.execute database script <| .drop functions (_GetWatchlist, _ASIM_GetUsernameType, _ASIM_GetWindowsUserType, _ASIM_ResolveDstFQDN, _ASIM_ResolveDvcFQDN, _ASIM_ResolveFQDN, _ASIM_ResolveSrcFQDN, ASimAuditEvent, ASimAuditEventMicrosoftSecurityEvents, ASimAuditEventMicrosoftWindowsEvents, imAuditEvent, vimAuditEventEmpty, vimAuditEventMicrosoftSecurityEvents, vimAuditEventMicrosoftWindowsEvents, ASimAuthentication, ASimAuthenticationMicrosoftWindowsEvent, imAuthentication, vimAuthenticationEmpty, vimAuthenticationMicrosoftWindowsEvent, ASimDns, ASimDnsCorelightZeek, ASimDnsMicrosoft365Defender, ASimDnsMicrosoftSysmonWindowsEvent, imDns, vimDnsCorelightZeek, vimDnsEmpty, vimDnsMicrosoft365Defender, vimDnsMicrosoftSysmonWindowsEvent, ASimFileEvent, ASimFileEventMicrosoftSecurityEvents, ASimFileEventMicrosoftSysmonWindowsEvent, ASimFileEventMicrosoftWindowsEvents, imFileEvent, vimFileEventEmpty, vimFileEventMicrosoftSecurityEvents, vimFileEventMicrosoftSysmonWindowsEvent, vimFileEventMicrosoftWindowsEvents, ASimNetworkSession, ASimNetworkSessionCorelightZeek, ASimNetworkSessionMicrosoft365Defender, ASimNetworkSessionMicrosoftSecurityEventFirewall, ASimNetworkSessionMicrosoftSysmonWindowsEvent, ASimNetworkSessionMicrosoftWindowsEventFirewall, imNetworkSession, vimNetworkSessionCorelightZeek, vimNetworkSessionEmpty, vimNetworkSessionMicrosoft365Defender, vimNetworkSessionMicrosoftSecurityEventFirewall, vimNetworkSessionMicrosoftSysmonWindowsEvent, vimNetworkSessionMicrosoftWindowsEventFirewall, ASimProcessCreateMicrosoftSecurityEvents, ASimProcessCreateMicrosoftWindowsEvents, ASimProcessEvent, ASimProcessEventCreate, ASimProcessEventCreateMicrosoftSysmonWindowsEvent, ASimProcessEventMicrosoft365D, ASimProcessEventTerminate, ASimProcessEventTerminateMicrosoftSysmonWindowsEvent, ASimProcessTerminateMicrosoftSecurityEvents, ASimProcessTerminateMicrosoftWindowsEvents, imProcessCreate, imProcessEvent, imProcessTerminate, vimProcessCreateMicrosoftSecurityEvents, 
vimProcessCreateMicrosoftWindowsEvents, vimProcessEmpty, vimProcessEventCreateMicrosoftSysmonWindowsEvent, vimProcessEventMicrosoft365D, vimProcessEventTerminateMicrosoftSysmonWindowsEvent, vimProcessTerminateMicrosoftSecurityEvents, vimProcessTerminateMicrosoftWindowsEvents, ASimRegistry, ASimRegistryEventMicrosoftSecurityEvent, ASimRegistryEventMicrosoftSysmonWindowsEvent, ASimRegistryEventMicrosoftWindowsEvent, imRegistry, vimRegistryEventEmpty, vimRegistryEventMicrosoftSecurityEvent, vimRegistryEventMicrosoftSysmonWindowsEvent, vimRegistryEventMicrosoftWindowsEvent, _ASim_Authentication, _ASim_Dns, _ASim_NetworkSession, _ASim_ProcessEvent, _ASim_ProcessCreate, _ASim_ProcessTerminate, _ASim_FileEvent, _ASim_RegistryEvent, _ASim_AuditEvent, _Im_Authentication, _Im_Dns, _Im_NetworkSession, _Im_ProcessEvent, _Im_ProcessCreate, _Im_ProcessTerminate, _Im_FileEvent, _Im_RegistryEvent, _Im_AuditEvent) ifexists .drop tables (Corelight_CL, DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceRegistryEvents, DeviceInfo, DeviceNetworkInfo, DeviceFileCertificateInfo, AlertInfo, AlertEvidence, BehaviorInfo, BehaviorEntities, IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, DeviceTvmSecureConfigurationAssessment, SecurityEvent, Suricata_CL, WindowsEvent) ifexists .create-merge table Corelight_CL ( TimeGenerated: datetime, log_type: string, uid: string, id_orig_h: string, id_orig_p: int, id_resp_h: string, id_resp_p: int, proto: string, community_id: string, Message: string, ParsedMessage: dynamic ) .create-merge table DeviceEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, AccountDomain: string, AccountName: string, AccountSid: string, AccountObjectId: string, RemoteUrl: string, RemoteDeviceName: string, ProcessId: long, ProcessCommandLine: string, 
ProcessCreationTime: datetime, ProcessTokenElevation: string, LogonId: long, RegistryKey: string, RegistryValueName: string, RegistryValueData: string, RemoteIP: string, RemotePort: int, LocalIP: string, LocalPort: int, FileOriginUrl: string, FileOriginIP: string, FileOriginReferrerUrl: string, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessMD5: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, InitiatingProcessLogonId: long, InitiatingProcessIntegrityLevel: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic ) .create-or-alter table DeviceEvents ingestion json mapping 'DeviceEventsMapping' ``` [ {"column":"Timestamp","path":"$.Timestamp","datatype":"datetime"}, {"column":"DeviceId","path":"$.DeviceId","datatype":"string"}, {"column":"DeviceName","path":"$.DeviceName","datatype":"string"}, {"column":"ActionType","path":"$.ActionType","datatype":"string"}, {"column":"FileName","path":"$.FileName","datatype":"string"}, {"column":"FolderPath","path":"$.FolderPath","datatype":"string"}, {"column":"SHA1","path":"$.SHA1","datatype":"string"}, 
{"column":"SHA256","path":"$.SHA256","datatype":"string"}, {"column":"MD5","path":"$.MD5","datatype":"string"}, {"column":"FileSize","path":"$.FileSize","datatype":"long"}, {"column":"AccountDomain","path":"$.AccountDomain","datatype":"string"}, {"column":"AccountName","path":"$.AccountName","datatype":"string"}, {"column":"AccountSid","path":"$.AccountSid","datatype":"string"}, {"column":"AccountObjectId","path":"$.AccountObjectId","datatype":"string"}, {"column":"RemoteUrl","path":"$.RemoteUrl","datatype":"string"}, {"column":"RemoteDeviceName","path":"$.RemoteDeviceName","datatype":"string"}, {"column":"ProcessId","path":"$.ProcessId","datatype":"long"}, {"column":"ProcessCommandLine","path":"$.ProcessCommandLine","datatype":"string"}, {"column":"ProcessCreationTime","path":"$.ProcessCreationTime","datatype":"datetime"}, {"column":"ProcessTokenElevation","path":"$.ProcessTokenElevation","datatype":"string"}, {"column":"LogonId","path":"$.LogonId","datatype":"long"}, {"column":"RegistryKey","path":"$.RegistryKey","datatype":"string"}, {"column":"RegistryValueName","path":"$.RegistryValueName","datatype":"string"}, {"column":"RegistryValueData","path":"$.RegistryValueData","datatype":"string"}, {"column":"RemoteIP","path":"$.RemoteIP","datatype":"string"}, {"column":"RemotePort","path":"$.RemotePort","datatype":"int"}, {"column":"LocalIP","path":"$.LocalIP","datatype":"string"}, {"column":"LocalPort","path":"$.LocalPort","datatype":"int"}, {"column":"FileOriginUrl","path":"$.FileOriginUrl","datatype":"string"}, {"column":"FileOriginIP","path":"$.FileOriginIP","datatype":"string"}, {"column":"FileOriginReferrerUrl","path":"$.FileOriginReferrerUrl","datatype":"string"}, {"column":"InitiatingProcessAccountDomain","path":"$.InitiatingProcessAccountDomain","datatype":"string"}, {"column":"InitiatingProcessAccountName","path":"$.InitiatingProcessAccountName","datatype":"string"}, 
{"column":"InitiatingProcessAccountSid","path":"$.InitiatingProcessAccountSid","datatype":"string"}, {"column":"InitiatingProcessAccountObjectId","path":"$.InitiatingProcessAccountObjectId","datatype":"string"}, {"column":"InitiatingProcessAccountUpn","path":"$.InitiatingProcessAccountUpn","datatype":"string"}, {"column":"InitiatingProcessVersionInfoCompanyName","path":"$.InitiatingProcessVersionInfoCompanyName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductName","path":"$.InitiatingProcessVersionInfoProductName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductVersion","path":"$.InitiatingProcessVersionInfoProductVersion","datatype":"string"}, {"column":"InitiatingProcessVersionInfoInternalFileName","path":"$.InitiatingProcessVersionInfoInternalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoOriginalFileName","path":"$.InitiatingProcessVersionInfoOriginalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoFileDescription","path":"$.InitiatingProcessVersionInfoFileDescription","datatype":"string"}, {"column":"InitiatingProcessId","path":"$.InitiatingProcessId","datatype":"long"}, {"column":"InitiatingProcessCommandLine","path":"$.InitiatingProcessCommandLine","datatype":"string"}, {"column":"InitiatingProcessCreationTime","path":"$.InitiatingProcessCreationTime","datatype":"datetime"}, {"column":"InitiatingProcessFolderPath","path":"$.InitiatingProcessFolderPath","datatype":"string"}, {"column":"InitiatingProcessParentId","path":"$.InitiatingProcessParentId","datatype":"long"}, {"column":"InitiatingProcessParentFileName","path":"$.InitiatingProcessParentFileName","datatype":"string"}, {"column":"InitiatingProcessParentCreationTime","path":"$.InitiatingProcessParentCreationTime","datatype":"datetime"}, {"column":"InitiatingProcessMD5","path":"$.InitiatingProcessMD5","datatype":"string"}, {"column":"InitiatingProcessSHA1","path":"$.InitiatingProcessSHA1","datatype":"string"}, 
{"column":"InitiatingProcessSHA256","path":"$.InitiatingProcessSHA256","datatype":"string"}, {"column":"InitiatingProcessFileName","path":"$.InitiatingProcessFileName","datatype":"string"}, {"column":"InitiatingProcessFileSize","path":"$.InitiatingProcessFileSize","datatype":"long"}, {"column":"InitiatingProcessSignerType","path":"$.InitiatingProcessSignerType","datatype":"string"}, {"column":"InitiatingProcessSignatureStatus","path":"$.InitiatingProcessSignatureStatus","datatype":"string"}, {"column":"InitiatingProcessLogonId","path":"$.InitiatingProcessLogonId","datatype":"long"}, {"column":"InitiatingProcessIntegrityLevel","path":"$.InitiatingProcessIntegrityLevel","datatype":"string"}, {"column":"ReportId","path":"$.ReportId","datatype":"long"}, {"column":"AppGuardContainerId","path":"$.AppGuardContainerId","datatype":"string"}, {"column":"AdditionalFields","path":"$.AdditionalFields","datatype":"dynamic"} ] ``` .create-merge table DeviceProcessEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, FileName: string, FolderPath: string, SHA1: string, SHA256: string, MD5: string, FileSize: long, ProcessVersionInfoCompanyName: string, ProcessVersionInfoProductName: string, ProcessVersionInfoProductVersion: string, ProcessVersionInfoInternalFileName: string, ProcessVersionInfoOriginalFileName: string, ProcessVersionInfoFileDescription: string, ProcessId: long, ProcessCommandLine: string, ProcessIntegrityLevel: string, ProcessTokenElevation: string, ProcessCreationTime: datetime, AccountDomain: string, AccountName: string, AccountSid: string, AccountObjectId: string, AccountUpn: string, LogonId: long, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessLogonId: long, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessSHA1: string, 
InitiatingProcessSHA256: string, InitiatingProcessMD5: string, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentId: long, InitiatingProcessParentFileName: string, InitiatingProcessParentCreationTime: datetime, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic ) .create-or-alter table DeviceProcessEvents ingestion json mapping 'DeviceProcessEventsMapping' ``` [ {"column":"Timestamp","path":"$.Timestamp","datatype":"datetime"}, {"column":"DeviceId","path":"$.DeviceId","datatype":"string"}, {"column":"DeviceName","path":"$.DeviceName","datatype":"string"}, {"column":"ActionType","path":"$.ActionType","datatype":"string"}, {"column":"FileName","path":"$.FileName","datatype":"string"}, {"column":"FolderPath","path":"$.FolderPath","datatype":"string"}, {"column":"SHA1","path":"$.SHA1","datatype":"string"}, {"column":"SHA256","path":"$.SHA256","datatype":"string"}, {"column":"MD5","path":"$.MD5","datatype":"string"}, {"column":"FileSize","path":"$.FileSize","datatype":"long"}, {"column":"ProcessVersionInfoCompanyName","path":"$.ProcessVersionInfoCompanyName","datatype":"string"}, {"column":"ProcessVersionInfoProductName","path":"$.ProcessVersionInfoProductName","datatype":"string"}, {"column":"ProcessVersionInfoProductVersion","path":"$.ProcessVersionInfoProductVersion","datatype":"string"}, 
{"column":"ProcessVersionInfoInternalFileName","path":"$.ProcessVersionInfoInternalFileName","datatype":"string"}, {"column":"ProcessVersionInfoOriginalFileName","path":"$.ProcessVersionInfoOriginalFileName","datatype":"string"}, {"column":"ProcessVersionInfoFileDescription","path":"$.ProcessVersionInfoFileDescription","datatype":"string"}, {"column":"ProcessId","path":"$.ProcessId","datatype":"long"}, {"column":"ProcessCommandLine","path":"$.ProcessCommandLine","datatype":"string"}, {"column":"ProcessIntegrityLevel","path":"$.ProcessIntegrityLevel","datatype":"string"}, {"column":"ProcessTokenElevation","path":"$.ProcessTokenElevation","datatype":"string"}, {"column":"ProcessCreationTime","path":"$.ProcessCreationTime","datatype":"datetime"}, {"column":"AccountDomain","path":"$.AccountDomain","datatype":"string"}, {"column":"AccountName","path":"$.AccountName","datatype":"string"}, {"column":"AccountSid","path":"$.AccountSid","datatype":"string"}, {"column":"AccountObjectId","path":"$.AccountObjectId","datatype":"string"}, {"column":"AccountUpn","path":"$.AccountUpn","datatype":"string"}, {"column":"LogonId","path":"$.LogonId","datatype":"long"}, {"column":"InitiatingProcessAccountDomain","path":"$.InitiatingProcessAccountDomain","datatype":"string"}, {"column":"InitiatingProcessAccountName","path":"$.InitiatingProcessAccountName","datatype":"string"}, {"column":"InitiatingProcessAccountSid","path":"$.InitiatingProcessAccountSid","datatype":"string"}, {"column":"InitiatingProcessAccountObjectId","path":"$.InitiatingProcessAccountObjectId","datatype":"string"}, {"column":"InitiatingProcessAccountUpn","path":"$.InitiatingProcessAccountUpn","datatype":"string"}, {"column":"InitiatingProcessLogonId","path":"$.InitiatingProcessLogonId","datatype":"long"}, {"column":"InitiatingProcessIntegrityLevel","path":"$.InitiatingProcessIntegrityLevel","datatype":"string"}, {"column":"InitiatingProcessTokenElevation","path":"$.InitiatingProcessTokenElevation","datatype":"string"}, 
{"column":"InitiatingProcessSHA1","path":"$.InitiatingProcessSHA1","datatype":"string"}, {"column":"InitiatingProcessSHA256","path":"$.InitiatingProcessSHA256","datatype":"string"}, {"column":"InitiatingProcessMD5","path":"$.InitiatingProcessMD5","datatype":"string"}, {"column":"InitiatingProcessFileName","path":"$.InitiatingProcessFileName","datatype":"string"}, {"column":"InitiatingProcessFileSize","path":"$.InitiatingProcessFileSize","datatype":"long"}, {"column":"InitiatingProcessVersionInfoCompanyName","path":"$.InitiatingProcessVersionInfoCompanyName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductName","path":"$.InitiatingProcessVersionInfoProductName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductVersion","path":"$.InitiatingProcessVersionInfoProductVersion","datatype":"string"}, {"column":"InitiatingProcessVersionInfoInternalFileName","path":"$.InitiatingProcessVersionInfoInternalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoOriginalFileName","path":"$.InitiatingProcessVersionInfoOriginalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoFileDescription","path":"$.InitiatingProcessVersionInfoFileDescription","datatype":"string"}, {"column":"InitiatingProcessId","path":"$.InitiatingProcessId","datatype":"long"}, {"column":"InitiatingProcessCommandLine","path":"$.InitiatingProcessCommandLine","datatype":"string"}, {"column":"InitiatingProcessCreationTime","path":"$.InitiatingProcessCreationTime","datatype":"datetime"}, {"column":"InitiatingProcessFolderPath","path":"$.InitiatingProcessFolderPath","datatype":"string"}, {"column":"InitiatingProcessParentId","path":"$.InitiatingProcessParentId","datatype":"long"}, {"column":"InitiatingProcessParentFileName","path":"$.InitiatingProcessParentFileName","datatype":"string"}, {"column":"InitiatingProcessParentCreationTime","path":"$.InitiatingProcessParentCreationTime","datatype":"datetime"}, 
{"column":"InitiatingProcessSignerType","path":"$.InitiatingProcessSignerType","datatype":"string"}, {"column":"InitiatingProcessSignatureStatus","path":"$.InitiatingProcessSignatureStatus","datatype":"string"}, {"column":"ReportId","path":"$.ReportId","datatype":"long"}, {"column":"AppGuardContainerId","path":"$.AppGuardContainerId","datatype":"string"}, {"column":"AdditionalFields","path":"$.AdditionalFields","datatype":"dynamic"} ] ``` .create-merge table DeviceNetworkEvents ( Timestamp: datetime, DeviceId: string, DeviceName: string, ActionType: string, RemoteIP: string, RemotePort: int, RemoteUrl: string, LocalIP: string, LocalPort: int, Protocol: string, LocalIPType: string, RemoteIPType: string, InitiatingProcessAccountDomain: string, InitiatingProcessAccountName: string, InitiatingProcessAccountSid: string, InitiatingProcessAccountObjectId: string, InitiatingProcessAccountUpn: string, InitiatingProcessId: long, InitiatingProcessCommandLine: string, InitiatingProcessCreationTime: datetime, InitiatingProcessFolderPath: string, InitiatingProcessParentFileName: string, InitiatingProcessParentId: long, InitiatingProcessParentCreationTime: datetime, InitiatingProcessFileName: string, InitiatingProcessFileSize: long, InitiatingProcessVersionInfoCompanyName: string, InitiatingProcessVersionInfoProductName: string, InitiatingProcessVersionInfoProductVersion: string, InitiatingProcessVersionInfoInternalFileName: string, InitiatingProcessVersionInfoOriginalFileName: string, InitiatingProcessVersionInfoFileDescription: string, InitiatingProcessMD5: string, InitiatingProcessSHA1: string, InitiatingProcessSHA256: string, InitiatingProcessIntegrityLevel: string, InitiatingProcessTokenElevation: string, InitiatingProcessLogonId: long, InitiatingProcessSignerType: string, InitiatingProcessSignatureStatus: string, ReportId: long, AppGuardContainerId: string, AdditionalFields: dynamic ) .create-or-alter table DeviceNetworkEvents ingestion json mapping 
'DeviceNetworkEventsMapping' ``` [ {"column":"Timestamp","path":"$.Timestamp","datatype":"datetime"}, {"column":"DeviceId","path":"$.DeviceId","datatype":"string"}, {"column":"DeviceName","path":"$.DeviceName","datatype":"string"}, {"column":"ActionType","path":"$.ActionType","datatype":"string"}, {"column":"RemoteIP","path":"$.RemoteIP","datatype":"string"}, {"column":"RemotePort","path":"$.RemotePort","datatype":"int"}, {"column":"RemoteUrl","path":"$.RemoteUrl","datatype":"string"}, {"column":"LocalIP","path":"$.LocalIP","datatype":"string"}, {"column":"LocalPort","path":"$.LocalPort","datatype":"int"}, {"column":"Protocol","path":"$.Protocol","datatype":"string"}, {"column":"LocalIPType","path":"$.LocalIPType","datatype":"string"}, {"column":"RemoteIPType","path":"$.RemoteIPType","datatype":"string"}, {"column":"InitiatingProcessAccountDomain","path":"$.InitiatingProcessAccountDomain","datatype":"string"}, {"column":"InitiatingProcessAccountName","path":"$.InitiatingProcessAccountName","datatype":"string"}, {"column":"InitiatingProcessAccountSid","path":"$.InitiatingProcessAccountSid","datatype":"string"}, {"column":"InitiatingProcessAccountObjectId","path":"$.InitiatingProcessAccountObjectId","datatype":"string"}, {"column":"InitiatingProcessAccountUpn","path":"$.InitiatingProcessAccountUpn","datatype":"string"}, {"column":"InitiatingProcessId","path":"$.InitiatingProcessId","datatype":"long"}, {"column":"InitiatingProcessCommandLine","path":"$.InitiatingProcessCommandLine","datatype":"string"}, {"column":"InitiatingProcessCreationTime","path":"$.InitiatingProcessCreationTime","datatype":"datetime"}, {"column":"InitiatingProcessFolderPath","path":"$.InitiatingProcessFolderPath","datatype":"string"}, {"column":"InitiatingProcessParentFileName","path":"$.InitiatingProcessParentFileName","datatype":"string"}, {"column":"InitiatingProcessParentId","path":"$.InitiatingProcessParentId","datatype":"long"}, 
{"column":"InitiatingProcessParentCreationTime","path":"$.InitiatingProcessParentCreationTime","datatype":"datetime"}, {"column":"InitiatingProcessFileName","path":"$.InitiatingProcessFileName","datatype":"string"}, {"column":"InitiatingProcessFileSize","path":"$.InitiatingProcessFileSize","datatype":"long"}, {"column":"InitiatingProcessVersionInfoCompanyName","path":"$.InitiatingProcessVersionInfoCompanyName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductName","path":"$.InitiatingProcessVersionInfoProductName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoProductVersion","path":"$.InitiatingProcessVersionInfoProductVersion","datatype":"string"}, {"column":"InitiatingProcessVersionInfoInternalFileName","path":"$.InitiatingProcessVersionInfoInternalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoOriginalFileName","path":"$.InitiatingProcessVersionInfoOriginalFileName","datatype":"string"}, {"column":"InitiatingProcessVersionInfoFileDescription","path":"$.InitiatingProcessVersionInfoFileDescription","datatype":"string"}, {"column":"InitiatingProcessMD5","path":"$.InitiatingProcessMD5","datatype":"string"}, {"column":"InitiatingProcessSHA1","path":"$.InitiatingProcessSHA1","datatype":"string"}, {"column":"InitiatingProcessSHA256","path":"$.InitiatingProcessSHA256","datatype":"string"}, {"column":"InitiatingProcessIntegrityLevel","path":"$.InitiatingProcessIntegrityLevel","datatype":"string"}, {"column":"InitiatingProcessTokenElevation","path":"$.InitiatingProcessTokenElevation","datatype":"string"}, {"column":"InitiatingProcessLogonId","path":"$.InitiatingProcessLogonId","datatype":"long"}, {"column":"InitiatingProcessSignerType","path":"$.InitiatingProcessSignerType","datatype":"string"}, {"column":"InitiatingProcessSignatureStatus","path":"$.InitiatingProcessSignatureStatus","datatype":"string"}, {"column":"ReportId","path":"$.ReportId","datatype":"long"}, 
{"column":"AppGuardContainerId","path":"$.AppGuardContainerId","datatype":"string"}, {"column":"AdditionalFields","path":"$.AdditionalFields","datatype":"dynamic"} ] ``` .create-merge table SecurityEvent ( TimeGenerated: datetime, SourceComputerId: string, Type: string, EventOriginId: string, Computer: string, Provider: string, EventSourceName: string, ProcessId: int, Activity: string, SubjectUserSid: string, SubjectUserName: string, SubjectDomainName: string, SubjectLogonId: string, SubjectAccount: string, TargetUserSid: string, TargetUserName: string, TargetDomainName: string, TargetLogonId: string, TargetAccount: string, UserId: string, AccountType: string, LogonType: int, LogonGuid: string, AuthenticationPackageName: string, TokenElevationType: string, MandatoryLabel: string, IpAddress: string, WorkstationName: string, Protocol: string, ProcessName: string, Process: string, NewProcessId: string, NewProcessName: string, ParentProcessName: string, CommandLine: string, User: string, ObjectName: string, ObjectType: string, ObjectValueName: string, AccessMask: string, HandleId: string, OperationType: string, OldValue: string, NewValue: string, OldValueType: string, NewValueType: string, Task: string, TaskName: string, TaskContent: string, Status: string, SubStatus: string, Operation: string, EventData: dynamic, SourceAddress: string, DestAddress: string, EventID: int, _ResourceId: string, _SubscriptionId: string, _ItemId: string ) .create-merge table Suricata_CL ( TimeGenerated: datetime, EventType: string, CommunityId: string, FlowId: long, Interface: string, Protocol: string, SrcIp: string, SrcPort: int, DestIp: string, DestPort: int, AppProto: string, EventData: dynamic ) .create-merge table WindowsEvent ( TimeGenerated: datetime, Computer: string, Channel: string, Provider: string, EventID: int, EventLevel: int, EventLevelName: string, EventRecordId: string, Correlation: string, Keywords: string, Opcode: string, Task: int, Version: int, SystemProcessId: int, 
SystemThreadId: int, SystemUserId: string, EventOriginId: string, ManagementGroupName: string, SourceSystem: string, EventData: dynamic, SourceAddress: string, DestAddress: string, RawEventData: string, Type: string, _ItemId: string, TenantId: string, _ResourceId: string, _SubscriptionId: string, MG: string, Data: string, TimeCollected: string, TimeCreated: datetime ) .alter table Corelight_CL policy roworder (TimeGenerated asc) .alter table Corelight_CL policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table Corelight_CL policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter table DeviceEvents policy roworder (Timestamp asc) .alter table DeviceEvents policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table DeviceEvents policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter column DeviceEvents.DeviceId policy encoding type = 'Identifier' .alter column DeviceEvents.AccountSid policy encoding type = 'Identifier' .alter column DeviceEvents.AccountObjectId policy encoding type = 'Identifier' .alter column DeviceEvents.InitiatingProcessAccountSid policy encoding type = 'Identifier' .alter column DeviceEvents.InitiatingProcessAccountObjectId policy encoding type = 'Identifier' .alter table DeviceProcessEvents policy roworder (Timestamp asc) .alter table DeviceProcessEvents policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table DeviceProcessEvents policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter column DeviceProcessEvents.DeviceId policy encoding type = 'Identifier' .alter column DeviceProcessEvents.AccountSid policy encoding type = 'Identifier' .alter column DeviceProcessEvents.AccountObjectId policy encoding type = 'Identifier' .alter column 
DeviceProcessEvents.InitiatingProcessAccountSid policy encoding type = 'Identifier' .alter column DeviceProcessEvents.InitiatingProcessAccountObjectId policy encoding type = 'Identifier' .alter table DeviceNetworkEvents policy roworder (Timestamp asc) .alter table DeviceNetworkEvents policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table DeviceNetworkEvents policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter column DeviceNetworkEvents.DeviceId policy encoding type = 'Identifier' .alter column DeviceNetworkEvents.InitiatingProcessAccountSid policy encoding type = 'Identifier' .alter column DeviceNetworkEvents.InitiatingProcessAccountObjectId policy encoding type = 'Identifier' .alter table SecurityEvent policy roworder (TimeGenerated asc, EventID asc) .alter table SecurityEvent policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table SecurityEvent policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter column SecurityEvent.SubjectUserSid policy encoding type = 'Identifier' .alter column SecurityEvent.TargetUserSid policy encoding type = 'Identifier' .alter column SecurityEvent.LogonGuid policy encoding type = 'Identifier' .alter column SecurityEvent.SourceComputerId policy encoding type = 'Identifier' .alter column SecurityEvent.EventOriginId policy encoding type = 'Identifier' .alter table Suricata_CL policy roworder (TimeGenerated asc) .alter table Suricata_CL policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table Suricata_CL policy ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter table WindowsEvent policy roworder (TimeGenerated asc, Provider asc, EventID asc) .alter table WindowsEvent policy merge @'{"AllowRebuild": true, "AllowMerge": true}' .alter table WindowsEvent policy 
ingestionbatching @'{"MaximumBatchingTimeSpan": "00:00:30", "MaximumNumberOfItems": 500, "MaximumRawDataSizeMB": 1024}' .alter column WindowsEvent.SystemUserId policy encoding type = 'Identifier' .alter column WindowsEvent.EventOriginId policy encoding type = 'Identifier' .alter column WindowsEvent.TenantId policy encoding type = 'Identifier' .alter table Corelight_CL policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table DeviceEvents policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table DeviceProcessEvents policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table DeviceNetworkEvents policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table SecurityEvent policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table Suricata_CL policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .alter table WindowsEvent policy retention @'{"SoftDeletePeriod": "30.00:00:00"}' .create-or-alter function with (skipvalidation=true) _GetWatchlist( ['watchlistAlias']:string, ['keys']:dynamic=dynamic([]) ) { datatable(SearchKey:string, WatchlistItem:dynamic)[] } .create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets the UsernameType based on the username", folder="ASIM") _ASIM_GetUsernameType(username:string) { let ASIM_GetUsernameType = (username:string) { case ( username contains "@" , "UPN", username contains "\\", "Windows", (username has "CN=" or username has "OU=" or username has "DC="), "DN", isempty(username), "", "Simple" ) }; ASIM_GetUsernameType (username) } .create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets the UserType for Windows systems based on the username and sid", folder="ASIM") _ASIM_GetWindowsUserType(username:string, sid:string) { let ASIM_GetWindowsUserType = (username:string, sid:string) { case ( sid startswith "S-1-5-80", "Service", sid startswith "S-1-5-21", case ( sid endswith "-500", "Admin", sid endswith "-501", "Guest", sid endswith 
"-502", "Service", username contains "admin", "Admin", username endswith "$", "Machine", "Regular"), username endswith "$", "Machine", sid == "S-1-5-113", "Other", sid == "S-1-5-7", "Anonymous", sid == "S-1-5-17", "Service", sid == "S-1-5-18", "System", sid == "S-1-5-19", "Service", sid == "S-1-5-20", "Service" , isempty(username), "", "Other" ) }; ASIM_GetWindowsUserType(username,sid) } .create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets DstHostname, DstDomain, DstDomainType and DstFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveDstFQDN(T:(*), field:string) { T | invoke _ASIM_ResolveFQDN (field) | project-rename DstHostname = ExtractedHostname, DstDomain = Domain, DstFQDN = FQDN, DstDomainType = DomainType } .create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets DvcHostname, DvcDomain, DvcDomainType and DvcFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveDvcFQDN(T:(*), field:string) { T | invoke _ASIM_ResolveFQDN (field) | project-rename DvcHostname = ExtractedHostname, DvcDomain = Domain, DvcFQDN = FQDN, DvcDomainType = DomainType } .create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets Hostname, Domain, DomainType and FQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveFQDN(T:(*), field:string) { T | extend ExtractedHostname = column_ifexists (field,'') | extend DotSplitHostname = split(ExtractedHostname,".") | extend SlashSplitHostname = split(ExtractedHostname,"\\") | extend DomainType = case( array_length(SlashSplitHostname) > 1, "Windows", array_length(DotSplitHostname) > 1, "FQDN", "" ) | extend FQDN = iif (DomainType == '', '', ExtractedHostname), Domain = case ( DomainType == "Windows", SlashSplitHostname[0], DomainType == "FQDN", tostring(strcat_array(array_slice(DotSplitHostname, 1, -1), '.')), ""), ExtractedHostname = case ( DomainType == 
"Windows", SlashSplitHostname[1],
      DomainType == "FQDN", DotSplitHostname[0],
      ExtractedHostname)
  | project-away DotSplitHostname, SlashSplitHostname
}

.create-or-alter function with (skipvalidation=true, docstring="An ASIM function sets SrcHostname, SrcDomain, SrcDomainType and SrcFQDN based for an FQDN or hostname provided as a parameter", folder="ASIM") _ASIM_ResolveSrcFQDN(T:(*), field:string) {
  // Thin wrapper: resolves `field` with _ASIM_ResolveFQDN and renames its generic output
  // columns into the Src* family.
  T
  | invoke _ASIM_ResolveFQDN (field)
  | project-rename SrcHostname = ExtractedHostname, SrcDomain = Domain, SrcFQDN = FQDN, SrcDomainType = DomainType
}

.create-or-alter function with (skipvalidation=true) ASimAuditEvent( ['pack']:bool=false) {
  // Parameter-less AuditEvent union parser. The empty schema table is unioned in so the
  // result always carries the full column set. Each source parser is handed disabled=true
  // when the ASimDisabledParsers watchlist lists 'Any', the built-in marker, or that
  // parser's own exclusion key. `pack` is accepted for interface compatibility but unused.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
    | where SearchKey in ('Any', 'ExcludeASimAuditEvent')
    | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
    | distinct SourceSpecificParser);
  let BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union vimAuditEventEmpty,
    ASimAuditEventMicrosoftWindowsEvents (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),
    ASimAuditEventMicrosoftSecurityEvents (disabled=BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))
}

.create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftSecurityEvents(['disabled']:bool=false) {
  // Parameter-less facade over the filtering parser; only `disabled` is forwarded.
  vimAuditEventMicrosoftSecurityEvents(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimAuditEventMicrosoftWindowsEvents(['disabled']:bool=false) {
  // Parameter-less facade over the filtering parser; only `disabled` is forwarded.
  vimAuditEventMicrosoftWindowsEvents(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imAuditEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['pack']:bool=false) {
  // Filtering AuditEvent union parser: every filter parameter is forwarded unchanged to each
  // source-specific vim parser, which applies it before normalization. Disabling works as in
  // ASimAuditEvent but keys off the 'Excludevim...' watchlist entries. `pack` is not forwarded.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
    | where SearchKey in ('Any', 'ExcludevimAuditEvent')
    | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')
    | distinct SourceSpecificParser);
  let BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union vimAuditEventEmpty,
    vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))),
    vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))))
}

.create-or-alter function with (skipvalidation=true) vimAuditEventEmpty {
  // Zero-row table declaring the full AuditEvent schema. The union parsers include it so
  // callers always see every schema column, typed, even when no source yields a row.
  let EmptyAuditEvents =datatable (
    ActorUserType:string, ActorUsernameType:string, ActorUserIdType:string, EventResult:string, EventType:string, EventSchema:string, ValueType:string, EventSeverity:string, EventVendor:string, EventProduct:string, SrcDvcIdType:string, TargetDvcIdType:string, SrcDomainType:string, TargetDomainType:string, SrcDeviceType:string, TargetDeviceType:string, ObjectType:string, OriginalObjectType:string, TargetAppType:string, TargetOriginalAppType:string, ActingAppType:string, ActingOriginalAppType:string, ThreatConfidence:int, SrcGeoCountry:string,
    TargetGeoCountry:string, EventSubType:string, EventResultDetails:string, SrcHostname:string, TargetHostname:string, SrcIpAddr:string, TargetIpAddr:string, SrcGeoRegion:string, SrcGeoCity:string, TargetGeoRegion:string, TargetGeoCity:string, ThreatRiskLevel:int, EventSchemaVersion:string, EventReportUrl:string, User:string, ActorUsername:string, Application:string, Process:string, Operation:string, Object:string, ObjectId:string, OldValue:string, NewValue:string, Value:string, TimeGenerated:datetime, _ResourceId:string, Type:string, AdditionalFields:dynamic, EventMessage:string, EventCount:int, EventStartTime:datetime, EventEndTime:datetime, EventOriginalUid:string, EventOriginalType:string, EventOriginalSubType:string, EventOriginalResultDetails:string, EventOriginalSeverity:string, EventProductVersion:string, EventOwner:string, Rule:string, RuleName:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatOriginalRiskLevel:string, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatIpAddr:string, ThreatField:string, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, ActorUserId:string, ActorScopeId:string, ActorScope:string, ActorOriginalUserType:string, ActorSessionId:string, TargetAppId:string, TargetAppName:string, TargetUrl:string, ActingAppId:string, ActingAppName:string, HttpUserAgent:string, Src:string, SrcPortNumber:int, SrcDomain:string, SrcFQDN:string, SrcDvcDescription:string, SrcDvcId:string, SrcDvcScopeId:string, SrcDvcScope:string, SrcGeoLatitude:real, SrcGeoLongitude:real, Dst:string, TargetPortNumber:int, TargetDomain:string, TargetFQDN:string, TargetDvcDescription:string, TargetDvcId:string, TargetDvcScopeId:string, TargetDvcScope:string, TargetGeoLatitude:real, TargetGeoLongitude:real, Dvc: string, DvcId: string, DvcIpAddr: string, DvcHostname: string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcDescription:string, DvcIdType:string, DvcMacAddr:string, DvcZone:string,
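DvcOs:string, DvcOsVersion:string, DvcAction:string, DvcOriginalAction:string, DvcScope:string, DvcScopeOd:string )[];
  // NOTE(review): 'DvcScopeOd' looks like a typo of DvcScopeId; left as-is because renaming a
  // schema column changes the union output that downstream content may already reference.
  EmptyAuditEvents
}

.create-or-alter function with (skipvalidation=true, docstring="ASIM AuditEvent filtering parser for Windows Security events stored in the SecurityEvent table (audit-log clear, scheduled tasks, AD replica, firewall service/driver, service control, directory-object changes)", folder="ASIM") vimAuditEventMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
  // Parameters are the standard ASIM AuditEvent filters; every one of them (and `disabled`)
  // must be applied to BOTH union branches below, because the audit-log-cleared event (1102)
  // is deliberately excluded from FilteredEventIds and handled by its own branch.
  // The parser never emits a source IP, so a non-empty srcipaddr_has_any_prefix yields no rows.
  let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), srcipaddr_has_any_prefix: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), eventresult: string='*', actorusername_has_any: dynamic=dynamic([]), operation_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([]), disabled: bool = false ) {
    let EventlogEventIds = dynamic([1102]);
    let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);
    let ActiveDirectoryReplicaIds = dynamic([4929]);
    let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);
    let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]);
    let DirectoryServiceIds = dynamic([5136]);
    let AuditLogClearedEventID = dynamic([1102]);
    // Static normalization of EventID to the ASIM Operation/EventType/Object/ObjectType/EventResult tuple.
    let EventIDLookup = datatable( EventID: int, Operation: string, EventType: string, Object: string, ObjectType: string, EventResult: string ) [
      1102, "Delete Logs", "Delete", "Security Logs", "Event Log", "Success",
      4698, "Create Scheduled Task", "Create", "", "Scheduled Task", "Success",
      4699, "Delete Scheduled Task", "Delete", "", "Scheduled Task", "Success",
      4700, "Enable Scheduled Task", "Enable", "", "Scheduled Task", "Success",
      4701, "Disable Scheduled Task", "Disable", "", "Scheduled Task", "Success",
      4702, "Update Scheduled Task", "Set", "", "Scheduled Task", "Success",
      4929, "Remove Active Directory Replica Source Naming Context", "Delete", "", "Other", "Success",
      5025, "Stop Firewall Service", "Disable", "Firewall Service", "Service", "Success",
      5027, "Retrieve the Security Policy From The Local Storage", "Read", "Firewall Service", "Service", "Failure",
      5028, "Parse the new Security Policy", "Set", "Firewall Service", "Service", "Failure",
      5029, "Initialize the Firewall Driver", "Initialize", "Firewall Service", "Service", "Failure",
      5030, "Start the Firewall Service", "Start", "Firewall Service", "Service", "Failure",
      5034, "Stop Firewall Driver", "Stop", "Firewall Driver", "Driver", "Failure",
      5035, "Start Firewall Driver", "Start", "Firewall Driver", "Driver", "Failure",
      5037, "Terminating Firewall Driver", "Terminate", "Firewall Driver", "Driver", "Failure",
      7035, "Start Control Sent", "Execute", "Service", "Service", "Success",
      7036, "Enter Stop State", "Stop", "Service", "Service", "Success",
      7040, "Changed Service Settings", "Set", "Service", "Service", "Success",
      7045, "Install Service", "Install", "Service", "Service", "Success",
      2009, "Load Group Policy", "Other", "Service", "Service", "Failure",
      5136, "Modified Directory Services Object", "Set", "", "Directory Service Object", "Success"
    ];
    // Pre-resolve which EventIDs can satisfy the eventtype/operation/eventresult filters so the
    // table scan is narrowed before any parsing. 1102 is excluded here and filtered in its own branch.
    let FilteredEventIds = toscalar(EventIDLookup
      | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
        and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
        and (eventresult == '*' or EventResult == eventresult)
        and EventID != 1102
      | summarize make_set(EventID) );
    let ParsedEvents = materialize(
      union (
        SecurityEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and EventID in(FilteredEventIds)
        | where (array_length(srcipaddr_has_any_prefix) == 0) and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
        | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
        // EventData is the raw XML string; the regex captures each named value up to the next '<'.
        | parse-kv EventData as ( SubjectUserSid: string, SubjectUserName: string, SubjectDomainName: string, SubjectLogonId: string, TaskName: string, TaskContent: string, TaskContentNew: string, ClientProcessId: string, DestinationDRA: string, SourceDRA: string, SourceAddr: string, ObjectDN: string, AttributeValue: string ) with (regex=@'{?([^<]*?)}?')
        | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any)
        | project-away EventData
      ), (
        // Audit-log-cleared (1102) branch. It previously skipped `disabled`, the time window and the
        // srcipaddr/newvalue pre-filters, so a disabled parser still returned 1102 rows and rows outside
        // [starttime, endtime] leaked into filtered queries; the filters now mirror the branch above.
        SecurityEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
        | where EventID in (AuditLogClearedEventID) and EventSourceName == "Microsoft-Windows-Eventlog"
        | where (array_length(srcipaddr_has_any_prefix) == 0) and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
        | where (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in)) and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any)) and (eventresult == '*' or 'Success' =~ eventresult)
        | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
        | extend Parsed_EventData = parse_xml(EventData)
        | extend SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid), SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName), SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName), SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)
        | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any) or (strcat(SubjectDomainName, '\\', SubjectUserName)) has_any (actorusername_has_any)
        | project-away EventData, Parsed_EventData
      )
      | lookup EventIDLookup on EventID
    );
    // Per-category shaping: each branch maps the source-specific fields onto Object/NewValue/OldValue/
    // Value, applies the object/newvalue filters it can honour, then drops the raw fields.
    let EventLog = ParsedEvents
      | where EventID in(EventlogEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;
    let ScheduledTask = ParsedEvents
      | where EventID in(ScheduledTaskEventIds)
      | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))
      | extend Object = TaskName, NewValue = coalesce( TaskContent, TaskContentNew )
      | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
      | extend Value = NewValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let ActiveDirectoryReplica = ParsedEvents
      | where EventID in(ActiveDirectoryReplicaIds)
      | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))
      | extend NewValue = SourceDRA, OldValue = DestinationDRA, SrcFQDN = SourceAddr
      | extend Value = NewValue, Object = OldValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let WindowsFirewall = ParsedEvents
      | where EventID in(FirewallEventIds)
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let ServiceEvent = ParsedEvents
      | where EventID in(ServiceEventIds)
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let DirectoryService = ParsedEvents
      | where EventID in(DirectoryServiceIds) and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))
      | extend Object = ObjectDN
      | project-rename NewValue = AttributeValue
      | extend Value = NewValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN ;
    union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService
    | invoke _ASIM_ResolveDvcFQDN("Computer")
    | project-rename ActorUserId = SubjectUserSid, ActorSessionId = SubjectLogonId, DvcId = _ResourceId, ActingAppId = ClientProcessId, EventUid = _ItemId
    | extend EventCount = int(1), EventStartTime = TimeGenerated, EventEndTime= TimeGenerated, EventProduct = 'Security Events', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.0', EventSchema = 'AuditEvent', EventOriginalType = tostring(EventID), DvcIdType = iff (DvcId == "", "", "AzureResourceID"), ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)), ActorUsernameType = iff (SubjectDomainName == "", 'Simple', 'Windows'), ActorUserIdType = iff (ActorUserId == "", "", "SID"), ActingAppType = "Process", User = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)), Dvc = coalesce(DvcFQDN, DvcHostname)
    // NOTE(review): unlike the WindowsEvent parser below, this one also drops NewValue, ObjectType,
    // Object, OldValue and Value — the fields the per-category branches just populated. Left unchanged
    // here since the intent is not visible; confirm whether dropping them is deliberate.
    | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value
  };
  parser ( starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, actorusername_has_any = actorusername_has_any, eventtype_in = eventtype_in, eventresult = eventresult, operation_has_any = operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true, docstring="ASIM AuditEvent filtering parser for Windows Security events stored in the WindowsEvent table (audit-log clear, scheduled tasks, AD replica, firewall service/driver, service control, directory-object changes)", folder="ASIM") vimAuditEventMicrosoftWindowsEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
  // Same contract as vimAuditEventMicrosoftSecurityEvents, reading the WindowsEvent table whose
  // EventData is already a dynamic object (fields are read by property access instead of parse-kv).
  // All filters and `disabled` are applied to both union branches; see the 1102 branch comment.
  let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), srcipaddr_has_any_prefix: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), eventresult: string='*', actorusername_has_any: dynamic=dynamic([]), operation_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([]), disabled: bool = false ) {
    let EventlogEventIds = dynamic([1102]);
    let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);
    let ActiveDirectoryReplicaIds = dynamic([4929]);
    let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);
    let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]);
    let DirectoryServiceIds = dynamic([5136]);
    let AuditLogClearedEventID = dynamic([1102]);
    // Static normalization of EventID to the ASIM Operation/EventType/Object/ObjectType/EventResult tuple.
    let EventIDLookup = datatable( EventID: int, Operation: string, EventType: string, Object: string, ObjectType: string, EventResult: string ) [
      1102, "Delete Logs", "Delete", "Security Logs", "Event Log", "Success",
      4698, "Create Scheduled Task", "Create", "", "Scheduled Task", "Success",
      4699, "Delete Scheduled Task", "Delete", "", "Scheduled Task", "Success",
      4700, "Enable Scheduled Task", "Enable", "", "Scheduled Task", "Success",
      4701, "Disable Scheduled Task", "Disable", "", "Scheduled Task", "Success",
      4702, "Update Scheduled Task", "Set", "", "Scheduled Task", "Success",
      4929, "Remove Active Directory Replica Source Naming Context", "Delete", "", "Other", "Success",
      5025, "Stop Firewall Service", "Disable", "Firewall Service", "Service", "Success",
      5027, "Retrieve the Security Policy From The Local Storage", "Read", "Firewall Service", "Service", "Failure",
      5028, "Parse the new Security Policy", "Set", "Firewall Service", "Service", "Failure",
      5029, "Initialize the Firewall Driver", "Initialize", "Firewall Service", "Service", "Failure",
      5030, "Start the Firewall Service", "Start", "Firewall Service", "Service", "Failure",
      5034, "Stop Firewall Driver", "Stop", "Firewall Driver", "Driver", "Failure",
      5035, "Start Firewall Driver", "Start", "Firewall Driver", "Driver", "Failure",
      5037, "Terminating Firewall Driver", "Terminate", "Firewall Driver", "Driver", "Failure",
      7035, "Start Control Sent", "Execute", "Service", "Service", "Success",
      7036, "Enter Stop State", "Stop", "Service", "Service", "Success",
      7040, "Changed Service Settings", "Set", "Service", "Service", "Success",
      7045, "Install Service", "Install", "Service", "Service", "Success",
      2009, "Load Group Policy", "Other", "Service", "Service", "Failure",
      5136, "Modified Directory Services Object", "Set", "", "Directory Service Object", "Success"
    ];
    // Pre-resolve which EventIDs can satisfy the eventtype/operation/eventresult filters; 1102 is
    // excluded here and filtered in its own branch.
    let FilteredEventIds = toscalar(EventIDLookup
      | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
        and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
        and (eventresult == '*' or EventResult == eventresult)
        and EventID != 1102
      | summarize make_set(EventID) );
    let ParsedEvents = materialize(
      union (
        WindowsEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and EventID in(FilteredEventIds)
        | where (array_length(srcipaddr_has_any_prefix) == 0) and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
        | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
        | extend SubjectUserSid = tostring(EventData.SubjectUserSid), SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectLogonId = tostring(EventData.SubjectLogonId), TaskName = tostring(EventData.TaskName), TaskContent = tostring(EventData.TaskContent), TaskContentNew = tostring(EventData.TaskContentNew), ClientProcessId = tostring(EventData.ClientProcessId), DestinationDRA = tostring(EventData.DestinationDRA), SourceDRA = tostring(EventData.SourceDRA), SourceAddr = tostring(EventData.SourceAddr), ObjectDN = tostring(EventData.ObjectDN), AttributeValue = tostring(EventData.AttributeValue)
        // The second term previously re-tested SubjectUserName, so a domain-name filter value never
        // matched here; it now tests SubjectDomainName like the SecurityEvent parser does.
        | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any)
        | project-away EventData
      ), (
        // Audit-log-cleared (1102) branch; `disabled`, the time window and the srcipaddr/newvalue
        // pre-filters are applied here as in the branch above.
        WindowsEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
        | where EventID in (AuditLogClearedEventID) and Provider == "Microsoft-Windows-Eventlog"
        | where (array_length(srcipaddr_has_any_prefix) == 0) and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
        | where (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in)) and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any)) and (eventresult == '*' or 'Success' =~ eventresult)
        | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId
        | extend SubjectUserSid = tostring(EventData.SubjectUserSid), SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName), SubjectLogonId = tostring(EventData.SubjectLogonId)
        | where array_length(actorusername_has_any) == 0 or SubjectUserName has_any (actorusername_has_any) or SubjectDomainName has_any (actorusername_has_any) or (strcat(SubjectDomainName, '\\', SubjectUserName)) has_any (actorusername_has_any)
        | project-away EventData
      )
      | lookup EventIDLookup on EventID
    );
    // Per-category shaping, identical to the SecurityEvent parser.
    let EventLog = ParsedEvents
      | where EventID in(EventlogEventIds) and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;
    let ScheduledTask = ParsedEvents
      | where EventID in(ScheduledTaskEventIds)
      | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))
      | extend Object = TaskName, NewValue = coalesce( TaskContent, TaskContentNew )
      | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
      | extend Value = NewValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let ActiveDirectoryReplica = ParsedEvents
      | where EventID in(ActiveDirectoryReplicaIds)
      | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))
      | extend NewValue = SourceDRA, OldValue = DestinationDRA, SrcFQDN = SourceAddr
      | extend Value = NewValue, Object = OldValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let WindowsFirewall = ParsedEvents
      | where EventID in(FirewallEventIds)
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let ServiceEvent = ParsedEvents
      | where EventID in(ServiceEventIds)
      | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue ;
    let DirectoryService = ParsedEvents
      | where EventID in(DirectoryServiceIds) and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))
      | extend Object = ObjectDN
      | project-rename NewValue = AttributeValue
      | extend Value = NewValue
      | project-away Task*, *DRA, SourceAddr, ObjectDN ;
    union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService
    | invoke _ASIM_ResolveDvcFQDN("Computer")
    | project-rename ActorUserId = SubjectUserSid, ActorSessionId = SubjectLogonId, DvcId = _ResourceId, ActingAppId = ClientProcessId, EventUid = _ItemId
    | extend EventCount = int(1), EventStartTime = TimeGenerated, EventEndTime= TimeGenerated, EventProduct = 'Security Events', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.0', EventSchema = 'AuditEvent', EventOriginalType = tostring(EventID), DvcIdType = iff (DvcId == "", "", "AzureResourceID"), ActorUsername = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)), ActorUsernameType = iff (SubjectDomainName == "", 'Simple', 'Windows'), ActorUserIdType = iff (ActorUserId == "", "", "SID"), ActingAppType = "Process", User = iff (SubjectDomainName == "", SubjectUserName, strcat (SubjectDomainName, '\\', SubjectUserName)), Dvc = coalesce(DvcFQDN, DvcHostname)
    | project-away Subject*, EventID, Computer
  };
  parser ( starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, actorusername_has_any = actorusername_has_any, eventtype_in = eventtype_in, eventresult = eventresult, operation_has_any = operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=disabled )
}

.create-or-alter function with (skipvalidation=true) ASimAuthentication( ['disabled']:bool=false) {
  // Parameter-less Authentication union parser; the source parser is disabled when the
  // ASimDisabledParsers watchlist lists 'Any', the parser family, or its own exclusion key.
  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
    | where SearchKey in ('Any', 'ExcludeASimAuthentication')
    | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
    | distinct SourceSpecificParser);
  let ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers));
  union vimAuthenticationEmpty,
    ASimAuthenticationMicrosoftWindowsEvent (disabled=ASimAuthenticationDisabled or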
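('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))
}

.create-or-alter function with (skipvalidation=true, docstring="ASIM Authentication parser for Windows logon/logoff events (4624, 4625, 4634, 4647) from both the SecurityEvent and WindowsEvent tables", folder="ASIM") ASimAuthenticationMicrosoftWindowsEvent( ['disabled']:bool=false) {
  // `disabled`: when true both source branches return no rows.
  // Two branches feed the union: WinLogon reads WindowsEvent (dynamic EventData) and
  // SecEventLogon reads SecurityEvent (pre-parsed columns). Both restrict to the four
  // logon/logoff EventIDs below — without that restriction every SecurityEvent row (process
  // creation, object access, ...) would be emitted as a successful 'Logon'.
  let LogonEvents=dynamic([4624, 4625]);
  let LogoffEvents=dynamic([4634, 4647]);
  // Windows LogonType number -> ASIM EventSubType.
  let LogonTypes=datatable(LogonType: int, EventSubType: string)[ 2, 'Interactive', 3, 'Remote', 4, 'System', 5, 'Service', 7, 'Interactive', 8, 'NetworkCleartext', 9, 'AssumeRole', 10, 'RemoteInteractive', 11, 'Interactive' ];
  // NTSTATUS / SEC_E code (SubStatus when set, else Status) -> original and normalized result details.
  let LogonStatus=datatable ( EventStatus: string, EventOriginalResultDetails: string, EventResultDetails: string )[
    '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',
    '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',
    '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',
    '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',
    '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',
    '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',
    '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',
    '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',
    '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',
    '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',
    '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',
    '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',
    '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',
    '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',
    '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',
    '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',
    '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',
    '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',
    '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',
    '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',
    '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',
    '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',
    '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',
    '0xc0000017', 'STATUS_NO_MEMORY', 'Other',
    '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',
    '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',
    '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',
    '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',
    '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',
    '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',
    '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',
    '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',
    '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',
    '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',
    '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',
    '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',
    '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',
    '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',
    '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',
    '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',
    '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'
  ];
  let WinLogon=(disabled: bool=false) {
    WindowsEvent
    | where not(disabled)
    | where Provider == 'Microsoft-Windows-Security-Auditing'
    | where EventID in (LogonEvents) or EventID in (LogoffEvents)
    | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type
    // A '-' or empty domain means a bare account name; otherwise build DOMAIN\user.
    | extend LogonProtocol = tostring(EventData.AuthenticationPackageName), SrcIpAddr = tostring(EventData.IpAddress), TargetPortNumber = toint(EventData.IpPort), LogonGuid = tostring(EventData.LogonGuid), LogonType = toint(EventData.LogonType), ActingProcessCreationTime = EventData.ProcessCreationTime, ActingProcessId = tostring(toint(EventData.ProcessId)), ActingProcessName = tostring(EventData.ProcessName), Status = tostring(EventData.Status), ActorSessionId = tostring(EventData.SubjectLogonId), SubjectDomainName = tostring(EventData.SubjectDomainName), ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\", EventData.SubjectUserName))), ActorUserId = tostring(EventData.SubjectUserSid), SubStatus = tostring(EventData.SubStatus), TargetDomainName = tostring(EventData.TargetDomainName), TargetSessionId = tostring(EventData.TargetLogonId), TargetUserId = tostring(EventData.TargetUserSid), TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\", EventData.TargetUserName))), WorkstationName = tostring(EventData.WorkstationName)
    | project-away EventData
    // SubStatus carries the specific failure code when it is not 0x0, otherwise Status is used.
    | extend SrcHostname = iff(WorkstationName in ('-', ''), Computer, WorkstationName), EventProduct = "Security Events", EventStatus = iff(SubStatus == '0x0', Status, SubStatus), EventMessage = case ( EventID == 4634, "4634 - An account was logged off.", EventID == 4625, "4625 - An account failed to log on.", EventID == 4624, "4624 - An account was successfully logged on.", "4647 - User initiated logoff." ), EventResult = iff(EventID == 4625, 'Failure', 'Success')
    | project-rename TargetDvcHostname = Computer, EventOriginalUid = EventOriginId, EventOriginalType = EventID, EventUid = _ItemId
    | extend EventCount = int(1), EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', ActorUserIdType = 'SID', TargetUserIdType = 'SID', EventVendor = 'Microsoft', EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'), TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows'), SrcDvcOs = 'Windows', EventStatus = iff(SubStatus == '0x0', Status, SubStatus), ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), EventOriginalType = tostring(EventOriginalType)
    | lookup LogonStatus on EventStatus
    | lookup LogonTypes on LogonType
    | extend User = TargetUsername, LogonTarget = TargetDvcHostname, Dvc = SrcHostname, DvcHostName = SrcHostname, IpAddr = SrcIpAddr
    | project-away LogonGuid, EventStatus, LogonType, Status, SubStatus, SubjectDomainName, TargetDomainName, TargetDvcHostname, WorkstationName
  };
  let SecEventLogon=(disabled: bool=false) {
    SecurityEvent
    // Previously this branch neither honoured `disabled` nor restricted EventID, so every
    // SecurityEvent row was normalized as an authentication event; both gates now match WinLogon.
    | where not(disabled)
    | where EventID in (LogonEvents) or EventID in (LogoffEvents)
    | project SubjectLogonId, SubjectUserSid, Activity, EventID, EventOriginId, AuthenticationPackageName, WorkstationName, IpAddress, Computer, TargetLogonId, TargetUserSid, SubjectDomainName, SubjectUserName, SubjectAccount, TimeGenerated, SubStatus, TargetDomainName, TargetUserName, AccountType, TargetAccount, Status, LogonType, Type, _ItemId
    | project-rename EventMessage = Activity, ActorSessionId = SubjectLogonId, TargetSessionId = TargetLogonId, ActorUserId = SubjectUserSid, TargetUserId = TargetUserSid, TargetDvcHostname = Computer, EventOriginalUid = EventOriginId, LogonProtocol = AuthenticationPackageName, SrcIpAddr = IpAddress, EventOriginalType = EventID, EventUid = _ItemId
    // NOTE(review): EventSchemaVersion is '0.1.0' here but '0.1.3' in WinLogon; left as found.
    | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'), EventCount = int(1), EventSchema = 'Authentication', EventSchemaVersion = '0.1.0', EventProduct = "Security Events", ActorUserIdType = 'SID', TargetUserIdType = 'SID', EventVendor = 'Microsoft', EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount), ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'), TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)), TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows'), SrcDvcOs = 'Windows', SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName), EventStatus = iff(SubStatus == '0x0', Status, SubStatus)
    | project-away TargetUserName, AccountType
    | extend ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), EventOriginalType = tostring(EventOriginalType)
    | lookup LogonStatus on EventStatus
    | lookup LogonTypes on LogonType
    | extend User = TargetUsername, LogonTarget = TargetDvcHostname, Dvc = SrcHostname, DvcHostName = SrcHostname, IpAddr = SrcIpAddr
    | project-away EventStatus, LogonType, Status, SubStatus, SubjectAccount, SubjectDomainName, SubjectUserName, TargetAccount, TargetDomainName, TargetDvcHostname
  };
  union SecEventLogon(disabled=disabled), WinLogon(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imAuthentication( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) {
  // Filtering Authentication union parser: all filter parameters are forwarded to the
  // source-specific vim parser; `pack` is accepted but not forwarded. Disabling keys off the
  // 'ExcludeimAuthentication*' / 'Excludevim...' watchlist entries.
  let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {
    let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
      | where SearchKey in ('Any', 'ExcludeimAuthentication')
      | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
      | distinct SourceSpecificParser);
    let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
    union vimAuthenticationEmpty,
      vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))
  };
  Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)
}

.create-or-alter function with (skipvalidation=true) vimAuthenticationEmpty {
  // Zero-row table declaring the full Authentication schema; unioned into the parsers so the
  // result always carries every schema column, typed, even when no source yields a row.
  let EmptyAuthenticationTable=datatable(
    EventProduct:string, EventProductVersion: string, EventVendor:string, EventCount:int, EventReportUrl:string, EventSchemaVersion:string, EventSchema:string, TimeGenerated:datetime, EventOriginalUid:string, EventOriginalType:string, EventOriginalSubType:string, EventMessage:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventStartTime:datetime, EventEndTime:datetime, EventType:string, EventSubType:string, EventUid:string, EventSeverity:string, EventOriginalSeverity:string, EventOwner:string, ActorSessionId:string, TargetSessionId:string, ActorUserId:string, ActorUsername:string, ActorUserType:string, ActorUserIdType:string, ActorUsernameType:string, ActorScopeId:string, ActorOriginalUserType:string, TargetUserId:string, TargetUsername:string, TargetUserType:string, SrcDvcId:string, SrcDvcIdType:string, SrcDeviceType:string, SrcDvcOs:string, HttpUserAgent:string, SrcIsp:string, SrcGeoCity:string, SrcGeoCountry:string, SrcGeoRegion:string, SrcGeoLatitude:real, SrcGeoLongitude:real, SrcIpAddr:string, SrcPortNumber:string, SrcHostname:string, SrcDomain:string, SrcDomainType:string, SrcFQDN:string, SrcDescription:string, SrcDvcScopeId:string, SrcRiskLevel:int, SrcOriginalRiskLevel:string, ActingAppId:string, ActingAppName:string, ActingAppType:string,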
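ActingOriginalAppType:string, TargetAppId:string, TargetAppName:string, TargetAppType:string, TargetOriginalAppType:string, TargetDvcId:string, TargetDvcIdType:string, TargetHostname:string, TargetDomain:string, TargetDomainType:string, TargetFQDN:string, TargetDescription:string, TargetDeviceType:string, TargetIpAddr:string, TargetDvcOs:string, TargetUrl:string, TargetPortNumber:int, TargetDvcScope:string, TargetDvcScopeId:string, TargetGeoCity:string, TargetGeoCountry:string, TargetGeoRegion:string, TargetGeoLatitude:real, TargetGeoLongitude:real, LogonMethod: string, LogonProtocol: string, TargetUserIdType: string, TargetUsernameType: string, UserScope:string, UserScopeId:string, TargetOriginalUserType:string, TargetUserSessionId:string, User: string, IpAddr: string, SrcDvcHostnameType: string, LogonTarget: string, Dvc: string, DvcId: string, DvcIpAddr: string, DvcHostname: string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcDescription:string, DvcIdType:string, DvcMacAddr:string, DvcZone:string, DvcOs:string, DvcOsVersion:string, DvcAction:string, DvcOriginalAction:string, DvcScope:string,
    // NOTE(review): 'DvcScopeOd' looks like a typo for 'DvcScopeId' (the Dns schema table
    // below uses DvcScopeId). Left unchanged: renaming a schema column is a breaking change
    // for anything already selecting it - fix it deliberately, in a versioned change.
    DvcScopeOd:string, AdditionalFields:dynamic, Type:string, Src:string, Dst:string, Rule:string, RuleName:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatOriginalRiskLevel:string, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatField:string, ThreatConfidence:int, ThreatRiskLevel:string, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, Application:string )[];
    EmptyAuthenticationTable }

.create-or-alter function with (skipvalidation=true) vimAuthenticationMicrosoftWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
    // ASIM Authentication parser (schema 0.1.3) for Windows Security Auditing logon events:
    // 4624/4625 (logon success/failure) and 4634/4647 (logoff). Two source branches are
    // normalized and unioned:
    //   WinLogon      - WindowsEvent table, fields are read from the EventData JSON.
    //   SecEventLogon - legacy SecurityEvent table, fields are already columns.
    // Parameters are filters ('*' / [] = no filter). The 'disabled' flag (set by the
    // ASimDisabledParsers watchlist through the unifying parser) must produce zero rows.
    // FIX: SecEventLogon previously ignored disabled/starttime/endtime/eventtype_in/
    // eventresultdetails_in/eventresult/targetappname_has_any AND had no EventID filter, so
    // every SecurityEvent row (4688, 4672, ...) was emitted as a successful 'Logon'. It now
    // applies the same filters as WinLogon.
    let LogonEvents = dynamic([4624, 4625]);
    let LogoffEvents = dynamic([4634, 4647]);
    // Windows LogonType -> ASIM EventSubType. Types not listed (e.g. 0, 12, 13) are left
    // with an empty EventSubType by the lookup.
    let LogonTypes = datatable(LogonType: int, EventSubType: string) [
        2, 'Interactive',
        3, 'Remote',
        4, 'System',
        5, 'Service',
        7, 'Interactive',
        8, 'NetworkCleartext',
        9, 'AssumeRole',
        10, 'RemoteInteractive',
        11, 'Interactive'
    ];
    // Failure status (Status, or SubStatus when it is not 0x0) -> original NTSTATUS/SEC_E
    // name and the normalized EventResultDetails. Unlisted codes leave both empty.
    // NOTE(review): 'lookup' is an exact, case-sensitive match and the keys here are
    // lower-case hex - verify the source tables store Status/SubStatus in lower case.
    let LogonStatus = datatable (EventStatus: string, EventOriginalResultDetails: string, EventResultDetails: string) [
        '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',
        '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',
        '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',
        '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',
        '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',
        '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',
        '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',
        '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',
        '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',
        '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',
        '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',
        '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',
        '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',
        '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',
        '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',
        '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',
        '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',
        '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',
        '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',
        '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',
        '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',
        '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',
        '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',
        '0xc0000017', 'STATUS_NO_MEMORY', 'Other',
        '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',
        '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',
        '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',
        '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',
        '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',
        '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',
        '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',
        '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',
        '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',
        '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',
        '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',
        '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',
        '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',
        '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',
        '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',
        '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',
        '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'
    ];
    // Branch 1: WindowsEvent (Security-Auditing provider, EventData is a dynamic bag).
    let WinLogon = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', disabled: bool=false) {
        WindowsEvent
        | where not(disabled)
        // Pre-filter on raw fields (cheap, before parsing). A non-empty targetappname filter
        // can never match a Windows logon, so it empties the result on purpose.
        | where (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
            and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))
            and (array_length(targetappname_has_any) == 0)
            and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))
            and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any) or Computer has_any (srchostname_has_any))
        | where Provider == 'Microsoft-Windows-Security-Auditing'
        | where EventID in (LogonEvents) or EventID in (LogoffEvents)
        | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type
        // Lift the EventData fields into typed columns. '-' or '' as domain means the name is
        // a bare (Simple) user name; otherwise DOMAIN\user (Windows form).
        | extend
            LogonProtocol = tostring(EventData.AuthenticationPackageName),
            SrcIpAddr = tostring(EventData.IpAddress),
            TargetPortNumber = toint(EventData.IpPort),
            LogonGuid = tostring(EventData.LogonGuid),
            LogonType = toint(EventData.LogonType),
            ActingProcessCreationTime = EventData.ProcessCreationTime,
            ActingProcessId = tostring(toint(EventData.ProcessId)),
            ActingProcessName = tostring(EventData.ProcessName),
            Status = tostring(EventData.Status),
            ActorSessionId = tostring(EventData.SubjectLogonId),
            SubjectDomainName = tostring(EventData.SubjectDomainName),
            ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\", EventData.SubjectUserName))),
            ActorUserId = tostring(EventData.SubjectUserSid),
            SubStatus = tostring(EventData.SubStatus),
            TargetDomainName = tostring(EventData.TargetDomainName),
            TargetSessionId = tostring(EventData.TargetLogonId),
            TargetUserId = tostring(EventData.TargetUserSid),
            TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\", EventData.TargetUserName))),
            WorkstationName = tostring(EventData.WorkstationName)
        | project-away EventData
        | extend
            ASimMatchingUsername = case (
                array_length(username_has_any) == 0, "-",
                TargetUsername has_any(username_has_any) and ActorUsername has_any(username_has_any), "Both",
                TargetUsername has_any(username_has_any), "TargetUsername",
                ActorUsername has_any(username_has_any), "ActorUsername",
                "No match"
            ),
            // The workstation named in the event is the source; fall back to the reporting host.
            SrcHostname = iff(WorkstationName in ('-', ''), Computer, WorkstationName),
            EventProduct = "Security Events"
        | where (array_length(srchostname_has_any) == 0 or SrcHostname has_any (srchostname_has_any))
        | extend
            // SubStatus carries the specific failure reason; 0x0 means "use Status".
            EventStatus = iff(SubStatus == '0x0', Status, SubStatus),
            EventMessage = case (
                EventID == 4634, "4634 - An account was logged off.",
                EventID == 4625, "4625 - An account failed to log on.",
                EventID == 4624, "4624 - An account was successfully logged on.",
                "4647 - User initiated logoff."
            ),
            EventResult = iff(EventID == 4625, 'Failure', 'Success')
        | where (eventresult == "*" or (EventResult == eventresult))
            and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))
        | project-rename TargetDvcHostname = Computer, EventOriginalUid = EventOriginId, EventOriginalType = EventID, EventUid = _ItemId
        | extend
            EventCount = int(1),
            EventSchema = 'Authentication',
            EventSchemaVersion = '0.1.3',
            ActorUserIdType = 'SID',
            TargetUserIdType = 'SID',
            EventVendor = 'Microsoft',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),
            ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),
            TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows'),
            SrcDvcOs = 'Windows'
        | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
        | extend
            ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),
            TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),
            EventOriginalType = tostring(EventOriginalType)
        | lookup LogonStatus on EventStatus
        | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))
        | lookup LogonTypes on LogonType
        // Aliases kept for backward compatibility with older schema consumers.
        | extend User = TargetUsername, LogonTarget = TargetDvcHostname, Dvc = SrcHostname, DvcHostName = SrcHostname, IpAddr = SrcIpAddr
        | project-away LogonGuid, EventStatus, LogonType, Status, SubStatus, SubjectDomainName, TargetDomainName, TargetDvcHostname
    };
    // Branch 2: legacy SecurityEvent table (fields already typed columns).
    let SecEventLogon = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', disabled: bool=false) {
        SecurityEvent
        // FIX: honour the kill-switch and the time window, as WinLogon does.
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
        // FIX: only logon/logoff events are authentication events.
        | where EventID in (LogonEvents) or EventID in (LogoffEvents)
        | where ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\', SubjectUserName) has_any (username_has_any)))
            // FIX: a Windows logon has no target application; a non-empty filter matches nothing.
            and (array_length(targetappname_has_any) == 0)
            and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))
            and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)) or (Computer has_any (srchostname_has_any)))
        | project SubjectLogonId, SubjectUserSid, Activity, EventID, EventOriginId, AuthenticationPackageName, WorkstationName, IpAddress, Computer, TargetLogonId, TargetUserSid, SubjectDomainName, SubjectUserName, SubjectAccount, TimeGenerated, SubStatus, TargetDomainName, TargetUserName, AccountType, TargetAccount, Status, LogonType, Type, _ItemId
        | project-rename EventMessage = Activity, ActorSessionId = SubjectLogonId, TargetSessionId = TargetLogonId, ActorUserId = SubjectUserSid, TargetUserId = TargetUserSid, TargetDvcHostname = Computer, EventOriginalUid = EventOriginId, LogonProtocol = AuthenticationPackageName, SrcIpAddr = IpAddress, EventOriginalType = EventID, EventUid = _ItemId
        | extend
            EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),
            EventCount = int(1),
            EventSchema = 'Authentication',
            EventSchemaVersion = '0.1.3',
            EventProduct = "Security Events",
            ActorUserIdType = 'SID',
            TargetUserIdType = 'SID',
            EventVendor = 'Microsoft',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),
            ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),
            ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),
            // SecurityEvent may carry a leading backslash in the account fields; strip it.
            TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)),
            TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows'),
            SrcDvcOs = 'Windows',
            SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName),
            EventStatus = iff(SubStatus == '0x0', Status, SubStatus)
        // FIX: apply the result/type filters that were previously ignored on this branch.
        | where (eventresult == "*" or (EventResult == eventresult))
            and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
        | extend ASimMatchingUsername = case (
                array_length(username_has_any) == 0, "-",
                TargetUsername has_any(username_has_any) and ActorUsername has_any(username_has_any), "Both",
                TargetUsername has_any(username_has_any), "TargetUsername",
                ActorUsername has_any(username_has_any), "ActorUsername",
                "No match"
            )
        | project-away TargetUserName, AccountType
        | extend
            ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),
            TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),
            EventOriginalType = tostring(EventOriginalType)
        | lookup LogonStatus on EventStatus
        | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))
        | lookup LogonTypes on LogonType
        | extend User = TargetUsername, LogonTarget = TargetDvcHostname, Dvc = SrcHostname, DvcHostName = SrcHostname, IpAddr = SrcIpAddr
        | project-away EventStatus, LogonType, Status, SubStatus, SubjectAccount, SubjectDomainName, SubjectUserName, TargetAccount, TargetDomainName, TargetDvcHostname
    };
    union
        SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled),
        WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimDns( ['pack']:bool=false) {
    // ASIM Dns unifying parser, parameter-less (non-filtering) variant.
    // Every built-in source parser is unioned with the empty schema table. 'pack' is
    // accepted for interface compatibility and not used.
    // Kill-switch: 'ASimDisabledParsers' watchlist rows with SearchKey 'Any' or
    // 'ExcludeASimDns'. 'ExcludeASimDnsBuiltIn' (or 'Any') disables all sources; an
    // 'ExcludeASimDns<Source>' value disables one. Matching is exact and case-sensitive.
    // SECURITY: write access to that watchlist equals the ability to blind every
    // DNS detection built on this parser - restrict it and alert on changes.
    let DisabledParsers = materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
    let imDnsBuiltInDisabled = toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
    union
        vimDnsEmpty,
        ASimDnsCorelightZeek (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),
        ASimDnsMicrosoftSysmonWindowsEvent (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),
        ASimDnsMicrosoft365Defender (disabled=imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoft365Defender' in (DisabledParsers) ))
}

.create-or-alter function with (skipvalidation=true) ASimDnsCorelightZeek(['disabled']:bool=false) {
    // Non-filtering wrapper: delegates to the parameterized parser with default filters.
    vimDnsCorelightZeek(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimDnsMicrosoft365Defender(['disabled']:bool=false) {
    // Non-filtering wrapper: delegates to the parameterized parser with default filters.
    vimDnsMicrosoft365Defender(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) ASimDnsMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
    // Non-filtering wrapper: delegates to the parameterized parser with default filters.
    vimDnsMicrosoftSysmonWindowsEvent(disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) imDns( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='lookup', ['pack']:bool=false) {
    // ASIM Dns unifying parser, parameterized (filtering) variant. Forwards every filter
    // to each built-in vim* Dns parser and unions the results with the empty schema table.
    // 'pack' is accepted for interface compatibility and not used.
    // Kill-switch: see ASimDns; here the keys are 'ExcludeimDns', 'ExcludeimDnsBuiltIn'
    // and 'Excludevim<Source>'.
    let DisabledParsers = materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
    let imDnsBuiltInDisabled = toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
    union
        vimDnsEmpty,
        vimDnsCorelightZeek (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),
        // FIX: the key was spelled '...Windowsevent' while the function (and every other key)
        // is '...WindowsEvent'; 'in' is case-sensitive, so a correctly-spelled watchlist entry
        // never disabled this source. 'in~' accepts both spellings.
        vimDnsMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsEvent' in~ (DisabledParsers) ))),
        vimDnsMicrosoft365Defender (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoft365Defender' in (DisabledParsers) )))
}

.create-or-alter function with (skipvalidation=true) vimDnsCorelightZeek( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) {
    // ASIM Dns parser (schema 0.1.4) for Corelight/Zeek dns logs in Corelight_CL
    // (log_type 'dns' or 'dns_red'; the Zeek record is in ParsedMessage).
    // Filters are applied twice: once on the raw ParsedMessage fields (so the engine can
    // prune early) and again on the normalized columns.
    // FIX: the inner parser was called without 'eventtype', so its eventtype filter always
    // saw the default 'Query' and the parameter passed by callers was silently ignored.
    // RFC-1035/IANA query type number -> name; unknown types become "TYPE<n>" below.
    let query_type_lookup = datatable(DnsQueryType:int, DnsQueryTypeName:string) [
        0, "Reserved", 1, "A", 2, "NS", 3, "MD", 4, "MF", 5, "CNAME", 6, "SOA", 7, "MB", 8, "MG", 9, "MR",
        10, "NULL", 11, "WKS", 12, "PTR", 13, "HINFO", 14, "MINFO", 15, "MX", 16, "TXT", 17, "RP", 18, "AFSDB", 19, "X25",
        20, "ISDN", 21, "RT", 22, "NSAP", 23, "NSAP-PTR", 24, "SIG", 25, "KEY", 26, "PX", 27, "GPOS", 28, "AAAA", 29, "LOC",
        30, "NXT", 31, "EID", 32, "NIMLOC", 33, "SRV", 34, "ATMA", 35, "NAPTR", 36, "KX", 37, "CERT", 38, "A6", 39, "DNAME",
        40, "SINK", 41, "OPT", 42, "APL", 43, "DS", 44, "SSHFP", 45, "IPSECKEY", 46, "RRSIG", 47, "NSEC", 48, "DNSKEY", 49, "DHCID",
        50, "NSEC3", 51, "NSEC3PARAM", 52, "TLSA", 53, "SMIMEA", 54, "Unassigned", 55, "HIP", 56, "NINFO", 57, "RKEY", 58, "TALINK", 59, "CDS",
        60, "CDNSKEY", 61, "OPENPGPKEY", 62, "CSYNC", 99, "SPF",
        100, "UINFO", 101, "UID", 102, "GID", 103, "UNSPEC", 104, "NID", 105, "L32", 106, "L64", 107, "LP", 108, "EUI48", 109, "EUI64",
        249, "TKEY", 250, "TSIG", 251, "IXFR", 252, "AXFR", 253, "MAILB", 254, "MAILA", 255, "ANY", 256, "URI", 257, "CAA", 258, "AVC", 259, "DOA",
        32768, "TA", 32769, "DLV"
    ];
    // Query class number -> name; unknown classes become "CLASS<n>" below.
    let class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string) [
        0, 'Reserved', 1, 'IN', 2, 'Unassigned', 3, 'CH', 4, 'HS', 254, 'None', 255, 'Any'
    ];
    let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]), eventtype:string='Query', disabled:bool=false) {
        Corelight_CL
        | where not(disabled)
        | where (eventtype in~ ('lookup', 'Query'))
            and (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
            and log_type in ("dns", "dns_red")
            and (srcipaddr=='*' or id_orig_h == srcipaddr)
            and (array_length(domain_has_any)==0 or tostring(ParsedMessage.query) has_any (domain_has_any))
            and (responsecodename=='*' or tostring(ParsedMessage.rcode_name) has responsecodename)
            and (response_has_ipv4=='*' or has_ipv4(tostring(ParsedMessage.answers), response_has_ipv4))
            and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(tostring(ParsedMessage.answers), response_has_any_prefix))
        | project TimeGenerated, ParsedMessage, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto
        | extend
            DvcHostname = coalesce(tostring(ParsedMessage.["_system_name"]), tostring(ParsedMessage.host.hostname)),
            EventStartTime = todatetime(ParsedMessage.ts),
            EventEndTime = todatetime(ParsedMessage.["_write_ts"]),
            EventOriginalUid = uid,
            SrcIpAddr = id_orig_h,
            SrcPortNumber = id_orig_p,
            DstIpAddr = id_resp_h,
            DstPortNumber = id_resp_p,
            NetworkProtocol = proto,
            DnsQuery = tostring(ParsedMessage.query),
            DnsResponseCode = toint(ParsedMessage.rcode),
            EventResultDetails = tostring(ParsedMessage.rcode_name),
            DnsFlagsAuthoritative = tobool(ParsedMessage.AA),
            DnsFlagsTruncated = tobool(ParsedMessage.TC),
            DnsFlagsRecursionDesired = tobool(ParsedMessage.RD),
            DnsFlagsCheckingDisabled = tobool(ParsedMessage.CD),
            DnsFlagsRecursionAvailable = tobool(ParsedMessage.RA),
            DnsQueryClass = toint(ParsedMessage.qclass),
            DnsQueryType = toint(ParsedMessage.qtype),
            rtt = toreal(ParsedMessage.rtt),
            Z = toint(ParsedMessage.Z),
            trans_id = toint(ParsedMessage.trans_id),
            rejected = tobool(ParsedMessage.rejected),
            answers = ParsedMessage.answers,
            TTLs = ParsedMessage.TTLs
        | project-away ParsedMessage, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto
        | where (srcipaddr=="*" or srcipaddr==SrcIpAddr)
            and (array_length(domain_has_any)==0 or DnsQuery has_any (domain_has_any))
            and (responsecodename=="*" or EventResultDetails has responsecodename)
            and (response_has_ipv4=='*' or has_ipv4(tostring(answers), response_has_ipv4))
            and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(tostring(answers), response_has_any_prefix))
        | extend EventCount=int(1), EventProduct="Zeek", EventVendor="Corelight", EventSchema = "Dns", EventSchemaVersion="0.1.4", EventType="Query"
        | lookup query_type_lookup on DnsQueryType
        | lookup class_lookup on DnsQueryClass
        | extend
            // A record without an rcode is an unanswered request.
            EventSubType = iff(isnull(DnsResponseCode), 'request', 'response'),
            DnsNetworkDuration = toint(rtt*1000),
            // NOTE(review): a 'request' row has an empty rcode_name, so '' !~ 'NOERROR' marks it
            // 'Failure'. Consumers counting failures should also filter on EventSubType.
            EventResult = iff (EventResultDetails!~'NOERROR' or rejected, 'Failure', 'Success'),
            DnsQueryTypeName = case (DnsQueryTypeName == "" and not(isnull(DnsQueryType)), strcat("TYPE", DnsQueryType), DnsQueryTypeName),
            DnsQueryClassName = case (DnsQueryClassName == "" and not(isnull(DnsQueryClass)), strcat("CLASS", DnsQueryClass), DnsQueryClassName),
            TransactionIdHex = tohex(toint(trans_id)),
            DnsFlagsZ = (Z != 0),
            DnsResponseName = iff(isnull(answers) or array_length(answers) == 0, "", strcat_array(answers, ";"))
        // Aliases kept for backward compatibility with older schema consumers.
        | extend DnsResponseCodeName = EventResultDetails, Domain = DnsQuery, IpAddr = SrcIpAddr, Src = SrcIpAddr, Duration = DnsNetworkDuration, Dst = DstIpAddr, Dvc = DvcHostname
        | project-away Z, TTLs, answers, trans_id, rejected, rtt
    };
    parser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) vimDnsEmpty {
    // Zero-row table carrying the full ASIM Dns column set, unioned into the unifying
    // parsers so consumers always see every schema column, typed.
    let EmptyNewDnsEvents = datatable(
        _ResourceId: string, AdditionalFields: dynamic, DnsFlags: string, DnsFlagsAuthenticated: bool, DnsFlagsAuthoritative: bool, DnsFlagsCheckingDisabled: bool, DnsFlagsRecursionAvailable: bool, DnsFlagsRecursionDesired: bool, DnsFlagsTruncated: bool, DnsFlagsZ: bool, DnsNetworkDuration: int, DnsQuery: string, DnsQueryClass: int, DnsQueryClassName: string, DnsQueryType: int, DnsQueryTypeName: string, DnsResponseCode: int, DnsResponseCodeName: string, DnsResponseIpCity: string, DnsResponseIpCountry: string, DnsResponseIpLatitude: real, DnsResponseIpLongitude: real, DnsResponseIpRegion: string, DnsResponseName: string, DnsSessionId: string, Domain: string, DomainCategory: string,
        Dst: string, DstDescription: string, DstDeviceType: string, DstDomain: string, DstDomainType: string, DstDvcId: string, DstDvcIdType: string, DstDvcScopeId: string, DstDvcScope: string, DstFQDN: string, DstGeoCity: string, DstGeoCountry: string, DstGeoLatitude: real, DstGeoLongitude: real, DstGeoRegion: string, DstHostname: string, DstIpAddr: string, DstPortNumber: int, DstRiskLevel: int, DstOriginalRiskLevel: string, Duration: int,
        Dvc: string, DvcAction: string, DvcDescription: string, DvcDomain: string, DvcDomainType: string, DvcFQDN: string, DvcHostname: string, DvcId: string, DvcIdType: string, DvcInterface: string, DvcIpAddr: string, DvcMacAddr: string, DvcOriginalAction: string, DvcOs: string, DvcOsVersion: string, DvcScope: string, DvcScopeId: string, DvcZone: string,
        EventCount: int, EventEndTime: datetime, EventMessage: string, EventOriginalSeverity: string, EventOriginalSubType: string, EventOriginalType: string, EventOriginalUid: string, EventOwner: string, EventProduct: string, EventProductVersion: string, EventReportUrl: string, EventResult: string, EventResultDetails: string, EventSchema: string, EventSchemaVersion: string, EventSeverity: string, EventStartTime: datetime, EventSubType: string, EventType: string, EventUid: string, EventVendor: string,
        Hostname: string, IpAddr: string, NetworkProtocol: string, NetworkProtocolVersion: string, Process: string, Rule: string, RuleName: string, RuleNumber: int, SessionId: string,
        Src: string, SrcDescription: string, SrcDeviceType: string, SrcDomain: string, SrcDomainType: string, SrcDvcId: string, SrcDvcIdType: string, SrcDvcScope: string, SrcDvcScopeId: string, SrcFQDN: string, SrcGeoCity: string, SrcGeoCountry: string, SrcGeoLatitude: real, SrcGeoLongitude: real, SrcGeoRegion: string, SrcHostname: string, SrcIpAddr: string, SrcOriginalRiskLevel: string, SrcOriginalUserType: string, SrcPortNumber: int, SrcProcessGuid: string, SrcProcessId: string, SrcProcessName: string, SrcRiskLevel: int, SrcUserId: string, SrcUserAadId: string, SrcUserSid: string, SrcUserAWSId: string, SrcUserOktaId: string, SrcUserUid: string, SrcUserIdType: string, SrcUserScope: string, SrcUserScopeId: string, SrcUsername: string, SrcUsernameType: string, SrcUserType: string, SrcUserSessionId: string,
        TenantId: string, ThreatCategory: string, ThreatConfidence: int, ThreatField: string, ThreatFirstReportedTime: datetime, ThreatId: string, ThreatIpAddr: string, ThreatIsActive: bool, ThreatLastReportedTime: datetime, ThreatName: string, ThreatOriginalConfidence: string, ThreatOriginalRiskLevel: string, ThreatRiskLevel: int, TimeGenerated: datetime, TransactionIdHex: string, Type: string, UrlCategory: string, User: string
    )[];
    EmptyNewDnsEvents
}

.create-or-alter function with (skipvalidation=true) vimDnsMicrosoft365Defender( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='Query', ['disabled']:bool=false) {
    // ASIM Dns parser (schema 0.1.4) over Microsoft 365 Defender DeviceNetworkEvents.
    // CAVEAT: this source is NOT DNS telemetry. A "query" is derived from a network
    // connection row that carries a RemoteUrl, and the response code is synthesized:
    // ActionType 'ConnectionFailed' -> NXDOMAIN (3), anything else -> NOERROR (0).
    // Real resolver outcomes (SERVFAIL, REFUSED, timeouts, a genuine NXDOMAIN that never
    // produced a connection attempt) are invisible here, so NXDOMAIN-ratio detections
    // (DGA, tunnelling) built on this source are skewed - prefer Sysmon 22 or a real
    // resolver log for those.
    let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]), eventtype:string='Query', disabled:bool=false) {
        DeviceNetworkEvents
        | where not(disabled)
        | where RemoteUrl != ""
        | where (eventtype in~ ('lookup', 'Query'))
            and (isnull(starttime) or Timestamp >= starttime)
            and (isnull(endtime) or Timestamp <= endtime)
            and (srcipaddr == '*' or LocalIP == srcipaddr)
            and (array_length(domain_has_any) == 0 or RemoteUrl has_any (domain_has_any))
            // Only the two synthesized codes can ever match; any other name yields no rows.
            and (responsecodename == '*' or (responsecodename =~ 'NOERROR' and ActionType != 'ConnectionFailed') or (responsecodename =~ 'NXDOMAIN' and ActionType == 'ConnectionFailed'))
            and (response_has_ipv4 == '*' or has_ipv4(RemoteIP, response_has_ipv4))
            and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(RemoteIP, response_has_any_prefix))
        | project Timestamp, ActionType, DeviceId, DeviceName, ReportId, Protocol, LocalIP, LocalPort, RemoteIP, RemoteUrl, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, InitiatingProcessAccountObjectId, InitiatingProcessAccountUpn, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessId
        | extend
            EventCount = int(1),
            EventProduct = 'M365 Defender for Endpoint',
            EventVendor = 'Microsoft',
            EventSchema = 'Dns',
            EventSchemaVersion = '0.1.4',
            EventType = 'Query',
            EventSubType = 'response',
            EventStartTime = Timestamp,
            EventEndTime = Timestamp,
            TimeGenerated = Timestamp,
            EventSeverity = "Informational",
            EventOriginalUid = tostring(ReportId),
            EventResult = iff(ActionType == 'ConnectionFailed', 'Failure', 'Success'),
            EventResultDetails = iff(ActionType == 'ConnectionFailed', 'NXDOMAIN', 'NOERROR'),
            DnsResponseCodeName = iff(ActionType == 'ConnectionFailed', 'NXDOMAIN', 'NOERROR'),
            DnsResponseCode = iff(ActionType == 'ConnectionFailed', 3, 0),
            DnsQuery = RemoteUrl,
            DnsResponseName = RemoteIP,
            SrcIpAddr = LocalIP,
            SrcPortNumber = LocalPort,
            DvcIdType = 'MDEid',
            NetworkProtocol = case( Protocol startswith "Tcp", "TCP", Protocol startswith "Udp", "UDP", Protocol == "Unknown", "", toupper(Protocol) ),
            SplitHostname = split(DeviceName, "."),
            User = iff(InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)),
            SrcUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows')
        | extend
            DvcHostname = tostring(SplitHostname[0]),
            DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),
            DvcFQDN = iff(DeviceName contains ".", DeviceName, ""),
            DvcDomainType = iff(DeviceName contains ".", "FQDN", ""),
            DvcIpAddr = SrcIpAddr,
            Dvc = tostring(SplitHostname[0]),
            SrcProcessId = tostring(InitiatingProcessId),
            SrcProcessName = InitiatingProcessFileName,
            SrcUsername = User,
            // S-1-0-0 is the NULL SID (no identity); do not surface it as a user id.
            SrcUserId = iff(InitiatingProcessAccountSid <> "S-1-0-0", InitiatingProcessAccountSid, ""),
            SrcUserIdType = iff(InitiatingProcessAccountSid <> "S-1-0-0", "SID", ""),
            SrcUserAadId = InitiatingProcessAccountObjectId,
            SrcUserUpn = InitiatingProcessAccountUpn
        | project-rename DvcId = DeviceId, EventOriginalResultDetails = ActionType, SrcProcessCommandLine = InitiatingProcessCommandLine, SrcProcessCreationTime = InitiatingProcessCreationTime
        | project-away SplitHostname, DeviceName, Protocol, RemoteUrl, RemoteIP, LocalIP, LocalPort, InitiatingProcess*, ReportId, Timestamp
        // Aliases kept for backward compatibility with older schema consumers.
        | extend Domain = DnsQuery, IpAddr = SrcIpAddr, Src = SrcIpAddr, Hostname = DvcHostname, Process = SrcProcessName, User = SrcUsername, SessionId = EventOriginalUid
    };
    parser(starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) vimDnsMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), 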
['eventtype']:string='lookup', ['disabled']:bool=false) { let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[ 0, 'NOERROR', 9001, "FORMERR", 9002,"SERVFAIL", 9003,'NXDOMAIN', 9004,'NOTIMP', 9005,'REFUSED', 9006,'YXDOMAIN', 9007,'YXRRSET', 9008,'NXRRSET', 9009,'NOTAUTH', 9010,'NOTZONE', 9011,'DSOTYPENI', 9016,'BADVERS', 9016,'BADSIG', 9017,'BADKEY', 9018,'BADTIME', 9019,'BADMODE', 9020,'BADNAME', 9021,'BADALG', 9022,'BADTRUNC', 9023,'BADCOOKIE', 1460, 'TIMEOUT' ]; let ParsedDnsEvent_WindowsEvent =( starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', disabled:bool=false ) { WindowsEvent | where not(disabled) | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId | where Provider == "Microsoft-Windows-Sysmon" and EventID == 22 | project-away Provider, EventID | where (eventtype=='lookup') and (srcipaddr=='*') and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any)) and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) ) and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix)) | extend DnsResponseCode = toint(EventData.QueryStatus) | lookup RCodeTable on DnsResponseCode | where (responsecodename=="*" or DnsResponseCodeName has responsecodename) | extend RuleName = tostring(EventData.RuleName), EventEndTime = todatetime(EventData.UtcTime), SrcProcessGuid = tostring(EventData.ProcessGuid), SrcProcessId = tostring(EventData.ProcessId), DnsQuery = tostring(EventData.QueryName), DnsResponseName = tostring(EventData.QueryResults), SrcProcessName = tostring(EventData.Image), SrcUsername = 
tostring(EventData.User), EventUid = _ItemId | project-away EventData | parse SrcProcessGuid with '{' SrcProcessGuid '}' }; let ParsedDnsEvent=( starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', disabled:bool=false ) { ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled) | where (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any)) and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) ) and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix)) | project-rename DvcHostname = Computer, DvcScopeId = _SubscriptionId, DvcId = _ResourceId | extend EventOriginalType = '22', EventCount=int(1), EventProduct = 'Sysmon', EventVendor = 'Microsoft', EventSchema = 'Dns', EventSchemaVersion="0.1.6", EventType = 'Query', EventResult = iff (DnsResponseCode == 0,'Success','Failure'), EventStartTime = EventEndTime, EventSubType= 'response', EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'), SrcUsernameType = 'Windows', RuleName = iff (RuleName == "-", "", RuleName), DnsResponseName = iff (DnsResponseName == "-", "", DnsResponseName), DnsResponseCodeName = iff (DnsResponseCodeName == "", "NA", DnsResponseCodeName), DvcIdType = iff (DvcId != "", "AzureResourceId", "") | extend EventResultDetails = DnsResponseCodeName, Domain = DnsQuery, Dvc = DvcHostname, SrcHostname = DvcHostname, Src = DvcHostname, Hostname=DvcHostname, DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)), User = SrcUsername, Process = SrcProcessName, Rule = RuleName }; ParsedDnsEvent (starttime=starttime, endtime=endtime, 
srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimFileEvent( ['pack']:bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser)); let ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); let parser=(pack:bool=false){ union vimFileEventEmpty, ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))), ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))), ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))) }; parser (pack=pack) } .create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSecurityEvents(['disabled']:bool=false) { vimFileEventMicrosoftSecurityEvents(disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftSysmonWindowsEvent(['disabled']:bool=false) { vimFileEventMicrosoftSysmonWindowsEvent(disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimFileEventMicrosoftWindowsEvents(['disabled']:bool=false) { vimFileEventMicrosoftWindowsEvents(disabled=disabled) } .create-or-alter function with (skipvalidation=true) imFileEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), 
['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); let vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); let parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), pack: bool=false ) { union vimFileEventEmpty, vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))), vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))), 
vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))) }; parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack) } .create-or-alter function with (skipvalidation=true) vimFileEventEmpty { let FileEvent=datatable( _ResourceId:string, ActingProcessCommandLine:string, ActingProcessGuid:string, ActingProcessId:string, ActingProcessName:string, ActorOriginalUserType:string, ActorScope:string, ActorScopeId:string, ActorSessionId:string, ActorUserAadId:string, ActorUserId:string, ActorUserIdType:string, ActorUsername:string, ActorUsernameType:string, ActorUserSid:string, ActorUserType:string, AdditionalFields:dynamic, Application:string, Dvc:string, DvcAction:string, DvcDescription:string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcHostname:string, DvcId:string, DvcIdType:string, DvcInterface:string, DvcIpAddr:string, DvcMacAddr:string, DvcOriginalAction:string, DvcOs:string, DvcOsVersion:string, DvcScopeId:string, DvcScope:string, DvcZone:string, EventCount:int, EventEndTime:datetime, EventMessage:string, EventOriginalResultDetails:string, EventOriginalSeverity:string, EventOriginalSubType:string, EventOriginalType:string, EventOriginalUid:string, EventOwner:string, EventProduct:string, EventProductVersion:string, EventReportUrl:string, EventResult:string, EventSchema:string, 
EventSchemaVersion:string, EventSeverity:string, EventStartTime:datetime, EventType:string, EventUid:string, EventVendor:string, EventSubType:string, EventResultDetails:string, FileName:string, FilePath:string, Hash:string, HashType:string, HttpUserAgent:string, IpAddr:string, NetworkApplicationProtocol:string, Process:string, Rule:string, RuleName:string, RuleNumber:int, Src:string, SrcDescription:string, SrcDeviceType:string, SrcDomain:string, SrcDomainType:string, SrcDvcId:string, SrcDvcIdType:string, SrcDvcScope:string, SrcDvcScopeId:string, SrcFileCreationTime:datetime, SrcFileDirectory:string, SrcFileExtension:string, SrcFileMD5:string, SrcFileMimeType:string, SrcFileName:string, SrcFilePath:string, SrcFilePathType:string, SrcFileSHA1:string, SrcFileSHA256:string, SrcFileSHA512:string, SrcFileSize:long, SrcFQDN:string, SrcGeoCity:string, SrcGeoCountry:string, SrcGeoLatitude:real, SrcGeoLongitude:real, SrcGeoRegion:string, SrcHostname:string, SrcIpAddr:string, SrcPortNumber:int, SrcMacAddr:string, SrcRiskLevel:int, SrcOriginalRiskLevel:string, TargetAppId:string, TargetAppName:string, TargetAppType:string, TargetOriginalAppType:string, TargetFileCreationTime:datetime, TargetFileDirectory:string, TargetFileExtension:string, TargetFileMD5:string, TargetFileMimeType:string, TargetFileName:string, TargetFilePath:string, TargetFilePathType:string, TargetFileSHA1:string, TargetFileSHA256:string, TargetFileSHA512:string, TargetFileSize:long, TargetUrl:string, ThreatCategory:string, ThreatConfidence:int, ThreatField:string, ThreatFilePath:string, ThreatFirstReportedTime:datetime, ThreatId:string, ThreatIpAddr:string, ThreatIsActive:bool, ThreatLastReportedTime:datetime, ThreatName:string, ThreatOriginalConfidence:string, ThreatOriginalRiskLevel:string, ThreatRiskLevel:int, TimeGenerated:datetime, Type:string, Url:string, User:string, ActorUserPuid:string, ActorUpn:string, Dst:string )[]; FileEvent } .create-or-alter function with (skipvalidation=true) 
vimFileEventMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let Parser=( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let EventTypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "ObjectAccessed" , "0x10", "MetadataModified" , "0x100", "MetadataModified" , "0x10000", "ObjectDeleted" , "0x2", "ObjectModified" , "0x20000", "MetadataAccessed" , "0x4", "ObjectModified" , "0x40", "ObjectDeleted" , "0x40000", "MetadataModified" , "0x6", "ObjectModified" , "0x8", "MetadataAccessed" , "0x80", "MetadataAccessed" , "0x80000", "MetadataModified" ]; let UserTypeLookup = datatable (AccountType: string, ActorUserType: string) [ 'User', 'Regular', 'Machine', 'Machine' ]; let KnownSIDs = datatable (sid: string, username: string, type: string) [ 'S-1-5-18', 'Local System', 'Simple', 'S-1-0-0', 'Nobody', 'Simple' ]; SecurityEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4663 and ObjectType == "File" and ObjectName !startswith @"\Device\" | where (array_length(srcipaddr_has_any_prefix) == 0) and ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and (array_length(srcfilepath_has_any) == 0) and 
(array_length(hashes_has_any) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId, Type | lookup EventTypeLookup on AccessMask | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) | lookup UserTypeLookup on AccountType | lookup KnownSIDs on $left.SubjectUserSid == $right.sid | extend ActingProcessName = ProcessName , ActorUsername = iff (SubjectUserName == "-", username, SubjectAccount) , ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows') , EventStartTime = TimeGenerated , EventEndTime = TimeGenerated , TargetFilePath = ObjectName , TargetFilePathFormat = "Windows Local" , ActingProcessId = tostring(ProcessId) , EventOriginalType = tostring(EventID) | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)) | project-away EventID, ProcessId, AccountType, username | project-rename ActorUserId = SubjectUserSid , DvcHostname = Computer , Process = ProcessName , FilePath = ObjectName , ActorSessionId = SubjectLogonId , FileSessionId = HandleId | extend EventSchema = "FileEvent" , EventSchemaVersion = "0.1.1" , EventResult = "Success" , EventCount = int(1) , EventVendor = 'Microsoft' , EventProduct = 'Security Events' , Dvc = DvcHostname , ActorWindowsUsername = ActorUsername , User = ActorUsername , ActorUserSid = ActorUserId, ActorUserIdType="SID", TargetFilePathType="Windows Local" | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type }; Parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, 
hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) { let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), targetfilepath_has_any: dynamic=dynamic([]), srcfilepath_has_any: dynamic=dynamic([]), hashes_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let WindowsEventParser=() { WindowsEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type, _ItemId | where Provider == "Microsoft-Windows-Sysmon" and EventID in (11, 23, 26) | project-away Provider | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and (array_length(srcipaddr_has_any_prefix) == 0) and ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any (actorusername_has_any))) and ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and ((array_length(srcfilepath_has_any) == 0)) and ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any)) | extend TargetFileCreationTime=todatetime(EventData.CreationUtcTime), 
TargetFilePath=tostring(EventData.TargetFilename), ActingProcessName = tostring(EventData.Image), ActingProcessId = tostring(EventData.ProcessId), ActingProcessGuid = tostring(EventData.ProcessGuid), ActorUsername = tostring(EventData.User), EventStartTime = todatetime(EventData.UtcTime), RuleName = tostring(EventData.RuleName), Hashes = tostring(EventData.Hashes) | parse ActingProcessGuid with "{" ActingProcessGuid "}" | project-away EventData }; WindowsEventParser | project-rename DvcHostname = Computer, DvcScopeId = _SubscriptionId, DvcId = _ResourceId | extend EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'), EventProduct = 'Sysmon', EventVendor = 'Microsoft', EventSchema = 'FileEvent', EventSchemaVersion = '0.2.1', EventResult = 'Success', EventSeverity = 'Informational', DvcOs='Windows', TargetFilePathType = 'Windows', DvcIdType = iff (DvcId != "", "AzureResourceId", ""), EventCount = int(1), EventEndTime = EventStartTime, EventOriginalType = tostring(EventID), TargetFileName = tostring(split(TargetFilePath, '\\')[-1]), ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), RuleName = iff (RuleName == "-", "", RuleName), EventUid = _ItemId | parse-kv Hashes as ( MD5: string, SHA1: string, IMPHASH: string, SHA256: string ) | project-rename TargetFileMD5 = MD5, TargetFileSHA1 = SHA1, TargetFileIMPHASH = IMPHASH, TargetFileSHA256 = SHA256 | where (array_length(hashes_has_any) == 0) or (TargetFileMD5 has_any (hashes_has_any)) or (TargetFileSHA1 has_any (hashes_has_any)) or (TargetFileIMPHASH has_any (hashes_has_any)) or (TargetFileSHA256 has_any (hashes_has_any)) | extend Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH) | extend HashType = tostring(dynamic(["SHA256", "SHA1", "MD5", "IMPHASH"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)]), ActorWindowsUsername = ActorUsername, Process = ActingProcessName, Dvc = DvcHostname, FilePath = TargetFilePath, 
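FileName = TargetFileName, User = ActorUsername | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH }; parser ( starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled ) }

.create-or-alter function with (skipvalidation=true) vimFileEventMicrosoftWindowsEvents(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['eventtype_in']:dynamic=dynamic([]),
    ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['actorusername_has_any']:dynamic=dynamic([]),
    ['targetfilepath_has_any']:dynamic=dynamic([]),
    ['srcfilepath_has_any']:dynamic=dynamic([]),
    ['hashes_has_any']:dynamic=dynamic([]),
    ['dvchostname_has_any']:dynamic=dynamic([]),
    ['disabled']:bool=false)
{
    // ASIM FileEvent parser for Windows file-access audit events (EventID 4663,
    // ObjectType "File") ingested through the WindowsEvent table.
    //
    // The filtering contract mirrors vimFileEventMicrosoftSecurityEvents:
    //  - 'disabled' short-circuits the parser so the ASimDisabledParsers watchlist
    //    actually takes effect for this source;
    //  - starttime/endtime bound the scan instead of reading the whole table;
    //  - a non-empty filter this source has no data for (source IP prefix, source
    //    file path, hashes) yields no rows rather than every row, so a union with
    //    other sources is not polluted by unfiltered events.
    let Parser=(
        starttime: datetime=datetime(null),
        endtime: datetime=datetime(null),
        eventtype_in: dynamic=dynamic([]),
        srcipaddr_has_any_prefix: dynamic=dynamic([]),
        actorusername_has_any: dynamic=dynamic([]),
        targetfilepath_has_any: dynamic=dynamic([]),
        srcfilepath_has_any: dynamic=dynamic([]),
        hashes_has_any: dynamic=dynamic([]),
        dvchostname_has_any: dynamic=dynamic([]),
        disabled: bool=false
    ) {
        // 4663 AccessMask values mapped to the ASIM FileEvent EventType.
        let EventTypeLookup = datatable (AccessMask: string, EventType: string) [
            "0x1", "ObjectAccessed",
            "0x10", "MetadataModified",
            "0x100", "MetadataModified",
            "0x10000", "ObjectDeleted",
            "0x2", "ObjectModified",
            "0x20000", "MetadataAccessed",
            "0x4", "ObjectModified",
            "0x40", "ObjectDeleted",
            "0x40000", "MetadataModified",
            "0x6", "ObjectModified",
            "0x8", "MetadataAccessed",
            "0x80", "MetadataAccessed",
            "0x80000", "MetadataModified"
        ];
        let UserTypeLookup = datatable (AccountType: string, ActorUserType: string) [
            'User', 'Regular',
            'Machine', 'Machine'
        ];
        // Well-known SIDs whose SubjectUserName is logged as "-"; the lookup
        // supplies a display name and username type for them.
        let KnownSIDs = datatable (sid: string, username: string, type: string) [
            'S-1-5-18', 'Local System', 'Simple',
            'S-1-0-0', 'Nobody', 'Simple'
        ];
        WindowsEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
        | where EventID == 4663
            and EventData.ObjectType == "File"
            and EventData.ObjectName !startswith @"\Device\"
        // Fields this source cannot provide: any non-empty filter on them returns nothing.
        | where (array_length(srcipaddr_has_any_prefix) == 0)
            and (array_length(srcfilepath_has_any) == 0)
            and (array_length(hashes_has_any) == 0)
        | project
            TimeGenerated,
            EventID,
            AccessMask = tostring(EventData.AccessMask),
            ProcessName = tostring(EventData.ProcessName),
            SubjectUserSid = tostring(EventData.SubjectUserSid),
            AccountType = tostring(EventData.AccountType),
            Computer = tostring(EventData.Computer),
            ObjectName = tostring(EventData.ObjectName),
            ProcessId = tostring(EventData.ProcessId),
            SubjectUserName = tostring(EventData.SubjectUserName),
            SubjectAccount = tostring(EventData.SubjectAccount),
            SubjectLogonId = tostring(EventData.SubjectLogonId),
            HandleId = tostring(EventData.HandleId),
            Type
        | where ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any)))
            and ((array_length(dvchostname_has_any) == 0) or (Computer has_any (dvchostname_has_any)))
        | lookup EventTypeLookup on AccessMask
        | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))
        | lookup UserTypeLookup on AccountType
        | lookup KnownSIDs on $left.SubjectUserSid == $right.sid
        | extend
            ActingProcessName = ProcessName,
            ActorUsername = iff (SubjectUserName == "-", username, SubjectAccount),
            ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows'),
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            TargetFilePath = ObjectName,
            TargetFilePathFormat = "Windows Local",
            // NOTE(review): ProcessId is taken from EventData as a string and normalised
            // through toint(); confirm the logged value is a plain decimal for this source.
            ActingProcessId = tostring(toint(ProcessId)),
            EventOriginalType = tostring(EventID)
        | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))
        | project-away EventID, ProcessId, AccountType, username
        | project-rename
            ActorUserId = SubjectUserSid,
            DvcHostname = Computer,
            Process = ProcessName,
            FilePath = ObjectName,
            ActorSessionId = SubjectLogonId,
            FileSessionId = HandleId
        | extend
            EventSchema = "FileEvent",
            EventSchemaVersion = "0.1.1",
            EventResult = "Success",
            EventCount = int(1),
            EventVendor = 'Microsoft',
            EventProduct = 'Security Events',
            Dvc = DvcHostname,
            ActorWindowsUsername = ActorUsername,
            User = ActorUsername,
            ActorUserSid = ActorUserId,
            ActorUserIdType = "SID",
            TargetFilePathType = "Windows Local"
        | project-away AccessMask, ActorWindowsUsername, FileSessionId, SubjectAccount, SubjectUserName, TargetFilePathFormat, type
    };
    Parser (
        starttime=starttime,
        endtime=endtime,
        eventtype_in=eventtype_in,
        srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
        actorusername_has_any=actorusername_has_any,
        targetfilepath_has_any=targetfilepath_has_any,
        srcfilepath_has_any=srcfilepath_has_any,
        hashes_has_any=hashes_has_any,
        dvchostname_has_any=dvchostname_has_any,
        disabled=disabled
    )
}

.create-or-alter function with (skipvalidation=true) ASimNetworkSession(
    ['pack']:bool=false)
{
    // Parameter-less ASIM NetworkSession union over the built-in source parsers.
    // Individual sources are switched off through the ASimDisabledParsers watchlist.
    let DisabledParsers=materialize(
        _GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludeASimNetworkSession')
        | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
        | distinct SourceSpecificParser
        | where isnotempty(SourceSpecificParser));
    // NOTE(review): the sibling ASimFileEvent keys its built-in switch on a
    // '...BuiltIn' value; this one uses the schema key itself — confirm which
    // watchlist value operators are expected to set.
    let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
    let NetworkSessionsGeneric=(pack:bool=false){
        union
            vimNetworkSessionEmpty,
            ASimNetworkSessionMicrosoft365Defender (disabled=ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )),
            ASimNetworkSessionMicrosoftWindowsEventFirewall (disabled=ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) )),
            ASimNetworkSessionMicrosoftSecurityEventFirewall (disabled=ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) )),
            ASimNetworkSessionCorelightZeek (disabled=ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) )),
            ASimNetworkSessionMicrosoftSysmonWindowsEvent (disabled=ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))
    };
    NetworkSessionsGeneric (pack=pack)
}

.create-or-alter function with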
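(skipvalidation=true) ASimNetworkSessionCorelightZeek(['disabled']:bool=false) { vimNetworkSessionCorelightZeek(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoft365Defender(['disabled']:bool=false) { vimNetworkSessionMicrosoft365Defender(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftSecurityEventFirewall(['disabled']:bool=false) { vimNetworkSessionMicrosoftSecurityEventFirewall(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftSysmonWindowsEvent(['disabled']:bool=false) { vimNetworkSessionMicrosoftSysmonWindowsEvent(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) ASimNetworkSessionMicrosoftWindowsEventFirewall(['disabled']:bool=false) { vimNetworkSessionMicrosoftWindowsEventFirewall(disabled=disabled) }

.create-or-alter function with (skipvalidation=true) imNetworkSession(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['srcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dstipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['ipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dstportnumber']:int=int(null),
    ['hostname_has_any']:dynamic=dynamic([]),
    ['dvcaction']:dynamic=dynamic([]),
    ['eventresult']:string='*',
    ['pack']:bool=false)
{
    // Filtering ASIM NetworkSession union. Every filter parameter is forwarded
    // unchanged, by name, to each source parser; a source that cannot honour a
    // filter is expected to return no rows for it. Sources are switched off
    // through the ASimDisabledParsers watchlist.
    let DisabledParsers=materialize(
        _GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludevimNetworkSession')
        | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','')
        | distinct SourceSpecificParser
        | where isnotempty(SourceSpecificParser));
    let ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
    let NetworkSessionsGeneric=(
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        srcipaddr_has_any_prefix:dynamic=dynamic([]),
        dstipaddr_has_any_prefix:dynamic=dynamic([]),
        ipaddr_has_any_prefix:dynamic=dynamic([]),
        dstportnumber:int=int(null),
        hostname_has_any:dynamic=dynamic([]),
        dvcaction:dynamic=dynamic([]),
        eventresult:string='*',
        pack:bool=false)
    {
        union
            vimNetworkSessionEmpty,
            vimNetworkSessionMicrosoft365Defender (
                starttime=starttime,
                endtime=endtime,
                srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
                dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
                ipaddr_has_any_prefix=ipaddr_has_any_prefix,
                dstportnumber=dstportnumber,
                hostname_has_any=hostname_has_any,
                dvcaction=dvcaction,
                eventresult=eventresult,
                disabled=ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )),
            vimNetworkSessionMicrosoftWindowsEventFirewall (
                starttime=starttime,
                endtime=endtime,
                srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
                dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
                ipaddr_has_any_prefix=ipaddr_has_any_prefix,
                dstportnumber=dstportnumber,
                hostname_has_any=hostname_has_any,
                dvcaction=dvcaction,
                eventresult=eventresult,
                disabled=ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) )),
            vimNetworkSessionMicrosoftSecurityEventFirewall (
                starttime=starttime,
                endtime=endtime,
                srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
                dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
                ipaddr_has_any_prefix=ipaddr_has_any_prefix,
                dstportnumber=dstportnumber,
                hostname_has_any=hostname_has_any,
                dvcaction=dvcaction,
                eventresult=eventresult,
                disabled=ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) )),
            vimNetworkSessionCorelightZeek (
                starttime=starttime,
                endtime=endtime,
                srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
                dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
                ipaddr_has_any_prefix=ipaddr_has_any_prefix,
                dstportnumber=dstportnumber,
                hostname_has_any=hostname_has_any,
                dvcaction=dvcaction,
                eventresult=eventresult,
                disabled=ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) )),
            vimNetworkSessionMicrosoftSysmonWindowsEvent (
                starttime=starttime,
                endtime=endtime,
                srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
                dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
                ipaddr_has_any_prefix=ipaddr_has_any_prefix,
                dstportnumber=dstportnumber,
                // hostname_has_any and dvcaction were previously passed to each
                // other's parameter, so a hostname filter was applied as an action
                // filter (and vice versa) for the Sysmon source only — silently
                // dropping or mis-scoping its events in filtered queries.
                hostname_has_any=hostname_has_any,
                dvcaction=dvcaction,
                eventresult=eventresult,
                disabled=ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))
    };
    NetworkSessionsGeneric(
        starttime=starttime,
        endtime=endtime,
        srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
        dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,
        ipaddr_has_any_prefix=ipaddr_has_any_prefix,
        dstportnumber=dstportnumber,
        hostname_has_any=hostname_has_any,
        dvcaction=dvcaction,
        eventresult=eventresult,
        pack=pack)
}

.create-or-alter function with (skipvalidation=true) vimNetworkSessionCorelightZeek( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string) [ false, true, 'Inbound', true, false, 'Outbound', true, true, 'Local', false, false, 'External' ]; let ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string) [ 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational', 'S1', 'Success', '', 'Connection established, not terminated', 'Informational', 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', 'REJ', 'Failure', 'Rejected', 'Connection attempt rejected', 'Low', 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low', 'S3',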
'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low', 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low', 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low', 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low', 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low', 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low', 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low', 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational' ]; let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false ) { let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); Corelight_CL | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime) and not(disabled) and (array_length(hostname_has_any) == 0) and (array_length(dvcaction) == 0) and log_type in ("conn", "conn_red") and (array_length(ip_any)==0 or has_any_ipv4_prefix(id_orig_h, ip_any) or has_any_ipv4_prefix(id_resp_h, ip_any)) and (isnull(dstportnumber) or id_resp_p == dstportnumber) | project TimeGenerated, ParsedMessage, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto, community_id | extend conn_state = tostring(ParsedMessage.conn_state) | 
lookup ResultLookup on conn_state | where (eventresult == "*" or eventresult == EventResult) | extend DvcHostname = coalesce(tostring(ParsedMessage.["_system_name"]), tostring(ParsedMessage.host.hostname)), EventStartTime = todatetime(ParsedMessage.ts), EventEndTime = todatetime(ParsedMessage.["_write_ts"]), EventOriginalUid = uid, SrcIpAddr = id_orig_h, SrcPortNumber = id_orig_p, DstIpAddr = id_resp_h, DstPortNumber = id_resp_p, NetworkProtocol = proto, NetworkApplicationProtocol = tostring(ParsedMessage.service), NetworkDuration = toint(ParsedMessage.duration), SrcBytes = tolong(ParsedMessage.orig_bytes), DstBytes = tolong(ParsedMessage.resp_bytes), local_orig = tobool(ParsedMessage.local_orig), local_resp = tobool(ParsedMessage.local_resp), FlowMissedBytes = tolong(ParsedMessage.missed_bytes), FlowHistory = tostring(ParsedMessage.history), SrcPackets = tolong(ParsedMessage.orig_pkts), DstPackets = tolong(ParsedMessage.resp_pkts), SrcMacAddr = tostring(ParsedMessage.orig_l2_addr), DstMacAddr = tostring(ParsedMessage.resp_l2_addr), NetworkSessionId = community_id, DstVlanId = tostring(ParsedMessage.vlan), SrcVlanId = tostring(ParsedMessage.inner_vlan) | project-away ParsedMessage, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto, community_id | extend EventCount=int(1), EventProduct="Zeek", EventVendor="Corelight", EventSchema = "NetworkSession", EventSchemaVersion="0.2.4", EventType="Flow", ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", has_any_ipv4_prefix(SrcIpAddr,src_or_any) and has_any_ipv4_prefix(DstIpAddr,dst_or_any), "Both", has_any_ipv4_prefix(SrcIpAddr,src_or_any), "SrcIpAddr", has_any_ipv4_prefix(DstIpAddr,dst_or_any), "DstIpAddr", "No match" ) | where ASimMatchingIpAddr != "No match" | lookup NetworkDirectionLookup on local_orig, local_resp | extend NetworkBytes = SrcBytes + DstBytes, NetworkPackets = SrcPackets + DstPackets, NetworkProtocol = toupper(NetworkProtocol), IpAddr=SrcIpAddr, 
Src=SrcIpAddr, Duration=NetworkDuration, SessionId = NetworkSessionId, InnerVlanId = SrcVlanId, OuterVlanId = DstVlanId, Dst=DstIpAddr, Dvc=DvcHostname | project-away local_orig, local_resp, conn_state }; parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) } .create-or-alter function with (skipvalidation=true) vimNetworkSessionEmpty { let parser=datatable( TimeGenerated:datetime, _ResourceId:string, Type:string, EventMessage:string, EventStartTime:datetime, EventType:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string, EventOriginalSeverity:string, EventOriginalUid:string, EventOriginalType:string, EventOriginalSubType:string, EventProductVersion:string, EventSchema:string, EventSchemaVersion:string, Dvc:string, DvcHostname:string, DvcDomainType:string, DvcId:string, DvcMacAddr:string, DvcDescription:string, Dst:string, DstPortNumber:int, Hostname:string, DstDomain:string, DstDomainType:string, DstDvcId:string, DstDeviceType:string, DstUserIdType:string, User:string, DstUserType:string, DstOriginalUserType:string, DstAppName:string, DstAppType:string, DstInterfaceName:string, DstInterfaceGuid:string, DstGeoCountry:string, DstGeoCity:string, DstGeoLongitude:real, SrcIpAddr:string, SrcHostname:string, SrcDomain:string, SrcDomainType:string, SrcDvcId:string, SrcDeviceType:string, SrcUserIdType:string, SrcUsernameType:string, SrcOriginalUserType:string, SrcAppName:string, IpAddr:string, SrcZone:string, SrcInterfaceName:string, SrcInterfaceGuid:string, SrcGeoCountry:string, SrcGeoRegion: string, SrcGeoLongitude:real, NetworkApplicationProtocol:string, NetworkProtocol:string, NetworkProtocolVersion:string, NetworkDirection:string, Duration:int, 
NetworkIcmpType:string, SrcBytes:long, DstPackets:long, NetworkPackets:long, NetworkSessionId:string, NetworkConnectionHistory:string, DstVlanId:string, OuterVlanId: string, DstNatIpAddr:string, SrcNatIpAddr:string, DvcInboundInterface:string, DvcOutboundInterface:string, NetworkRuleNumber:int, DvcAction:string, DvcOriginalAction:string, ThreatName:string, ThreatRiskLevel:int, ThreatOriginalRiskLevel:string, DvcSubscriptionId:string, SrcSubscriptionId:string, DstSubscriptionId:string )[]; parser }

.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoft365Defender( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
// ASIM NetworkSession filtering parser for Microsoft 365 Defender DeviceNetworkEvents.
// Parameter contract as for the sibling vimNetworkSession* parsers. This source has no device action,
// so a non-empty dvcaction yields no rows. Only IPv4 prefixes are matched.
let M365Defender= (starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false ){
// ActionType -> NetworkDirection; Outbound decides which side the reporting device (LocalIP) is on.
// lookup is leftouter, so an ActionType not listed here gets a null Outbound and is dropped by the select_outbound test.
let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[ 'ConnectionSuccess','Outbound', true ,'ConnectionFailed', 'Outbound', true ,'ConnectionRequest','Outbound', true ,'InboundConnectionAccepted', 'Inbound', false ,'ConnectionFound', 'Unknown', false ,'ListeningConnectionCreated', 'Listen', false ];
// Effective prefix lists: a prefix given in ipaddr_has_any_prefix applies to both sides.
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
// Stage shared by both directions; select_outbound picks the outbound (true) or inbound (false) rows.
let RawNetworkEvents = (select_outbound:boolean) {
DeviceNetworkEvents
| where (isnull(starttime) or Timestamp>=starttime) and (isnull(endtime) or Timestamp<=endtime)
| where not(disabled)
| lookup DirectionLookup on ActionType
| where Outbound == select_outbound
| project-away AppGuardContainerId, LocalIPType, RemoteIPType
// Coarse hostname pre-filter on the whole RemoteUrl/DeviceName strings; per-side matching happens in the callers below.
|where (array_length(dvcaction)==0 ) and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort) and (array_length(hostname_has_any)==0 or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any) )
// Src/Dst roles depend on direction: LocalIP is the source of an outbound session and the destination of an inbound one.
| extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", ((Outbound and has_any_ipv4_prefix(LocalIP,src_or_any)) or (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))) and ((not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any)) or (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))), "Both", (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any)) or (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any)), "SrcIpAddr", (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any)) or (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any)), "DstIpAddr", "No match" )
| where ASimMatchingIpAddr != "No match"
| extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')
| where (eventresult=='*' or EventResult==eventresult)
| extend EventOriginalUid = tostring(ReportId), EventCount = int(1), EventProduct = 'M365 Defender for Endpoint', EventVendor = 'Microsoft', EventSchema = 'NetworkSession', EventSchemaVersion = '0.2.3', EventStartTime = Timestamp, EventEndTime = Timestamp, TimeGenerated = Timestamp, EventType = 'NetworkSession', EventSeverity = "Informational", DvcIdType = 'MDEid'
| project-away ReportId, Outbound
| project-rename EventOriginalResultDetails = ActionType
// Strips only the scheme. NOTE(review): a path or port left in RemoteUrl flows into UrlHostname/UrlDomain below - confirm acceptable.
| extend RemoteUrl = extract (@"(?:https?://)?(.*)", 1, RemoteUrl)
| extend User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)), UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'), SplitHostname = split(DeviceName,"."), SplitUrl = split(RemoteUrl,"."), NetworkProtocol = case ( Protocol startswith "Tcp", "TCP", Protocol == "Unknown", "", toupper(Protocol) )
| project-away Protocol
// First label is the hostname, the remainder the domain; the FQDN is set only when the name contains a dot.
| extend DvcHostname = tostring(SplitHostname[0]), DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')), DvcFQDN = iif (DeviceName contains ".", DeviceName, ""), UrlHostname = tostring(SplitUrl[0]), UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')), UrlFQDN = iif(RemoteUrl contains ".", RemoteUrl, "")
| project-away RemoteUrl, DeviceName
| extend DvcDomainType = iif(DvcFQDN != "", "FQDN", ""), UrlDomainType = iff(UrlFQDN != "", "FQDN", ""), DvcIpAddr = LocalIP, Dvc = DvcHostname
| project-rename DvcId = DeviceId
| project-away SplitUrl, SplitHostname
};
// Outbound: the device and its initiating process are the source; the remote URL is the destination.
let OutboundNetworkEvents = RawNetworkEvents (true)
| where (isnull(dstportnumber) or dstportnumber==RemotePort)
| extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,"-", UrlHostname has_any(hostname_has_any) and DvcHostname has_any(hostname_has_any), "Both", UrlHostname has_any(hostname_has_any), "DstHostname", DvcHostname has_any(hostname_has_any), "SrcHostname", "No match" )
| where ASimMatchingHostname != "No match"
| project-rename DstIpAddr = RemoteIP, SrcIpAddr = LocalIP, DstPortNumber = RemotePort, SrcPortNumber = LocalPort, SrcUsernameType = UsernameType, SrcUserAadId = InitiatingProcessAccountObjectId, SrcUserId = InitiatingProcessAccountSid, SrcUserUpn = InitiatingProcessAccountUpn
// S-1-0-0 is the null SID and is reported as no user id.
| extend SrcUsername = User, SrcDvcId = DvcId, SrcDvcIdType = 'MDEid', SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstHostname = UrlHostname
| project-rename DstDomain = UrlDomain, DstFQDN = UrlFQDN, DstDomainType = UrlDomainType
| extend SrcHostname = DvcHostname, SrcDomain = DvcDomain, SrcFQDN = DvcFQDN, SrcDomainType = DvcDomainType, SrcProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId)
| project-rename SrcProcessName = InitiatingProcessFileName, SrcProcessCommandLine = InitiatingProcessCommandLine, SrcProcessCreationTime = InitiatingProcessCreationTime, SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel, SrcProcessTokenElevation = InitiatingProcessTokenElevation, ParentProcessName = InitiatingProcessParentFileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime
| extend Process = SrcProcessName, ProcessId = SrcProcessId, SrcAppName = SrcProcessName, SrcAppType = "Process" ;
// Inbound: the remote URL is the source; the device and its listening process are the destination.
// NOTE(review): unlike the outbound branch, rows marked No match are not removed here, the empty-filter marker is an
// empty string rather than a dash, and DstUserIdType is SID even for the S-1-0-0 null SID - confirm these asymmetries are intended.
let InboundNetworkEvents = RawNetworkEvents (false)
| where (isnull(dstportnumber) or dstportnumber==LocalPort)
|extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,"", UrlHostname has_any(hostname_has_any), "SrcHostname", DvcHostname has_any(hostname_has_any), "DstHostname", "No match" )
| project-rename SrcIpAddr = RemoteIP, DstIpAddr = LocalIP, SrcPortNumber = RemotePort, DstPortNumber = LocalPort, DstUsernameType = UsernameType, DstUserAadId = InitiatingProcessAccountObjectId, DstUserId = InitiatingProcessAccountSid, DstUserUpn = InitiatingProcessAccountUpn, SrcDomain = UrlDomain, SrcFQDN = UrlFQDN, SrcDomainType = UrlDomainType
| extend DstUsername = User, DstDvcId = DvcId, DstDvcIdType = 'MDEid', DstUserIdType = 'SID', SrcHostname = UrlHostname, DstHostname = DvcHostname, DstDomain = DvcDomain, DstFQDN = DvcFQDN, DstProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId)
| project-rename DstProcessName = InitiatingProcessFileName, DstProcessCommandLine = InitiatingProcessCommandLine, DstProcessCreationTime = InitiatingProcessCreationTime, DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel, DstProcessTokenElevation = InitiatingProcessTokenElevation, ParentProcessName = InitiatingProcessParentFileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime
| extend Process = DstProcessName, DstAppName = DstProcessName, DstAppType = "Process" ;
union InboundNetworkEvents, OutboundNetworkEvents
| project-rename Hostname = UrlHostname
| extend IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr
};
M365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)
}

.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftSecurityEventFirewall( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
// ASIM NetworkSession filtering parser for Windows Filtering Platform audit events (5152, 5154-5159) read from SecurityEvent.
// Lookup tables: WFP layer codes, IP protocol numbers, and WFP direction codes (isOutBound drives Src/Dst assignment).
let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[ '%%14596', 'IP Packet', '%%14597', 'Transport', '%%14598', 'Forward', '%%14599', 'Stream', '%%14600', 'Datagram Data', '%%14601', 'ICMP Error', '%%14602', 'MAC 802.3', '%%14603', 'MAC Native', '%%14604', 'vSwitch', '%%14608', 'Resource Assignment', '%%14609', 'Listen', '%%14610', 'Receive/Accept', '%%14611', 'Connect', '%%14612', 'Flow Established', '%%14614', 'Resource Release', '%%14615', 'Endpoint Closure', '%%14616', 'Connect Redirect', '%%14617', 'Bind Redirect', '%%14624', 'Stream Packet'];
let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[ 1, 'ICMP', 3, 'GGP', 6, 'TCP', 8, 'EGP', 12, 'PUP', 17, 'UDP', 20, 'HMP', 27, 'RDP', 46, 'RSVP', 47, 'PPTP data over GRE', 50, 'ESP', 51, 'AH', 66, 'RVD', 88, 'IGMP', 89, 'OSPF'];
let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[ '%%14592', 'Inbound', false, '%%14593', 'Outbound', true, '%%14594', 'Forward',false, '%%14595', 'Bidirectional', false, '%%14609', 'Listen', false];
let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null),
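srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false ) {
// Inner parser for Windows Filtering Platform events 5152 and 5154-5159 read from SecurityEvent.
// Effective prefix lists: a prefix given in ipaddr_has_any_prefix applies to both sides; only IPv4 prefixes are matched.
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
// Filters common to every event-ID branch are applied once here, so that disabled, the time window, the hostname
// filter and the eventresult selector cannot be skipped by an individual branch.
// This source carries no hostname, so a non-empty hostname_has_any yields no rows, as in the sibling parsers.
// EventResult follows the event ID: 5154, 5156 and 5158 are the permitted variants, the others are blocked.
let SecurityEventProjected = SecurityEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)
| where EventID in (5152, 5154, 5155, 5156, 5157, 5158, 5159)
| where (array_length(hostname_has_any)==0 )
| extend EventResult = iff(EventID in (5154, 5156, 5158), "Success", "Failure")
| where (eventresult=='*' or EventResult==eventresult)
| project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type, SourceAddress, DestAddress, EventResult ;
// 5152: packet dropped. The EventData term match on the port is a cheap pre-filter; the exact DstPortNumber test runs after the union.
// NOTE(review): dvcaction is a dynamic array, so comparing it with a string using == tests the whole array;
// the in operator form used elsewhere in this script tests membership - confirm which semantics is intended (same in the two branches below).
let SecurityEvent_5152 = SecurityEventProjected
| where EventID==5152
|where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) and (array_length(ip_any)==0 or has_any_ipv4_prefix(SourceAddress, ip_any) or has_any_ipv4_prefix(DestAddress, ip_any) or (isempty(SourceAddress) and isempty(DestAddress) and has_any_ipv4_prefix(EventData, ip_any)) ) and (array_length(dvcaction)==0 or (dvcaction=='Deny') )
| extend ProcessId = tostring(EventData.ProcessId), Application = tostring(EventData.Application), DirectionCode = tostring(EventData.Direction), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), DstIpAddr = tostring(EventData.DestAddress), DstPortNumber = toint(EventData.DestPort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID)
| extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", has_any_ipv4_prefix(SrcIpAddr,src_or_any) and has_any_ipv4_prefix(DstIpAddr,dst_or_any), "Both", has_any_ipv4_prefix(SrcIpAddr,src_or_any), "SrcIpAddr", has_any_ipv4_prefix(DstIpAddr,dst_or_any), "DstIpAddr", "No match" )
| where ASimMatchingIpAddr != "No match"
| project-away EventData ;
// 5154/5155 (listen permitted/blocked) and 5158/5159 (bind permitted/blocked) describe a local endpoint only, so they
// cannot satisfy a destination prefix or port filter, and DirectionCode is fixed to the Listen code.
let SecurityEvent_5154_5155_5158_5159 = SecurityEventProjected
| where EventID in (5154, 5155, 5158, 5159)
|where (array_length(dstipaddr_has_any_prefix)==0 ) and (isnull(dstportnumber) ) and (array_length(ip_any)==0 or has_any_ipv4_prefix(EventData ,ip_any) ) and (array_length(dvcaction)==0 or (dvcaction=='Allow' and EventID in (5154,5158)) or (dvcaction=='Deny' and EventID !in (5154,5158)) )
| extend ProcessId = tostring(EventData.ProcessId), Application = tostring(EventData.Application), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID), DirectionCode = "%%14609"
| extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", has_any_ipv4_prefix(SrcIpAddr,src_or_any), "SrcIpAddr", "No match" )
// The EventData pre-filter above matches any IPv4 field; drop rows whose SourceAddress itself did not match, as the other branches do.
| where ASimMatchingIpAddr != "No match"
| project-away EventData ;
// 5156/5157 (connection permitted/blocked). Note that the ProcessID key of these events differs in case from the other event IDs.
let SecurityEvent_5156_5157 = SecurityEventProjected
| where EventID in (5156, 5157)
| where (array_length(dvcaction)==0 or (dvcaction=='Allow' and EventID == 5156) or (dvcaction=='Deny' and EventID <> 5156) )
| extend ProcessId = tostring(EventData.ProcessID), Application = tostring(EventData.Application), DirectionCode = tostring(EventData.Direction), SrcIpAddr = tostring(EventData.SourceAddress), SrcPortNumber = toint(EventData.SourcePort), DstIpAddr = tostring(EventData.DestAddress), DstPortNumber = toint(EventData.DestPort), Protocol = toint(EventData.Protocol), NetworkRuleNumber = toint(EventData.FilterRTID), LayerCode = tostring(EventData.LayerName), LayerRTID = tostring(EventData.LayerRTID), RemoteUserID = tostring(EventData.RemoteUserID), RemoteMachineID = tostring(EventData.RemoteMachineID)
| project-away EventData
| extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", has_any_ipv4_prefix(SrcIpAddr,src_or_any) and has_any_ipv4_prefix(DstIpAddr,dst_or_any), "Both", has_any_ipv4_prefix(SrcIpAddr,src_or_any), "SrcIpAddr", has_any_ipv4_prefix(DstIpAddr,dst_or_any), "DstIpAddr", "No match" )
| where ASimMatchingIpAddr != "No match" ;
union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152
// Direction decides on which side the reporting host, its process and the remote identifiers land.
// RemoteUserID/RemoteMachineID exist only on 5156/5157 rows; the union leaves them null for the other event IDs.
| lookup Directions on DirectionCode
| project-rename DvcHostname = Computer
| extend SrcAppName = iff(isOutBound, Application, ""), DstAppName = iff(not(isOutBound), Application, ""), SrcDvcId = iff(isOutBound, RemoteMachineID, ""), DstDvcId = iff(not(isOutBound), RemoteMachineID, ""), SrcProcessId = iff(isOutBound, tostring(ProcessId), ""), DstProcessId = iff(not(isOutBound), tostring(ProcessId), ""), DstUserId = iff(isOutBound, RemoteUserID, ""), SrcUserId = iff(not(isOutBound), RemoteUserID, ""), DstHostname = iff(isOutBound, "", DvcHostname), SrcHostname = iff(isOutBound, DvcHostname, "")
| project-away Application, RemoteMachineID, ProcessId, RemoteUserID
| where (isnull(dstportnumber) or DstPortNumber == dstportnumber )
// S-1-0-0 is the null SID and is reported as no user id.
| extend DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"), DvcOs = 'Windows', DstAppType = "Process", SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstUserIdType = iff (DstUserId <> "S-1-0-0", "SID", ""), DstUserId = iff (DstUserId <> "S-1-0-0", DstUserId, ""), SrcAppType = "Process", EventType = "NetworkSession", EventSchema = "NetworkSession", EventSchemaVersion="0.2.3", EventCount=toint(1), EventVendor = "Microsoft", EventProduct = "Windows Firewall", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventSeverity = iff(EventID in (5154, 5156, 5158), "Informational", "Low"), Dvc = DvcHostname, Hostname = DvcHostname, IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr, Rule = tostring(NetworkRuleNumber), DstDvcIdType = iff (DstDvcId != "", "SID", ""), SrcDvcIdType = iff (SrcDvcId != "", "SID", "")
| lookup LayerCodeTable on LayerCode
| lookup ProtocolTable on Protocol
| project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId
};
parser(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)
}

.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['dvcaction']:dynamic=dynamic([]), ['hostname_has_any']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) {
// ASIM NetworkSession filtering parser for Sysmon event 3 (network connection) delivered through WindowsEvent.
// Parameter contract as for the sibling vimNetworkSession* parsers. This source has no device action and every
// event is a success, so a non-empty dvcaction, or an eventresult other than * or Success, yields no rows.
// NOTE(review): the public parameter order here is dstportnumber, dvcaction, hostname_has_any, unlike the sibling parsers.
// A caller earlier in this script passes dvcaction=hostname_has_any, hostname_has_any=dvcaction, which looks swapped - verify.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), srcipaddr_has_any_prefix: dynamic=dynamic([]), dstipaddr_has_any_prefix: dynamic=dynamic([]), ipaddr_has_any_prefix: dynamic=dynamic([]), dstportnumber: int=int(null), hostname_has_any: dynamic=dynamic([]), dvcaction: dynamic=dynamic([]), eventresult: string='*', disabled: bool=false ) {
// Effective prefix lists: a prefix given in ipaddr_has_any_prefix applies to both sides; only IPv4 prefixes are matched.
let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);
let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);
let Sysmon3_WindowsEvent=WindowsEvent
| where not(disabled)
| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
| where (eventresult == '*' or eventresult == 'Success') and array_length(dvcaction) == 0
| where Provider == "Microsoft-Windows-Sysmon" and EventID == 3
| project EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId
// NOTE(review): Sysmon event 3 names the source host field SourceHostname (DestinationHostname is read here);
// confirm SrcHostname is really the key present in EventData, otherwise SrcHostname is always empty.
| extend SourceIp = tostring(EventData.SourceIp), DestinationIp = tostring(EventData.DestinationIp), DstHostname = tostring(EventData.DestinationHostname), SrcHostname = tostring(EventData.SrcHostname), RuleName = tostring(EventData.RuleName), UtcTime = todatetime(EventData.UtcTime), ProcessId = tostring(EventData.ProcessId), Image = tostring(EventData.Image), User = tostring(EventData.User), Protocol = tostring(EventData.Protocol), Initiated = tobool(EventData.Initiated), SourceIsIpv6 = tobool(EventData.SourceIsIpv6), SourcePort = toint(EventData.SourcePort), SourcePortName = tostring(EventData.SourcePortName), DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6), DestinationPort = toint(EventData.DestinationPort), DestinationPortName = tostring(EventData.DestinationPortName)
// Each filter is parenthesised on its own: and binds tighter than or, so without the parentheses a port or
// hostname match could bypass the IP-prefix filter (and vice versa).
| where (array_length(ip_any) == 0 or has_any_ipv4_prefix(EventData, ip_any))
    and (isnull(dstportnumber) or dstportnumber == DestinationPort)
    and (array_length(hostname_has_any) == 0 or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any))
| extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-" , has_any_ipv4_prefix(SourceIp, src_or_any) and has_any_ipv4_prefix(DestinationIp, dst_or_any), "Both" , has_any_ipv4_prefix(SourceIp, src_or_any), "SrcIpAddr" , has_any_ipv4_prefix(DestinationIp, dst_or_any), "DstIpAddr" , "No match" )
| where ASimMatchingIpAddr != "No match"
| parse EventData.ProcessGuid with "{" ProcessGuid "}"
| project-away EventData;
Sysmon3_WindowsEvent
| extend AppName = tostring(split(Image, "\\")[-1])
// The initiating process and user go to the Dst side when Initiated is true and to the Src side otherwise.
// NOTE(review): DvcIpAddr below takes SrcIpAddr when Initiated is true, i.e. the reporting device is the source,
// while its process/user land in Dst* and DvcHostname takes the remote DstHostname - confirm the intended direction semantics.
| extend SrcUsernameType = iff(not(Initiated), "Windows", ""), SrcUsername = iff(not(Initiated), tostring(User), ""), SrcProcessId = iff(not(Initiated), tostring(ProcessId), ""), SrcProcessGuid = iff(not(Initiated), ProcessGuid, ""), SrcProcessName = iff(not(Initiated), tostring(Image), ""), SrcAppName = iff(not(Initiated), AppName, ""), SrcAppType = iff(not(Initiated), 'Process', ""), DstUsernameType = iff(Initiated, "Windows", ""), DstUsername = iff(Initiated, tostring(User), ""), DstProcessId = iff(Initiated, tostring(ProcessId), ""), DstProcessGuid = iff(Initiated, ProcessGuid, ""), DstProcessName = iff(Initiated, tostring(Image), ""), DstAppName = iff(Initiated, AppName, ""), DstAppType = iff(Initiated, 'Process', "")
| project-away ProcessId, ProcessGuid, Image, AppName
| project-rename EventStartTime = UtcTime, Dvc = Computer, SrcIpAddr = SourceIp, DstIpAddr = DestinationIp, DstPortNumber = DestinationPort, SrcPortNumber = SourcePort, NetworkRuleName = RuleName
| extend EventEndTime = EventStartTime, Hostname = case( Initiated, DstHostname, not(Initiated), SrcHostname, Dvc ), Src = SrcIpAddr, Dst = DstIpAddr, DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr), IpAddr = SrcIpAddr, EventType = 'EndpointNetworkSession', EventCount = int(1), EventVendor = 'Microsoft', EventSchemaVersion = '0.2.5', EventSchema = 'NetworkSession', EventProduct = 'Sysmon', EventResult = 'Success', EventSeverity = 'Informational', DvcOs = 'Windows', Protocol = toupper(Protocol), EventOriginalType = '3'
| extend DvcHostname = Hostname
// A dash placeholder is normalised to empty before FQDN resolution.
| extend SrcHostname = iff(SrcHostname == "-", "", SrcHostname), DvcHostname = iff(DvcHostname == "-", "", DvcHostname), DstHostname = iff(DstHostname == "-", "", DstHostname)
| project-rename TmpSrcHostname = SrcHostname, TmpDvcHostname = DvcHostname, TmpDstHostname = DstHostname
| invoke _ASIM_ResolveSrcFQDN('TmpSrcHostname')
| invoke _ASIM_ResolveDvcFQDN('TmpDvcHostname')
| invoke _ASIM_ResolveDstFQDN('TmpDstHostname')
| project-away TmpSrcHostname, TmpDvcHostname, TmpDstHostname
| extend NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), "IPV6", "IPV4"), NetworkProtocol = toupper(Protocol)
| project-away Destination*, Initiated, Protocol, Source*, _ResourceId
};
parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)
}

.create-or-alter function with (skipvalidation=true) vimNetworkSessionMicrosoftWindowsEventFirewall( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['disabled']:bool=false) { let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[ '%%14596', 'IP Packet', '%%14597', 'Transport', '%%14598', 'Forward', '%%14599', 'Stream', '%%14600', 'Datagram Data', '%%14601', 'ICMP Error', '%%14602', 'MAC 802.3', '%%14603', 'MAC Native', '%%14604', 'vSwitch', '%%14608', 'Resource Assignment', '%%14609', 'Listen', '%%14610', 'Receive/Accept', '%%14611', 'Connect', '%%14612', 'Flow Established', '%%14614', 'Resource Release', '%%14615', 'Endpoint Closure', '%%14616', 'Connect Redirect', '%%14617', 'Bind Redirect', '%%14624', 'Stream Packet']; let ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[ 1, 'ICMP', 3, 'GGP', 6, 'TCP', 8, 'EGP', 12, 'PUP', 17, 'UDP', 20, 'HMP', 27, 'RDP', 46, 'RSVP', 47, 'PPTP data over GRE', 50, 'ESP', 51, 'AH', 66, 'RVD', 88, 'IGMP', 89, 'OSPF']; let Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[ '%%14592', 'Inbound', false, '%%14593', 'Outbound', true, '%%14594', 'Forward',false, '%%14595', 'Bidirectional', false,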
'%%14609', 'Listen', false]; let parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false) { let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); WindowsEvent | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type, SourceAddress, DestAddress | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime) |where not(disabled) | where EventID between (5150 .. 5159) | extend EventResult = iff(EventID in (5154, 5156, 5158), "Success", "Failure") | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) and (array_length(ip_any)==0 or has_any_ipv4_prefix(SourceAddress, ip_any) or has_any_ipv4_prefix(DestAddress, ip_any) or (isempty(SourceAddress) and isempty(DestAddress) and has_any_ipv4_prefix(EventData, ip_any))) and (array_length(hostname_has_any)==0 ) and (array_length(dvcaction)==0 ) and (eventresult=='*' or EventResult==eventresult) | extend SrcIpAddr = tostring(EventData.SourceAddress), DstIpAddr = tostring(EventData.DestAddress) | extend ASimMatchingIpAddr = case( array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, "-", has_any_ipv4_prefix(SrcIpAddr,src_or_any) and has_any_ipv4_prefix(DstIpAddr,dst_or_any), "Both", has_any_ipv4_prefix(SrcIpAddr,src_or_any), "SrcIpAddr", has_any_ipv4_prefix(DstIpAddr,dst_or_any), "DstIpAddr", "No match" ) | where ASimMatchingIpAddr != "No match" | extend EventSeverity=tostring(EventData.Severity), LayerCode = tostring(EventData.LayerName), 
NetworkRuleNumber = toint(EventData.FilterRTID), Protocol = toint(EventData.Protocol), DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), "%%14609",tostring(EventData.Direction)) | lookup Directions on DirectionCode | project-rename DvcHostname = Computer | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), ""), DstAppName = iff(not(isOutBound), tostring(EventData.Application), ""), SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), ""), DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), ""), SrcPortNumber = toint(EventData.SourcePort), DstPortNumber = toint(EventData.DestPort), SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), ""), DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), ""), DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), ""), SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), ""), DstHostname = iff(isOutBound, "", DvcHostname), SrcHostname = iff(isOutBound, DvcHostname, "") | project-away EventData | where (isnull(dstportnumber) or DstPortNumber == dstportnumber ) | extend DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"), DvcOs = 'Windows', DstAppType = "Process", SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", ""), SrcUserId = iff (SrcUserId <> "S-1-0-0", SrcUserId, ""), DstUserIdType = iff (DstUserId <> "S-1-0-0", "SID", ""), DstUserId = iff (DstUserId <> "S-1-0-0", DstUserId, ""), SrcAppType = "Process", EventType = "NetworkSession", EventSchema = "NetworkSession", EventSchemaVersion="0.2.3", EventCount=toint(1), EventVendor = "Microsoft", EventProduct = "Windows Firewall", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventSeverity = iff(EventID in (5154, 5156, 5158), "Informational", "Low"), Dvc = DvcHostname, Hostname = DvcHostname, IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr, Rule = tostring(NetworkRuleNumber), DstDvcIdType = iff (DstDvcId != "", "SID", ""), SrcDvcIdType = iff (SrcDvcId != 
"", "SID", "") | lookup LayerCodeTable on LayerCode | lookup ProtocolTable on Protocol | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId }; parser( starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimProcessCreateMicrosoftSecurityEvents(['disabled']:bool=false) { vimProcessCreateMicrosoftSecurityEvents(disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimProcessCreateMicrosoftWindowsEvents(['disabled']:bool=false) { vimProcessCreateMicrosoftWindowsEvents(disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimProcessEvent { let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); union vimProcessEmpty, ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )), ASimProcessEventCreateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )), ASimProcessEventTerminateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )), ASimProcessCreateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in 
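(DisabledParsers))),
        ASimProcessTerminateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers))),
        ASimProcessTerminateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers))),
        // NOTE(review): earlier in this union the Sysmon terminate parser is keyed on
        // 'ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' (doubled prefix), so the
        // conventional 'ExcludeASimProcessEventTerminateMicrosoftSysmonWindowsEvent' watchlist entry does not
        // disable it here — confirm the intended key and align it with the other entries.
        ASimProcessCreateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers)))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventCreate {
    // Unifying (parameter-less) ASim ProcessEvent parser restricted to process-creation events.
    // Source parsers are switched off through the 'ASimDisabledParsers' watchlist: rows with SearchKey
    // 'Any' or 'ExcludeASimProcessEventCreate' name the parser to exclude in SourceSpecificParser
    // ('ExcludeASimProcessEventBuiltIn' or 'Any' disables every built-in source at once).
    let DisabledParsers = materialize(
        _GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate')
        | extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
        | distinct SourceSpecificParser);
    let imProcessEventBuiltInDisabled = toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
    union
        vimProcessEmpty,
        ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers))),
        // Sysmon process-creation events (Event ID 1) are a create source in both ASimProcessEvent and
        // imProcessCreate; they were missing from this union, so detections built on ASimProcessEventCreate
        // silently received no Sysmon data.
        ASimProcessEventCreateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers))),
        ASimProcessCreateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers))),
        ASimProcessCreateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers)))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventCreateMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
    // Parameter-less ASim entry point: delegates to the filtering (vim) parser, forwarding only the disable switch.
    vimProcessEventCreateMicrosoftSysmonWindowsEvent(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventMicrosoft365D(['disabled']:bool=false) {
    // Parameter-less ASim entry point: delegates to the filtering (vim) parser, forwarding only the disable switch.
    vimProcessEventMicrosoft365D(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventTerminate {
    // Unifying (parameter-less) ASim ProcessEvent parser restricted to process-termination events.
    // Source parsers are switched off through the 'ASimDisabledParsers' watchlist (SearchKey 'Any' or
    // 'ExcludeASimProcess', parser named in SourceSpecificParser).
    let DisabledParsers = materialize(
        _GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludeASimProcess')
        |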
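extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
        | distinct SourceSpecificParser);
    let imProcessEventBuiltInDisabled = toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
    // NOTE(review): the SearchKey filter above is 'ExcludeASimProcess' (shared with ASimProcessEvent), whereas
    // ASimProcessEventCreate uses a dedicated 'ExcludeASimProcessEventCreate' key — confirm whether a matching
    // 'ExcludeASimProcessEventTerminate' key is intended here.
    union
        vimProcessEmpty,
        ASimProcessEventMicrosoft365D (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers))),
        // The Sysmon process-terminate parser is a terminate source in both ASimProcessEvent and imProcessTerminate
        // but was left out of this union, so callers of ASimProcessEventTerminate silently received no Sysmon data.
        // Both the conventional exclusion key and the doubled-prefix key used by ASimProcessEvent are honoured.
        ASimProcessEventTerminateMicrosoftSysmonWindowsEvent (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers)) or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers))),
        ASimProcessTerminateMicrosoftSecurityEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers))),
        ASimProcessTerminateMicrosoftWindowsEvents (disabled=imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers)))
}
.create-or-alter function with (skipvalidation=true) ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
    // Parameter-less ASim entry point: delegates to the filtering (vim) parser, forwarding only the disable switch.
    vimProcessEventTerminateMicrosoftSysmonWindowsEvent(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessTerminateMicrosoftSecurityEvents(['disabled']:bool=false) {
    // Parameter-less ASim entry point: delegates to the filtering (vim) parser, forwarding only the disable switch.
    vimProcessTerminateMicrosoftSecurityEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) ASimProcessTerminateMicrosoftWindowsEvents(['disabled']:bool=false) {
    // Parameter-less ASim entry point: delegates to the filtering (vim) parser, forwarding only the disable switch.
    vimProcessTerminateMicrosoftWindowsEvents(disabled=disabled)
}
.create-or-alter function with (skipvalidation=true) imProcessCreate(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['commandline_has_any']:dynamic=dynamic([]),
    ['commandline_has_all']:dynamic=dynamic([]),
    ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
    ['actingprocess_has_any']:dynamic=dynamic([]),
    ['targetprocess_has_any']:dynamic=dynamic([]),
    ['parentprocess_has_any']:dynamic=dynamic([]),
    ['targetusername']:string='*',
    ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dvcname_has_any']:dynamic=dynamic([]),
    ['hashes_has_any']:dynamic=dynamic([]),
    ['eventtype']:string='*') {
    // Filtering (im) unifying parser for process-creation events.
    // Every filter is pushed down to each source-specific vim parser. Sources are switched off through the
    // 'ASimDisabledParsers' watchlist: SearchKey 'Any' or 'ExcludeimProcessCreate', with SourceSpecificParser
    // 'ExcludevimProcessCreateBuiltIn' (all built-in sources) or 'Exclude<vimParserName>'.
    let Generic = (
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        commandline_has_any:dynamic=dynamic([]),
        commandline_has_all:dynamic=dynamic([]),
        commandline_has_any_ip_prefix:dynamic=dynamic([]),
        actingprocess_has_any:dynamic=dynamic([]),
        targetprocess_has_any:dynamic=dynamic([]),
        parentprocess_has_any:dynamic=dynamic([]),
        targetusername:string='*',
        dvcipaddr_has_any_prefix:dynamic=dynamic([]),
        dvcname_has_any:dynamic=dynamic([]),
        hashes_has_any:dynamic=dynamic([]),
        eventtype:string='*') {
        let DisabledParsers = materialize(
            _GetWatchlist('ASimDisabledParsers')
            | where SearchKey in ('Any', 'ExcludeimProcessCreate')
            | extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
            | distinct SourceSpecificParser);
        let imBuiltInDisabled = toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
        // The disable switch is passed by name in every call so it binds to the callee's 'disabled' parameter
        // regardless of parameter order.
        union
            vimProcessEmpty,
            vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers)))),
            // NOTE(review): the Sysmon and SecurityEvent create parsers expose no hashes_has_any parameter, so a
            // hash filter is not applied to their rows (they are returned unfiltered) — confirm callers expect that.
            vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),
            vimProcessCreateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers)))),
            vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or ('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers))))
    };
    // dvcname_has_any is forwarded as itself: it used to be fed dvcipaddr_has_any_prefix, which dropped the
    // caller's hostname filter and returned events from every host.
    Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)
}
.create-or-alter function with (skipvalidation=true) imProcessEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null),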
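['commandline_has_any']:dynamic=dynamic([]),
    ['commandline_has_all']:dynamic=dynamic([]),
    ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
    ['actingprocess_has_any']:dynamic=dynamic([]),
    ['targetprocess_has_any']:dynamic=dynamic([]),
    ['parentprocess_has_any']:dynamic=dynamic([]),
    ['actorusername']:string='*',
    ['targetusername']:string='*',
    ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dvcname_has_any']:dynamic=dynamic([]),
    ['hashes_has_any']:dynamic=dynamic([]),
    ['eventtype']:string='*') {
    // Filtering (im) unifying parser over process create and terminate events from all built-in sources.
    // targetusername applies to create parsers, actorusername to terminate parsers. Sources are switched off
    // through the 'ASimDisabledParsers' watchlist: SearchKey 'Any' or 'ExcludeimProcess', with
    // SourceSpecificParser 'ExcludevimProcessEventBuiltIn' (all built-in sources) or 'Exclude<vimParserName>'.
    let Generic = (
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        commandline_has_any:dynamic=dynamic([]),
        commandline_has_all:dynamic=dynamic([]),
        commandline_has_any_ip_prefix:dynamic=dynamic([]),
        actingprocess_has_any:dynamic=dynamic([]),
        targetprocess_has_any:dynamic=dynamic([]),
        parentprocess_has_any:dynamic=dynamic([]),
        actorusername:string='*',
        targetusername:string='*',
        dvcipaddr_has_any_prefix:dynamic=dynamic([]),
        dvcname_has_any:dynamic=dynamic([]),
        hashes_has_any:dynamic=dynamic([]),
        eventtype:string='*') {
        let DisabledParsers = materialize(
            _GetWatchlist('ASimDisabledParsers')
            | where SearchKey in ('Any', 'ExcludeimProcess')
            | extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
            | distinct SourceSpecificParser);
        let imBuiltInDisabled = toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
        // The disable switch is passed by name in every call so it binds to the callee's 'disabled' parameter
        // regardless of parameter order.
        union
            vimProcessEmpty,
            vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers)))),
            vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),
            vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),
            vimProcessCreateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers)))),
            // NOTE(review): this call passes actorusername= and dvcname_has_any=, while the other terminate parsers
            // take actorusername_has= and dvchostname_has_any=; the callee's signature is outside this script
            // section, so the names are kept as-is — verify them against vimProcessTerminateMicrosoftSecurityEvents.
            vimProcessTerminateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers)))),
            vimProcessTerminateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=dynamic([]), disabled=(imBuiltInDisabled or ('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers)))),
            vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or ('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers))))
    };
    Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)
}
.create-or-alter function with (skipvalidation=true) imProcessTerminate(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['commandline_has_any']:dynamic=dynamic([]),
    ['commandline_has_all']:dynamic=dynamic([]),
    ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
    ['actingprocess_has_any']:dynamic=dynamic([]),
    ['targetprocess_has_any']:dynamic=dynamic([]),
    ['parentprocess_has_any']:dynamic=dynamic([]),
    ['actorusername']:string='*',
    ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dvcname_has_any']:dynamic=dynamic([]),
    ['eventtype']:string='*') {
    // Filtering (im) unifying parser for process-termination events. Sources are switched off through the
    // 'ASimDisabledParsers' watchlist: SearchKey 'Any' or 'ExcludeimProcessTerminate', with
    // SourceSpecificParser 'ExcludevimProcessTerminateBuiltIn' (all built-in sources) or 'Exclude<vimParserName>'.
    let Generic = (
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        commandline_has_any:dynamic=dynamic([]),
        commandline_has_all:dynamic=dynamic([]),
        commandline_has_any_ip_prefix:dynamic=dynamic([]),
        actingprocess_has_any:dynamic=dynamic([]),
        targetprocess_has_any:dynamic=dynamic([]),
        parentprocess_has_any:dynamic=dynamic([]),
        actorusername:string='*',
        dvcipaddr_has_any_prefix:dynamic=dynamic([]),
        dvcname_has_any:dynamic=dynamic([]),
        eventtype:string='*') {
        let DisabledParsers = materialize(
            _GetWatchlist('ASimDisabledParsers')
            | where SearchKey in ('Any', 'ExcludeimProcessTerminate')
            | extend SourceSpecificParser = column_ifexists('SourceSpecificParser', '')
            | distinct SourceSpecificParser);
        let imBuiltInDisabled = toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
        union
            vimProcessEmpty,
            vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),
            // NOTE(review): parameter names actorusername= / dvcname_has_any= differ from the other terminate parsers
            // (actorusername_has= / dvchostname_has_any=); the callee is outside this section — verify its signature.
            vimProcessTerminateMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or ('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers)))),
            vimProcessTerminateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=dynamic([]), disabled=(imBuiltInDisabled or ('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers))))
    };
    // Arguments are passed by name (same order as Generic's parameter list) for consistency with the sibling parsers.
    Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype)
}
.create-or-alter function with (skipvalidation=true)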
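vimProcessCreateMicrosoftSecurityEvents(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['commandline_has_any']:dynamic=dynamic([]),
    ['commandline_has_all']:dynamic=dynamic([]),
    ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
    ['actingprocess_has_any']:dynamic=dynamic([]),
    ['targetprocess_has_any']:dynamic=dynamic([]),
    ['parentprocess_has_any']:dynamic=dynamic([]),
    ['targetusername_has']:string='*',
    ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dvchostname_has_any']:dynamic=dynamic([]),
    ['eventtype']:string='*',
    ['disabled']:bool=false) {
    // ASim ProcessEvent (create) parser for Windows Security event 4688 delivered through the SecurityEvent table.
    // Process integrity level SID -> RID / symbolic name / meaning.
    let MandatoryLabelLookup = datatable (MandatoryLabel:string, MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string) [
        'S-1-16-0',     '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID',         'Untrusted',
        'S-1-16-4096',  '0x00001000', 'SECURITY_MANDATORY_LOW_RID',               'Low integrity',
        'S-1-16-8192',  '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID',            'Medium integrity',
        'S-1-16-8448',  '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID',       'Medium high integrity',
        'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID',              'High integrity',
        'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID',            'System integrity',
        'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'
    ];
    // Well-known SIDs whose account name the event reports as '-'.
    let KnownSIDs = datatable (sid:string, username:string, type:string) [
        'S-1-5-18', 'Local System', 'Simple',
        'S-1-0-0',  'Nobody',       'Simple'
    ];
    let UserTypeLookup = datatable (AccountType:string, ActorUserType:string) [
        'User',    'Regular',
        'Machine', 'Machine'
    ];
    let parser = (
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        commandline_has_any:dynamic=dynamic([]),
        commandline_has_all:dynamic=dynamic([]),
        commandline_has_any_ip_prefix:dynamic=dynamic([]),
        actingprocess_has_any:dynamic=dynamic([]),
        targetprocess_has_any:dynamic=dynamic([]),
        parentprocess_has_any:dynamic=dynamic([]),
        targetusername_has:string='*',
        dvcipaddr_has_any_prefix:dynamic=dynamic([]),
        dvchostname_has_any:dynamic=dynamic([]),
        eventtype:string='*',
        disabled:bool=false) {
        SecurityEvent
        | where (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
            and not(disabled)
        | where EventID == 4688
        // 4688 carries neither a grandparent process nor a device IP address, so a non-empty
        // parentprocess_has_any or dvcipaddr_has_any_prefix filter can never match and yields no rows.
        | where (eventtype == '*' or eventtype == 'ProcessCreated')
            and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all))
            and (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any))
            and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix))
            and (array_length(actingprocess_has_any) == 0 or ParentProcessName has_any (actingprocess_has_any))
            and (array_length(targetprocess_has_any) == 0 or NewProcessName has_any (targetprocess_has_any))
            and (array_length(parentprocess_has_any) == 0)
            and (targetusername_has == '*' or TargetAccount has targetusername_has)
            and (array_length(dvcipaddr_has_any_prefix) == 0)
            and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
        | project TimeGenerated, EventID, CommandLine, ParentProcessName, NewProcessName, TargetAccount, Computer, SubjectUserSid, SubjectUserName, SubjectAccount, SubjectDomainName, SubjectLogonId, TargetUserSid, TargetUserName, TargetDomainName, TargetLogonId, AccountType, ProcessId, NewProcessId, SourceComputerId, EventOriginId, TokenElevationType, MandatoryLabel, Type, _ResourceId
        | extend
            EventCount = int(1),
            EventVendor = 'Microsoft',
            EventProduct = 'Security Events',
            EventSchemaVersion = '0.1.3',
            EventSchema = 'ProcessEvent',
            EventResult = 'Success',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = 'ProcessCreated',
            EventOriginalType = tostring(EventID),
            DvcOs = 'Windows'
        // Actor: the account that created the process. A '-' name denotes a well-known SID, resolved via KnownSIDs.
        | lookup KnownSIDs on $left.SubjectUserSid == $right.sid
        | extend
            ActorUsername = iff(SubjectUserName == "-", username, SubjectAccount),
            ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')
        // Target: the account the new process runs as (differs from the actor for runas / service logons).
        // NOTE(review): this second lookup reuses the username/type column names already produced by the
        // first one — confirm the values used below are the target's, not the actor's.
        | lookup KnownSIDs on $left.TargetUserSid == $right.sid
        | extend
            TargetUsername = iff(TargetUserName == "-", username, TargetAccount),
            // Keyed on TargetUserName like TargetUsername itself (and like the Actor pair above), so name and
            // type are always derived from the same field.
            TargetUsernameType = iff(TargetUserName == '-', type, 'Windows')
        | lookup UserTypeLookup on AccountType
        | extend
            ActorUserIdType = 'SID',
            TargetUserIdType = 'SID',
            ActingProcessId = tostring(ProcessId),
            TargetProcessId = NewProcessId,
            TargetProcessCommandLine = CommandLine
        | project-rename
            DvcId = SourceComputerId,
            DvcHostname = Computer,
            ActingProcessName = ParentProcessName,
            TargetProcessName = NewProcessName,
            ActorDomainName = SubjectDomainName,
            ActorUserId = SubjectUserSid,
            ActorSessionId = SubjectLogonId,
            TargetUserId = TargetUserSid,
            TargetUserSessionId = TargetLogonId,
            EventOriginalUid = EventOriginId,
            TargetProcessTokenElevation = TokenElevationType
        | lookup MandatoryLabelLookup on MandatoryLabel
        // Aliases
        | extend
            User = TargetUsername,
            Dvc = DvcHostname,
            Process = TargetProcessName
        // NOTE(review): the MandatoryLabel* columns added by the lookup above match none of these patterns and
        // are dropped here, whereas the WindowsEvent variant keeps them — confirm which behaviour is intended.
        | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId
        | project-away TargetDomainName, TargetUserName, TargetAccount, EventID
    };
    parser (
        starttime=starttime,
        endtime=endtime,
        commandline_has_any=commandline_has_any,
        commandline_has_all=commandline_has_all,
        commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,
        actingprocess_has_any=actingprocess_has_any,
        targetprocess_has_any=targetprocess_has_any,
        parentprocess_has_any=parentprocess_has_any,
        targetusername_has=targetusername_has,
        dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
        dvchostname_has_any=dvchostname_has_any,
        eventtype=eventtype,
        disabled=disabled
    )
}
.create-or-alter function with (skipvalidation=true) vimProcessCreateMicrosoftWindowsEvents(
    ['starttime']:datetime=datetime(null),
    ['endtime']:datetime=datetime(null),
    ['commandline_has_any']:dynamic=dynamic([]),
    ['commandline_has_all']:dynamic=dynamic([]),
    ['commandline_has_any_ip_prefix']:dynamic=dynamic([]),
    ['actingprocess_has_any']:dynamic=dynamic([]),
    ['targetprocess_has_any']:dynamic=dynamic([]),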
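['parentprocess_has_any']:dynamic=dynamic([]),
    ['targetusername_has']:string='*',
    ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]),
    ['dvchostname_has_any']:dynamic=dynamic([]),
    ['eventtype']:string='*',
    ['hashes_has_any']:dynamic=dynamic([]),
    ['disabled']:bool=false) {
    // ASim ProcessEvent (create) parser for Windows Security event 4688 delivered through the WindowsEvent
    // table, where the event fields live in the dynamic EventData column.
    // Last path component of a backslash-separated path.
    let ASIM_GetFilenamePart = (path:string) { tostring(split(path, @'\')[-1]) };
    // Process integrity level SID -> RID / symbolic name / meaning.
    let MandatoryLabelLookup = datatable (MandatoryLabel:string, MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string) [
        'S-1-16-0',     '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID',         'Untrusted',
        'S-1-16-4096',  '0x00001000', 'SECURITY_MANDATORY_LOW_RID',               'Low integrity',
        'S-1-16-8192',  '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID',            'Medium integrity',
        'S-1-16-8448',  '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID',       'Medium high integrity',
        'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID',              'High integrity',
        'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID',            'System integrity',
        'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'
    ];
    let parser = (
        starttime:datetime=datetime(null),
        endtime:datetime=datetime(null),
        commandline_has_any:dynamic=dynamic([]),
        commandline_has_all:dynamic=dynamic([]),
        commandline_has_any_ip_prefix:dynamic=dynamic([]),
        actingprocess_has_any:dynamic=dynamic([]),
        targetprocess_has_any:dynamic=dynamic([]),
        parentprocess_has_any:dynamic=dynamic([]),
        targetusername_has:string='*',
        dvcipaddr_has_any_prefix:dynamic=dynamic([]),
        dvchostname_has_any:dynamic=dynamic([]),
        eventtype:string='*',
        hashes_has_any:dynamic=dynamic([]),
        disabled:bool=false) {
        WindowsEvent
        | where (isnull(starttime) or TimeGenerated >= starttime)
            and (isnull(endtime) or TimeGenerated <= endtime)
            and EventID == 4688
            and not(disabled)
            and (eventtype == '*' or eventtype == 'ProcessCreated')
            // 4688 carries no grandparent process, file hashes or device IP address, so a non-empty filter on
            // any of those can never match and yields no rows.
            and (array_length(parentprocess_has_any) == 0)
            and (array_length(hashes_has_any) == 0)
            and (array_length(dvcipaddr_has_any_prefix) == 0)
            and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all))
            and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any))
            and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix))
            and (array_length(actingprocess_has_any) == 0 or EventData.ParentProcessName has_any (actingprocess_has_any))
            and (array_length(targetprocess_has_any) == 0 or EventData.NewProcessName has_any (targetprocess_has_any))
            // Coarse pre-filter over the whole EventData blob; the exact TargetUsername check is re-applied below.
            and (targetusername_has == '*' or EventData has targetusername_has)
            and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
        | project EventID, EventData, Computer, TimeGenerated
        | project-rename DvcHostname = Computer
        | extend
            EventCount = int(1),
            EventVendor = 'Microsoft',
            EventProduct = 'Security Events',
            EventSchemaVersion = '0.1.0',
            EventSchema = 'ProcessEvent',
            EventResult = 'Success',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = 'ProcessCreated',
            EventOriginalType = tostring(EventID),
            DvcOs = 'Windows',
            ActorUsername = strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName),
            ActorUserId = tostring(EventData.SubjectUserSid)
        // S-1-0-0 ('Nobody') identifies no account: blank it instead of reporting it as a SID.
        | extend
            ActorUserIdType = iff(ActorUserId <> "S-1-0-0", "SID", ""),
            ActorUserId = iff(ActorUserId <> "S-1-0-0", ActorUserId, ""),
            ActorUsernameType = "Windows",
            username = tostring(EventData.TargetUserName)
        // When the event reports no target account ('-'), the new process runs as the actor. Otherwise the target
        // is a different account (runas, service logon) and takes its own domain from TargetDomainName; using the
        // actor's SubjectDomainName here attributed the process to the wrong domain.
        | extend TargetUsername = iff(username == "-", ActorUsername, strcat(EventData.TargetDomainName, @'\', username))
        | where (targetusername_has == '*' or TargetUsername has targetusername_has)
        | extend TargetUserId = iff(username == "-", ActorUserId, tostring(EventData.TargetUserSid))
        | extend
            TargetUserIdType = iff(TargetUserId <> "S-1-0-0", "SID", ""),
            TargetUserId = iff(TargetUserId <> "S-1-0-0", TargetUserId, ""),
            TargetUsernameType = "Windows"
        | project-away username
        // NOTE(review): confirm toint() accepts the logon/process id format carried in EventData — a failed
        // conversion leaves the corresponding field empty here.
        | extend
            TargetUserSid = TargetUserId,
            ActorUserSid = ActorUserId,
            ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),
            TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId),
            ActorSessionId = tostring(toint(EventData.SubjectLogonId)),
            TargetUserSessionId = tostring(toint(EventData.TargetLogonId)),
            ActingProcessId = tostring(toint(EventData.ProcessId)),
            ActingProcessName = tostring(EventData.ParentProcessName),
            TargetProcessId = tostring(toint(EventData.NewProcessId)),
            TargetProcessName = tostring(EventData.NewProcessName),
            TargetProcessCommandLine = tostring(EventData.CommandLine),
            TargetProcessTokenElevation = tostring(EventData.TokenElevationType),
            MandatoryLabel = tostring(EventData.MandatoryLabel)
        | project-away EventData
        | extend
            ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),
            TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)
        | lookup MandatoryLabelLookup on MandatoryLabel
        // Aliases
        | extend
            User = TargetUsername,
            Dvc = DvcHostname,
            Process = TargetProcessName,
            CommandLine = TargetProcessCommandLine
        | project-away EventID
    };
    parser (
        starttime=starttime,
        endtime=endtime,
        commandline_has_any=commandline_has_any,
        commandline_has_all=commandline_has_all,
        commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,
        actingprocess_has_any=actingprocess_has_any,
        targetprocess_has_any=targetprocess_has_any,
        parentprocess_has_any=parentprocess_has_any,
        targetusername_has=targetusername_has,
        dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
        dvchostname_has_any=dvchostname_has_any,
        eventtype=eventtype,
        hashes_has_any=hashes_has_any,
        disabled=disabled
    )
}
.create-or-alter function with (skipvalidation=true) vimProcessEmpty { let EmptyNewProcessEvents = datatable( TimeGenerated:datetime, Type:string, EventType:string, EventProduct:string, EventProductVersion:string, EventCount:int, EventMessage:string, EventVendor:string, EventSchema:string, EventSchemaVersion:string, EventSeverity:string, EventSubType:string, EventOriginalUid:string, EventOriginalType:string,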
EventOriginalResultDetails:string, EventOriginalSeverity:string, EventOriginalSubType:string, EventStartTime:datetime, EventEndTime:datetime, EventReportUrl:string, EventResult: string, EventResultDetails: string, AdditionalFields:dynamic, EventOwner:string, DvcHostname:string, DvcDomain:string, DvcDomainType:string, DvcFQDN:string, DvcIpAddr:string, DvcOs:string, DvcOsVersion:string, DvcMacAddr:string, DvcAction:string, DvcOriginalAction:string, DvcDescription: string, DvcIdType: string, DvcInterface: string, DvcZone: string, DvcScopeId:string, DvcScope:string, TargetUsernameType:string, TargetOriginalUserType:string, TargetUserId:string, TargetUserIdType:string, TargetUserType:string, TargetUserSessionId:string, TargetUserUid:string, TargetUserScopeId:string, TargetUserScope:string, TargetProcessName:string, TargetProcessFileDescription:string, TargetProcessFileProduct:string, TargetProcessFileVersion:string, TargetProcessFileCompany: string, TargetProcessFileInternalName: string, TargetProcessFileOriginalName: string, TargetProcessFileSize: long, TargetProcessCurrentDirectory: string, TargetProcessIsHidden:bool, TargetProcessInjectedAddress:string, TargetProcessMD5:string, TargetProcessSHA1:string, TargetProcessSHA256:string, TargetProcessSHA512:string, TargetProcessIMPHASH:string, TargetProcessCommandLine:string, TargetProcessCreationTime:datetime, TargetProcessId:string, TargetProcessGuid:string, TargetProcessIntegrityLevel:string, TargetProcessTokenElevation:string, ActorUsername:string, ActorUsernameType:string, ActorUserId:string, ActorUserIdType:string, ActorUserType:string, ActorOriginalUserType:string, ActorSessionId:string, ActorUserAadId:string, ActorUserSid:string, ActorScopeId:string, ActorScope:string, ActingProcessCommandLine:string, ActingProcessName:string, ActingProcessFileDescription:string, ActingProcessFileProduct:string, ActingProcessFileCompany: string, ActingProcessFileInternalName: string, ActingProcessFileOriginalName: string, 
ActingProcessFileSize: long, ActingProcessFileVersion:string, ActingProcessIsHidden:bool, ActingProcessTokenElevation: string, ActingProcessInjectedAddress:string, ActingProcessId:string, ActingProcessGuid:string, ActingProcessIntegrityLevel:string, ActingProcessMD5:string, ActingProcessSHA1:string, ActingProcessSHA256:string, ActingProcessSHA512:string, ActingProcessIMPHASH:string, ActingProcessCreationTime:datetime, ParentProcessName:string, ParentProcessFileDescription:string, ParentProcessFileProduct:string, ParentProcessFileVersion:string, ParentProcessFileCompany: string, ParentProcessTokenElevation:string, ParentProcessIsHidden:bool, ParentProcessInjectedAddress:string, ParentProcessId:string, ParentProcessGuid:string, ParentProcessIntegrityLevel:string, ParentProcessMD5:string, ParentProcessSHA1:string, ParentProcessSHA256:string, ParentProcessSHA512:string, ParentProcessIMPHASH:string, ParentProcessCreationTime:datetime, ParentProcessCommandLine:string, ParentProcessFileInternalName: string, ParentProcessFileOriginalName: string, ParentProcessFileSize: long, RuleName:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatRiskLevel:int, ThreatOriginalRiskLevel:string, ThreatConfidence:int, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, ThreatField:string, Dvc:string, Src:string, Dst:string, User:string, Process:string, CommandLine:string, Hash:string, HashType:string )[]; EmptyNewProcessEvents } .create-or-alter function with (skipvalidation=true) vimProcessEventCreateMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), 
['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
// Source-specific ASIM ProcessEvent filtering parser: Sysmon Event ID 1 (process create) read from the WindowsEvent table.
// Sysmon's Parent* fields describe the direct parent, which ASIM models as the acting process. Event 1 carries no
// grandparent and no device IP, so parentprocess_has_any and dvcipaddr_has_any_prefix are only accepted when empty:
// a non-empty value makes this parser return no rows rather than silently ignore the filter.
// The command-line, acting/target process and username filters are applied twice: cheaply on the raw EventData
// before parsing, then again on the normalized columns. Hash/HashType are taken from the Sysmon "Hashes" field,
// preferring SHA256, then SHA1, IMPHASH, MD5.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), commandline_has_any: dynamic=dynamic([]), commandline_has_all: dynamic=dynamic([]), commandline_has_any_ip_prefix: dynamic=dynamic([]), actingprocess_has_any: dynamic=dynamic([]), targetprocess_has_any: dynamic=dynamic([]), parentprocess_has_any: dynamic=dynamic([]), targetusername_has: string='*', dvcipaddr_has_any_prefix: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), eventtype: string='*', disabled: bool=false ) { let parser_WindowsEvent= WindowsEvent | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and not(disabled) and (eventtype == '*' or eventtype == 'ProcessCreated') and Provider == "Microsoft-Windows-Sysmon" and EventID == 1 and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) and (array_length(parentprocess_has_any) == 0) and (targetusername_has == '*' or EventData.User has targetusername_has) and (array_length(dvcipaddr_has_any_prefix) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project EventID, EventData, Computer, TimeGenerated, _ItemId, EventOriginId | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='"') | extend Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, "") | extend HashType = tostring(dynamic(["SHA256", "SHA1", "IMPHASH", "MD5"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)]) | project-rename TargetProcessMD5 = MD5, TargetProcessSHA1 = SHA1, TargetProcessSHA256 = SHA256, TargetProcessIMPHASH = IMPHASH | extend EventOriginalType = tostring(EventID), TargetUserSessionId = tostring(EventData.LogonId), TargetUsername = tostring(EventData.User), TargetProcessCommandLine = tostring(EventData.CommandLine), TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory), TargetUserSessionGuid = tostring(EventData.LogonGuid), TargetProcessId = tostring(EventData.ProcessId), TargetProcessGuid = tostring(EventData.ProcessGuid), TargetProcessName = tostring(EventData.Image), TargetProcessFilename = tostring(EventData.OriginalFileName), TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel), TargetProcessFileCompany = tostring(EventData.Company), TargetProcessFileDescription = tostring(EventData.Description), TargetProcessFileVersion = tostring(EventData.FileVersion), TargetProcessFileProduct = tostring(EventData.Product), ActingProcessId = tostring(EventData.ParentProcessId), ActingProcessGuid = tostring(EventData.ParentProcessGuid), ActingProcessCommandLine = tostring(EventData.ParentCommandLine), ActingProcessName = tostring(EventData.ParentImage), ActorUsername = tostring(EventData.ParentUser) | project-away EventData | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) and (targetusername_has == '*' or TargetUsername has targetusername_has) and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) | extend TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''), ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), EventProduct = "Security Events" | project-rename DvcHostname = Computer, EventOriginalUid = EventOriginId | extend Dvc = DvcHostname, User = TargetUsername, CommandLine = TargetProcessCommandLine, Process = TargetProcessName, EventUid = _ItemId | project-away EventID, _ItemId
// NOTE(review): this final extend re-assigns TargetUsernameType and ActorUsernameType to "Windows" unconditionally,
// overriding the isnotempty() checks above, and sets EventOriginalType = "1", repeating tostring(EventID).
| extend EventType = "ProcessCreated", EventOriginalType = "1", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventCount = int(1), EventVendor = "Microsoft", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventResult = 'Success', DvcOs = "Windows", TargetUsernameType = "Windows", ActorUsernameType = "Windows"; parser_WindowsEvent }; parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimProcessEventMicrosoft365D( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Source-specific ASIM ProcessEvent filtering parser for Defender for Endpoint DeviceProcessEvents (process create only).
// No device IP column exists here, so dvcipaddr_has_any_prefix is only accepted when empty; a non-empty value returns
// no rows. hashes_has_any is matched with the case-sensitive 'in' operator against SHA256/SHA1/MD5, so the caller's
// hashes must use the same letter case as the stored values or the filter silently matches nothing.
// targetusername_has matches either AccountName or AccountDomain. Usernames are rebuilt as Domain\User (typed Simple
// when the domain is empty, then re-derived with _ASIM_GetUsernameType); DvcOs is inferred from AdditionalFields;
// Hash prefers SHA256, then SHA1, MD5.
let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([]), disabled:bool=false ) { DeviceProcessEvents | where (isnull(starttime) or Timestamp >= starttime ) and (isnull(endtime) or Timestamp <= endtime ) and not(disabled) and (array_length(dvcipaddr_has_any_prefix)==0) and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any)) and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) ) and (array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any)) and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any)) and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any)) and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has) and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any)) and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any)) and (eventtype=='*' or eventtype=='ProcessCreated') | extend Type = "DeviceProcessEvents", EventOriginalUid = tostring(ReportId), EventCount = int(1), EventProduct = 'M365 Defender for Endpoint', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.4', EventSchema = 'ProcessEvent', EventStartTime = Timestamp, EventEndTime = Timestamp, EventResult = 'Success', ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\', InitiatingProcessAccountName)), TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\', AccountName)), TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'), ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'), ActorUserIdType = 'SID', TargetUserIdType = 'SID', ActorSessionId = tostring(InitiatingProcessLogonId), TargetUserSessionId = tostring(LogonId), Hash = coalesce (SHA256, SHA1, MD5, ""), TargetProcessId = tostring(ProcessId), ActingProcessId = tostring(InitiatingProcessId), ParentProcessId = tostring(InitiatingProcessParentId), DvcOs = iff (AdditionalFields has "ProcessPosixProcessGroupId", "Linux", "Windows") | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId | extend HashType = tostring(dynamic(["SHA256", "SHA1", "MD5"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)]) | invoke _ASIM_ResolveDvcFQDN('DeviceName') | project-rename DvcId = DeviceId, EventType = ActionType, ActorUserId = InitiatingProcessAccountSid, ActorUserAadId = InitiatingProcessAccountObjectId, ActorUserUpn = InitiatingProcessAccountUpn, TargetUserId = AccountSid, TargetUserAadId = AccountObjectId, TargetUserUpn = AccountUpn, ParentProcessName = InitiatingProcessParentFileName, TargetProcessFilename = FileName, ParentProcessCreationTime = InitiatingProcessParentCreationTime, TargetProcessName = FolderPath, TargetProcessCommandLine = ProcessCommandLine, TargetProcessMD5 = MD5, TargetProcessSHA1 = SHA1, TargetProcessSHA256 = SHA256, TargetProcessIntegrityLevel = ProcessIntegrityLevel, TargetProcessTokenElevation = ProcessTokenElevation, TargetProcessCreationTime = ProcessCreationTime, ActingProcessName = InitiatingProcessFolderPath, ActingProcessFilename = InitiatingProcessFileName, ActingProcessCommandLine = InitiatingProcessCommandLine, ActingProcessMD5 = InitiatingProcessMD5, ActingProcessSHA1 = InitiatingProcessSHA1, ActingProcessSHA256 = InitiatingProcessSHA256, ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, ActingProcessTokenElevation = InitiatingProcessTokenElevation, ActingProcessCreationTime = InitiatingProcessCreationTime | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername), TargetUsernameType = _ASIM_GetUsernameType(TargetUsername), User = coalesce(TargetUsername, ActorUsername), CommandLine = TargetProcessCommandLine, Process = TargetProcessName, Dvc = DvcHostname | project TimeGenerated = Timestamp, Type, EventOriginalUid, EventCount, EventProduct, EventVendor, EventSchemaVersion, EventSchema, EventStartTime, EventEndTime, EventResult, ActorUsername, ActorUserIdType, TargetUserIdType, ActorUsernameType, TargetUsername, TargetUsernameType, ActorSessionId, Hash, TargetProcessId, ActingProcessId, ParentProcessId, DvcOs, HashType, DvcId, EventType, ActorUserId, ActorUserAadId, ActorUserUpn, TargetUserId, TargetUserAadId, TargetUserUpn, ParentProcessName, TargetProcessFilename, ParentProcessCreationTime, TargetProcessName, TargetProcessCommandLine, TargetProcessMD5, TargetProcessSHA1, TargetProcessSHA256, TargetProcessIntegrityLevel, TargetProcessTokenElevation, TargetProcessCreationTime, ActingProcessName, ActingProcessFilename, ActingProcessCommandLine, ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256, ActingProcessIntegrityLevel, ActingProcessTokenElevation, ActingProcessCreationTime, User, CommandLine, Process, Dvc }; parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) vimProcessEventTerminateMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
// Source-specific ASIM ProcessEvent filtering parser: Sysmon Event ID 5 (process terminate) read from WindowsEvent.
// Event 5 carries only the terminating process (Image, ProcessId, ProcessGuid) and its user, so the commandline_*,
// actingprocess_has_any, parentprocess_has_any and dvcipaddr_has_any_prefix filters are only accepted when empty;
// a non-empty value returns no rows. The cheap 'EventData has ...' pre-filters are re-applied precisely on the
// extracted ActorUsername and TargetProcessName. TargetProcessGuid strips the braces around EventData.ProcessGuid.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), commandline_has_any: dynamic=dynamic([]), commandline_has_all: dynamic=dynamic([]), commandline_has_any_ip_prefix: dynamic=dynamic([]), actingprocess_has_any: dynamic=dynamic([]), targetprocess_has_any: dynamic=dynamic([]), parentprocess_has_any: dynamic=dynamic([]), actorusername_has: string='*', dvcipaddr_has_any_prefix: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), eventtype: string='*', disabled: bool=false ) { let parser_WindowsEvent= WindowsEvent | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) and not(disabled) and Provider == "Microsoft-Windows-Sysmon" and EventID == 5 and (eventtype == '*' or eventtype == 'ProcessTerminated') and (array_length(commandline_has_all) == 0) and (array_length(commandline_has_any) == 0) and (array_length(commandline_has_any_ip_prefix) == 0) and (array_length(actingprocess_has_any) == 0) and (array_length(parentprocess_has_any) == 0) and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) and (actorusername_has == '*' or EventData has actorusername_has) and (array_length(dvcipaddr_has_any_prefix) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project EventData, Computer, TimeGenerated, EventOriginId, EventID | extend EventProduct = "Security Events", ActorUsername = tostring(EventData.User), TargetProcessName = tostring(EventData.Image), TargetProcessId = tostring(EventData.ProcessId), TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)) | where (actorusername_has == '*' or ActorUsername has actorusername_has) and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) | project-rename DvcHostname = Computer, EventOriginalUid = EventOriginId | project-away EventData | extend EventType = "ProcessTerminated", EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventCount = int(1), EventVendor = "Microsoft", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventOriginalType=tostring(EventID), EventResult = 'Success', DvcOs = "Windows", ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''), User = ActorUsername, Process = TargetProcessName, Dvc = DvcHostname | project-away EventID ; parser_WindowsEvent }; parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) 
vimProcessTerminateMicrosoftSecurityEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['disabled']:bool=false) {
// Source-specific ASIM ProcessEvent filtering parser: Security Event ID 4689 (process exit) from the SecurityEvent table.
// Parameter names differ from the sibling parsers: 'actorusername' (matched with 'has' against SubjectAccount) and
// 'dvcname_has_any' instead of actorusername_has / dvchostname_has_any. Event 4689 carries no acting/parent process
// or device IP, so actingprocess_has_any, parentprocess_has_any and dvcipaddr_has_any_prefix are only accepted when
// empty; a non-empty value returns no rows. The null SID "S-1-0-0" is normalized to an empty ActorUserId, a
// SubjectDomainName of '-' yields a Simple (domain-less) ActorUsername, and Status is surfaced as
// EventResultDetails / EventOriginalResultDetails.
let ProcessEvents=(){ SecurityEvent | where EventID == 4689 | where (isnull(starttime) or TimeGenerated >= starttime ) and (isnull(endtime) or TimeGenerated <= endtime ) and not(disabled) and (array_length(actingprocess_has_any)==0 ) and (array_length(parentprocess_has_any)==0) and (array_length(dvcipaddr_has_any_prefix)==0) and (eventtype=='*' or eventtype=='ProcessTerminated') and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) and (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any)) and (actorusername=='*' or SubjectAccount has actorusername) and (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) | project TimeGenerated, EventID, CommandLine, ProcessName, SubjectAccount, Computer, SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ProcessId, SourceComputerId, EventOriginId, TokenElevationType, Status | extend EventCount = int(1), EventVendor = "Microsoft", EventProduct = "Security Events", EventSchemaVersion = "0.1.0", EventSchema = 'ProcessEvent', EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventType = "ProcessTerminated", EventResult = 'Success', EventOriginalType = tostring(EventID), EventOriginalUid = EventOriginId, EventResultDetails = Status, EventOriginalResultDetails = Status, DvcId = SourceComputerId, DvcHostname = Computer, DvcOs = "Windows", ActorUserIdType = iff (SubjectUserSid <> "S-1-0-0", "SID", ""), ActorUserId = iff (SubjectUserSid <> "S-1-0-0", SubjectUserSid, ""), ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount), ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'), ActorSessionId = SubjectLogonId, ActorDomainName = SubjectDomainName, TargetProcessId = tostring(ProcessId), TargetProcessName = ProcessName, TargetProcessCommandLine = CommandLine, TargetProcessTokenElevation = TokenElevationType, Process = ProcessName | extend User = ActorUsername, Dvc = DvcHostname, Process = TargetProcessName }; ProcessEvents } .create-or-alter function with (skipvalidation=true) vimProcessTerminateMicrosoftWindowsEvents( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername_has']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*', ['hashes_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Source-specific ASIM ProcessEvent filtering parser: Security Event ID 4689 delivered through the WindowsEvent table
// (fields are read from the dynamic EventData column). Event 4689 carries no command line, hashes, acting/parent
// process or device IP, so commandline_*, hashes_has_any, actingprocess_has_any, parentprocess_has_any and
// dvcipaddr_has_any_prefix are only accepted when empty; a non-empty value returns no rows. The cheap
// 'EventData has actorusername_has' pre-filter is re-applied precisely on ActorUsername once it is built.
// Unlike the SecurityEvent twin above, ActorUsername is always Domain\User and ActorUsernameType is always "Windows"
// — NOTE(review): confirm whether a '-' domain should be treated as Simple here as well.
// ASIM_GetFilenamePart returns the last backslash-separated segment of a path.
let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\')[-1]) }; let parser = ( starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([]), disabled:bool=false ) { WindowsEvent | where (isnull(starttime) or TimeGenerated >= starttime ) and (isnull(endtime) or TimeGenerated <= endtime ) and not(disabled) and EventID == 4689 and (array_length(actingprocess_has_any)==0) and (array_length(parentprocess_has_any)==0) and (array_length(dvcipaddr_has_any_prefix)==0) and (eventtype=='*' or eventtype=='ProcessTerminated') and (array_length(commandline_has_all)==0) and (array_length(commandline_has_any)==0) and (array_length(commandline_has_any_ip_prefix)==0) and (array_length(hashes_has_any)==0) and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any)) and (actorusername_has=='*' or EventData has actorusername_has) and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) | project EventID, EventData, Computer, TimeGenerated | project-rename DvcHostname = Computer | extend EventCount = int(1), EventVendor = 'Microsoft', EventProduct = 'Security Events', EventSchemaVersion = '0.1.0', EventSchema = 'ProcessEvent', EventResult = 'Success', EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventType = 'ProcessTerminated', EventOriginalType = tostring(EventID), DvcOs = 'Windows', ActorUsername = strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), ActorUserId = tostring(EventData.SubjectUserSid) | extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, ""), ActorUsernameType = "Windows" | where (actorusername_has=='*' or ActorUsername has actorusername_has) | extend ActorUserSid = ActorUserId, ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId), ActorSessionId = tostring(toint(EventData.SubjectLogonId)), TargetProcessId = tostring(toint(EventData.ProcessId)), TargetProcessName = tostring(EventData.ProcessName), TargetProcessStatusCode = tostring(EventData.Status) | extend TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName), User = ActorUsername, Dvc = DvcHostname, Process = TargetProcessName | project-away EventData, EventID }; parser ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=disabled ) } .create-or-alter function with (skipvalidation=true) ASimRegistry( ['pack']:bool=false) {
// ASIM RegistryEvent parser (no filtering parameters): unions the built-in source-specific parsers after the empty
// schema table. Parsers are switched off through the 'ASimDisabledParsers' watchlist: rows with SearchKey 'Any' or
// 'ExcludeASimRegistry' are read; a SourceSpecificParser value of 'Any' or 'ExcludeASimRegistryEventBuiltIn' disables
// every built-in parser, and 'Exclude<ParserName>' disables that parser only. The 'pack' parameter is accepted for
// interface compatibility but is not used here.
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser)); let ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); let parser=(pack:bool=false){ union vimRegistryEventEmpty, ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))), ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))), ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))) }; parser (pack=pack) } .create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftSecurityEvent(['disabled']:bool=false) {
// Parameterless ASim wrapper: delegates to the filtering (vim) parser, passing only the disabled flag.
vimRegistryEventMicrosoftSecurityEvent(disabled=disabled) } 
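.create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftSysmonWindowsEvent(['disabled']:bool=false) {
// Parameterless ASim wrapper: delegates to the filtering (vim) parser, passing only the disabled flag.
vimRegistryEventMicrosoftSysmonWindowsEvent(disabled=disabled) } .create-or-alter function with (skipvalidation=true) ASimRegistryEventMicrosoftWindowsEvent(['disabled']:bool=false) {
// Parameterless ASim wrapper: delegates to the filtering (vim) parser, passing only the disabled flag.
vimRegistryEventMicrosoftWindowsEvent(disabled=disabled) } .create-or-alter function with (skipvalidation=true) imRegistry( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) {
// Unifying ASIM RegistryEvent filtering parser: unions the empty schema table with the built-in source-specific vim
// parsers and pushes every filter down to them. Parsers are switched off through the 'ASimDisabledParsers' watchlist
// (rows with SearchKey 'Any' or 'ExcludevimRegistry' are read; a SourceSpecificParser value of 'Any' or
// 'ExcludevimRegistryEventBuiltIn' disables every built-in parser, 'Exclude<ParserName>' disables one parser).
// NOTE(review): the outer 'disabled' and 'pack' parameters are accepted but never used, so only the watchlist can
// disable this union — confirm whether disabled=true should short-circuit here as it does in the source parsers.
let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); let vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), pack:bool=false ) { union vimRegistryEventEmpty, vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))), vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))), vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))) }; parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack) } .create-or-alter function with (skipvalidation=true) vimRegistryEventEmpty {
// Empty RegistryEvent table carrying the normalized schema; it is unioned first by the ASimRegistry / imRegistry
// parsers so the result keeps the schema columns even when no source parser returns rows.
// RegistryKey and ActingProcessName are included because every source parser in this script emits them.
let EmptyNewRegistryEvents = datatable( TimeGenerated:datetime, Type:string, EventType:string, EventSubType:string, EventProduct:string, EventResult:string, EventResultDetails:string, EventOriginalSubType:string, EventOriginalResultDetails:string, EventSeverity:string, EventOriginalSeverity:string, EventSchema:string, EventOwner:string, EventProductVersion:string, EventCount:int, EventMessage:string, EventVendor:string, EventSchemaVersion:string, EventOriginalUid:string, EventOriginalType:string, EventStartTime:datetime, EventEndTime:datetime, EventReportUrl:string, AdditionalFields:dynamic, RegistryKey:string, RegistryValue:string, RegistryValueType:string, RegistryValueData:string, RegistryPreviousKey:string, RegistryPreviousValue:string, RegistryPreviousValueType:string, RegistryPreviousValueData:string, DvcId:string, DvcHostname:string, DvcIpAddr:string, DvcOs:string, DvcOsVersion:string, DvcMacAddr:string, DvcFQDN:string, DvcDomain:string, DvcDomainType:string, DvcDescription:string, DvcZone:string, DvcAction:string, DvcOriginalAction:string, DvcInterface:string, DvcScopeId:string, DvcScope:string, DvcIdType:string, ActorUsername:string, ActorUsernameType:string, ActorUserId:string, ActorUserIdType:string, ActorSessionId:string, ActorUserAadId:string, ActorUserSid:string, ActorScopeId:string, ActorScope:string, ActorUserType:string, ActorOriginalUserType:string, ActingProcessName:string, ActingProcessCommandLine:string, ActingProcessId:string, ActingProcessGuid:string, ParentProcessName:string, ParentProcessId:string, ParentProcessGuid:string, ParentProcessCommandLine:string, RuleNumber:int, ThreatId:string, ThreatName:string, ThreatCategory:string, ThreatRiskLevel:int, ThreatOriginalRiskLevel:string, ThreatConfidence:int, ThreatOriginalConfidence:string, ThreatIsActive:bool, ThreatFirstReportedTime:datetime, ThreatLastReportedTime:datetime, ThreatField:string, User:string, Process:string, Src:string, Dst:string )[]; EmptyNewRegistryEvents } .create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftSecurityEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
// Source-specific ASIM RegistryEvent filtering parser for Windows Security auditing in the SecurityEvent table:
// Event 4663 (object access with ObjectType "Key") is mapped to an EventType through AccessMask, and Event 4657
// (registry value modified) through OperationType. \REGISTRY\MACHINE and \REGISTRY\USER prefixes are rewritten to
// HKEY_LOCAL_MACHINE / HKEY_USERS, value types are decoded from the %%18xx message codes, and the well-known SIDs
// (null, SYSTEM, LOCAL SERVICE, NETWORK SERVICE) mark a Simple username type.
// Both union branches honor disabled, starttime/endtime, actorusername_has_any, dvchostname_has_any, eventtype_in and
// registrykey_has_any. registryvalue_has_any and registrydata_has_any apply to 4657 only: 4663 has no value fields,
// so it returns no rows when either is set. registrydata_has_any is matched against NewValue; for deletions (%%1906)
// the reported RegistryValueData is OldValue — NOTE(review): confirm whether the filter should cover that case too.
let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) { let ASIM_GetAccountType = (sid: string) { iif ( sid in ("S-1-0-0", "S-1-5-18", "S-1-5-19", "S-1-5-20"), "Simple" , "Windows" ) }; let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: int, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) { SecurityEvent | project-rename ActorUsername = SubjectUserName , ActorUserId = SubjectUserSid , ActorSessionId = SubjectLogonId , ActingProcessName = ProcessName , ActorDomainName = SubjectDomainName | extend ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\', ActorUsername), ActorUsername) , ActingProcessId = tostring(ProcessId) , RegistryKey = iif( ObjectName startswith @"\REGISTRY\MACHINE", replace_string(ObjectName, @"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE") , replace_string(ObjectName, @"\REGISTRY\USER", "HKEY_USERS") ) }; let Event4663TypeLookup = datatable (AccessMask: string, EventType: string) [ "0x1", "RegistryValueRead" , "0x10", "RegistryKeyNotify" , "0x10000", "RegistryKeyDeleted" , "0x2", "RegistryValueSet" , "0x20000", "MetadataAccessed" , "0x20006", "RegistryValueSet" , "0x40000", "MetadataModified" , "0x8", "RegistrySubkeyEnumerated" ]; let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string) [ "%%1904", "RegistryValueSet" , "%%1905", "RegistryValueSet" , "%%1906", "RegistryValueDeleted" ]; let RegistryType = datatable (TypeCode: string, TypeName: string) [ "%%1872", "REG_NONE" , "%%1873", "REG_SZ" , "%%1874", "REG_EXPAND_SZ" , "%%1875", "REG_BINARY" , "%%1876", "REG_DWORD" , "%%1879", "REG_MULTI_SZ" , "%%1883", "REG_QWORD" ];
// 4663 branch: key access events; EventType is derived from AccessMask, unknown masks become "Other".
union isfuzzy=false ( SecurityEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4663 and ObjectType == "Key" | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\', SubjectUserName) has_any (actorusername_has_any))) and (array_length(registryvalue_has_any) == 0) and (array_length(registrydata_has_any) == 0) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project TimeGenerated, EventID, AccessMask, SubjectDomainName, SubjectUserName, ProcessId, ObjectName, SubjectUserSid, SubjectLogonId, ProcessName, Computer, _ResourceId, Type | lookup Event4663TypeLookup on AccessMask | extend EventType = iif(isempty(EventType), "Other", EventType) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) | invoke ASIM_ParseSecurityEvents() | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any)) | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, Type ),
// 4657 branch: value modification events. It applies the same disabled / time-range / actor / host filters as the
// 4663 branch, matches the value-name filter against ObjectValueName (registryvalue_has_any) and the data filter
// against NewValue (registrydata_has_any), and applies eventtype_in and registrykey_has_any once EventType and
// RegistryKey are known.
( SecurityEvent | where not(disabled) | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) | where EventID == 4657 | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\', SubjectUserName) has_any (actorusername_has_any))) and (array_length(registryvalue_has_any) == 0 or (ObjectValueName) has_any (registryvalue_has_any)) and (array_length(registrydata_has_any) == 0 or (NewValue) has_any (registrydata_has_any)) and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) | project TimeGenerated, EventID, SubjectDomainName, SubjectUserName, ProcessId, ObjectName, SubjectUserSid, SubjectLogonId, ProcessName, Computer, _ResourceId, Type, OperationType, ObjectValueName, OldValueType, NewValueType, OldValue, NewValue | invoke ASIM_ParseSecurityEvents() | extend EventOriginalSubType = OperationType , RegistryValue = ObjectValueName | lookup Event4567TypeLookup on EventOriginalSubType | extend EventType = iif(isempty(EventType), "Other", EventType) | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any)) | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, Type, NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue, RegistryValue )
// Decode the %%18xx type codes, then fill the Previous* columns: %%1906 (delete) reports the old data as the value
// data, %%1905 (modify) keeps the old key/value/data as the Previous* fields.
| lookup RegistryType on $left.NewValueType == $right.TypeCode | project-rename RegistryValueType = TypeName | lookup RegistryType on $left.OldValueType == $right.TypeCode | project-rename RegistryPreviousValueType = TypeName | extend RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue) , RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, "") , RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, "") , RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "") | project-away NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue | invoke _ASIM_ResolveFQDN ("Computer")
// The null SID "S-1-0-0" is blanked before ASIM_GetAccountType runs, so that helper sees "" for it and types the
// username "Windows" — NOTE(review): confirm this is the intended result for the null SID.
| extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, "") | project-rename DvcDomainType = DomainType, DvcHostname = ExtractedHostname | extend DvcFQDN = iif(DvcDomainType == "FQDN", FQDN, ""), DvcDomain = iif(isnotempty(Domain), Domain, ""), Dvc = iif(DvcDomainType == "FQDN", FQDN, DvcHostname), ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId), ActorUsernameType = ASIM_GetAccountType(ActorUserId), User = ActorUsername, UserId = ActorUserId, ActorUserSid = ActorUserId, Process = ActingProcessName, EventStartTime = TimeGenerated, EventEndTime = TimeGenerated, EventOriginalType = tostring(EventID), EventSchemaVersion = "0.1", EventSchema = "RegistryEvent", EventCount = toint(1), EventResult = "Success", EventVendor = "Microsoft", EventProduct = "Security Events", DvcOs = "Windows" | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId }; parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, 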
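registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled ) }
.create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftSysmonWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
    // ASIM RegistryEvent parser for Sysmon registry events (EventID 12, 13, 14)
    // stored in the WindowsEvent table with Provider "Microsoft-Windows-Sysmon".
    // Parameters are the standard ASIM filtering parameters: starttime/endtime
    // bound TimeGenerated (both ends inclusive); each *_has_any list is a term
    // filter where an empty list means "no filter"; eventtype_in restricts the
    // normalised ASIM EventType; disabled=true returns no rows at all.
    // skipvalidation=true: the body is not checked at creation time, so a schema
    // mismatch with WindowsEvent only surfaces when the function is invoked.
    let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) {
        // Sysmon EventType -> ASIM EventType. lookup is a left outer join, so a
        // Sysmon EventType not listed here ends up with an empty NewEventType.
        let RegistryAction = datatable (EventType: string, NewEventType: string) [
            "CreateKey", "RegistryKeyCreated",
            "DeleteKey", "RegistryKeyDeleted",
            "DeleteValue", "RegistryValueDeleted",
            "SetValue", "RegistryValueSet",
            "RenameKey", "RegistryKeyRenamed"
        ];
        // Sysmon hive abbreviations -> canonical hive names. A prefix missing from
        // this table yields an empty Hive, and the strcat() below then produces a
        // key that starts with a bare "\" rather than a hive name.
        let Hives = datatable (KeyPrefix: string, Hive: string) [
            "HKLM", "HKEY_LOCAL_MACHINE",
            "HKU", "HKEY_USERS",
            "HKCR", "HKEY_LOCAL_MACHINE\\Classes"
        ];
        let ParsedRegistryEvent_WindowsEvent=() {
            WindowsEvent
            | where not(disabled)
            | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
            | where Provider == "Microsoft-Windows-Sysmon" and EventID in (12, 13, 14)
            | project EventID, EventData, Computer, TimeGenerated
            // Cheap pre-filters on the raw EventData, evaluated before the extends.
            // The registrydata pre-filter tests EventData.Parameter; the final
            // filter below tests RegistryValueData, which is only populated for
            // RegistryValueSet, so with registrydata_has_any set only SetValue
            // events can survive both.
            | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any)))
                and (array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any)))
                and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
            | extend
                EventStartTime = TimeGenerated,
                EventEndTime = TimeGenerated,
                EventCount = int(1),
                EventVendor = "Microsoft",
                EventSchemaVersion = "0.1.0",
                EventProduct = "Sysmon",
                EventOriginalType = tostring(EventID),
                EventType = tostring(EventData.EventType),
                DvcOs = "Windows",
                EventMessage = tostring(EventData.RenderedDescription),
                ActorUsername = tostring(EventData.User),
                ActingProcessId = tostring(EventData.ProcessId),
                // ProcessGuid is stored with surrounding braces; keep only the inner text.
                ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),
                ActingProcessName = tostring(EventData.Image),
                TargetObject = tostring(EventData.TargetObject),
                Parameter = tostring(EventData.Parameter)
            | project-away EventData
            | project-rename DvcHostName = Computer
            // Map to the ASIM event type, keeping Sysmon's own type as EventOriginalSubType.
            | lookup RegistryAction on EventType
            | project-rename EventOriginalSubType = EventType
            | project-rename EventType = NewEventType
            // FIX: eventtype_in is now applied to the normalised ASIM EventType
            // (e.g. "RegistryValueSet"). It was previously evaluated before the
            // rename, i.e. against Sysmon's native names ("SetValue"), so a caller
            // filtering on ASIM event types silently got no Sysmon rows while the
            // SecurityEvent/WindowsEvent parsers of the same union did return rows.
            | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
            // Normalise key paths: split the hive prefix off at the first backslash
            // and replace it with the canonical hive name. Parameter carries the new
            // name for RenameKey events (and the value data for SetValue events), so
            // it is run through the same split; NewName is only meaningful for renames.
            | parse TargetObject with KeyPrefix "\\" KeyMain
            | lookup Hives on KeyPrefix
            | extend Key = strcat (Hive, "\\", KeyMain)
            | parse Parameter with KeyPrefix "\\" KeyMain
            | lookup Hives on KeyPrefix
            | extend NewName = strcat (Hive, "\\", KeyMain)
            | project-away KeyPrefix, KeyMain, Hive
            // Greedy "(.+)\\(.+)" splits at the LAST backslash: for value events the
            // leaf is the value name and the remainder is the key.
            // NOTE(review): ParsedKey[0][0] is dynamic, so Key/RegistryKey may be
            // dynamic-typed rather than string for value events — confirm downstream.
            | extend ParsedKey = extract_all (@"^(.+)\\(.+)$", Key)
            | extend
                Key = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), ParsedKey[0][0], Key),
                Value = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), ParsedKey[0][1], ""),
                ParsedKey = extract_all (@"^(.+)\\(.+)$", NewName)
            | extend NewKey = ParsedKey[0][0], NewValue = ParsedKey[0][1]
            | project-away ParsedKey, TargetObject, NewName
            // RegistryKeyModified / RegistryValueModified were computed here and then
            // dropped by the final project-away; the dead columns are gone.
            | extend
                RegistryKey = iff (EventType == "RegistryKeyRenamed", NewKey, Key),
                RegistryValue = iff (EventType in ("RegistryValueSet", "RegistryValueDeleted"), Value, ""),
                RegistryValueData = iff (EventType == "RegistryValueSet", Parameter, ""),
                ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')
            // Final filters on the normalised fields.
            | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any)))
                and (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any)))
                and (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))
            // Dvc is the raw Computer value; this parser does no FQDN resolution.
            | extend User = ActorUsername, Process = ActingProcessName, Dvc = DvcHostName, EventResult = "Success", EventSchema = "RegistryEvent"
            | project-away Parameter, Value, Key, NewKey, NewValue, DvcHostName, EventID
        };
        ParsedRegistryEvent_WindowsEvent
    };
    parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled )
}
.create-or-alter function with (skipvalidation=true) vimRegistryEventMicrosoftWindowsEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false) {
    // ASIM RegistryEvent parser for Windows security auditing events 4663
    // (registry key object access) and 4657 (registry value modified) stored
    // in the WindowsEvent table. Same filtering parameters as the Sysmon parser.
    let parser = ( starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic =dynamic([]), registryvalue_has_any: dynamic =dynamic([]), registrydata_has_any: dynamic =dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false ) {
        // Null SID (S-1-0-0) and the built-in service SIDs (SYSTEM, LOCAL SERVICE,
        // NETWORK SERVICE) are reported as "Simple" account names; everything else
        // is treated as a Windows (domain\user) account.
        let ASIM_GetAccountType = (sid: string) { iif ( sid in ("S-1-0-0", "S-1-5-18", "S-1-5-19", "S-1-5-20"), "Simple" , "Windows" ) };
        let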
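ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {
    // Shared normalisation for both event IDs: Subject* -> Actor* fields, and
    // the kernel object path (\REGISTRY\MACHINE\..., \REGISTRY\USER\...) ->
    // HKEY_LOCAL_MACHINE / HKEY_USERS. A path starting with neither prefix is
    // left unchanged by replace_string().
    WindowsEvent
    | extend
        // tostring() on the else branch keeps ActorUsername string-typed in both
        // branches (strcat() already returns string).
        ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\', EventData.SubjectUserName), tostring(EventData.SubjectUserName)),
        ActorDomainName = tostring(EventData.SubjectDomainName),
        ActorUserId = tostring(EventData.SubjectUserSid),
        ActorSessionId = tostring(EventData.SubjectLogonId),
        ActingProcessName = tostring(EventData.ProcessName),
        // toint() then tostring(): ProcessId is emitted as a decimal string.
        ActingProcessId = tostring(toint(EventData.ProcessId)),
        RegistryKey = iif( EventData.ObjectName startswith @"\REGISTRY\MACHINE",
            replace_string(tostring(EventData.ObjectName), @"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"),
            replace_string(tostring(EventData.ObjectName), @"\REGISTRY\USER", "HKEY_USERS") )
};
// 4663 AccessMask -> ASIM EventType; masks not listed here become "Other" below.
let Event4663TypeLookup = datatable (AccessMask: string, EventType: string) [
    "0x1", "RegistryValueRead",
    "0x10", "RegistryKeyNotify",
    "0x10000", "RegistryKeyDeleted",
    "0x2", "RegistryValueSet",
    "0x20000", "MetadataAccessed",
    "0x20006", "RegistryValueSet",
    "0x40000", "MetadataModified",
    "0x8", "RegistrySubkeyEnumerated"
];
// 4657 OperationType -> ASIM EventType. %%1905 is the only subtype for which
// the RegistryPrevious* fields are populated further down.
let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string) [
    "%%1904", "RegistryValueSet",
    "%%1905", "RegistryValueSet",
    "%%1906", "RegistryValueDeleted"
];
// 4657 value-type codes -> REG_* names.
let RegistryType = datatable (TypeCode: string, TypeName: string) [
    "%%1872", "REG_NONE",
    "%%1873", "REG_SZ",
    "%%1874", "REG_EXPAND_SZ",
    "%%1875", "REG_BINARY",
    "%%1876", "REG_DWORD",
    "%%1879", "REG_MULTI_SZ",
    "%%1883", "REG_QWORD"
];
union isfuzzy=false
(
    // 4663 key-access audits carry no value name or data, so a non-empty
    // registryvalue_has_any / registrydata_has_any excludes this branch entirely.
    WindowsEvent
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
    | where EventID == 4663 and EventData.ObjectType == "Key"
    | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\', EventData.SubjectUserName) has_any (actorusername_has_any)))
        and (array_length(registryvalue_has_any) == 0)
        and (array_length(registrydata_has_any) == 0)
        and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
    | extend AccessMask = tostring(EventData.AccessMask), Type = "WindowsEvent"
    | lookup Event4663TypeLookup on AccessMask
    | extend EventType = iif(isempty(EventType), "Other", EventType)
    | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
    | invoke ASIM_ParseWindowsEvents()
    | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))
    | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, Type
),
(
    union isfuzzy=false
    (
        // 4657 value-modified audits.
        // FIX: this branch previously applied only the registryvalue/registrydata
        // pre-filters and ignored disabled, starttime/endtime, actorusername_has_any,
        // dvchostname_has_any, eventtype_in and registrykey_has_any, so 4657 rows
        // outside the requested window, type, actor or host leaked into callers'
        // results (and disabled=true did not disable them). The filters below
        // mirror the 4663 branch; with default (empty) parameters nothing changes.
        WindowsEvent
        | where not(disabled)
        | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
        | where EventID == 4657
        // NOTE(review): the registrydata pre-filter tests NewValue, but for %%1906
        // (deleted value) RegistryValueData is taken from OldValue below — confirm.
        | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\', EventData.SubjectUserName) has_any (actorusername_has_any)))
            and (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any))
            and (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any))
            and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))
        // Same explicit Type as the 4663 branch (extend replaces an existing column
        // of that name, so this is a no-op where the table already carries it).
        | extend Type = "WindowsEvent"
        | invoke ASIM_ParseWindowsEvents()
        | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))
        | extend
            EventOriginalSubType = tostring(EventData.OperationType),
            OldValue = tostring(EventData.OldValue),
            NewValue = tostring(EventData.NewValue),
            RegistryValue = tostring(EventData.ObjectValueName),
            NewValueType = tostring(EventData.NewValueType),
            OldValueType = tostring(EventData.OldValueType)
        | lookup Event4567TypeLookup on EventOriginalSubType
        | extend EventType = iif(isempty(EventType), "Other", EventType)
        | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
        | project TimeGenerated, Computer, EventID, EventType, ActorUsername, ActorDomainName, ActorUserId, ActorSessionId, ActingProcessName, ActingProcessId, RegistryKey, _ResourceId, RegistryValue, Type, NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue
    )
    | lookup RegistryType on $left.NewValueType == $right.TypeCode
    | project-rename RegistryValueType = TypeName
    | lookup RegistryType on $left.OldValueType == $right.TypeCode
    | project-rename RegistryPreviousValueType = TypeName
    // For a deleted value the data of record is the old value; previous-state
    // fields are only meaningful for a modification (%%1905).
    | extend
        RegistryValueData = iff (EventOriginalSubType == "%%1906", OldValue, NewValue),
        RegistryPreviousKey = iff (EventOriginalSubType == "%%1905", RegistryKey, ""),
        RegistryPreviousValue = iff (EventOriginalSubType == "%%1905", RegistryValue, ""),
        RegistryPreviousValueData = iff (EventOriginalSubType == "%%1905", OldValue, "")
    | project-away NewValueType, OldValueType, EventOriginalSubType, OldValue, NewValue
)
| invoke _ASIM_ResolveFQDN ("Computer")
// The null SID is not a usable identifier: blank it and leave ActorUserIdType empty.
| extend ActorUserIdType = iff (ActorUserId <> "S-1-0-0", "SID", ""), ActorUserId = iff (ActorUserId <> "S-1-0-0", ActorUserId, "")
| project-rename DvcDomainType = DomainType, DvcHostname = ExtractedHostname
// NOTE(review): ActorUsernameType / ActorUserType are computed from ActorUserId
// after it has been blanked for S-1-0-0 above, so the "Simple" mapping for that
// SID in ASIM_GetAccountType is never reached — confirm this is intended.
| extend
    DvcFQDN = iif(DvcDomainType == "FQDN", FQDN, ""),
    DvcDomain = iif(isnotempty(Domain), Domain, ""),
    ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),
    ActorUsernameType = ASIM_GetAccountType(ActorUserId),
    User = ActorUsername,
    UserId = ActorUserId,
    ActorUserSid = ActorUserId,
    Process = ActingProcessName,
    // FIX: fall back to the extracted hostname when Computer is not an FQDN
    // (was "", leaving Dvc empty), matching the SecurityEvent-based variant.
    Dvc = iif(DvcDomainType == "FQDN", Computer, DvcHostname),
    EventStartTime = TimeGenerated,
    EventEndTime = TimeGenerated,
    EventOriginalType = tostring(EventID),
    EventSchemaVersion = "0.1",
    EventSchema = "RegistryEvent",
    EventCount = toint(1),
    EventResult = "Success",
    EventVendor = "Microsoft",
    EventProduct = "Security Events",
    DvcOs = "Windows"
| project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId
    };
    parser ( starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled = disabled )
}
.create-or-alter function with (skipvalidation=true) _ASim_Authentication() { ASimAuthentication }
.create-or-alter function with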
(skipvalidation=true) _ASim_Dns() {
    // "_ASim_*" aliases: fixed names that forward to the matching
    // source-agnostic ASim parser, taking its default parameters.
    let source = ASimDns();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_NetworkSession() {
    let source = ASimNetworkSession();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_ProcessEvent() {
    let source = ASimProcessEvent();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_ProcessCreate() {
    let source = ASimProcessEventCreate();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_ProcessTerminate() {
    let source = ASimProcessEventTerminate();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_FileEvent() {
    let source = ASimFileEvent();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_RegistryEvent() {
    let source = ASimRegistry();
    source
}
.create-or-alter function with (skipvalidation=true) _ASim_AuditEvent() {
    let source = ASimAuditEvent();
    source
}
.create-or-alter function with (skipvalidation=true) _Im_Authentication( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['username_has_any']:dynamic=dynamic([]), ['targetappname_has_any']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['srchostname_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresultdetails_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) {
    // "_Im_*" aliases forward every filtering parameter positionally to the
    // matching im* union parser; the parameter list must stay in step with it.
    let result = imAuthentication(starttime, endtime, username_has_any, targetappname_has_any, srcipaddr_has_any_prefix, srchostname_has_any, eventtype_in, eventresultdetails_in, eventresult, pack);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_Dns( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr']:string='*', ['domain_has_any']:dynamic=dynamic([]), ['responsecodename']:string='*', ['response_has_ipv4']:string='*', ['response_has_any_prefix']:dynamic=dynamic([]), ['eventtype']:string='lookup', ['pack']:bool=false) {
    // Note the non-wildcard default: eventtype='lookup' restricts to DNS lookups.
    let result = imDns(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, pack);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_NetworkSession( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstipaddr_has_any_prefix']:dynamic=dynamic([]), ['ipaddr_has_any_prefix']:dynamic=dynamic([]), ['dstportnumber']:int=int(null), ['hostname_has_any']:dynamic=dynamic([]), ['dvcaction']:dynamic=dynamic([]), ['eventresult']:string='*', ['pack']:bool=false) {
    let result = imNetworkSession(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, pack);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_ProcessEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') {
    let result = imProcessEvent(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, hashes_has_any, eventtype);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_ProcessCreate( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['targetusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') {
    // Unlike _Im_ProcessEvent there is no actorusername parameter here.
    let result = imProcessCreate(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, hashes_has_any, eventtype);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_ProcessTerminate( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['commandline_has_any']:dynamic=dynamic([]), ['commandline_has_all']:dynamic=dynamic([]), ['commandline_has_any_ip_prefix']:dynamic=dynamic([]), ['actingprocess_has_any']:dynamic=dynamic([]), ['targetprocess_has_any']:dynamic=dynamic([]), ['parentprocess_has_any']:dynamic=dynamic([]), ['actorusername']:string='*', ['dvcipaddr_has_any_prefix']:dynamic=dynamic([]), ['dvcname_has_any']:dynamic=dynamic([]), ['eventtype']:string='*') {
    // No targetusername and no hashes_has_any for terminate events.
    let result = imProcessTerminate(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_FileEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['targetfilepath_has_any']:dynamic=dynamic([]), ['srcfilepath_has_any']:dynamic=dynamic([]), ['hashes_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) {
    let result = imFileEvent(starttime, endtime, eventtype_in, srcipaddr_has_any_prefix, actorusername_has_any, targetfilepath_has_any, srcfilepath_has_any, hashes_has_any, dvchostname_has_any, disabled, pack);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_RegistryEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['eventtype_in']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['registrykey_has_any']:dynamic=dynamic([]), ['registryvalue_has_any']:dynamic=dynamic([]), ['registrydata_has_any']:dynamic=dynamic([]), ['dvchostname_has_any']:dynamic=dynamic([]), ['disabled']:bool=false, ['pack']:bool=false) {
    let result = imRegistry(starttime, endtime, eventtype_in, actorusername_has_any, registrykey_has_any, registryvalue_has_any, registrydata_has_any, dvchostname_has_any, disabled, pack);
    result
}
.create-or-alter function with (skipvalidation=true) _Im_AuditEvent( ['starttime']:datetime=datetime(null), ['endtime']:datetime=datetime(null), ['srcipaddr_has_any_prefix']:dynamic=dynamic([]), ['actorusername_has_any']:dynamic=dynamic([]), ['operation_has_any']:dynamic=dynamic([]), ['eventtype_in']:dynamic=dynamic([]), ['eventresult']:string='*', ['object_has_any']:dynamic=dynamic([]), ['newvalue_has_any']:dynamic=dynamic([]), ['pack']:bool=false) {
    let result = imAuditEvent(starttime, endtime, srcipaddr_has_any_prefix, actorusername_has_any, operation_has_any, eventtype_in, eventresult, object_has_any, newvalue_has_any, pack);
    result
}
// Lab data: parquet dumps fetched over plain HTTPS from a public GitHub branch.
// "refs/heads/main" is a moving ref, so the dataset can change between runs;
// pin to a commit (replace refs/heads/main with <COMMIT_SHA>) for reproducible
// results. ".ingest async" only queues the work and returns an OperationId —
// check each one with ".show operations" before querying, since a schema
// mismatch with the .create-merge definitions surfaces there, not here.
.ingest async into table Corelight_CL (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/Corelight_CL.parquet') with (format='parquet')
.ingest async into table DeviceEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/DeviceEvents.parquet') with (format='parquet')
.ingest async into table DeviceNetworkEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/DeviceNetworkEvents.parquet') with (format='parquet')
.ingest async into table DeviceProcessEvents (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/DeviceProcessEvents.parquet') with (format='parquet')
.ingest async into table SecurityEvent (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/SecurityEvent.parquet') with (format='parquet')
.ingest async into table Suricata_CL (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/Suricata_CL.parquet') with (format='parquet')
.ingest async into table WindowsEvent (@'https://raw.githubusercontent.com/ksyeung/DetLabs/refs/heads/main/ksldump/WindowsEvent.parquet') with (format='parquet')