bool=false) {
  // ASim entry point for file events from the SecurityEvent table; delegates to the filtering parser.
  vimFileEventMicrosoftSecurityEvents(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
  // ASim entry point for Sysmon file events ingested through WindowsEvent; delegates to the filtering parser.
  vimFileEventMicrosoftSysmonWindowsEvent(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftWindowsEvents(['disabled']:bool=false) {
  // ASim entry point for file events from the WindowsEvent table; delegates to the filtering parser.
  vimFileEventMicrosoftWindowsEvents(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imFileEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) {
  // imFileEvent: unifying File Event parser, filtering flavour. Forwards every
  // filter parameter to each source-specific vim parser. The body continues past
  // this block.
  // NOTE(review): the outer 'disabled' parameter is not passed to the inner parser
  // and is not referenced in the visible part of the body; confirm whether callers
  // expect disabled=true to short-circuit this function.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
  let vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  let parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), pack: bool=false ) {
    union isfuzzy=true vimFileEventEmpty,
vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))), vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))), vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))), vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))), vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, 
targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))), vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))), vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))), vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))), vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))), vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))), vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))), vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))), vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))), vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))), vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))), vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers)))) }; parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack) } .create-or-alter function with (skipvalidation=true) vimFileEventEmpty { let FileEvent=datatable( _ResourceId:string, ActingProcessCommandLine:string, ActingProcessGuid:string, ActingProcessId:string, ActingProcessName:string, ActorOriginalUserType:string, ActorScope:string, ActorScopeId:string, ActorSessionId:string, ActorUserAadId:string, ActorUserId:string, ActorUserIdType:string, ActorUsername:string, 
ActorUsernameType:string, ActorUserSid:string, ActorUserType:string, AdditionalFields:dynamic, Application:string, Dvc:string, DvcAction:string, DvcDescription:string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcHostname:string, DvcId:string, DvcIdType:string, DvcInterface:string, DvcIpAddr:string, DvcMacAddr:string, DvcOriginalAction:string, DvcOs:string, DvcOsVersion:string, DvcScopeId:string, DvcScope:string, DvcZone:string, EventCount:int, EventEndTime:datetime, EventMessage:string, EventOriginalResultDetails:string, EventOriginalSeverity:string, EventOriginalSubType:string, EventOriginalType:string, EventOriginalUid:string, EventOwner:string, EventProduct:string, EventProductVersion:string, EventReportUrl:string, EventResult:string, EventSchema:string, EventSchemaVersion:string, EventSeverity:string, EventStartTime:datetime, EventType:string, EventUid:string, EventVendor:string, EventSubType:string, EventResultDetails:string, FileName:string, FilePath:string, Hash:string, HashType:string, HttpUserAgent:string, IpAddr:string, NetworkApplicationProtocol:string, Process:string, Rule:string, RuleName:string, RuleNumber:int, Src:string, SrcDescription:string, SrcDeviceType:string, SrcDomain:string, SrcDomainType:string, SrcDvcId:string, SrcDvcIdType:string, SrcDvcScope:string, SrcDvcScopeId:string, SrcFileCreationTime:datetime, SrcFileDirectory:string, SrcFileExtension:string, SrcFileMD5:string, SrcFileMimeType:string, SrcFileName:string, SrcFilePath:string, SrcFilePathType:string, SrcFileSHA1:string, SrcFileSHA256:string, SrcFileSHA512:string, SrcFileSize:long, SrcFQDN:string, SrcGeoCity:string, SrcGeoCountry:string, SrcGeoLatitude:real, SrcGeoLongitude:real, SrcGeoRegion:string, SrcHostname:string, SrcIpAddr:string, SrcPortNumber:int, SrcMacAddr:string, SrcRiskLevel:int, SrcOriginalRiskLevel:string, TargetAppId:string, TargetAppName:string, TargetAppType:string, TargetOriginalAppType:string, TargetFileCreationTime:datetime, 
TargetFileDirectory:string, TargetFileExtension:string, TargetFileMD5:string, TargetFileMimeType:string, TargetFileName:string, TargetFilePath:string, TargetFilePathType:string, TargetFileSHA1:string, TargetFileSHA256:string, TargetFileSHA512:string, TargetFileSize:long, TargetUrl:string, ThreatCategory:string, ThreatConfidence:int, ThreatField:string, ThreatFilePath:string, ThreatFirstReportedTime:datetime, ThreatId:string, ThreatIpAddr:string, ThreatIsActive:bool, ThreatLastReportedTime:datetime, ThreatName:string, ThreatOriginalConfidence:string, ThreatOriginalRiskLevel:string, ThreatRiskLevel:int, TimeGenerated:datetime, Type:string, Url:string, User:string, ActorUserPuid:string, ActorUpn:string, Dst:string )[]; FileEvent } .create-or-alter function with (skipvalidation=true) vimFileEventMicrosoft365D( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let protocols = dynamic(['smb']); let parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let remote_events = DeviceFileEvents | where not(disabled) | where (isnull(starttime) or Timestamp >= starttime) and (isnull(endtime) or Timestamp <= endtime) | where isnotempty(RequestAccountName) | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(RequestSourceIP, srcipaddr_has_any_prefix))) and ((array_length(actorusername_has_any) == 0) or (RequestAccountName has_any (actorusername_has_any)) or (RequestAccountDomain has_any (actorusername_has_any)) or (strcat(RequestAccountDomain, '\\', RequestAccountName) has_any (actorusername_has_any))) and ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith "/", "/", "\\"), FileName) has_any (targetfilepath_has_any))) and ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith "/", "/", "\\"), PreviousFileName) has_any (srcfilepath_has_any))) and ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) | project-rename SrcIpAddr = RequestSourceIP, ActorUserSid = RequestAccountSid, TargetUserSid = InitiatingProcessAccountSid, TargetUserAadId = InitiatingProcessAccountObjectId, TargetUserUpn = InitiatingProcessAccountUpn | extend ActorWindowsUsername = strcat(RequestAccountDomain, '\\', RequestAccountName), TargetWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName), ActorUserUpn = "", ActorUserAadId = "" | extend ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid), TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid) | extend SrcPortNumber = toint(RequestSourcePort), TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername), TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'), TargetUserId = coalesce(TargetUserAadId, TargetUserSid), TargetUserIdType = iff(isempty(TargetUserSid), 'AADID', 'SID'), 
IpAddr = SrcIpAddr, Src = SrcIpAddr ; let local_events = DeviceFileEvents | where not(disabled) | where (isnull(starttime) or Timestamp >= starttime) and (isnull(endtime) or Timestamp <= endtime) | where isempty(RequestAccountName) | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and ((array_length(srcipaddr_has_any_prefix) == 0)) and ((array_length(actorusername_has_any) == 0) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName) has_any (actorusername_has_any)) or (InitiatingProcessAccountUpn has_any (actorusername_has_any))) and ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith "/", "/", "\\"), FileName) has_any (targetfilepath_has_any))) and ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith "/", "/", "\\"), PreviousFileName) has_any (srcfilepath_has_any))) and ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) | project-rename ActorUserSid = InitiatingProcessAccountSid, ActorUserAadId = InitiatingProcessAccountObjectId, ActorUserUpn = InitiatingProcessAccountUpn | extend ActorWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName) | extend ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid) | project-away RequestAccountSid, RequestSourceIP ; union remote_events , local_events | project-rename EventType = ActionType, DvcId = DeviceId, TargetFileMD5 = MD5, 
TargetFileSHA1 = SHA1, TargetFileSHA256 = SHA256, ActingProcessCommandLine = InitiatingProcessCommandLine, ActingProcessName =InitiatingProcessFolderPath, ActingProcessMD5 = InitiatingProcessMD5, ActingProcessSHA1 = InitiatingProcessSHA1, ActingProcessSHA256 = InitiatingProcessSHA256, ActingProcessParentFileName = InitiatingProcessParentFileName, ActingProcessCreationTime = InitiatingProcessCreationTime, ActingProcessParentCreationTime = InitiatingProcessParentCreationTime, TargetFileName = FileName, SrcFileName = PreviousFileName | extend DvcOs = iff(FolderPath startswith "/", "Linux", "Windows"), TargetFileSize = tolong(FileSize) | extend EventCount = int(1), EventOriginalUid = tostring(ReportId), ActingProcessId = tostring(InitiatingProcessId), EventStartTime = Timestamp, EventEndTime= Timestamp, TimeGenerated = Timestamp, EventResult = 'Success', EventProduct = 'M365 Defender for Endpoint', EventSchema = 'FileEvent', EventVendor = 'Microsoft', EventSeverity = 'Informational', EventSchemaVersion = '0.2.1', DvcIdType = "MDEid", ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername), ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'), ActorUserId = coalesce(ActorUserAadId, ActorUserSid), ActorUserIdType = iff(isempty(ActorUserSid), 'AADID', 'SID'), TargetFilePath = FolderPath, TargetFilePathType = iff(DvcOs == "Linux", "Unix", "Windows Local"), SrcFilePath = iff(isnotempty(PreviousFolderPath), PreviousFolderPath, ""), SrcFilePathType = iff(DvcOs == "Linux", "Unix", "Windows Local"), Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), "") | invoke _ASIM_ResolveDvcFQDN ('DeviceName') | project-away DeviceName | extend HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "MD5"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), Hash)])) | extend User = ActorUsername, Dvc = coalesce(DvcFQDN, 
DvcHostname), FilePath = TargetFilePath, Process = ActingProcessName, CommandLine = ActingProcessCommandLine, DvcMDEid = DvcId, FileName = TargetFileName | project-away ReportId, Initiating*, Timestamp, Request*, PreviousFolderPath, FolderPath }; parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let Parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let EventTypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "ObjectAccessed" , "0x10", "MetadataModified" , "0x100", "MetadataModified" , "0x10000", "ObjectDeleted" , "0x2", "ObjectModified" , "0x20000", "MetadataAccessed" , "0x4", "ObjectModified" , "0x40", "ObjectDeleted" , "0x40000", "MetadataModified" , "0x6", "ObjectModified" , "0x8", "MetadataAccessed" , "0x80", "MetadataAccessed" , "0x80000", "MetadataModified" ]; let UserTypeLookup = datatable (AccountType: 
string, ActorUserType: string) [ 'User', 'Regular', 'Machine', 'Machine' ]; let KnownSIDs = datatable (sid: string, username: string, type: string) [ 'S-1-5-18', 'Local System', 'Simple', 'S-1-0-0', 'Nobody', 'Simple' ]; SecurityEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4663 and ObjectType == "File" and ObjectName !startswith @"\Device\" | where (array_length(srcipaddr_has_any_prefix) == 0) and ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and (array_length(srcfilepath_has_any) == 0) and (array_length(hashes_has_any) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId, Type | lookup EventTypeLookup on AccessMask | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) | lookup UserTypeLookup on AccountType | lookup KnownSIDs on $left.SubjectUserSid == $right.sid | extend ActingProcessName = ProcessName , ActorUsername = iff (SubjectUserName == "-", username, SubjectAccount) , ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows') , EventStartTime = TimeGenerated , EventEndTime = TimeGenerated , TargetFilePath = ObjectName , TargetFilePathFormat = "Windows Local" , ActingProcessId = tostring(toint(ProcessId)) , EventOriginalType = tostring(EventID) | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)) | project-away EventID, ProcessId, AccountType, username | project-rename ActorUserId = SubjectUserSid , DvcHostname = Computer , Process = ProcessName , FilePath = ObjectName , ActorSessionId = SubjectLogonId , FileSessionId = HandleId | extend EventSchema = "FileEvent" , EventSchemaVersion = "0.1.1" , EventResult = 
"Success" , EventCount = int(1) , EventVendor = 'Microsoft' , EventProduct = 'Security Events' , Dvc = DvcHostname , ActorWindowsUsername = ActorUsername , User = ActorUsername , ActorUserSid = ActorUserId, ActorUserIdType="SID", TargetFilePathType="Windows Local" | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type }; Parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let WindowsEventParser=() { WindowsEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type, _ItemId | where Provider == "Microsoft-Windows-Sysmon" and EventID in (11, 
23, 26) | project-away Provider | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and (array_length(srcipaddr_has_any_prefix) == 0) and ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any (actorusername_has_any))) and ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and ((array_length(srcfilepath_has_any) == 0)) and ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any)) | extend TargetFileCreationTime=todatetime(EventData.CreationUtcTime), TargetFilePath=tostring(EventData.TargetFilename), ActingProcessName = tostring(EventData.Image), ActingProcessId = tostring(EventData.ProcessId), ActingProcessGuid = tostring(EventData.ProcessGuid), ActorUsername = tostring(EventData.User), EventStartTime = todatetime(EventData.UtcTime), RuleName = tostring(EventData.RuleName), Hashes = tostring(EventData.Hashes) | parse ActingProcessGuid with "{" ActingProcessGuid "}" | project-away EventData }; WindowsEventParser | project-rename DvcHostname = Computer, DvcScopeId = _SubscriptionId, DvcId = _ResourceId | extend EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'), EventProduct = 'Sysmon', EventVendor = 'Microsoft', EventSchema = 'FileEvent', EventSchemaVersion = '0.2.1', EventResult = 'Success', EventSeverity = 'Informational', DvcOs='Windows', TargetFilePathType = 'Windows', DvcIdType = iff (DvcId != "", "AzureResourceId", ""), EventCount = int(1), EventEndTime = EventStartTime, EventOriginalType = tostring(EventID), TargetFileName = tostring(split(TargetFilePath, '\\')[-1]), ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), RuleName = iff (RuleName == "-", "", RuleName), EventUid = _ItemId | parse-kv Hashes as ( MD5: string, SHA1: string, IMPHASH: string, SHA256: string ) | project-rename TargetFileMD5 = MD5, TargetFileSHA1 = SHA1, TargetFileIMPHASH = 
IMPHASH, TargetFileSHA256 = SHA256 | where (array_length(hashes_has_any) == 0) or (TargetFileMD5 has_any (hashes_has_any)) or (TargetFileSHA1 has_any (hashes_has_any)) or (TargetFileIMPHASH has_any (hashes_has_any)) or (TargetFileSHA256 has_any (hashes_has_any)) | extend Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH) | extend HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "MD5", "IMPHASH"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])) | extend ActorWindowsUsername = ActorUsername | extend Process = ActingProcessName, Dvc = DvcHostname, FilePath = TargetFilePath, FileName = TargetFileName, User = ActorUsername | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH }; parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftWindowsEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let Parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), 
dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let EventTypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "ObjectAccessed" , "0x10", "MetadataModified" , "0x100", "MetadataModified" , "0x10000", "ObjectDeleted" , "0x2", "ObjectModified" , "0x20000", "MetadataAccessed" , "0x4", "ObjectModified" , "0x40", "ObjectDeleted" , "0x40000", "MetadataModified" , "0x6", "ObjectModified" , "0x8", "MetadataAccessed" , "0x80", "MetadataAccessed" , "0x80000", "MetadataModified" ]; let UserTypeLookup = datatable (AccountType: string, ActorUserType: string) [ 'User', 'Regular', 'Machine', 'Machine' ]; let KnownSIDs = datatable (sid: string, username: string, type: string) [ 'S-1-5-18', 'Local System', 'Simple', 'S-1-0-0', 'Nobody', 'Simple' ]; WindowsEvent | where EventID == 4663 and EventData.ObjectType == "File" and EventData.ObjectName !startswith @"\Device\" | extend ActorUserIdType="SID", TargetFilePathType="Windows Local" | project TimeGenerated , EventID, AccessMask = tostring(EventData.AccessMask) , ProcessName = tostring(EventData.ProcessName) , SubjectUserSid = tostring(EventData.SubjectUserSid) , AccountType = tostring(EventData.AccountType) , Computer = tostring(EventData.Computer) , ObjectName = tostring(EventData.ObjectName) , ProcessId = tostring(EventData.ProcessId) , SubjectUserName = tostring(EventData.SubjectUserName) , SubjectAccount = tostring(EventData.SubjectAccount) , SubjectLogonId = tostring(EventData.SubjectLogonId) , HandleId = tostring(EventData.HandleId) , Type | lookup EventTypeLookup on AccessMask | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) | lookup UserTypeLookup on AccountType | lookup KnownSIDs on $left.SubjectUserSid == $right.sid | extend ActingProcessName = ProcessName , ActorUsername = iff (SubjectUserName == "-", username, SubjectAccount) , ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows') , EventStartTime = TimeGenerated , EventEndTime = TimeGenerated , 
TargetFilePath = ObjectName , TargetFilePathFormat = "Windows Local" , ActingProcessId = tostring(toint(ProcessId)) , EventOriginalType = tostring(EventID) | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)) | project-away EventID, ProcessId, AccountType, username | project-rename ActorUserId = SubjectUserSid , DvcHostname = Computer , Process = ProcessName , FilePath = ObjectName , ActorSessionId = SubjectLogonId , FileSessionId = HandleId | extend EventSchema = "FileEvent" , EventSchemaVersion = "0.1.1" , EventResult = "Success" , EventCount = int(1) , EventVendor = 'Microsoft' , EventProduct = 'Security Events' , Dvc = DvcHostname , ActorWindowsUsername = ActorUsername , User = ActorUsername , ActorUserSid = ActorUserId , ActorUserIdType="SID" , TargetFilePathType="Windows Local" | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type }; Parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) ASimNetworkSession( ['pack']:bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); let NetworkSessionsGeneric=(pack:bool=false){ union isfuzzy=true vimNetworkSessionEmpty , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) )) , 
ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) )) , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) )) , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) )) , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) )) , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) )) , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) )) , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) )) , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) )) , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) ))) , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) )) , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) )) , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) )) , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) )) , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) )) , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) )) , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) )) , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) )) , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) )) , ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) )) , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) )) , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) )) , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) )) , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) )) , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) )) , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) )) , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) )) , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) )) , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) )) , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) )) , 
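ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) )) ,
    ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) )) ,
    ASimNetworkSessionIllumioSaaSCore (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionIllumioSaaSCore' in (DisabledParsers) )) ,
    ASimNetworkSessionNTANetAnalytics (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNTANetAnalytics' in (DisabledParsers) ))
  };
  NetworkSessionsGeneric (pack=pack)
}
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionCorelightZeek(['disabled']:bool=false) {
  // Parameterless ASim entry point: forwards to the filtering (vim) parser with every filter left at its default.
  vimNetworkSessionCorelightZeek(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoft365Defender(['disabled']:bool=false) {
  // Parameterless ASim entry point for the M365 Defender network-session parser.
  vimNetworkSessionMicrosoft365Defender(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftSecurityEventFirewall(['disabled']:bool=false) {
  // Parameterless ASim entry point for the SecurityEvent firewall parser.
  vimNetworkSessionMicrosoftSecurityEventFirewall(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
  // Parameterless ASim entry point for the Sysmon-over-WindowsEvent parser.
  vimNetworkSessionMicrosoftSysmonWindowsEvent(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftWindowsEventFirewall(['disabled']:bool=false) {
  // Parameterless ASim entry point for the WindowsEvent firewall parser.
  vimNetworkSessionMicrosoftWindowsEventFirewall(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) imNetworkSession( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) {
  // Filtering unifying parser for the ASim NetworkSession schema. Every filter parameter is passed
  // through unchanged to each source-specific vim parser; eventresult='*' and empty lists mean "no filter".
  // Runtime disablement is read from the 'ASimDisabledParsers' watchlist: rows whose SearchKey is 'Any' or
  // 'ExcludevimNetworkSession' contribute their SourceSpecificParser value. The whole parser is off when that
  // set contains 'Any' or 'ExcludevimNetworkSession'; a single source is off when it contains
  // 'Exclude<that parser's name>'. The set is materialized once so the per-parser tests below do not re-read it.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
  // OR-ed into every source parser's 'disabled' argument.
  let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
  let NetworkSessionsGeneric=( starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', pack:bool=false) {
    // isfuzzy=true keeps the union working when a listed parser is not deployed in this database.
    // vimNetworkSessionEmpty contributes no rows, only the schema's column set.
    // Each source appears exactly once: union does not deduplicate rows, so a repeated call would
    // emit that source's sessions twice and double every count built on top of this parser.
    // Only vimNetworkSessionVectraAI receives 'pack'; the other parsers take the filters positionally.
    union isfuzzy=true
      vimNetworkSessionEmpty ,
      vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) )) ,
      vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )) ,
      vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) )) ,
      vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) )) ,
      vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) )) ,
      vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) )) ,
      vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) )) ,
      vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) ))) ,
      vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) )) ,
      vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) )) ,
      vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) )) ,
      vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) )) ,
      vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) )) ,
      vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) )) ,
      vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) )) ,
      vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) )) ,
      vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) )) ,
      vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) )) ,
      vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) )) ,
      vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) )) ,
      vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) )) ,
      vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) )) ,
      vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) )) ,
      vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) )) ,
      vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) )) ,
      vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) )) ,
      vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber,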
hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) )) ,
      vimNetworkSessionIllumioSaaSCore (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionIllumioSaaSCore' in (DisabledParsers) )) ,
      vimNetworkSessionNTANetAnalytics (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNTANetAnalytics' in (DisabledParsers) ))
  };
  NetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)
}
.create-or-alter function with (skipvalidation=true) vimNetworkSessionCorelightZeek( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
  // Filtering parser that normalizes Corelight/Zeek 'conn' records, stored as JSON text in
  // Corelight_CL.Message, into the ASim NetworkSession schema (EventSchemaVersion 0.2.4).
  // Filters: starttime/endtime bound TimeGenerated; the *ipaddr_has_any_prefix lists are first applied
  // to the raw message as a pre-filter and then to the parsed SrcIpAddr/DstIpAddr; dstportnumber is
  // matched as the literal '"id.resp_p":<n>' term; an eventresult other than '*' must equal the mapped
  // EventResult. hostname_has_any and dvcaction are not supported by this source: any non-empty value
  // yields no rows. disabled=true yields no rows.
  // Zeek local_orig/local_resp flags -> ASim NetworkDirection.
  let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string) [ false, true, 'Inbound', true, false, 'Outbound', true, true, 'Local', false, false, 'External' ];
  // Zeek conn_state -> EventResult / EventResultDetails / EventSeverity; the Zeek description of the
  // state is carried in EventOriginalResultDetails.
  let ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string) [
    'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',
    'S1', 'Success', '', 'Connection established, not terminated', 'Informational',
    'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational',
    'REJ', 'Failure', 'Rejected', 'Connection attempt rejected', 'Low',
    'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',
    'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',
    'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',
    'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',
    'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',
    'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',
    'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',
    'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',
    'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'
  ];
  let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false ) {
    // The direction-agnostic ipaddr_has_any_prefix list is folded into both the source and destination lists.
    let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
    let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
    // Union of all three lists, used only to pre-filter on the raw message before parsing.
    let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
    Corelight_CL
    | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime) and not(disabled) and (array_length(hostname_has_any) == 0) and (array_length(dvcaction) == 0) and (Message has '"_path":"conn"' or Message has '"conn_red"') and (array_length(ip_any)==0 or has_any_ipv4_prefix(Message,ip_any)) and (isnull(dstportnumber) or Message has (strcat('"id.resp_p":', tostring(dstportnumber))))
    | project Message, TimeGenerated
    // conn_state is pulled out with a cheap textual parse so the result lookup and the eventresult
    // filter run before the full key-value parse below.
    | parse Message with * '"conn_state":"' conn_state '",' *
    | lookup ResultLookup on conn_state
    | where (eventresult == "*" or eventresult == EventResult)
    | extend parsed_msg = parse_json(Message)
    | extend Dvc = tostring(parsed_msg.host.name)
    // Keys are matched including their surrounding double quotes, hence the quoted bracket names.
    // NOTE(review): Zeek 'duration' is parsed as int here; confirm that fractional-second values are handled as intended.
    | parse-kv Message as ( ['"_write_ts"']:datetime, ['"ts"']:datetime, ['"uid"']:string, ['"id.orig_h"']:string, ['"id.orig_p"']:int, ['"id.resp_h"']:string, ['"id.resp_p"']:int, ['"proto"']:string, ['"service"']:string, ['"duration"']:int, ['"orig_bytes"']:long, ['"resp_bytes"']:long, ['"local_orig"']:bool, ['"local_resp"']:bool, ['"missed_bytes"']:long, ['"history"']:string, ['"orig_pkts"']:long, ['"resp_pkts"']:long, ['"orig_l2_addr"']:string, ['"resp_l2_addr"']:string, ['"community_id"']:string, ['"vlan"']:string, ['"inner_vlan"']:string ) with (quote = '"')
    | extend EventCount=int(1), EventProduct="Zeek", EventVendor="Corelight", EventSchema = "NetworkSession", EventSchemaVersion="0.2.4", EventType="Flow"
    | project-rename EventStartTime= ['"ts"'], EventEndTime = ['"_write_ts"'], EventOriginalUid = ['"uid"'], SrcIpAddr = ['"id.orig_h"'], SrcPortNumber = ['"id.orig_p"'], DstIpAddr = ['"id.resp_h"'], DstPortNumber = ['"id.resp_p"'], NetworkProtocol = ['"proto"'], NetworkApplicationProtocol = ['"service"'], NetworkDuration = ['"duration"'], SrcBytes = ['"orig_bytes"'], DstBytes = ['"resp_bytes"'], local_orig = ['"local_orig"'], local_resp = ['"local_resp"'], FlowMissedBytes = ['"missed_bytes"'], SrcPackets = ['"orig_pkts"'], DstPackets = ['"resp_pkts"'], SrcMacAddr = ['"orig_l2_addr"'], DstMacAddr = ['"resp_l2_addr"'], DstVlanId = ['"vlan"'], SrcVlanId = ['"inner_vlan"'], FlowHistory = ['"history"'], NetworkSessionId = ['"community_id"']
    // Per-address matching; ASimMatchingIpAddr records which side matched ("-" when no IP filter was given).
    | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
    | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
    | project-away temp*
    | where ASimMatchingIpAddr != "No match"
    | lookup NetworkDirectionLookup on local_orig, local_resp
    | extend NetworkBytes = SrcBytes + DstBytes, NetworkPackets = SrcPackets + DstPackets, NetworkProtocol = toupper(NetworkProtocol)
    // ASim aliases.
    | extend IpAddr=SrcIpAddr, Src=SrcIpAddr, Duration=NetworkDuration, SessionId = NetworkSessionId, InnerVlanId = SrcVlanId, OuterVlanId = DstVlanId, Dst=DstIpAddr
    | project-away Message, local_orig, local_resp, conn_state, parsed_msg
  };
  parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) vimNetworkSessionEmpty {
  // Zero-row table carrying the full NetworkSession column set; listed first in the
  // imNetworkSession union so the unified output always has every schema column.
  let parser=datatable( TimeGenerated:datetime , _ResourceId:string , Type:string , EventMessage:string , EventCount:int , EventStartTime:datetime , EventEndTime:datetime , EventType:string , EventSubType:string , EventResult:string , EventResultDetails:string , EventOriginalResultDetails:string , EventSeverity:string , EventOriginalSeverity:string , EventOriginalUid:string , EventOriginalType:string , EventOriginalSubType:string , EventProduct:string , EventProductVersion:string , EventVendor:string , EventSchema:string , EventSchemaVersion:string , EventReportUrl:string , Dvc:string , DvcIpAddr:string , DvcHostname:string , DvcDomain:string , DvcDomainType:string , DvcFQDN:string , DvcId:string , DvcIdType:string , DvcMacAddr:string , DvcZone:string , DvcDescription:string , Dst:string , DstIpAddr:string ,
DstPortNumber:int , DstHostname:string , Hostname:string , DstDescription:string , DstDomain:string , DstDomainType:string , DstFQDN:string , DstDvcId:string , DstDvcIdType:string , DstDeviceType:string , DstUserId:string , DstUserIdType:string , DstUsername:string , User:string , DstUsernameType:string , DstUserType:string , DstOriginalUserType:string , DstUserDomain:string , DstAppName:string , DstAppId:string , DstAppType:string , DstZone:string , DstInterfaceName:string , DstInterfaceGuid:string , DstMacAddr:string , DstGeoCountry:string , DstGeoRegion: string , DstGeoCity:string , DstGeoLatitude:real , DstGeoLongitude:real ,
    Src:string , SrcIpAddr:string , SrcPortNumber:int , SrcHostname:string , SrcDescription:string , SrcDomain:string , SrcDomainType:string , SrcFQDN:string , SrcDvcId:string , SrcDvcIdType:string , SrcDeviceType:string , SrcUserId:string , SrcUserIdType:string , SrcUsername:string , SrcUsernameType:string , SrcUserType:string , SrcOriginalUserType:string , SrcUserDomain:string , SrcAppName:string , SrcAppId:string , IpAddr:string , SrcAppType:string , SrcZone:string , SrcInterfaceName:string , SrcInterfaceGuid:string , SrcMacAddr:string , SrcGeoCountry:string , SrcGeoCity:string , SrcGeoRegion: string , SrcGeoLatitude:real , SrcGeoLongitude:real ,
    NetworkApplicationProtocol:string , NetworkProtocol:string , NetworkProtocolVersion:string , NetworkDirection:string , NetworkDuration:int , Duration:int , NetworkIcmpCode:int , NetworkIcmpType:string , DstBytes:long , SrcBytes:long , NetworkBytes:long , DstPackets:long , SrcPackets:long , NetworkPackets:long , NetworkSessionId:string , SessionId:string , NetworkConnectionHistory:string , SrcVlanId:string , DstVlanId:string , InnerVlanId:string , OuterVlanId: string , DstNatIpAddr:string , DstNatPortNumber:int , SrcNatIpAddr:string , SrcNatPortNumber:int , DvcInboundInterface:string , DvcOutboundInterface:string , DvcInterface:string , NetworkRuleName:string , NetworkRuleNumber:int , Rule:string ,
    DvcAction:string , DvcOriginalAction:string , ThreatId:string , ThreatName:string , ThreatCategory:string , ThreatRiskLevel:int , ThreatOriginalRiskLevel:string , DvcSubscriptionId:string , SrcSubscriptionId:string , DstSubscriptionId:string )[];
  // Returns the empty table (no rows, full column set).
  parser
}
.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoft365Defender( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
  // Filtering parser that normalizes DeviceNetworkEvents (M365 Defender for Endpoint) into the ASim
  // NetworkSession schema (EventSchemaVersion 0.2.3). Events are split by direction: for outbound
  // ActionTypes the reporting device is the source, for the others it is the destination.
  // Filters: starttime/endtime bound Timestamp; IP prefix lists are matched against LocalIP/RemoteIP according
  // to direction; dstportnumber is matched against the destination-side port; hostname_has_any is matched
  // against both DeviceName and RemoteUrl; eventresult other than '*' must equal the derived EventResult.
  // dvcaction is not supported by this source: any non-empty value yields no rows. disabled=true yields no rows.
  let M365Defender= (starttime:datetime=datetime(null) , endtime:datetime=datetime(null) , srcipaddr_has_any_prefix:dynamic=dynamic([]) , dstipaddr_has_any_prefix:dynamic=dynamic([]) , ipaddr_has_any_prefix:dynamic=dynamic([]) , dstportnumber:int=int(null) , hostname_has_any:dynamic=dynamic([]) , dvcaction:dynamic=dynamic([]) , eventresult:string='*' , disabled:bool=false ){
    // ActionType -> NetworkDirection; Outbound decides which of LocalIP/RemoteIP is the source.
    // ActionTypes absent from this table get a null Outbound and therefore match neither branch below.
    let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[ 'ConnectionSuccess','Outbound', true ,'ConnectionFailed', 'Outbound', true ,'ConnectionRequest','Outbound', true ,'InboundConnectionAccepted', 'Inbound', false ,'ConnectionFound', 'Unknown', false ,'ListeningConnectionCreated', 'Listen', false ];
    // The direction-agnostic ipaddr_has_any_prefix list is folded into both the source and destination lists.
    let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
    let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
    // Shared pipeline for one direction; select_outbound picks the rows whose Outbound flag matches.
    let RawNetworkEvents = (select_outbound:boolean) {
      DeviceNetworkEvents
      | where (isnull(starttime) or Timestamp>=starttime) and (isnull(endtime) or Timestamp<=endtime)
      | where not(disabled)
      | lookup DirectionLookup on ActionType
      | where Outbound == select_outbound
      | project-away AppGuardContainerId, LocalIPType, RemoteIPType
      |where (array_length(dvcaction)==0 ) and (isnull(dstportnumber) or
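dstportnumber == LocalPort or dstportnumber == RemotePort) and (array_length(hostname_has_any)==0 or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any) )
      // Which endpoint is the source depends on direction: for outbound events the local endpoint is the source.
      | extend temp_isSrcMatch=( (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any)) or (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any)) ) , temp_isDstMatch=( (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any)) or (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any)) )
      // "-" means no IP filter was supplied; this value is also used for ASimMatchingHostname below.
      | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
      | where ASimMatchingIpAddr != "No match"
      | project-away temp_*
      | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')
      | where (eventresult=='*' or EventResult==eventresult)
      | extend EventOriginalUid = tostring(ReportId), EventCount = int(1), EventProduct = 'M365 Defender for Endpoint', EventVendor = 'Microsoft', EventSchema = 'NetworkSession', EventSchemaVersion = '0.2.3', EventStartTime = Timestamp, EventEndTime = Timestamp, TimeGenerated = Timestamp, EventType = 'NetworkSession', EventSeverity = "Informational", DvcIdType = 'MDEid'
      | project-away ReportId, Outbound
      | project-rename EventOriginalResultDetails = ActionType
      // Strip an optional scheme so RemoteUrl can be split into hostname and domain below.
      | extend RemoteUrl = extract (@"(?:https?://)?(.*)", 1, RemoteUrl)
      | extend User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)), UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'), SplitHostname = split(DeviceName,"."), SplitUrl = split(RemoteUrl,"."), NetworkProtocol = case ( Protocol startswith "Tcp", "TCP", Protocol == "Unknown", "", toupper(Protocol) )
      | project-away Protocol
      // Hostname/domain/FQDN are derived for both the reporting device and the remote URL; the
      // direction-specific branches below decide which becomes Src* and which Dst*.
      | extend DvcHostname = tostring(SplitHostname[0]), DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')), DvcFQDN = iif (DeviceName contains ".", DeviceName,""), UrlHostname = tostring(SplitUrl[0]), UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')), UrlFQDN = iif(RemoteUrl contains ".", RemoteUrl, "")
      | project-away RemoteUrl, DeviceName
      | extend DvcDomainType = iif(DvcFQDN != "", "FQDN", ""), UrlDomainType = iff(UrlFQDN != "", "FQDN", ""), DvcIpAddr = LocalIP
      | extend Dvc = DvcHostname
      | project-rename DvcId = DeviceId
      | project-away SplitUrl, SplitHostname
    };
    // Outbound: the reporting device is the source; RemoteIP/RemoteUrl describe the destination.
    let OutboundNetworkEvents = RawNetworkEvents (true)
      | where (isnull(dstportnumber) or dstportnumber==RemotePort)
      | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any) , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)
      |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,"-", temp_isMatchDstHostname and temp_isMatchSrcHostname, "Both", temp_isMatchDstHostname, "DstHostname", temp_isMatchSrcHostname, "SrcHostname", "No match" )
      | project-away temp*
      | where ASimMatchingHostname != "No match"
      | project-rename DstIpAddr = RemoteIP, SrcIpAddr = LocalIP, DstPortNumber = RemotePort, SrcPortNumber = LocalPort, SrcUsernameType = UsernameType, SrcUserAadId = InitiatingProcessAccountObjectId, SrcUserId = InitiatingProcessAccountSid, SrcUserUpn = InitiatingProcessAccountUpn
      // S-1-0-0 is the Windows null SID: it is blanked rather than reported as an identifier.
      | extend SrcUsername = User, SrcDvcId = DvcId, SrcDvcIdType = 'MDEid', SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstHostname = UrlHostname
      | project-rename DstDomain = UrlDomain, DstFQDN = UrlFQDN, DstDomainType = UrlDomainType
      | extend SrcHostname = DvcHostname, SrcDomain = DvcDomain, SrcFQDN = DvcFQDN, SrcDomainType = DvcDomainType
      | extend SrcProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId)
      | project-rename SrcProcessName = InitiatingProcessFileName, SrcProcessCommandLine = InitiatingProcessCommandLine, SrcProcessCreationTime = InitiatingProcessCreationTime, SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel, SrcProcessTokenElevation = InitiatingProcessTokenElevation, ParentProcessName = InitiatingProcessParentFileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime
      | extend Process = SrcProcessName, ProcessId = SrcProcessId, SrcAppName = SrcProcessName, SrcAppType = "Process" ;
    // Inbound: the reporting device is the destination; RemoteIP/RemoteUrl describe the source.
    let InboundNetworkEvents = RawNetworkEvents (false)
      | where (isnull(dstportnumber) or dstportnumber==LocalPort)
      // "-" marks "no hostname filter", the same value the outbound branch and ASimMatchingIpAddr use,
      // so the unioned output reports that case consistently.
      |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,"-", UrlHostname has_any(hostname_has_any), "SrcHostname", DvcHostname has_any(hostname_has_any), "DstHostname", "No match" )
      | where ASimMatchingHostname != "No match"
      | project-rename SrcIpAddr = RemoteIP, DstIpAddr = LocalIP, SrcPortNumber = RemotePort, DstPortNumber = LocalPort, DstUsernameType = UsernameType, DstUserAadId = InitiatingProcessAccountObjectId, DstUserId = InitiatingProcessAccountSid, DstUserUpn = InitiatingProcessAccountUpn, SrcDomain = UrlDomain, SrcFQDN = UrlFQDN, SrcDomainType = UrlDomainType
      // The null SID S-1-0-0 is blanked here exactly as in the outbound branch.
      | extend DstUsername = User, DstDvcId = DvcId, DstDvcIdType = 'MDEid', DstUserIdType = iff (DstUserId <> "S-1-0-0", "SID", ""), DstUserId = iff (DstUserId <> "S-1-0-0", DstUserId, ""), SrcHostname = UrlHostname
      | extend DstHostname = DvcHostname, DstDomain = DvcDomain, DstFQDN = DvcFQDN
      | extend DstProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId)
      | project-rename DstProcessName = InitiatingProcessFileName, DstProcessCommandLine = InitiatingProcessCommandLine, DstProcessCreationTime = InitiatingProcessCreationTime, DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel, DstProcessTokenElevation = InitiatingProcessTokenElevation, ParentProcessName = InitiatingProcessParentFileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime
      | extend Process = DstProcessName, DstAppName = DstProcessName, DstAppType = "Process" ;
    // ASim aliases on the combined result.
    union InboundNetworkEvents, OutboundNetworkEvents
    | project-rename Hostname = UrlHostname
    | extend IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst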
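= DstIpAddr }; M365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled) }
.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftSecurityEventFirewall(
  ['starttime']:datetime=datetime(null),
  ['endtime']:datetime=datetime(null),
  ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['ipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstportnumber']:int=int(null),
  ['hostname_has_any']:dynamic=dynamic([]),
  ['dvcaction']:dynamic=dynamic([]),
  ['eventresult']:string='*',
  ['disabled']:bool=false)
{
  // ASim NetworkSession filtering parser for Windows Filtering Platform audit events
  // (EventIDs 5152, 5154-5159) read from the SecurityEvent table.
  // Every optional filter is a no-op when left at its default; disabled=true returns no rows.
  // Note: a non-empty hostname_has_any yields no rows in every branch below
  // (each branch requires array_length(hostname_has_any)==0), i.e. hostname filtering is not supported here.
  // skipvalidation=true: the body is not checked at creation time, so a missing table or column
  // only surfaces when the function is invoked.
  // Maps the %%nnnnn layer placeholders carried in EventData.LayerName to readable layer names.
  let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[ '%%14596', 'IP Packet', '%%14597', 'Transport', '%%14598', 'Forward', '%%14599', 'Stream', '%%14600', 'Datagram Data', '%%14601', 'ICMP Error', '%%14602', 'MAC 802.3', '%%14603', 'MAC Native', '%%14604', 'vSwitch', '%%14608', 'Resource Assignment', '%%14609', 'Listen', '%%14610', 'Receive/Accept', '%%14611', 'Connect', '%%14612', 'Flow Established', '%%14614', 'Resource Release', '%%14615', 'Endpoint Closure', '%%14616', 'Connect Redirect', '%%14617', 'Bind Redirect', '%%14624', 'Stream Packet'];
  // IANA protocol numbers as reported in EventData.Protocol.
  let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[ 1, 'ICMP', 3, 'GGP', 6, 'TCP', 8, 'EGP', 12, 'PUP', 17, 'UDP', 20, 'HMP', 27, 'RDP', 46, 'RSVP', 47, 'PPTP data over GRE', 50, 'ESP', 51, 'AH', 66, 'RVD', 88, 'IGMP', 89, 'OSPF'];
  // Direction placeholders (and their already-rendered names) to NetworkDirection; isOutBound decides
  // whether the local process/user/host becomes the Src or the Dst side of the session.
  let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[ '%%14592', 'Inbound', false, '%%14593', 'Outbound', true, '%%14594', 'Forward',false, '%%14595', 'Bidirectional', false, '%%14609', 'Listen', false, 'Inbound','Inbound',false, 'Outbound','Outbound',true, 'Forward','Forward',false, 'Bidirectional','Bidirectional',false, 'Listen','Listen',false];
  let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null) , hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false ) {
  // ipaddr_has_any_prefix applies to either side; fold it into the per-side prefix lists once.
  let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let SecurityEventProjected = SecurityEvent | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type ;
  // 5152: packet blocked by the filtering platform. Always a Failure / Deny.
  let SecurityEvent_5152 = SecurityEventProjected
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
    | where EventID==5152
    // Cheap pre-filters on the raw EventData blob before the per-field parse below.
    // NOTE(review): dvcaction is a dynamic array, so dvcaction=='Deny' is presumably meant as a has_any-style test — confirm.
    |where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) and (array_length(ip_any)==0 or has_any_ipv4_prefix(EventData ,ip_any) ) and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) and (array_length(hostname_has_any)==0 ) and (eventresult=='*' or eventresult=='Failure')
    | extend EventResult = "Failure"
    | extend ProcessId = tostring(EventData.ProcessId), Application = tostring(EventData.Application), DirectionCode = tostring(EventData.Direction), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), DstIpAddr = tostring(EventData.DestAddress), DstPortNumber = toint(EventData.DestPort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID)
    // Exact per-side prefix match; ASimMatchingIpAddr records which side satisfied the filter.
    | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
    | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
    | where ASimMatchingIpAddr != "No match"
    | project-away temp_*, EventData ;
  // 5154/5158: listen or bind permitted; 5155/5159: listen or bind blocked.
  // These events carry no destination, so dst-address and port filters yield no rows here.
  let SecurityEvent_5154_5155_5158_5159 = SecurityEventProjected
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
    | where EventID in (5154, 5155, 5158, 5159)
    |where (array_length(dstipaddr_has_any_prefix)==0 ) and (array_length(hostname_has_any)==0 ) and (isnull(dstportnumber) ) and (array_length(ip_any)==0 or has_any_ipv4_prefix(EventData ,ip_any) ) and (array_length(dvcaction)==0 or (dvcaction=='Allow' and EventID in (5154,5158)) or (dvcaction=='Deny' and EventID !in (5154,5158)) )
    | extend EventResult = iff(EventID in (5154, 5158), "Success", "Failure")
    | where (eventresult=='*' or EventResult==eventresult)
    | extend ProcessId = tostring(EventData.ProcessId), Application = tostring(EventData.Application), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID)
    // Listen events have no direction field; %%14609 maps to 'Listen' in Directions.
    | extend DirectionCode = "%%14609"
    | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) , temp_isDstMatch=false
    | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
    | where ASimMatchingIpAddr != "No match"
    | project-away temp_* , EventData ;
  // 5156: connection permitted; 5157: connection blocked. This is the only branch that carries
  // RemoteUserID/RemoteMachineID; the union below leaves them empty for the other branches.
  // NOTE(review): this branch reads EventData.ProcessID while the others read EventData.ProcessId — confirm against sample events.
  let SecurityEvent_5156_5157 = SecurityEventProjected
    | where not(disabled)
    | where EventID in (5156, 5157)
    | extend EventResult = iff(EventID == 5156, "Success", "Failure")
    | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime) and (array_length(ip_any)==0 or has_any_ipv4_prefix(EventData ,ip_any) ) and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) and (array_length(dvcaction)==0 or (dvcaction=='Allow' and EventID == 5156) or (dvcaction=='Deny' and EventID <> 5156) ) and (array_length(hostname_has_any)==0 ) and (eventresult=='*' or EventResult==eventresult)
    | extend ProcessId = tostring(EventData.ProcessID), Application = tostring(EventData.Application), DirectionCode = tostring(EventData.Direction), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), DstIpAddr = tostring(EventData.DestAddress), DstPortNumber = toint(EventData.DestPort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID), RemoteUserID = tostring(EventData.RemoteUserID), RemoteMachineID = tostring(EventData.RemoteMachineID)
    | project-away EventData
    | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
    | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
    | where ASimMatchingIpAddr != "No match"
    | project-away temp_* ;
  union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152
  | lookup Directions on DirectionCode
  | project-rename DvcHostname = Computer
  // The reporting host is the local endpoint: outbound => it is the Src side, otherwise the Dst side.
  | extend SrcAppName = iff(isOutBound, Application, ""), DstAppName = iff(not(isOutBound), Application, ""), SrcDvcId = iff(isOutBound, RemoteMachineID, ""), DstDvcId = iff(not(isOutBound), RemoteMachineID, ""), SrcProcessId = iff(isOutBound, tostring(ProcessId), ""), DstProcessId = iff(not(isOutBound), tostring(ProcessId), ""), DstUserId = iff(isOutBound, RemoteUserID, ""), SrcUserId = iff(not(isOutBound), RemoteUserID, ""), DstHostname = iff(isOutBound, "", DvcHostname), SrcHostname = iff(isOutBound, DvcHostname, "")
  | project-away Application, RemoteMachineID, ProcessId, RemoteUserID
  // Exact port match; the 'EventData has' test above was only a coarse pre-filter.
  | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )
  // S-1-0-0 is the Windows Null SID placeholder; treat it as "no user" rather than an identity.
  | extend DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"), DvcOs = 'Windows', DstAppType = "Process", SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstUserIdType = iff (DstUserId <> "S-1-0-0", "SID", ""), DstUserId = iff (DstUserId <> "S-1-0-0", DstUserId, ""), SrcAppType = "Process", EventType = "NetworkSession", EventSchema = "NetworkSession", EventSchemaVersion="0.2.3", EventCount=toint(1), EventVendor = "Microsoft", EventProduct = "Windows Firewall", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventSeverity = iff(EventID in (5154, 5156, 5158), "Informational", "Low")
  // ASim alias columns.
  | extend Dvc = DvcHostname, Hostname = DvcHostname, IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr, Rule = tostring(NetworkRuleNumber), DstDvcIdType = iff (DstDvcId != "", "SID", ""), SrcDvcIdType = iff (SrcDvcId != "", "SID", "")
  | lookup LayerCodeTable on LayerCode
  // Unknown layer placeholders are kept verbatim instead of being blanked.
  | extend LayerName = iff(isempty(LayerName), LayerCode, LayerName)
  | lookup ProtocolTable on Protocol
  | project-away LayerCode, DirectionCode, Protocol, isOutBound, EventID, LayerRTID,_ResourceId,_SubscriptionId
  };
  parser(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftSysmonWindowsEvent(
  ['starttime']:datetime=datetime(null),
  ['endtime']:datetime=datetime(null),
  ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['ipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstportnumber']:int=int(null),
  ['dvcaction']:dynamic=dynamic([]),
  ['hostname_has_any']:dynamic=dynamic([]),
  ['eventresult']:string='*',
  ['disabled']:bool=false)
{
  // ASim NetworkSession filtering parser for Sysmon EventID 3 (network connection) read from WindowsEvent.
  // Sysmon only reports established connections: EventResult is always Success and there is no
  // device action, so eventresult other than '*'/'Success' or a non-empty dvcaction returns no rows.
  let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), srcipaddr_has_any_prefix: dynamic=dynamic([]), dstipaddr_has_any_prefix: dynamic=dynamic([]), ipaddr_has_any_prefix: dynamic=dynamic([]), dstportnumber: int=int(null), hostname_has_any: dynamic=dynamic([]), dvcaction: dynamic=dynamic([]), eventresult: string='*', disabled: bool=false ) {
  let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let Sysmon3_WindowsEvent=WindowsEvent
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
    | where (eventresult == '*' or eventresult == 'Success') and array_length(dvcaction) == 0
    | where Provider == "Microsoft-Windows-Sysmon" and EventID == 3
    | extend SourceIp = tostring(EventData.SourceIp), DestinationIp = tostring(EventData.DestinationIp), DstHostname = tostring(EventData.DestinationHostname), SrcHostname = tostring(EventData.SrcHostname), RuleName = tostring(EventData.RuleName), UtcTime = todatetime(EventData.UtcTime), ProcessId = tostring(EventData.ProcessId), Image = tostring(EventData.Image), User = tostring(EventData.User), Protocol = tostring(EventData.Protocol), Initiated = tobool(EventData.Initiated), SourceIsIpv6 = tobool(EventData.SourceIsIpv6), SourcePort = toint(EventData.SourcePort), SourcePortName = tostring(EventData.SourcePortName), DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6), DestinationPort = toint(EventData.DestinationPort), DestinationPortName = tostring(EventData.DestinationPortName)
    // The optional ip, port and hostname filters are ANDed, each being a no-op when unset.
    // Grouped explicitly: 'and' binds tighter than 'or' in KQL, and the ungrouped form let a
    // hostname or port filter bypass the other filters (e.g. a hostname filter alone matched every row).
    | where (array_length(ip_any) == 0 or has_any_ipv4_prefix(EventData, ip_any))
        and (isnull(dstportnumber) or dstportnumber == DestinationPort)
        and (array_length(hostname_has_any) == 0 or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any))
    | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any) , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)
    | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
    | where ASimMatchingIpAddr != "No match"
    // Strip the surrounding braces from the Sysmon GUID.
    | parse EventData.ProcessGuid with "{" ProcessGuid "}"
    | project-away EventData
    | project-away Provider, Channel, Task, Data, RawEventData, EventOriginId;
  Sysmon3_WindowsEvent
  // Last path segment of the image is the application name.
  | extend AppName = tostring(split(Image, "\\")[-1])
  // Initiated=true means the local process opened the connection, so its details land on the Src side.
  | extend SrcUsernameType = iff(Initiated, "Windows", ""), SrcUsername = iff(Initiated, tostring(User), ""), SrcProcessId = iff(Initiated, tostring(ProcessId), ""), SrcProcessGuid = iff(Initiated, ProcessGuid, ""), SrcProcessName = iff(Initiated, tostring(Image), ""), SrcAppName = iff(Initiated, AppName, ""), SrcAppType = iff(Initiated, 'Process', ""), DstUsernameType = iff(not(Initiated), "Windows", ""), DstUsername = iff(not(Initiated), tostring(User), ""), DstProcessId = iff(not(Initiated), tostring(ProcessId), ""), DstProcessGuid = iff(not(Initiated), ProcessGuid, ""), DstProcessName = iff(not(Initiated), tostring(Image), ""), DstAppName = iff(not(Initiated), AppName, ""), DstAppType = iff(not(Initiated), 'Process', "")
  | project-away ProcessId, ProcessGuid, Image, AppName
  | project-rename EventStartTime = UtcTime, Dvc = Computer, SrcIpAddr = SourceIp, DstIpAddr = DestinationIp, DstPortNumber = DestinationPort, SrcPortNumber = SourcePort, NetworkRuleName = RuleName
  | extend EventEndTime = EventStartTime, Hostname = case( Initiated, DstHostname, not(Initiated), SrcHostname, Dvc ), Src = SrcIpAddr, Dst = DstIpAddr, DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr), IpAddr = SrcIpAddr, EventType = 'EndpointNetworkSession', EventCount = int(1), EventVendor = 'Microsoft', EventSchemaVersion = '0.2.5', EventSchema = 'NetworkSession', EventProduct = 'Sysmon', EventResult = 'Success', EventSeverity = 'Informational', DvcOs = 'Windows', Protocol = toupper(Protocol), EventOriginalType = '3'
  | extend DvcHostname = Hostname
  // Sysmon writes "-" for an unknown hostname; normalize it to empty before FQDN resolution.
  | extend SrcHostname = iff(SrcHostname == "-", "", SrcHostname), DvcHostname = iff(DvcHostname == "-", "", DvcHostname), DstHostname = iff(DstHostname == "-", "", DstHostname)
  | project-rename TmpSrcHostname = SrcHostname, TmpDvcHostname = DvcHostname, TmpDstHostname = DstHostname
  | invoke _ASIM_ResolveSrcFQDN('TmpSrcHostname')
  | invoke _ASIM_ResolveDvcFQDN('TmpDvcHostname')
  | invoke _ASIM_ResolveDstFQDN('TmpDstHostname')
  | project-away TmpSrcHostname, TmpDvcHostname, TmpDstHostname
  | extend NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), "IPV6", "IPV4"), NetworkProtocol = toupper(Protocol)
  | project-away Destination*, Initiated, ManagementGroupName, TenantId, Protocol, Source*, EventID, EventLevelName, EventLevel, Correlation, EventRecordId, Keywords, Opcode, SystemProcessId, SystemThreadId, SystemUserId, TimeCreated, _ResourceId, Version
  };
  parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)
}
.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftWindowsEventFirewall(
  ['starttime']:datetime=datetime(null),
  ['endtime']:datetime=datetime(null),
  ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['ipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dstportnumber']:int=int(null),
  ['hostname_has_any']:dynamic=dynamic([]),
  ['dvcaction']:dynamic=dynamic([]),
  ['eventresult']:string='*',
  ['disabled']:bool=false)
{
  // ASim NetworkSession filtering parser for Windows Filtering Platform audit events (EventIDs 5150-5159)
  // read from the WindowsEvent table. Same mapping as the SecurityEvent variant above, in one pipeline.
  // Note: a non-empty hostname_has_any or dvcaction returns no rows (neither filter is supported here).
  let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[ '%%14596', 'IP Packet', '%%14597', 'Transport', '%%14598', 'Forward', '%%14599', 'Stream', '%%14600', 'Datagram Data', '%%14601', 'ICMP Error', '%%14602', 'MAC 802.3', '%%14603', 'MAC Native', '%%14604', 'vSwitch', '%%14608', 'Resource Assignment', '%%14609', 'Listen', '%%14610', 'Receive/Accept', '%%14611', 'Connect', '%%14612', 'Flow Established', '%%14614', 'Resource Release', '%%14615', 'Endpoint Closure', '%%14616', 'Connect Redirect', '%%14617', 'Bind Redirect', '%%14624', 'Stream Packet'];
  let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[ 1, 'ICMP', 3, 'GGP', 6, 'TCP', 8, 'EGP', 12, 'PUP', 17, 'UDP', 20, 'HMP', 27, 'RDP', 46, 'RSVP', 47, 'PPTP data over GRE', 50, 'ESP', 51, 'AH', 66, 'RVD', 88, 'IGMP', 89, 'OSPF'];
  let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[ '%%14592', 'Inbound', false, '%%14593', 'Outbound', true, '%%14594', 'Forward',false, '%%14595', 'Bidirectional', false, '%%14609', 'Listen', false, 'Inbound','Inbound',false, 'Outbound','Outbound',true, 'Forward','Forward',false, 'Bidirectional','Bidirectional',false, 'Listen','Listen',false];
  let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null) , hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false) {
  let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
  WindowsEvent
  | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type
  | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
  |where not(disabled)
  // 5150-5153 are included as well; they fall through to Failure / Deny below.
  | where EventID between (5150 .. 5159)
  | extend EventResult = iff(EventID in (5154, 5156, 5158), "Success", "Failure")
  | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) and (array_length(ip_any)==0 or has_any_ipv4_prefix(EventData,ip_any)) and (array_length(hostname_has_any)==0 ) and (array_length(dvcaction)==0 ) and (eventresult=='*' or EventResult==eventresult)
  | extend SrcIpAddr = tostring(EventData.SourceAddress) , DstIpAddr = tostring(EventData.DestAddress)
  | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)
  | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , (temp_isSrcMatch and temp_isDstMatch), "Both" , temp_isSrcMatch, "SrcIpAddr" , temp_isDstMatch, "DstIpAddr" , "No match" )
  | where ASimMatchingIpAddr != "No match"
  | project-away temp_*
  // NOTE(review): EventSeverity is taken from EventData.Severity here but overwritten by the iff() further down; one of the two looks redundant — confirm which is intended.
  | extend EventSeverity=tostring(EventData.Severity), LayerCode = tostring(EventData.LayerName), NetworkRuleNumber = toint(EventData.FilterRTID), Protocol = toint(EventData.Protocol), DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), "%%14609",tostring(EventData.Direction))
  | lookup Directions on DirectionCode
  | project-rename DvcHostname = Computer
  // The reporting host is the local endpoint: outbound => Src side, otherwise Dst side.
  | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), ""), DstAppName = iff(not(isOutBound), tostring(EventData.Application), ""), SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), ""), DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), ""), SrcPortNumber = toint(EventData.SourcePort), DstPortNumber = toint(EventData.DestPort), SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), ""), DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), ""), DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), ""), SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), ""), DstHostname = iff(isOutBound, "", DvcHostname), SrcHostname = iff(isOutBound, DvcHostname, "")
  | project-away EventData
  | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )
  // S-1-0-0 is the Windows Null SID placeholder; treat it as "no user" rather than an identity.
  | extend DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"), DvcOs = 'Windows', DstAppType = "Process", SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstUserIdType = iff (DstUserId <> "S-1-0-0", "SID", ""), DstUserId = iff (DstUserId <> "S-1-0-0", DstUserId, ""), SrcAppType = "Process", EventType = "NetworkSession", EventSchema = "NetworkSession", EventSchemaVersion="0.2.3", EventCount=toint(1), EventVendor = "Microsoft", EventProduct = "Windows Firewall", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventSeverity = iff(EventID in (5154, 5156, 5158), "Informational", "Low")
  | extend Dvc = DvcHostname, Hostname = DvcHostname, IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr, Rule = tostring(NetworkRuleNumber), DstDvcIdType = iff (DstDvcId != "", "SID", ""), SrcDvcIdType = iff (SrcDvcId != "", "SID", "")
  | lookup LayerCodeTable on LayerCode
  | extend LayerName = iff(isempty(LayerName), LayerCode, LayerName)
  | lookup ProtocolTable on Protocol
  | project-away LayerCode, DirectionCode, Protocol, isOutBound, EventID,_ResourceId,_SubscriptionId
  };
  parser( starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessCreateMicrosoftSecurityEvents(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessCreateMicrosoftSecurityEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessCreateMicrosoftWindowsEvents(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessCreateMicrosoftWindowsEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessEvent
{
  // Unifying ASim parser for process events (create and terminate) across all deployed sources.
  // Source parsers are switched off through the ASimDisabledParsers watchlist: 'Any' or
  // 'ExcludeASimProcessEventBuiltIn' disables all built-in parsers, a source-specific Exclude* key disables one.
  // union isfuzzy=true tolerates source parsers that are not deployed in this workspace.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
  let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union isfuzzy=true
    vimProcessEmpty,
    ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),
    ASimProcessEventCreateMicrosoftSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmon' in (DisabledParsers) )),
    ASimProcessEventCreateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),
    ASimProcessEventTerminateMicrosoftSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) )),
    // NOTE(review): the exclusion key below repeats "ASimProcess" and does not follow the Exclude<ParserName> pattern used by its siblings — confirm it matches the documented watchlist value.
    ASimProcessEventTerminateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),
    ASimProcessCreateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
    ASimProcessTerminateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),
    ASimProcessCreateLinuxSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
    ASimProcessTerminateLinuxSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
    ASimProcessTerminateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
    ASimProcessCreateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
    // NOTE(review): 'ExcludeASimProcessEventMD4IoTh' differs from the 'ExcludeASimProcessEventMD4IoT' key used in ASimProcessEventCreate/ASimProcessEventTerminate — confirm which spelling the watchlist documents.
    ASimProcessEventMD4IoT (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),
    ASimProcessCreateSentinelOne (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
    ASimProcessEventNative (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),
    ASimProcessCreateVMwareCarbonBlackCloud (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),
    ASimProcessTerminateVMwareCarbonBlackCloud (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )),
    ASimProcessCreateTrendMicroVisionOne (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventCreate
{
  // Unifying ASim parser for process creation events only. Disabling works as in ASimProcessEvent,
  // keyed on the 'ExcludeASimProcessEventCreate' watchlist entry.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
  let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union isfuzzy=true
    vimProcessEmpty,
    ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),
    // disabled is passed positionally here, unlike the named form used for the other sources.
    ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),
    ASimProcessCreateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),
    ASimProcessCreateLinuxSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),
    ASimProcessCreateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),
    ASimProcessCreateSentinelOne (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),
    ASimProcessEventMD4IoT (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
    ASimProcessEventNative (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),
    ASimProcessCreateVMwareCarbonBlackCloud (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),
    ASimProcessCreateTrendMicroVisionOne (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventCreateMicrosoftSysmonWindowsEvent(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessEventCreateMicrosoftSysmonWindowsEvent(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventMicrosoft365D(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessEventMicrosoft365D(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventTerminate
{
  // Unifying ASim parser for process termination events only.
  // NOTE(review): the watchlist SearchKey filter uses 'ExcludeASimProcess' rather than a terminate-specific key
  // (ASimProcessEventCreate uses 'ExcludeASimProcessEventCreate') — confirm this is intended.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
  let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union isfuzzy=true
    vimProcessEmpty,
    ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),
    // disabled is passed positionally here, unlike the named form used for the other sources.
    ASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),
    ASimProcessTerminateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),
    ASimProcessTerminateLinuxSysmon (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),
    ASimProcessTerminateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),
    ASimProcessEventMD4IoT (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),
    ASimProcessEventNative (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),
    ASimProcessTerminateVMwareCarbonBlackCloud (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessEventTerminateMicrosoftSysmonWindowsEvent(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessTerminateMicrosoftSecurityEvents(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessTerminateMicrosoftSecurityEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessTerminateMicrosoftWindowsEvents(['disabled']:bool=false)
{
  // Parameterless ASim wrapper: forwards only the disabled flag to the filtering (vim) parser.
  vimProcessTerminateMicrosoftWindowsEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) imProcessCreate(
  ['starttime']:datetime=datetime(null),
  ['endtime']:datetime=datetime(null),
  ['commandline_has_any']:dynamic=dynamic([]),
  ['commandline_has_all']:dynamic=dynamic([]),
  ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
  ['actingprocess_has_any']:dynamic=dynamic([]),
  ['targetprocess_has_any']:dynamic=dynamic([]),
  ['parentprocess_has_any']:dynamic=dynamic([]),
  ['targetusername']:string='*',
  ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
  ['dvcname_has_any']:dynamic=dynamic([]),
  ['hashes_has_any']:dynamic=dynamic([]),
  ['eventtype']:string='*')
{
  // Unifying filtering parser for process creation events: forwards every filter to each source
  // parser so filtering happens at the source. Parsers can be switched off through the
  // ASimDisabledParsers watchlist ('Any', 'ExcludevimProcessCreateBuiltIn', or a source-specific Exclude* key).
  // Parameter names differ per source (targetusername vs targetusername_has, dvcname_has_any vs
  // dvchostname_has_any) and not every source accepts hashes_has_any, hence the per-call argument lists.
  let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
  let imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union isfuzzy=true
    vimProcessEmpty,
    // NOTE(review): the disabled value is passed positionally after named arguments here and in the vimProcessCreateMicrosoftWindowsEvents call below; the other calls use disabled=. Confirm the engine binds it as intended.
    vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),
    vimProcessCreateMicrosoftSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),
    vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
    vimProcessCreateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),
    vimProcessCreateLinuxSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),
    vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),
    vimProcessCreateMD4IoT (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),
    vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),
    vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),
    vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),
    vimProcessCreateTrendMicroVisionOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateTrendMicroVisionOne' in (DisabledParsers) )))
  };
  Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,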
actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype) }

.create-or-alter function with (skipvalidation=true) imProcessEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') {
// imProcessEvent: ASIM ProcessEvent union parser (process create + terminate events).
// Every parameter is an optional filter (null time, empty array or '*' = no filter) and is forwarded
// unchanged to each source-specific vim* parser below; the results are unioned into one normalized stream.
// Caller-facing names differ slightly from the source-parser names (targetusername -> targetusername_has,
// dvcname_has_any -> dvchostname_has_any for some sources); the mapping is done per call below.
let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){
// Per-source kill switch: rows of the ASimDisabledParsers watchlist keyed 'Any' or 'ExcludeimProcess'.
// column_ifexists keeps this working when the watchlist has no SourceSpecificParser column.
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
// 'Any' or the BuiltIn key switches off every built-in source parser at once.
let imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
// isfuzzy=true: a source parser that is not deployed in this database is skipped silently instead of
// failing the whole union. vimProcessEmpty comes first so the output schema is fixed even if no source contributes rows.
union isfuzzy=true vimProcessEmpty,
// NOTE(review): the last argument is passed positionally here (and for vimProcessCreateMicrosoftWindowsEvents and
// vimProcessEventNative below) while every sibling call names it `disabled=`; confirm it binds to `disabled`,
// otherwise these sources cannot be switched off via the watchlist.
vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),
// NOTE(review): the watchlist key below reads 'ExcludevimProcessEventCreateMicrosoftSysmonn' (double n); a row using the
// single-n spelling of the parser name would not disable this source. Confirm the intended key.
vimProcessEventCreateMicrosoftSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonn' in (DisabledParsers) ))),
vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
// Terminate-type sources receive the actor username filter; create-type sources receive the target username filter.
vimProcessEventTerminateMicrosoftSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) ))),
vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
vimProcessCreateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),
vimProcessTerminateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),
vimProcessCreateLinuxSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),
vimProcessTerminateLinuxSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),
vimProcessTerminateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),
vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),
// NOTE(review): imProcessTerminate disables the MD4IoT terminate source with the key 'ExcludevimProcessEventMD4IoT',
// while this union uses per-parser keys; a single watchlist row will not switch it off in both. Confirm the intended keys.
vimProcessCreateMD4IoT (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),
vimProcessTerminateMD4IoT (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),
// The native source handles both event types, so it receives both the actor and the target username filters.
vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),
vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),
vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),
vimProcessTerminateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))
};
Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)
}

.create-or-alter function with (skipvalidation=true) imProcessTerminate( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') {
// imProcessTerminate: ASIM ProcessEvent union parser restricted to process-terminate sources.
// Same filter semantics as imProcessEvent (null time, empty array or '*' = no filter); there is no
// targetusername or hashes filter because these sources carry only the acting user.
let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){
// Kill switch rows for this union are keyed 'Any' or 'ExcludeimProcessTerminate'.
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
let imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
// isfuzzy=true: missing source parsers are skipped rather than failing the union; vimProcessEmpty fixes the schema.
union isfuzzy=true vimProcessEmpty,
vimProcessTerminateMicrosoftSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),
vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
vimProcessTerminateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),
vimProcessTerminateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),
vimProcessTerminateLinuxSysmon (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),
// NOTE(review): key differs from the 'ExcludevimProcessTerminateMD4IoT' used for the same source in imProcessEvent;
// confirm which key operators are expected to put in the watchlist.
vimProcessTerminateMD4IoT (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),
vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),
vimProcessTerminateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))
};
Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype)
}

.create-or-alter function with (skipvalidation=true) vimProcessCreateMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
// vimProcessCreateMicrosoftSecurityEvents: normalizes SecurityEvent 4688 (process creation) rows to the
// ASIM ProcessEvent schema. `disabled=true` makes the where-clause false and returns no rows.
// Integrity-level SID (S-1-16-*) -> RID / constant name / human meaning, joined on MandatoryLabel below.
// NOTE(review): the HIGH row uses '0X00003000' (uppercase X) while the other RIDs use lowercase 'x'; confirm consumers do not compare this string.
let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string) [
'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',
'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',
'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',
'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',
'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',
'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',
'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'
];
// Well-known SIDs whose account name arrives as '-': supplies a display name and the 'Simple' username type.
let KnownSIDs = datatable (sid:string, username:string, type:string) [
'S-1-5-18', 'Local System', 'Simple',
'S-1-0-0', 'Nobody', 'Simple'
];
// Raw AccountType -> ASIM ActorUserType.
let UserTypeLookup = datatable (AccountType:string, ActorUserType:string) [
'User', 'Regular',
'Machine', 'Machine'
];
let parser=( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', disabled:bool=false ) {
SecurityEvent
// Time window is inclusive at both ends; a null bound means unbounded.
| where (isnull(starttime) or TimeGenerated >= starttime ) and (isnull(endtime) or TimeGenerated <= endtime ) and not(disabled)
| where EventID == 4688
// parentprocess_has_any and dvcipaddr_has_any_prefix cannot be satisfied by this source: a non-empty value yields no rows.
| where (eventtype=='*' or eventtype=='ProcessCreated') and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) and (array_length(actingprocess_has_any)==0 or ParentProcessName has_any (actingprocess_has_any)) and (array_length(targetprocess_has_any)==0 or NewProcessName has_any (targetprocess_has_any)) and (array_length(parentprocess_has_any)==0) and (targetusername_has=='*' or TargetAccount has targetusername_has) and (array_length(dvcipaddr_has_any_prefix)==0) and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))
// NOTE(review): EventSchemaVersion is '0.1.3' here but '0.1.0' in vimProcessCreateMicrosoftWindowsEvents; confirm which is current.
| extend EventCount = int(1), EventVendor = 'Microsoft', EventProduct = 'Security Events', EventSchemaVersion = '0.1.3', EventSchema = 'ProcessEvent', EventResult = 'Success', EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventType = 'ProcessCreated', EventOriginalType = tostring(EventID), DvcOs = 'Windows'
// Actor: when the raw name is '-', fall back to the well-known-SID name and type.
| lookup KnownSIDs on $left.SubjectUserSid == $right.sid
| extend ActorUsername = iff (SubjectUserName == "-", username, SubjectAccount), ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')
// Target: same fallback. NOTE(review): the type branch tests TargetDomainName whereas the actor branch tests the user name; confirm the asymmetry is intended.
| lookup KnownSIDs on $left.TargetUserSid == $right.sid
| extend TargetUsername = iff (TargetUserName == "-", username, TargetAccount), TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')
| lookup UserTypeLookup on AccountType
| extend ActorUserIdType = 'SID', TargetUserIdType = 'SID', ActingProcessId = tostring(toint(ProcessId)), TargetProcessId = tostring(toint(NewProcessId)), TargetProcessCommandLine = CommandLine
| project-rename DvcId = SourceComputerId, DvcHostname = Computer, ActingProcessName = ParentProcessName, TargetProcessName = NewProcessName, ActorDomainName = SubjectDomainName, ActorUserId = SubjectUserSid, ActorSessionId = SubjectLogonId, TargetUserId =TargetUserSid, TargetUserSessionId = TargetLogonId, EventOriginalUid = EventOriginId, TargetProcessTokenElevation = TokenElevationType
| lookup MandatoryLabelLookup on MandatoryLabel
// ASIM aliases.
| extend User = TargetUsername, Dvc = DvcHostname, Process = TargetProcessName
// The wildcards below would also keep the raw Target*/EventID columns, so they are removed explicitly afterwards.
| project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId
| project-away TargetDomainName, TargetUserName, TargetAccount, EventID
};
parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true) vimProcessCreateMicrosoftWindowsEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// vimProcessCreateMicrosoftWindowsEvents: normalizes WindowsEvent 4688 (process creation) rows to the ASIM
// ProcessEvent schema. Unlike SecurityEvent, the raw fields live in the dynamic EventData column.
// Last backslash-separated segment of a path (the file name).
let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\')[-1]) };
// Integrity-level SID (S-1-16-*) -> RID / constant name / human meaning, joined on MandatoryLabel below.
let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string) [
'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',
'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',
'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',
'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',
'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',
'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',
'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'
];
let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([]), disabled:bool=false ) {
WindowsEvent
// parentprocess_has_any, hashes_has_any and dvcipaddr_has_any_prefix cannot be satisfied by this source: a non-empty value yields no rows.
// `EventData has targetusername_has` is a coarse pre-filter over the whole raw blob; the exact TargetUsername filter is applied further down.
| where (isnull(starttime) or TimeGenerated >= starttime ) and (isnull(endtime) or TimeGenerated <= endtime ) and EventID == 4688 and not(disabled) and (eventtype=='*' or eventtype=='ProcessCreated') and (array_length(parentprocess_has_any)==0) and (array_length(hashes_has_any) == 0) and (array_length(dvcipaddr_has_any_prefix)==0) and (array_length(commandline_has_all)==0 or EventData.CommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any)==0 or EventData.CommandLine has_any (commandline_has_any)) and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix) ) and (array_length(actingprocess_has_any)==0 or EventData.ParentProcessName has_any (actingprocess_has_any)) and (array_length(targetprocess_has_any)==0 or EventData.NewProcessName has_any (targetprocess_has_any)) and (targetusername_has=='*' or EventData has targetusername_has) and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))
| project-rename DvcHostname = Computer
| extend EventCount = int(1), EventVendor = 'Microsoft', EventProduct = 'Security Events', EventSchemaVersion = '0.1.0', EventSchema = 'ProcessEvent', EventResult = 'Success', EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventType = 'ProcessCreated', EventOriginalType = tostring(EventID), DvcOs = 'Windows'
| extend ActorUsername = strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), ActorUserId = tostring(EventData.SubjectUserSid)
// S-1-0-0 is the NULL SID ("Nobody" in the sibling parser's KnownSIDs table): blank both the id and its type.
| extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, ""), ActorUsernameType = "Windows", username = tostring(EventData.TargetUserName)
// A '-' target user means the actor is the target (name and, below, SID).
// NOTE(review): the target name is built with EventData.SubjectDomainName; confirm TargetDomainName was not intended,
// as a wrong domain here misattributes the created process's identity in every downstream detection.
| extend TargetUsername = iff(username == "-", ActorUsername, strcat(EventData.SubjectDomainName, @'\', username))
| where (targetusername_has=='*' or TargetUsername has targetusername_has)
| extend TargetUserId = iff(username == "-", ActorUserId, tostring(EventData.TargetUserSid))
| extend TargetUserIdType = iff (TargetUserId <> "S-1-0-0", "SID", ""), TargetUserId = iff (TargetUserId <> "S-1-0-0", TargetUserId, ""), TargetUsernameType = "Windows"
| project-away username
// _ASIM_GetWindowsUserType: project helper (presumably defined earlier in this script) deriving the user type from name and SID.
| extend TargetUserSid = TargetUserId, ActorUserSid = ActorUserId, ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId), TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)
// PIDs go long -> int -> string; presumably to normalize the textual form of the raw value — confirm against the raw data.
| extend ActorSessionId = tostring(toint(EventData.SubjectLogonId)), TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), ActingProcessId = tostring(toint(tolong(EventData.ProcessId))), ActingProcessName = tostring(EventData.ParentProcessName), TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))), TargetProcessName = tostring(EventData.NewProcessName), TargetProcessCommandLine = tostring(EventData.CommandLine), TargetProcessTokenElevation = tostring(EventData.TokenElevationType), MandatoryLabel = tostring(EventData.MandatoryLabel)
| extend ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName), TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)
| lookup MandatoryLabelLookup on MandatoryLabel
// ASIM aliases.
| extend User = TargetUsername, Dvc = DvcHostname, Process = TargetProcessName, CommandLine = TargetProcessCommandLine
// Drop the raw WindowsEvent columns that were consumed above.
| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId
};
parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true) vimProcessEmpty {
// vimProcessEmpty: zero-row table carrying the full ASIM ProcessEvent column set. It is unioned first by
// imProcessEvent / imProcessTerminate so the union's output schema is fixed even when every source parser is disabled or absent.
let EmptyNewProcessEvents = datatable( TimeGenerated:datetime, _ResourceId:string, Type:string, EventType:string, EventProduct:string, EventProductVersion:string, EventCount:int, EventMessage:string, EventVendor:string, EventSchema:string, EventSchemaVersion:string, EventSeverity:string, EventSubType:string, EventOriginalUid:string, EventOriginalType:string, EventOriginalResultDetails:string, EventOriginalSeverity:string, EventOriginalSubType:string, EventStartTime:datetime, EventEndTime:datetime, EventReportUrl:string, EventResult: string, EventResultDetails: string, AdditionalFields:dynamic, EventOwner:string,
DvcId:string, DvcHostname:string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcIpAddr:string, DvcOs:string, DvcOsVersion:string, DvcMacAddr:string, DvcAction:string, DvcOriginalAction:string, DvcDescription: string, DvcIdType: string, DvcInterface: string, DvcZone: string, DvcScopeId:string, DvcScope:string,
TargetUsername:string, TargetUsernameType:string, TargetOriginalUserType:string, TargetUserId:string, TargetUserIdType:string, TargetUserType:string, TargetUserSessionId:string, TargetUserUid:string, TargetUserScopeId:string, TargetUserScope:string, TargetProcessName:string, TargetProcessFileDescription:string, TargetProcessFileProduct:string, TargetProcessFileVersion:string, TargetProcessFileCompany: string, TargetProcessFileInternalName: string, TargetProcessFileOriginalName: string, TargetProcessFileSize: long, TargetProcessCurrentDirectory: string, TargetProcessIsHidden:bool, TargetProcessInjectedAddress:string, TargetProcessMD5:string, TargetProcessSHA1:string, TargetProcessSHA256:string, TargetProcessSHA512:string, TargetProcessIMPHASH:string, TargetProcessCommandLine:string, TargetProcessCreationTime:datetime, TargetProcessId:string, TargetProcessGuid:string, TargetProcessIntegrityLevel:string, TargetProcessTokenElevation:string,
ActorUsername:string, ActorUsernameType:string, ActorUserId:string, ActorUserIdType:string, ActorUserType:string, ActorOriginalUserType:string, ActorSessionId:string, ActorUserAadId:string, ActorUserSid:string, ActorScopeId:string, ActorScope:string,
ActingProcessCommandLine:string, ActingProcessName:string, ActingProcessFileDescription:string, ActingProcessFileProduct:string, ActingProcessFileCompany: string, ActingProcessFileInternalName: string, ActingProcessFileOriginalName: string, ActingProcessFileSize: long, ActingProcessFileVersion:string, ActingProcessIsHidden:bool, ActingProcessTokenElevation: string, ActingProcessInjectedAddress:string, ActingProcessId:string, ActingProcessGuid:string, ActingProcessIntegrityLevel:string, ActingProcessMD5:string, ActingProcessSHA1:string, ActingProcessSHA256:string, ActingProcessSHA512:string, ActingProcessIMPHASH:string, ActingProcessCreationTime:datetime,
ParentProcessName:string, ParentProcessFileDescription:string, ParentProcessFileProduct:string, ParentProcessFileVersion:string, ParentProcessFileCompany: string, ParentProcessTokenElevation:string, ParentProcessIsHidden:bool, ParentProcessInjectedAddress:string, ParentProcessId:string, ParentProcessGuid:string, ParentProcessIntegrityLevel:string, ParentProcessMD5:string, ParentProcessSHA1:string, ParentProcessSHA256:string, ParentProcessSHA512:string, ParentProcessIMPHASH:string, ParentProcessCreationTime:datetime, ParentProcessCommandLine:string, ParentProcessFileInternalName: string, ParentProcessFileOriginalName: string, ParentProcessFileSize: long,
RuleName:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatRiskLevel:int, ThreatOriginalRiskLevel:string, ThreatConfidence:int, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, ThreatField:string,
Dvc:string, Src:string, Dst:string, User:string, Process:string, CommandLine:string, Hash:string, HashType:string )[];
EmptyNewProcessEvents
}

.create-or-alter function with (skipvalidation=true) vimProcessEventCreateMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]),
targetusername_has: string='*', dvcipaddr_has_any_prefix: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), eventtype: string='*', disabled: bool=false ) { let parser_WindowsEvent= WindowsEvent | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and not(disabled) and (eventtype == '*' or eventtype == 'ProcessCreated') and Provider == "Microsoft-Windows-Sysmon" and EventID == 1 and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) and (array_length(parentprocess_has_any) == 0) and (targetusername_has == '*' or EventData.User has targetusername_has) and (array_length(dvcipaddr_has_any_prefix) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='"') | extend Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, "") | extend HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "IMPHASH", "MD5"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])) | project-rename TargetProcessMD5 = MD5, TargetProcessSHA1 = SHA1, TargetProcessSHA256 = SHA256, TargetProcessIMPHASH = IMPHASH | extend EventOriginalType = tostring(EventID), TargetUserSessionId = tostring(EventData.LogonId), TargetUsername = tostring(EventData.User), TargetProcessCommandLine = tostring(EventData.CommandLine), TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory), 
TargetUserSessionGuid = tostring(EventData.LogonGuid), TargetProcessId = tostring(EventData.ProcessId), TargetProcessGuid = tostring(EventData.ProcessGuid), TargetProcessName = tostring(EventData.Image), TargetProcessFilename = tostring(EventData.OriginalFileName), TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel), TargetProcessFileCompany = tostring(EventData.Company), TargetProcessFileDescription = tostring(EventData.Description), TargetProcessFileVersion = tostring(EventData.FileVersion), TargetProcessFileProduct = tostring(EventData.Product), ActingProcessId = tostring(EventData.ParentProcessId), ActingProcessGuid = tostring(EventData.ParentProcessGuid), ActingProcessCommandLine = tostring(EventData.ParentCommandLine), ActingProcessName = tostring(EventData.ParentImage), ActorUsername = tostring(EventData.ParentUser) | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) and (targetusername_has == '*' or TargetUsername has targetusername_has) and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) | extend TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''), ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), EventProduct = "Security Events" | project-rename DvcHostname = Computer, EventOriginalUid = EventOriginId | extend Dvc = DvcHostname, User = TargetUsername, CommandLine = TargetProcessCommandLine, Process = TargetProcessName, EventUid = _ItemId | project-away EventData, Provider, ManagementGroupName, RawEventData, SourceSystem, Task, TenantId, EventID, Data, Channel, EventLevel, 
EventLevelName, Correlation, EventRecordId, Keywords, Opcode, SystemProcessId, SystemThreadId, SystemUserId, TimeCreated, Version, _ResourceId, _ItemId | extend EventType = "ProcessCreated", EventOriginalType = "1", EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventCount = int(1), EventVendor = "Microsoft", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventResult = 'Success', DvcOs = "Windows", TargetUsernameType = "Windows", ActorUsernameType = "Windows"; parser_WindowsEvent }; parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimProcessEventMicrosoft365D( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), 
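targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([]), disabled:bool=false ) {
DeviceProcessEvents
// dvcipaddr_has_any_prefix has no source field in this table: a non-empty value yields no rows.
// NOTE(review): the hash filter uses 'in', a case-sensitive exact match — callers must pass hashes in the table's casing.
| where (isnull(starttime) or Timestamp >= starttime )
    and (isnull(endtime) or Timestamp <= endtime )
    and not(disabled)
    and (array_length(dvcipaddr_has_any_prefix)==0)
    and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all))
    and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any))
    and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) )
    and (array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any))
    and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any))
    and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any))
    and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has)
    and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any))
    and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any))
    and (eventtype=='*' or eventtype=='ProcessCreated')
| extend Type = "DeviceProcessEvents", EventOriginalUid = tostring(ReportId), EventCount = int(1), EventProduct = 'M365 Defender for Endpoint', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.4', EventSchema = 'ProcessEvent', EventStartTime = todatetime(Timestamp), EventEndTime = todatetime(Timestamp), EventResult = 'Success', TimeGenerated = todatetime(Timestamp)
// DOMAIN\user when a domain is present, otherwise the bare account name.
// Username types are derived once, later, via _ASIM_GetUsernameType (an earlier iff-based
// assignment was dead code, overridden by that call).
| extend ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)), TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\', AccountName)), ActorUserIdType = 'SID', TargetUserIdType = 'SID', ActorSessionId = tostring(InitiatingProcessLogonId), TargetUserSessionId = tostring(LogonId), Hash = coalesce (SHA256, SHA1, MD5, ""), TargetProcessId = tostring(ProcessId), ActingProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId), DvcOs = iff (AdditionalFields has "ProcessPosixProcessGroupId", "Linux", "Windows")
| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId
// HashType names the algorithm that coalesce() picked for Hash.
| extend HashType = iff(isempty(Hash), "", tostring(dynamic(["SHA256", "SHA1", "MD5"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)]))
| invoke _ASIM_ResolveDvcFQDN('DeviceName')
| project-rename DvcId = DeviceId, EventType = ActionType, ActorUserId = InitiatingProcessAccountSid, ActorUserAadId = InitiatingProcessAccountObjectId, ActorUserUpn = InitiatingProcessAccountUpn, TargetUserId = AccountSid, TargetUserAadId = AccountObjectId, TargetUserUpn = AccountUpn, ParentProcessName = InitiatingProcessParentFileName, TargetProcessFilename = FileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime, TargetProcessName = FolderPath, TargetProcessCommandLine = ProcessCommandLine, TargetProcessMD5 = MD5, TargetProcessSHA1 = SHA1, TargetProcessSHA256 = SHA256, TargetProcessIntegrityLevel = ProcessIntegrityLevel, TargetProcessTokenElevation = ProcessTokenElevation, TargetProcessCreationTime = ProcessCreationTime, ActingProcessName = InitiatingProcessFolderPath, ActingProcessFilename = InitiatingProcessFileName, ActingProcessCommandLine = InitiatingProcessCommandLine, ActingProcessMD5 = InitiatingProcessMD5, ActingProcessSHA1 = InitiatingProcessSHA1, ActingProcessSHA256 = InitiatingProcessSHA256, ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, ActingProcessTokenElevation = InitiatingProcessTokenElevation, ActingProcessCreationTime = InitiatingProcessCreationTime
| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)
| extend User = coalesce(TargetUsername, ActorUsername), CommandLine = TargetProcessCommandLine, Process = TargetProcessName, Dvc = DvcHostname
// DvcHostname and TargetUserSessionId are computed above and belong to the ProcessEvent schema, so they are
// kept in the output instead of being dropped.
// NOTE(review): any other columns produced by _ASIM_ResolveDvcFQDN (e.g. DvcDomain, DvcFQDN) are still
// dropped by this project — confirm whether they should be emitted.
| project Timestamp, TimeGenerated, Type, EventOriginalUid, EventCount, EventProduct, EventVendor, EventSchemaVersion, EventSchema, EventStartTime, EventEndTime, EventResult, ActorUsername, ActorUserIdType, TargetUserIdType, ActorUsernameType, TargetUsername, TargetUsernameType, ActorSessionId, TargetUserSessionId, Hash, TargetProcessId, ActingProcessId, ParentProcessId, DvcOs, HashType, DvcId, EventType, ActorUserId, ActorUserAadId, ActorUserUpn, TargetUserId, TargetUserAadId, TargetUserUpn, ParentProcessName, TargetProcessFilename, ParentProcessCreationTime, TargetProcessName, TargetProcessCommandLine, TargetProcessMD5, TargetProcessSHA1, TargetProcessSHA256, TargetProcessIntegrityLevel, TargetProcessTokenElevation, TargetProcessCreationTime, ActingProcessName, ActingProcessFilename, ActingProcessCommandLine, ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256, ActingProcessIntegrityLevel, ActingProcessTokenElevation, ActingProcessCreationTime, User, CommandLine, Process, Dvc, DvcHostname
};
parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled )
}

// vimProcessEventTerminateMicrosoftSysmonWindowsEvent: ASIM ProcessEvent (ProcessTerminated) filtering parser
// for Sysmon Event ID 5 ingested through the WindowsEvent table. Sysmon termination events carry no command
// line, hashes, acting or parent process, so non-empty values for those filters yield no rows.
.create-or-alter function with (skipvalidation=true) vimProcessEventTerminateMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), commandline_has_any: dynamic=dynamic([]), commandline_has_all: dynamic=dynamic([]), commandline_has_any_ip_prefix: dynamic=dynamic([]), actingprocess_has_any: dynamic=dynamic([]), targetprocess_has_any: dynamic=dynamic([]), parentprocess_has_any: dynamic=dynamic([]), actorusername_has: string='*', dvcipaddr_has_any_prefix: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), eventtype: string='*', disabled: bool=false ) {
let parser_WindowsEvent= WindowsEvent
// Cheap pre-filter on the raw EventData blob; the exact match is re-applied on parsed columns below.
| where (isnull(starttime) or TimeGenerated >= starttime)
    and (isnull(endtime) or TimeGenerated <= endtime)
    and not(disabled)
    and Provider == "Microsoft-Windows-Sysmon" and EventID == 5
    and (eventtype == '*' or eventtype == 'ProcessTerminated')
    and (array_length(commandline_has_all) == 0)
    and (array_length(commandline_has_any) == 0)
    and (array_length(commandline_has_any_ip_prefix) == 0)
    and (array_length(actingprocess_has_any) == 0)
    and (array_length(parentprocess_has_any) == 0)
    and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any))
    and (actorusername_has == '*' or EventData has actorusername_has)
    and (array_length(dvcipaddr_has_any_prefix) == 0)
    and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
// The GUID is stored with surrounding braces; keep only the inner value.
| extend EventProduct = "Security Events", ActorUsername = tostring(EventData.User), TargetProcessName = tostring(EventData.Image), TargetProcessId = tostring(EventData.ProcessId), TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string))
| where (actorusername_has == '*' or ActorUsername has actorusername_has)
    and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any))
| project-rename DvcHostname = Computer, EventOriginalUid = EventOriginId
| project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId
| extend EventType = "ProcessTerminated", EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventCount = int(1), EventVendor = "Microsoft", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventOriginalType=tostring(EventID), EventResult = 'Success', DvcOs = "Windows", ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), User = ActorUsername, Process = TargetProcessName, Dvc = DvcHostname
| project-away EventID, Correlation, EventRecordId, Keywords, Opcode, SystemProcessId, SystemThreadId, SystemUserId, TimeCreated, Version, _ResourceId ;
parser_WindowsEvent
};
parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=disabled )
}

// vimProcessTerminateMicrosoftSecurityEvents: ASIM ProcessEvent (ProcessTerminated) filtering parser for
// Security Event 4689 in the SecurityEvent table (name and body follow on the next line of this chunk).
.create-or-alter function with (skipvalidation=true)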
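vimProcessTerminateMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
// ASIM ProcessEvent (ProcessTerminated) parser for Security Event 4689 in the SecurityEvent table.
// NOTE(review): the filter parameters are named 'actorusername' and 'dvcname_has_any' here, whereas the
// sibling parsers use 'actorusername_has' and 'dvchostname_has_any'. Renaming would break existing callers,
// so the names are kept — confirm against the unifying parser that calls this function.
// Acting/parent process and device IP are not available in 4689, so non-empty values for those filters yield no rows.
let ProcessEvents=(){
SecurityEvent
| where EventID == 4689
| where (isnull(starttime) or TimeGenerated >= starttime )
    and (isnull(endtime) or TimeGenerated <= endtime )
    and not(disabled)
    and (array_length(actingprocess_has_any)==0 )
    and (array_length(parentprocess_has_any)==0)
    and (array_length(dvcipaddr_has_any_prefix)==0)
    and (eventtype=='*' or eventtype=='ProcessTerminated')
    and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any))
    and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))
    and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )
    and (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any))
    and (actorusername=='*' or SubjectAccount has actorusername)
    and (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any))
// S-1-0-0 is the NULL SID: report no user id rather than a meaningless one.
// A SubjectDomainName of '-' marks a simple (domain-less) account name.
// TargetProcessId: presumably normalizes the source's process id text to a decimal string — TODO confirm.
// Process is assigned once, below, from TargetProcessName (a duplicate assignment in this extend was removed).
| extend EventCount = int(1), EventVendor = "Microsoft", EventProduct = "Security Events", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventType = "ProcessTerminated", EventResult = 'Success', EventOriginalType = tostring(EventID), EventOriginalUid = EventOriginId, EventResultDetails = Status, EventOriginalResultDetails = Status, DvcId = SourceComputerId, DvcHostname = Computer, DvcOs = "Windows", ActorUserIdType = iff (SubjectUserSid <> "S-1-0-0", "SID", ""), ActorUserId = iff (SubjectUserSid <> "S-1-0-0", SubjectUserSid, ""), ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount), ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'), ActorSessionId = SubjectLogonId, ActorDomainName = SubjectDomainName, TargetProcessId = tostring(toint(tolong(ProcessId))), TargetProcessName = ProcessName, TargetProcessCommandLine = CommandLine, TargetProcessTokenElevation = TokenElevationType
| extend User = ActorUsername, Dvc = DvcHostname, Process = TargetProcessName
};
ProcessEvents
}

// vimProcessTerminateMicrosoftWindowsEvents: ASIM ProcessEvent (ProcessTerminated) filtering parser for
// Security Event 4689 ingested through the WindowsEvent table. Command-line, hash, acting-process and
// parent-process filters cannot be satisfied by 4689, so non-empty values for them yield no rows.
.create-or-alter function with (skipvalidation=true) vimProcessTerminateMicrosoftWindowsEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Last backslash-separated segment of a path (the executable's file name).
let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\')[-1]) };
let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([]), disabled:bool=false ) {
WindowsEvent
| where (isnull(starttime) or TimeGenerated >= starttime )
    and (isnull(endtime) or TimeGenerated <= endtime )
    and not(disabled)
    and EventID == 4689
    and (array_length(actingprocess_has_any)==0)
    and (array_length(parentprocess_has_any)==0)
    and (array_length(dvcipaddr_has_any_prefix)==0)
    and (eventtype=='*' or eventtype=='ProcessTerminated')
    and (array_length(commandline_has_all)==0)
    and (array_length(commandline_has_any)==0)
    and (array_length(commandline_has_any_ip_prefix)==0)
    and (array_length(hashes_has_any)==0)
    and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any))
    and (actorusername_has=='*' or EventData has actorusername_has)
    and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))
// EventOriginalUid is carried over from EventOriginId, as the sibling 4689/Sysmon parsers do, instead of being dropped.
| project-rename DvcHostname = Computer, EventOriginalUid = EventOriginId
| extend EventCount = int(1), EventVendor = 'Microsoft', EventProduct = 'Security Events', EventSchemaVersion = '0.1.0', EventSchema = 'ProcessEvent', EventResult = 'Success', EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventType = 'ProcessTerminated', EventOriginalType = tostring(EventID), DvcOs = 'Windows'
// NOTE(review): the domain is prepended unconditionally, so an empty SubjectDomainName yields "\user" —
// the SecurityEvent-based 4689 parser treats a '-' domain as a simple name instead; confirm which is intended.
| extend ActorUsername = strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), ActorUserId = tostring(EventData.SubjectUserSid)
// S-1-0-0 is the NULL SID: report no user id rather than a meaningless one.
| extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, ""), ActorUsernameType = "Windows"
| where (actorusername_has=='*' or ActorUsername has actorusername_has)
| extend ActorUserSid = ActorUserId, ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)
// Session and process ids: presumably normalize the source's id text to decimal strings — TODO confirm.
| extend ActorSessionId = tostring(toint(EventData.SubjectLogonId)), TargetProcessId = tostring(toint(tolong(EventData.ProcessId))), TargetProcessName = tostring(EventData.ProcessName), TargetProcessStatusCode = tostring(EventData.Status)
| extend TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)
| extend User = ActorUsername, Dvc = DvcHostname, Process = TargetProcessName
| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem
};
parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled )
}

// ASimRegistry: ASIM RegistryEvent unifying parser without filtering parameters.
// Source parsers can be switched off through the 'ASimDisabledParsers' watchlist
// (SearchKey 'Any' or 'ExcludeASimRegistry', parser named in SourceSpecificParser).
// The union continues on the next line of this chunk.
.create-or-alter function with (skipvalidation=true) ASimRegistry( ['pack']:bool=false) {
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
// 'pack' is accepted for signature compatibility; it is not used in this body.
let parser=(pack:bool=false){
// isfuzzy=true: source parsers that are not deployed are skipped instead of failing the union.
union isfuzzy=true
  vimRegistryEventEmpty,
  ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),
  ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),
  ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),
  ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
  ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),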
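ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),
  ASimRegistryEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventNative' in (DisabledParsers) ))),
  ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),
  ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))
};
parser (pack=pack)
}

// Parameter-less ASIM wrappers over the corresponding filtering (vim*) parsers.
.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoft365D(['disabled']:bool=false) { vimRegistryEventMicrosoft365D(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftSysmonWindowsEvent(['disabled']:bool=false) { vimRegistryEventMicrosoftSysmonWindowsEvent(disabled=disabled) }

// ASimRegistryEventMicrosoftWindowsEvent: ASIM RegistryEvent parser for Security Events 4663 (registry key
// access, ObjectType "Key") and 4657 (registry value set/deleted) ingested through the WindowsEvent table.
.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftWindowsEvent( ['disabled']:bool=false) {
let parser = ( disabled: bool=false ) {
// Well-known SIDs (NULL, SYSTEM, LOCAL SERVICE, NETWORK SERVICE) are reported as simple account names.
let ASIM_GetAccountType = (sid: string) { iif ( sid in ("S-1-0-0", "S-1-5-18", "S-1-5-19", "S-1-5-20"), "Simple" , "Windows" ) };
// Actor and registry-key fields shared by both event types.
// ActorUsername: both iif branches are strings — the bare SubjectUserName is cast so the column type is not dynamic.
// RegistryKey: kernel object paths are rewritten to the familiar hive names.
let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {
WindowsEvent
| extend ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), tostring(EventData.SubjectUserName))
    , ActorDomainName = tostring(EventData.SubjectDomainName)
    , ActorUserId = tostring(EventData.SubjectUserSid)
    , ActorSessionId = tostring(EventData.SubjectLogonId)
    , ActingProcessName = tostring(EventData.ProcessName)
    , ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))
    , RegistryKey = iif( EventData.ObjectName startswith @"\REGISTRY\MACHINE", replace_string(tostring(EventData.ObjectName), @"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE") , replace_string(tostring(EventData.ObjectName), @"\REGISTRY\USER", "HKEY_USERS") )
};
// 4663 access mask -> ASIM EventType.
let Event4663TypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "RegistryValueRead" , "0x10", "RegistryKeyNotify" , "0x10000", "RegistryKeyDeleted" , "0x2", "RegistryValueSet" , "0x20000", "MetadataAccessed" , "0x20006", "RegistryValueSet" , "0x40000", "MetadataModified" , "0x8", "RegistrySubkeyEnumerated" ];
// 4657 operation type -> ASIM EventType (%%1906 is the delete operation; %%1905 carries a previous value, see below).
let Event4657TypeLookup = datatable (EventOriginalSubType: string, EventType: string) [ "%%1904", "RegistryValueSet" , "%%1905", "RegistryValueSet" , "%%1906", "RegistryValueDeleted" ];
// 4657 value-type codes -> registry value type names.
let RegistryType = datatable (TypeCode: string, TypeName: string) [ "%%1872", "REG_NONE" , "%%1873", "REG_SZ" , "%%1874", "REG_EXPAND_SZ" , "%%1875", "REG_BINARY" , "%%1876", "REG_DWORD" , "%%1879", "REG_MULTI_SZ" , "%%1883", "REG_QWORD" ];
union isfuzzy=false
(
  // 4663: registry key accessed; EventType is derived from the access mask.
  WindowsEvent
  | where not(disabled)
  | where EventID == 4663 and EventData.ObjectType == "Key"
  | extend AccessMask = tostring(EventData.AccessMask) , Type = "WindowsEvent"
  | lookup Event4663TypeLookup on AccessMask
  | extend EventType = iif(isempty(EventType), "Other", EventType)
  | invoke ASIM_ParseWindowsEvents()
  | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, Type
),
(
  // 4657: registry value set or deleted; EventType is derived from the operation type.
  WindowsEvent
  | where not(disabled)
  | where EventID == 4657
  | invoke ASIM_ParseWindowsEvents()
  // Type is set here exactly as in the 4663 branch, so this branch does not rely on the source table providing it.
  | extend Type = "WindowsEvent" , EventOriginalSubType = tostring(EventData.OperationType) , OldValue = tostring(EventData.OldValue) , NewValue = tostring(EventData.NewValue) , RegistryValue = tostring(EventData.ObjectValueName) , NewValueType = tostring(EventData.NewValueType) , OldValueType = tostring(EventData.OldValueType)
  | lookup Event4657TypeLookup on EventOriginalSubType
  | extend EventType = iif(isempty(EventType), "Other", EventType)
  | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, RegistryValue, Type, NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue
  | lookup RegistryType on $left.NewValueType == $right.TypeCode
  | project-rename RegistryValueType = TypeName
  | lookup RegistryType on $left.OldValueType == $right.TypeCode
  | project-rename RegistryPreviousValueType = TypeName
  // On delete (%%1906) the value being removed is the old one; on modify (%%1905) the previous state is kept.
  | extend RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue) , RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, "") , RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, "") , RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "")
  | project-away NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue
)
| invoke _ASIM_ResolveFQDN ("Computer")
// S-1-0-0 is the NULL SID: report no user id. ActorUsernameType is derived from the raw SID in the same
// extend (before it is blanked) so that the S-1-0-0 entry of ASIM_GetAccountType can take effect.
| extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUsernameType = ASIM_GetAccountType(ActorUserId), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, "")
| project-rename DvcDomainType = DomainType , DvcHostname = ExtractedHostname
// Dvc is the FQDN when one was resolved, otherwise the host name (never an empty string or a literal).
| extend DvcFQDN = iif(DvcDomainType == "FQDN", FQDN, "") , DvcDomain = iif(isnotempty(Domain), Domain, "") , Dvc = iif(DvcDomainType == "FQDN", FQDN, DvcHostname)
| extend ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)
| extend User = ActorUsername , UserId = ActorUserId , ActorUserSid = ActorUserId , Process = ActingProcessName , EventStartTime = TimeGenerated , EventEndTime = TimeGenerated , EventOriginalType = tostring(EventID)
| extend EventSchemaVersion = "0.1" , EventSchema = "RegistryEvent" , EventCount = toint(1) , EventResult = "Success" , EventVendor = "Microsoft" , EventProduct = "Security Events" , DvcOs = "Windows"
// NOTE(review): ActorUserType, DvcDomainType, DvcDomain and DvcFQDN are computed and then dropped here —
// confirm whether the 0.1 RegistryEvent output is meant to omit them.
| project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId
};
parser ( disabled = disabled )
}

// imRegistry: ASIM RegistryEvent unifying filtering parser (its parameter list and body continue on the next line of this chunk).
.create-or-alter function with (skipvalidation=true) imRegistry(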
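['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) {
// Filtering unifying parser for the ASIM RegistryEvent schema: forwards the
// caller's filters to every source-specific vimRegistryEvent* parser and unions
// the results. union isfuzzy=true keeps the query running when one of the named
// source parsers is not deployed in this database.
// Source parsers are switched off per workspace through the
// 'ASimDisabledParsers' watchlist: a SearchKey of 'Any' or 'ExcludevimRegistry'
// selects the rows, and each row's SourceSpecificParser names what to exclude
// ('ExcludevimRegistryEventBuiltIn' or 'Any' disables every built-in parser).
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
let vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), pack:bool=false ) {
    // NOTE(review): 'pack' is accepted but not forwarded to any source parser,
    // so it currently has no effect.
    union isfuzzy=true
        vimRegistryEventEmpty,
        vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),
        vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),
        vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),
        vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),
        vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),
        vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),
        vimRegistryEventNative (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventNative' in (DisabledParsers) ))),
        // The Carbon Black and Trend Micro parsers name the data filter
        // 'registryvaluedata_has_any'; every other member calls it
        // 'registrydata_has_any'.
        vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),
        vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))
};
parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)
}

.create-or-alter function with (skipvalidation=true) vimRegistryEventEmpty {
// Empty table carrying the full ASIM RegistryEvent column set, so the union in
// imRegistry always has the schema even when no source parser returns rows.
let EmptyNewRegistryEvents = datatable( TimeGenerated:datetime, _ResourceId:string, Type:string, EventType:string, EventSubType:string, EventProduct:string, EventResult:string, EventResultDetails:string, EventOriginalSubType:string, EventOriginalResultDetails:string, EventSeverity:string, EventOriginalSeverity:string, EventSchema:string, EventOwner:string, EventProductVersion:string, EventCount:int, EventMessage:string, EventVendor:string, EventSchemaVersion:string, EventOriginalUid:string, EventOriginalType:string, EventStartTime:datetime, EventEndTime:datetime, EventReportUrl:string, AdditionalFields:dynamic, RegistryKey:string, RegistryValue:string, RegistryValueType:string, RegistryValueData:string, RegistryPreviousKey:string, RegistryPreviousValue:string, RegistryPreviousValueType:string, RegistryPreviousValueData:string, DvcId:string, DvcHostname:string, DvcIpAddr:string, DvcOs:string, DvcOsVersion:string, DvcMacAddr:string, DvcFQDN:string, DvcDomain:string, DvcDomainType:string, DvcDescription:string, DvcZone:string, DvcAction:string, DvcOriginalAction:string, DvcInterface:string, DvcScopeId:string, DvcScope:string, DvcIdType:string, ActorUsername:string, ActorUsernameType:string, ActorUserId:string, ActorUserIdType:string, ActorSessionId:string, ActorUserAadId:string, ActorUserSid:string, ActorScopeId:string, ActorScope:string, ActorUserType:string, ActorOriginalUserType:string, ActingProcessCommandLine:string, ActingProcessName:string, ActingProcessId:string, ActingProcessGuid:string, ParentProcessName:string, ParentProcessId:string, ParentProcessGuid:string, ParentProcessCommandLine:string, RuleName:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatRiskLevel:int, ThreatOriginalRiskLevel:string, ThreatConfidence:int, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, ThreatField:string, Dvc:string, User:string, Process:string, Src:string, Dst:string )[];
EmptyNewRegistryEvents
}

.create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoft365D( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Maps Microsoft 365 Defender for Endpoint DeviceRegistryEvents to the ASIM
// RegistryEvent schema. Defender reports value types by name; translate them to
// the Reg_* names used by the schema.
let RegistryType = datatable (TypeCode: string, TypeName: string) [ "None", "Reg_None", "String", "Reg_Sz", "ExpandString", "Reg_Expand_Sz", "Binary", "Reg_Binary", "Dword", "Reg_DWord", "MultiString", "Reg_Multi_Sz", "QWord", "Reg_QWord" ];
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) {
    DeviceRegistryEvents
    | where not(disabled)
    // Both time bounds are inclusive.
    | where (isnull(starttime) or Timestamp >= starttime) and (isnull(endtime) or Timestamp <= endtime)
    // Pre-filter on the source columns. Key and value filters also match the
    // Previous* columns because deletions and renames carry the old name there.
    | where (array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))
        and (array_length(actorusername_has_any) == 0 or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName) has_any (actorusername_has_any)))
        and ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any)) or (PreviousRegistryKey has_any (registrykey_has_any)))
        and ((array_length(registryvalue_has_any)) == 0 or (RegistryValueName has_any (registryvalue_has_any)) or (PreviousRegistryValueName has_any (registryvalue_has_any)))
        and (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))
        and (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))
    | extend EventOriginalUid = tostring(ReportId), EventCount = int(1), EventProduct = 'M365 Defender for Endpoint', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.0', EventResult = 'Success', EventSchema = 'RegistryEvent', TimeGenerated = Timestamp, EventStartTime = Timestamp, EventEndTime = Timestamp, EventType = ActionType,
        // For deletions the removed key/value is only present in the Previous* columns.
        RegistryKey = iff (ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted"), PreviousRegistryKey, RegistryKey),
        RegistryValue = iff (ActionType == "RegistryValueDeleted", PreviousRegistryValueName, RegistryValueName),
        RegistryKeyModified = iff (ActionType == "RegistryKeyRenamed", PreviousRegistryKey, ""),
        RegistryValueModified = iff (ActionType == "RegistryValueSet", PreviousRegistryValueName, ""),
        RegistryValueDataModified = PreviousRegistryValueData
    // Re-apply the key/value filters against the normalized columns.
    | where ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any)))
    | lookup RegistryType on $left.RegistryValueType == $right.TypeCode
    | extend RegistryValueType = TypeName
    | project-away TypeName, PreviousRegistryKey, PreviousRegistryValueName, PreviousRegistryValueData
    | extend DvcHostname = DeviceName, DvcId = DeviceId, Dvc = DeviceName
    // A bare account name (no domain) is reported as a 'Simple' username.
    | extend ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)), ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), ActorUserIdType = 'SID'
    | project-rename ActorUserId = InitiatingProcessAccountSid, ActorUserAadId = InitiatingProcessAccountObjectId, ActorUserUpn = InitiatingProcessAccountUpn
    | extend ActingProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId)
    | project-away InitiatingProcessId, InitiatingProcessParentId
    | project-rename ParentProcessName = InitiatingProcessParentFileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime, ActingProcessName = InitiatingProcessFolderPath, ActingProcessFileName = InitiatingProcessFileName, ActingProcessCommandLine = InitiatingProcessCommandLine, ActingProcessMD5 = InitiatingProcessMD5, ActingProcessSHA1 = InitiatingProcessSHA1, ActingProcessSHA256 = InitiatingProcessSHA256, ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, ActingProcessTokenElevation = InitiatingProcessTokenElevation, ActingProcessCreationTime = InitiatingProcessCreationTime
    // Schema aliases.
    | extend Username = ActorUsername, UserId = ActorUserId, UserIdType = ActorUserIdType, User = ActorUsername, CommandLine = ActingProcessCommandLine, Process = ActingProcessName
};
parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled )
}

.create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Maps Sysmon registry events (event IDs 12, 13, 14) read from the WindowsEvent
// table to the ASIM RegistryEvent schema.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) {
    // Sysmon EventType names -> ASIM EventType names.
    let RegistryAction = datatable (EventType: string, NewEventType: string) [ "CreateKey", "RegistryKeyCreated", "DeleteKey", "RegistryKeyDeleted", "DeleteValue", "RegistryValueDeleted", "SetValue", "RegistryValueSet", "RenameKey", "RegistryKeyRenamed" ];
    // Sysmon abbreviates hive names; expand them to the names the schema uses.
    let Hives = datatable (KeyPrefix: string, Hive: string) [ "HKLM", "HKEY_LOCAL_MACHINE", "HKU", "HKEY_USERS", "HKCR", "HKEY_LOCAL_MACHINE\\Classes" ];
    let ParsedRegistryEvent_WindowsEvent=() {
        WindowsEvent
        | where not(disabled)
        // Both time bounds are inclusive.
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
        | where Provider == "Microsoft-Windows-Sysmon" and EventID in (12, 13, 14)
        // Key/value filters are applied further down, once the key and value
        // name have been split out of TargetObject.
        | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any))) and (array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any))) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
        | extend EventStartTime = todatetime(TimeGenerated), EventEndTime = todatetime(TimeGenerated), EventCount = int(1), EventVendor = "Microsoft", EventSchemaVersion = "0.1.0", EventProduct = "Sysmon", EventOriginalType = tostring(EventID), EventType = tostring(EventData.EventType), DvcOs = "Windows", EventMessage = tostring(EventData.RenderedDescription), ActorUsername = tostring(EventData.User), ActingProcessId = tostring(EventData.ProcessId),
            // Strip the surrounding braces from the Sysmon process GUID.
            ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)), ActingProcessName = tostring(EventData.Image), TargetObject = tostring(EventData.TargetObject), Parameter = tostring(EventData.Parameter)
        | project-rename DvcHostName = Computer
        | lookup RegistryAction on EventType
        | project-rename EventOriginalSubType = EventType
        | project-rename EventType = NewEventType
        // eventtype_in holds ASIM EventType values (e.g. "RegistryValueSet"), as
        // in the other source parsers, so it is compared against the mapped
        // EventType rather than the Sysmon-native name.
        | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
        // TargetObject is "<hive>\<path>"; expand the hive abbreviation.
        | parse TargetObject with KeyPrefix "\\" KeyMain
        | lookup Hives on KeyPrefix
        | extend Key = strcat (Hive, "\\", KeyMain)
        // For RenameKey, Parameter holds the new key name. Re-parsing it reuses
        // KeyPrefix/KeyMain; the second lookup adds a duplicate 'Hive' column
        // (auto-named 'Hive1', dropped at the end), so NewName is built with the
        // hive looked up for TargetObject.
        // NOTE(review): this assumes a key is renamed within its own hive — confirm.
        | parse Parameter with KeyPrefix "\\" KeyMain
        | lookup Hives on KeyPrefix
        | extend NewName = strcat (Hive, "\\", KeyMain)
        | project-away KeyPrefix, KeyMain, Hive
        // For value events TargetObject ends with the value name: split it off.
        | extend ParsedKey = extract_all (@"^(.+)\\(.+)$", Key)
        | extend Key = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), ParsedKey[0][0], Key)
        | extend Value = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), ParsedKey[0][1], "")
        | extend ParsedKey = extract_all (@"^(.+)\\(.+)$", NewName)
        | extend NewKey = ParsedKey[0][0]
        | extend NewValue = ParsedKey[0][1]
        | project-away ParsedKey, TargetObject, NewName
        | extend RegistryKey = iff (EventType == "RegistryKeyRenamed", NewKey, Key), RegistryKeyModified = iff (EventType in ("RegistryKeyRenamed", "RegistryValueSet"), Key, ""), RegistryValue = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), Value, ""), RegistryValueModified = iff (EventType == "RegistryValueSet", Value, ""), RegistryValueData = iff (EventType == "RegistryValueSet", Parameter, ""), ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')
        // Post-filter on the normalized key, value and data columns.
        | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))
        | extend User = ActorUsername, Process = ActingProcessName, Dvc = DvcHostName, EventResult = "Success", EventSchema = "RegistryEvent"
        | project-away Parameter, Value, Key, NewKey, NewValue, EventData, Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId
    };
    ParsedRegistryEvent_WindowsEvent
};
parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled )
}

.create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null),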
['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let ASIM_GetAccountType = (sid: string) { iif ( sid in ("S-1-0-0", "S-1-5-18", "S-1-5-19", "S-1-5-20"), "Simple" , "Windows" ) }; let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) { WindowsEvent | extend ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), EventData.SubjectUserName) , ActorDomainName = tostring(EventData.SubjectDomainName) , ActorUserId = tostring(EventData.SubjectUserSid) , ActorSessionId = tostring(EventData.SubjectLogonId) , ActingProcessName = tostring(EventData.ProcessName) , ActingProcessId = tostring(toint(tolong(EventData.ProcessId))) , RegistryKey = iif( EventData.ObjectName startswith @"\REGISTRY\MACHINE", replace_string(tostring(EventData.ObjectName), @"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE") , replace_string(tostring(EventData.ObjectName), @"\REGISTRY\USER", "HKEY_USERS") ) }; let Event4663TypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "RegistryValueRead" , "0x10", "RegistryKeyNotify" , "0x10000", "RegistryKeyDeleted" , "0x2", "RegistryValueSet" , "0x20000", "MetadataAccessed" , "0x20006", "RegistryValueSet" , "0x40000", "MetadataModified" , "0x8", "RegistrySubkeyEnumerated" ]; let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string) [ 
"%%1904", "RegistryValueSet" , "%%1905", "RegistryValueSet" , "%%1906", "RegistryValueDeleted" ]; let RegistryType = datatable (TypeCode: string, TypeName: string) [ "%%1872", "REG_NONE" , "%%1873", "REG_SZ" , "%%1874", "REG_EXPAND_SZ" , "%%1875", "REG_BINARY" , "%%1876", "REG_DWORD" , "%%1879", "REG_MULTI_SZ" , "%%1883", "REG_QWORD" ]; union isfuzzy=false ( WindowsEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4663 and EventData.ObjectType == "Key" | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and (array_length(registryvalue_has_any) == 0) and (array_length(registrydata_has_any) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | extend AccessMask = tostring(EventData.AccessMask) , Type = "WindowsEvent" | lookup Event4663TypeLookup on AccessMask | extend EventType = iif(isempty(EventType), "Other", EventType) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) | invoke ASIM_ParseWindowsEvents() | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any)) | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, Type ), ( union isfuzzy=false ( WindowsEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4657 | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or 
(strcat(EventData.SubjectDomainName, '\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any)) and (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any)) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | invoke ASIM_ParseWindowsEvents() | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any)) | extend EventOriginalSubType = tostring(EventData.OperationType) , OldValue = tostring(EventData.OldValue) , NewValue = tostring(EventData.NewValue) , RegistryValue = tostring(EventData.ObjectValueName) , NewValueType = tostring(EventData.NewValueType) , OldValueType = tostring(EventData.OldValueType) | lookup Event4567TypeLookup on EventOriginalSubType | extend EventType = iif(isempty(EventType), "Other", EventType) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, RegistryValue, Type, NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue ) | lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName | lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName | extend RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue) , RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, "") , RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, "") , RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "") | project-away NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue ) | invoke _ASIM_ResolveFQDN ("Computer") | extend 
ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, "") | project-rename DvcDomainType = DomainType , DvcHostname = ExtractedHostname | extend DvcFQDN = iif(DvcDomainType == "FQDN", FQDN, "") , DvcDomain = iif(isnotempty(Domain), Domain, "") , Dvc = iif(DvcDomainType == "FQDN", FQDN, "DvcHostname") | extend ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId) , ActorUsernameType = ASIM_GetAccountType(ActorUserId) | extend User = ActorUsername , UserId = ActorUserId , ActorUserSid = ActorUserId , Process = ActingProcessName , Dvc = iif(DvcDomainType == "FQDN", Computer, "") , EventStartTime = TimeGenerated , EventEndTime = TimeGenerated , EventOriginalType = tostring(EventID) | extend EventSchemaVersion = "0.1" , EventSchema = "RegistryEvent" , EventCount = toint(1) , EventResult = "Success" , EventVendor = "Microsoft" , EventProduct = "Security Events" , DvcOs = "Windows" | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId }; parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled ) } .create-or-alter function with (skipvalidation=true) ASimAuditEventAzureActivity(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventBarracudaCEF(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventBarracudaWAF(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventCiscoISE(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) 
ASimAuditEventCiscoMeraki(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventCiscoMerakiSyslog(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventCrowdStrikeFalconHost(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventIllumioSaaSCore(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventInfobloxBloxOne(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftEvent(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftExchangeAdmin365(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventNative(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventSentinelOne(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventVMwareCarbonBlackCloud(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuditEventVectraXDRAudit(['disabled']:bool=false) { vimAuditEventEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationAADManagedIdentitySignInLogs(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationAADNonInteractiveUserSignInLogs(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationAADServicePrincipalSignInLogs(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationAWSCloudTrail(['disabled']:bool=false) { vimAuthenticationEmpty } 
.create-or-alter function with (skipvalidation=true) ASimAuthenticationBarracudaWAF(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationCiscoASA(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationCiscoISE(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationCiscoMeraki(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationCiscoMerakiSyslog(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationCrowdStrikeFalconHost(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationGoogleWorkspace(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationIllumioSaaSCore(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationMD4IoT(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationNative(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationOktaSSO(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationOktaV2(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationPaloAltoCortexDataLake(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationPostgreSQL(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) 
ASimAuthenticationSalesforceSC(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationSentinelOne(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationSigninLogs(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationSshd(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationSu(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationSudo(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationVMwareCarbonBlackCloud(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimAuthenticationVectraXDRAudit(['disabled']:bool=false) { vimAuthenticationEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsAzureFirewall(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsCiscoUmbrella(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsFortinetFortiGate(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsGcp(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsInfobloxBloxOne(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsInfobloxNIOS(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsMicrosoftNXlog(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsMicrosoftOMS(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) 
ASimDnsMicrosoftSysmon(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsNative(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsSentinelOne(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsVectraAI(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimDnsZscalerZIA(['disabled']:bool=false) { vimDnsEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventAzureBlobStorage(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventAzureFileStorage(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventAzureQueueStorage(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventAzureTableStorage(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventGoogleWorkspace(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventLinuxSysmonFileCreated(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventLinuxSysmonFileDeleted(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSharePoint(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSysmon(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventNative(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimFileEventSentinelOne(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) 
ASimFileEventVMwareCarbonBlackCloud(['disabled']:bool=false) { vimFileEventEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionAWSVPC(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionAppGateSDP(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionAzureFirewall(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionAzureNSG(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionBarracudaCEF(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionBarracudaWAF(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCheckPointFirewall(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCiscoASA(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCiscoFirepower(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCiscoISE(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCiscoMeraki(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCiscoMerakiSyslog(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionCrowdStrikeFalconHost(['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) ASimNetworkSessionForcePointFirewall(['disabled']:bool=false) { vimNetworkSessionEmpty } 
// ---------------------------------------------------------------------------
// Stub ASIM parsers: remaining ASim* stubs (NetworkSession, ProcessEvent,
// RegistryEvent) followed by the filtering vim* stubs for AuditEvent,
// Authentication and the first two Dns sources.
//
// Every function is declared under the name of a real source-specific ASIM
// parser with (what is assumed to be) that parser's parameter list, and its
// body is only the matching *Empty function (vimNetworkSessionEmpty,
// vimProcessEmpty, vimRegistryEventEmpty, vimAuditEventEmpty,
// vimAuthenticationEmpty, vimDnsEmpty). The *Empty functions are defined
// outside this section -- presumably the ASIM schema with zero rows (TODO
// confirm). The stubs make content that references these names resolve and
// compile in this test database; they never return rows.
//
// All parameters -- including the filter arguments of the vim* stubs and the
// `disabled` flag -- are accepted purely for signature compatibility and are
// ignored by the bodies. The parameter ORDER is not uniform: most audit stubs
// take `disabled` last (vimAuditEventAzureActivity), others take it first
// (vimAuditEventBarracudaCEF, vimAuditEventCiscoMeraki, ...), so callers must
// pass arguments by name, never positionally. Where a signature deviates from
// its siblings it is assumed to mirror the upstream parser; verify against the
// production definition before "fixing" a stub, because a stub whose name or
// parameters drift from the real parser will break whatever references it.
//
// skipvalidation=true skips validation of the body at creation time, so a
// misspelled *Empty reference here is only reported when the stub is first
// invoked -- smoke-query each schema after the script has run.
//
// SAFETY: .create-or-alter replaces any existing function of the same name.
// Executed against a database that holds the real parsers, these empty stubs
// would silently blind every query and detection built on them. Run this
// script only in a dedicated test database, with a principal whose admin
// rights are scoped to that database.
// ---------------------------------------------------------------------------
// --- ASimNetworkSession (continued) ---
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionFortinetFortiGate(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionIllumioSaaSCore(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionLinuxSysmon(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMD4IoTAgent(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMD4IoTSensor(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftSysmon(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionNTANetAnalytics(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionNative(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionPaloAltoCEF(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionPaloAltoCortexDataLake(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionSentinelOne(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionSonicWallFirewall(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionVMConnection(['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionVMwareCarbonBlackCloud(['disabled']:bool=false) { vimNetworkSessionEmpty }

// Carries an extra `pack` flag that the other ASim stubs do not; ignored like
// `disabled`, but kept so named calls with pack=... still resolve.
.create-or-alter function with (skipvalidation=true) ASimNetworkSessionVectraAI(['disabled']:bool=false, ['pack']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionWatchGuardFirewareOS(['disabled']:bool=false) { vimNetworkSessionEmpty }

// --- ASimProcessEvent (create / terminate variants all map to vimProcessEmpty) ---
.create-or-alter function with (skipvalidation=true) ASimProcessCreateLinuxSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessCreateMicrosoftSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessCreateSentinelOne(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessCreateTrendMicroVisionOne(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessCreateVMwareCarbonBlackCloud(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessEventCreateMicrosoftSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessEventMD4IoT(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessEventNative(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessEventTerminateMicrosoftSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessTerminateLinuxSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessTerminateMicrosoftSysmon(['disabled']:bool=false) { vimProcessEmpty }

.create-or-alter function with (skipvalidation=true) ASimProcessTerminateVMwareCarbonBlackCloud(['disabled']:bool=false) { vimProcessEmpty }

// --- ASimRegistryEvent ---
.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftSecurityEvent(['disabled']:bool=false) { vimRegistryEventEmpty }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftSysmon(['disabled']:bool=false) { vimRegistryEventEmpty }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventNative(['disabled']:bool=false) { vimRegistryEventEmpty }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventSentinelOne(['disabled']:bool=false) { vimRegistryEventEmpty }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventTrendMicroVisionOne(['disabled']:bool=false) { vimRegistryEventEmpty }

.create-or-alter function with (skipvalidation=true) ASimRegistryEventVMwareCarbonBlackCloud(['disabled']:bool=false) { vimRegistryEventEmpty }

// --- vimAuditEvent (filtering stubs; note the three different parameter orders) ---
.create-or-alter function with (skipvalidation=true) vimAuditEventAzureActivity(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

// Barracuda CEF/WAF: `disabled` first and no actorusername_has_any /
// object_has_any -- a named call passing either of those will not resolve.
// Assumed to mirror the upstream parsers; confirm before changing.
.create-or-alter function with (skipvalidation=true) vimAuditEventBarracudaCEF(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['newvalue_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventBarracudaWAF(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['newvalue_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventCiscoISE(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventCiscoMeraki(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventCiscoMerakiSyslog(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventCrowdStrikeFalconHost(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventIllumioSaaSCore(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

// NOTE(review): "Infblox" (no second "o") differs from the DNS stub
// vimDnsInfobloxBloxOne. Presumably this matches the upstream parser's name;
// confirm before renaming -- the stub must match whatever references it.
.create-or-alter function with (skipvalidation=true) vimAuditEventInfbloxBloxOne(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventMicrosoftEvent(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventMicrosoftExchangeAdmin365(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventSentinelOne(['disabled']:bool=false, ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

.create-or-alter function with (skipvalidation=true) vimAuditEventVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimAuditEventEmpty }

// Narrowest audit signature in this set: no srcipaddr_has_any_prefix,
// eventtype_in or newvalue_has_any. A named call supplying any of those will
// fail to resolve. Assumed to mirror the upstream parser; confirm.
.create-or-alter function with (skipvalidation=true) vimAuditEventVectraXDRAudit(['disabled']:bool=false, ['eventresult']:string='*', ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['object_has_any']:dynamic=dynamic([])) { vimAuditEventEmpty }

// --- vimAuthentication (all share one parameter list; `disabled` is last) ---
.create-or-alter function with (skipvalidation=true) vimAuthenticationAADManagedIdentitySignInLogs(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationAADNonInteractiveUserSignInLogs(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationAADServicePrincipalSignInLogs(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationAWSCloudTrail(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationBarracudaWAF(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationCiscoASA(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationCiscoISE(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationCiscoMeraki(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationCiscoMerakiSyslog(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationCrowdStrikeFalconHost(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationGoogleWorkspace(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationIllumioSaaSCore(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationMD4IoT(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationOktaSSO(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationOktaV2(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationPaloAltoCortexDataLake(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationPostgreSQL(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSalesforceSC(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSigninLogs(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSshd(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSu(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationSudo(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

.create-or-alter function with (skipvalidation=true) vimAuthenticationVectraXDRAudit(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimAuthenticationEmpty }

// --- vimDns (continues in the next section; `eventtype` defaults to 'Query') ---
.create-or-alter function with (skipvalidation=true) vimDnsAzureFirewall(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsCiscoUmbrella(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }
// ---------------------------------------------------------------------------
// Stub ASIM parsers: filtering vim* stubs for Dns, FileEvent and the start of
// NetworkSession.
//
// Each function is declared under the name of a real source-specific ASIM
// parser with (what is assumed to be) that parser's filtering parameter
// list, and its body is only the matching *Empty function (vimDnsEmpty,
// vimFileEventEmpty, vimNetworkSessionEmpty). The *Empty functions are
// defined outside this section -- presumably the ASIM schema with zero rows
// (TODO confirm). The stubs make content that references these names resolve
// and compile in this test database; they never return rows, and every
// parameter -- filters and `disabled` alike -- is accepted but ignored.
// Pass arguments by name when calling; parameter order is not guaranteed to
// match across schemas.
//
// skipvalidation=true skips validation of the body at creation time, so a
// misspelled *Empty reference here is only reported when the stub is first
// invoked -- smoke-query each schema after the script has run.
//
// SAFETY: .create-or-alter replaces any existing function of the same name.
// Executed against a database that holds the real parsers, these empty stubs
// would silently blind every query and detection built on them. Run this
// script only in a dedicated test database, with a principal whose admin
// rights are scoped to that database.
// ---------------------------------------------------------------------------
// --- vimDns (continued; `eventtype` defaults to 'Query') ---
.create-or-alter function with (skipvalidation=true) vimDnsFortinetFortiGate(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsGcp(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

// Spelled "Infoblox" here, unlike the audit stub vimAuditEventInfbloxBloxOne;
// both are assumed to mirror their upstream parser names -- confirm.
.create-or-alter function with (skipvalidation=true) vimDnsInfobloxBloxOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsInfobloxNIOS(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsMicrosoftNXlog(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsMicrosoftOMS(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsVectraAI(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

.create-or-alter function with (skipvalidation=true) vimDnsZscalerZIA(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) { vimDnsEmpty }

// --- vimFileEvent (all share one parameter list; `disabled` is last) ---
.create-or-alter function with (skipvalidation=true) vimFileEventAzureBlobStorage(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventAzureFileStorage(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventAzureQueueStorage(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventAzureTableStorage(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventGoogleWorkspace(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventLinuxSysmonFileCreated(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventLinuxSysmonFileDeleted(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftSharePoint(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

.create-or-alter function with (skipvalidation=true) vimFileEventVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimFileEventEmpty }

// --- vimNetworkSession (continues in the next section) ---
.create-or-alter function with (skipvalidation=true) vimNetworkSessionAWSVPC(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) vimNetworkSessionAppGateSDP(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty }

.create-or-alter function with (skipvalidation=true) vimNetworkSessionAzureFirewall(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]),
['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionAzureNSG(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionBarracudaCEF(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionBarracudaWAF(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCheckPointFirewall(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), 
['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCiscoASA(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCiscoFirepower(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCiscoISE(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCiscoMeraki(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), 
['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCiscoMerakiSyslog(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionCrowdStrikeFalconHost(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionForcePointFirewall(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionFortinetFortiGate(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), 
['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionIllumioSaaSCore(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionLinuxSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionMD4IoTAgent(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), 
['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionNTANetAnalytics(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionPaloAltoCEF(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionPaloAltoCortexDataLake(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), 
['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionSonicWallFirewall(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionVMConnection(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), 
['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionVectraAI(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false, ['pack']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimNetworkSessionWatchGuardFirewareOS(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { vimNetworkSessionEmpty } .create-or-alter function with (skipvalidation=true) vimProcessCreateLinuxSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) 
vimProcessCreateMD4IoT(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessCreateMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessCreateSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) 
vimProcessCreateTrendMicroVisionOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessCreateVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessEventCreateMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } 
.create-or-alter function with (skipvalidation=true) vimProcessEventNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessEventTerminateMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessTerminateLinuxSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { 
vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessTerminateMD4IoT(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessTerminateMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with (skipvalidation=true) vimProcessTerminateVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) { vimProcessEmpty } .create-or-alter function with 
(skipvalidation=true) vimRegistryEventMicrosoftSecurityEvent(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftSysmon(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) vimRegistryEventNative(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) vimRegistryEventSentinelOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) 
vimRegistryEventTrendMicroVisionOne(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registryvaluedata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) vimRegistryEventVMwareCarbonBlackCloud(['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registryvaluedata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { vimRegistryEventEmpty } .create-or-alter function with (skipvalidation=true) _ASim_Authentication() { ASimAuthentication } .create-or-alter function with (skipvalidation=true) _ASim_Dns() { ASimDns } .create-or-alter function with (skipvalidation=true) _ASim_NetworkSession() { ASimNetworkSession } .create-or-alter function with (skipvalidation=true) _ASim_ProcessEvent() { ASimProcessEvent } .create-or-alter function with (skipvalidation=true) _ASim_ProcessCreate() { ASimProcessEventCreate } .create-or-alter function with (skipvalidation=true) _ASim_ProcessTerminate() { ASimProcessEventTerminate } .create-or-alter function with (skipvalidation=true) _ASim_FileEvent() { ASimFileEvent } .create-or-alter function with (skipvalidation=true) _ASim_RegistryEvent() { ASimRegistry } .create-or-alter function with (skipvalidation=true) _ASim_AuditEvent() { ASimAuditEvent } .create-or-alter function with (skipvalidation=true) _Im_Authentication( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), 
['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) { imAuthentication(starttime, endtime, username_has_any, targetappname_has_any, srcipaddr_has_any_prefix, srchostname_has_any, eventtype_in, eventresultdetails_in, eventresult, pack) }

// The `_Im_*` functions below are thin pass-through wrappers: each one forwards its
// parameters, in order and unchanged, to the matching `im*` unifying parser.
// `skipvalidation=true` tells Kusto not to validate the function body at creation time,
// so a reference to a missing or mis-typed `im*` parser is not caught here; it only
// fails when the wrapper is invoked. Create the `im*` parsers before these wrappers.
// Defaults: datetime(null)/int(null) and '*' mean "no filter"; dynamic([]) means "any".
.create-or-alter function with (skipvalidation=true) _Im_Dns( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='lookup', ['pack']:bool=false) { imDns(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, pack) }

// Network-session wrapper; `dstportnumber` defaults to int(null) rather than a string wildcard.
.create-or-alter function with (skipvalidation=true) _Im_NetworkSession( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) { imNetworkSession(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, pack) }

// Process-event wrapper (both create and terminate); exposes both actorusername and targetusername.
.create-or-alter function with (skipvalidation=true) _Im_ProcessEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') { imProcessEvent(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, hashes_has_any, eventtype) }

// Process-create wrapper: same shape as _Im_ProcessEvent minus actorusername.
.create-or-alter function with (skipvalidation=true) _Im_ProcessCreate( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') { imProcessCreate(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, hashes_has_any, eventtype) }

// Process-terminate wrapper: no targetusername and no hashes_has_any parameter.
.create-or-alter function with (skipvalidation=true) _Im_ProcessTerminate( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') { imProcessTerminate(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype) }

// File-event wrapper; carries an extra `disabled` flag through to imFileEvent (semantics defined by the parser, not here).
.create-or-alter function with (skipvalidation=true) _Im_FileEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) { imFileEvent(starttime, endtime, eventtype_in, srcipaddr_has_any_prefix, actorusername_has_any, targetfilepath_has_any, srcfilepath_has_any, hashes_has_any, dvchostname_has_any, disabled, pack) }

// Registry-event wrapper. Note the target parser is named imRegistry, not imRegistryEvent.
.create-or-alter function with (skipvalidation=true) _Im_RegistryEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) { imRegistry(starttime, endtime, eventtype_in, actorusername_has_any, registrykey_has_any, registryvalue_has_any, registrydata_has_any, dvchostname_has_any, disabled, pack) }

// Audit-event wrapper.
.create-or-alter function with (skipvalidation=true) _Im_AuditEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['pack']:bool=false) { imAuditEvent(starttime, endtime, srcipaddr_has_any_prefix, actorusername_has_any, operation_has_any, eventtype_in, eventresult, object_has_any, newvalue_has_any, pack) }

// Lab dataset ingestion. Each command pulls one parquet file over HTTPS from the
// ksyeung/DetLabs GitHub repository and loads it into the matching raw table.
// - The URLs reference the branch head (`refs/heads/main`), so the bytes behind a URL
//   can change without any change to this script. If the dataset must be reproducible
//   or its integrity matters, pin to an immutable commit instead
//   (e.g. `.../DetLabs/<commit-sha>/...`, placeholder).
// - `async` returns immediately with an operation id; ingestion finishes in the
//   background, so queries run straight after this script may see partially loaded
//   tables until the operations complete.
.ingest async into table Corelight_CL (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/Corelight_CL_0_cc0fe7a575c442ebbb27059c1159c35b.parquet') with (format='parquet')

.ingest async into table DeviceEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceEvents_0_6ca98837d9fc4cbd8d44c5726b97d32f.parquet') with (format='parquet')

.ingest async into table DeviceFileEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceFileEvents_0_a75bf08098d643269889d3a5f1557b46.parquet') with (format='parquet')

.ingest async into table DeviceImageLoadEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceImageLoadEvents_0_2ecfdebe77dd4f7eb6057280b8e9c2f5.parquet') with (format='parquet')

.ingest async into table DeviceLogonEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceLogonEvents_0_8b7a921f740c4b5f8aa675988faaba08.parquet') with (format='parquet')

.ingest async into table DeviceNetworkEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceNetworkEvents_0_a94ab5a00ae84750882bd771e1c145b5.parquet') with (format='parquet')

.ingest async into table DeviceProcessEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceProcessEvents_0_41d108a491e24ec09382463f3e29fb70.parquet') with (format='parquet')

.ingest async into table DeviceRegistryEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/DeviceRegistryEvents_0_940b9fe8588842909c4d962c8358fee7.parquet') with (format='parquet')

.ingest async into table SecurityEvent (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/SecurityEvent_0_13abb55b1dcf46ff9a9fe8e8f2af8fd9.parquet') with (format='parquet')

.ingest async into table WindowsEvent (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/fsquirt_Living_off_the_Land/WindowsEvent_0_498f23a29d8e467d877fe9e98259d2cc.parquet') with (format='parquet')