{ "version": "Notebook/1.0", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "0e7f7f38-7a2e-4637-9a86-4935053d44d0", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, "typeSettings": { "additionalResourceOptions": [], "includeAll": true }, "value": "" }, { "id": "42a13776-fd30-4506-8ad5-abfd555a9342", "version": "KqlParameterItem/1.0", "name": "Workspace", "type": 5, "isRequired": true, "query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| project id, name\r\n| order by tolower(name) asc", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": "" }, { "id": "c208ef1f-6126-46d8-9a3e-53fe392a04ce", "version": "KqlParameterItem/1.0", "name": "WSLocation", "type": 1, "query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| where id == '{Workspace}'\r\n| project location", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "e9a4797d-1413-408e-8396-ec2b07b913a8", "version": "KqlParameterItem/1.0", "name": "WSID", "type": 1, "query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| where id == '{Workspace}'\r\n| project workspaceId = tostring(properties.customerId)", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "a54f6525-3350-4f37-b136-638e02adf191", "version": "KqlParameterItem/1.0", "name": "workspaceName", "type": 1, "query": "resources\r\n| where type == 
'microsoft.operationalinsights/workspaces'\r\n| where id == '{Workspace}'\r\n| project name", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "04be620b-976b-4989-8698-2d575cfa6ee4", "version": "KqlParameterItem/1.0", "name": "WSRG", "type": 1, "query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| where id == '{Workspace}'\r\n| project RG = strcat('/subscriptions/', '{Workspace:subscriptionId}', '/resourcegroups/', '{Workspace:resourceGroup}')", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "365ed2f7-7752-4734-a0fb-6c73f15e207c", "version": "KqlParameterItem/1.0", "name": "Help", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"On\", \"Off\"]", "value": "Off" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 6" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "tabs", "links": [ { "id": "6e730ea4-5547-4571-8b92-f2c11cd0c1eb", "cellValue": "Tab", "linkTarget": "parameter", "linkLabel": "Data Collection", "subTarget": "2", "style": "link" }, { "id": "f0b3bf93-2965-4644-af34-d097325c3236", "cellValue": "Tab", "linkTarget": "parameter", "linkLabel": "Connector Summary", "subTarget": "1", "style": "primary" }, { "id": "d440efb3-8e86-4f1b-94e4-35e4e76f891c", "cellValue": "Tab", "linkTarget": "parameter", "linkLabel": "Connector Details", "subTarget": "3", "style": "link" }, { "id": "4d680268-c34b-4cf8-940b-df065d49e481", "cellValue": "Tab", "linkTarget": "parameter", "linkLabel": "Deploy", "subTarget": "5", "style": "link" } ] }, "name": "links - 4" }, { "type": 1, "content": { "json": "------------------------------------" }, "name": "text - 6" }, { "type": 12, "content": { "version": 
"NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Data Collection Rules and Endpoint", "items": [ { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will serve to set the foundation of the data collection. Filling out this section will create:\r\n1. A data collection endpoint(DCE) that will be used for any and all ingestion.\r\n2. A custom table to house the data for the connector of interest.\r\n3. A data collection rule(DCR) associated with the custom table and the data collection endpoint.\r\n\r\n_Destination_
\r\nThe destination will serve as where the data is going.\r\n- Custom table: A custom table that will be created and remain custom.\r\n- Custom to native table: A custom log source brought in by the connector and will be sent to a built-in table.\r\n- ASIM Parser: An option to normalize the data that the connector is bringing in before it ingests. Also allows for the connector to align data with a main normalized parser.\r\n- UI Only: A connector already exists via Azure Logic App or Azure Function App but does not have a UI. A data connector UI within the Microsoft Sentinel data connector is desired. \r\n\r\nTo create the components:
\r\n1. Select a destination.\r\n2. Follow the instructions listed under the selected destination.\r\n3. Select if a DCE exists.\r\n\t- If no, click on the button to open the UI to create a new DCE.\r\n\t- Once done, make sure to set the 'DCE Already Exists' toggle to yes.\r\n4. Click on the refresh button within the workbook to force it to fetch the new DCE.\r\n5. Click on the drop down to select the DCE to use.\r\n6. Select if a custom table exists.\r\n\t- If no, follow the instructions under the section.\r\n7. Click on the dropdown to select the DCR that was created for the custom table.\r\n8. (Optional) If looking to modify the transformKQL or the output destination of the DCR, set 'Modify Streams' to Yes to open a JSON editor.", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "Help", "comparison": "isEqualTo", "value": "On" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "text - 4" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "9b15a9a1-5afa-4407-a20a-720c889db8e8", "version": "KqlParameterItem/1.0", "name": "Destination", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Custom Table\", \"Custom to Native Table\", \"ASIM Parser\", \"UI Only\"]", "timeContext": { "durationMs": 86400000 }, "value": "Custom Table" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 3" }, { "type": 1, "content": { "json": "---------------------------------------------" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "text - 6" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will send data to a built-in table as mentioned above. This option requires less work than the custom table route. 
All that is needed is the data collection endpoint and the data collection rule. \r\n\r\nData collection endpoints in the list are filtered to be in the same region as the workspace selected at the top of the page. Similarly, data collection rules shown are filtered to be within those that are configured to send to the selected DCE.\r\n\r\nIf documentation is needed, please see the following:\r\n- [Data Collection Endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\r\n- [Data Collection Rules](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview)\r\n\r\n", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isEqualTo", "value": "Native Table" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "On" } ], "name": "text - 6" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will send data to a custom table or will transform a custom log source to be sent to a native table. Since it will leverage custom resources, they will need to be created before the data collection rule can be deployed. \r\n\r\nIf a custom table already exists, set the toggle to yes. If no:\r\n1. Set the toggle to no.\r\n2. If using the UI:\r\n\t- Select the first button to open the UI wizard for creating custom tables.\r\n\t- Give the table a name.\r\n\t- If a DCR exists already, select it from the drop down. If not, create a new DCR that contains a name that signals what the source is.\r\n\t- Attach the DCR to the DCE for the workspace.\r\n\t- Upload a sample file of the data that will be ingested.\r\n\t- If transformations need to be made, click on the transformations button to open up the editor. When done, click apply.\r\n\t- If done, click review and create > create.\r\n3. 
If using JSON and API\r\n\t- Click on the second button to expand the builder areas.\r\n\t- Give the table a name. It must have _CL after the title.\r\n\t- Set the table plan.\r\n\t- Set the retention for the table.\r\n\t- Set the table schema. \r\n\t- (Optional) If the table should be kept for more than 90 days in analytics tier, should be sent to basic tier, or should be archived, modify the items within the JSON to configure the table as needed.\r\n\t- Once done, click the button to run the API to create the table. If looking to confirm the creation, click the 'confirm table creation' button to open the tables blade.\r\n\t- Next, a DCR is needed.\r\n\t- Give the DCR a name that will signal what the data source is.\r\n\t- The remaining components of the DCR will be dynamically populated from the new table values set above.\r\n\t- Click the done button to hide the JSON section.\r\n4. Click refresh at the top of the workbook.\r\n5. Set the custom table exists toggle to yes.\r\n6. Select the DCR needed from the drop down list.\r\n7. If sending custom logs to a native table, set the modify streams or destinations toggle to yes.\r\n\t- Go into the JSON.\r\n\t- If transformKQL and outputStream are not already there, they will need to be added. This will appear as so:\r\n```\r\n \"dataFlows\": [ \r\n { \r\n \"streams\": [ \r\n \"Custom-MyTableRawData\" \r\n ], \r\n \"destinations\": [ \r\n \"clv2ws1\" \r\n ], \r\n \"transformKql\": \"source | project TimeGenerated = Time, Computer, Message = AdditionalContext\", \r\n \"outputStream\": \"Microsoft-Syslog\" \r\n }, \r\n { \r\n \"streams\": [ \r\n \"Custom-MyTableRawData\" \r\n ], \r\n \"destinations\": [ \r\n \"clv2ws1\" \r\n ], \r\n \"transformKql\": \"source | where (AdditionalContext has 'malicious traffic!' 
| project TimeGenerated = Time, Computer, Subject = AdditionalContext\", \r\n \"outputStream\": \"Microsoft-SecurityEvent\" \r\n } \r\n ] \r\n```\r\n\r\nFor information on what was used in this section, please see:\r\n- [Data Collection Endpoints](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\r\n- [Data Collection Rules](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview)\r\n- [Custom tables](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-portal-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)\r\n- [Ingestion time transformation](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations)", "style": "info" }, "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "Native Table" }, { "parameterName": "Help", "comparison": "isEqualTo", "value": "On" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "ASIM Parser" } ], "name": "text - 5" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "cfe4f7aa-d553-4944-9a52-0f88cbe5dd82", "version": "KqlParameterItem/1.0", "name": "dceExists", "label": "DCE Already Exists?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "Yes" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "DCECheck" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "d2c213b0-c3be-4bc5-b9e6-360062fa5853", 
"linkTarget": "OpenBlade", "linkLabel": "Create New DCE", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "CreateDataCollectionEndpointViewModel", "extensionName": "Microsoft_Azure_Monitoring", "bladeParameters": [] } } ] }, "conditionalVisibilities": [ { "parameterName": "dceExists", "comparison": "isEqualTo", "value": "No" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "links - 6 - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "1854dec4-5e3b-415e-b800-9b53837703d1", "version": "KqlParameterItem/1.0", "name": "DCESelect", "label": "Select DCE", "type": 5, "query": "resources\r\n| where type == 'microsoft.insights/datacollectionendpoints'\r\n| where location == '{WSLocation}'\r\n| extend name = tolower(name)\r\n| project id, name\r\n| order by name asc\r\n", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": null } ], "style": "above", "queryType": 12 }, "conditionalVisibilities": [ { "parameterName": "dceExists", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "parameters - 14" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "0ef0b9f5-c434-4c32-bd1b-538a8b00a7b9", "version": "KqlParameterItem/1.0", "name": "dceURL", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{DCESelect}?api-version=2022-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.logsIngestion\",\"columns\":[{\"path\":\"$.endpoint\",\"columnid\":\"URL\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { 
"durationMs": 86400000 }, "queryType": 12, "value": null } ], "style": "above", "queryType": 12 }, "name": "parameters - 20" }, { "type": 1, "content": { "json": "------------------------------------------------" }, "name": "text - 11" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "031053e4-d647-42dc-8592-9b40592326f8", "version": "KqlParameterItem/1.0", "name": "tableExists", "label": "Custom Table Exists?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Yes\",\"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "Yes" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "CTableCheck" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "d605ada5-d2a7-48fc-8085-5cba5e2903ea", "linkTarget": "OpenBlade", "linkLabel": "Create Table (Table Wizard)", "style": "primary", "bladeOpenContext": { "bladeName": "CreateCustomLogV2TableBlade", "extensionName": "Microsoft_OperationsManagementSuite_Workspace", "bladeJsonParameters": "{\r\n \"workspaceResourceId\": \"{Workspace}\"\r\n}" } }, { "id": "791ec778-9e6f-41db-9aa7-be7cab969192", "cellValue": "1", "linkTarget": "parameter", "linkLabel": "|", "subTarget": "2", "style": "link" }, { "id": "cf04f9f0-2454-49c7-85ad-befd2c8a866f", "cellValue": "Method", "linkTarget": "parameter", "linkLabel": "Create Table (API Call)", "subTarget": "API", "style": "primary" }, { "id": "e4bd3e6a-36b2-4d2e-8e2e-a8b2a2f5d346", "cellValue": "1", "linkTarget": "parameter", "linkLabel": "|", "subTarget": "2", "style": "link" }, { "id": "f9728a1b-2f4b-4c1e-8723-e129becc2c5e", "cellValue": "NewTable", "linkTarget": "parameter", "linkLabel": "Done", "subTarget": "Yes", "style": "primary" }, { "id": 
"a7ceb730-fc39-4e48-ba8b-dc73fdc2496a", "cellValue": "1", "linkTarget": "parameter", "linkLabel": "|", "subTarget": "2", "style": "link" }, { "id": "e3b005a2-50db-4eb0-8ccc-3a0d81de5988", "cellValue": "NewTable", "linkTarget": "parameter", "linkLabel": "Reset", "subTarget": "No", "style": "primary" } ] }, "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "Native Table" }, { "parameterName": "tableExists", "comparison": "isEqualTo", "value": "No" } ], "name": "links - 5" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "3f45b46b-6f31-4811-b63f-1778d3e50516", "version": "KqlParameterItem/1.0", "name": "WSRetention", "type": 1, "query": "resources\r\n| where type == 'microsoft.operationalinsights/workspaces'\r\n| where id == '{Workspace}'\r\n| project properties.retentionInDays", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": "90" }, { "id": "686b0a22-797d-4c35-8705-633c8f4c45f2", "version": "KqlParameterItem/1.0", "name": "TableName", "type": 1, "value": "Basic_CL", "label": "Table Name" }, { "id": "c52228e6-6de9-4bbf-9a02-8d56d73d0224", "version": "KqlParameterItem/1.0", "name": "TablePlan", "label": "Table Plan", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Analytics\", \"Basic\"]", "timeContext": { "durationMs": 86400000 }, "value": "Analytics" }, { "id": "2e10fded-fd96-4424-ac3f-2cd6463180b2", "version": "KqlParameterItem/1.0", "name": "retentionInDays", "label": "Tier Retention", "type": 1, "criteriaData": [ { "criteriaContext": { "leftOperand": "TablePlan", "operator": "==", "rightValType": "static", "rightVal": "Analytics", "resultValType": "static", "resultVal": "90" } }, { "criteriaContext": { 
"leftOperand": "TablePlan", "operator": "==", "rightValType": "static", "rightVal": "Basic", "resultValType": "static", "resultVal": "8" } }, { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "param" } } ] }, { "id": "ea06ed83-cf68-4e64-84f2-57cece44fa00", "version": "KqlParameterItem/1.0", "name": "archiveRetentionInDays", "label": "Archive Retention", "type": 1, "criteriaData": [ { "criteriaContext": { "operator": "Default", "resultValType": "static", "resultVal": "0" } } ] }, { "id": "2b1069fa-c4b5-4d8e-8a3f-3c766a109922", "version": "KqlParameterItem/1.0", "name": "totalRetentionInDays", "label": "Total Data Retention", "type": 1, "criteriaData": [ { "criteriaContext": { "operator": "Default", "resultValType": "expression", "resultVal": "{retentionInDays} + {archiveRetentionInDays}" } } ] }, { "id": "4cb43fc8-38f0-43c4-bdf6-1f3f8b47670d", "version": "KqlParameterItem/1.0", "name": "Schema", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 15 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"name\": \"TimeGenerated\",\r\n\t\t\"type\": \"datetime\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"RawData\",\r\n\t\t\"type\": \"string\"\r\n\t}\r\n]" }, { "id": "8395521a-7670-41fc-9bc2-38b605cabbf6", "version": "KqlParameterItem/1.0", "name": "checkedTableName", "type": 1, "query": "print '{TableName}'\r\n| project Table = iff(print_0 !has '_CL', strcat(print_0, '_CL'), print_0)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "formHorizontal", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "90", "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" } ], "name": "parameters - 13", 
"styleSettings": { "padding": "0px 0px 0px 20px", "showBorder": true } }, { "type": 1, "content": { "json": "### Useful Information\r\n\r\nThe following items define the table: \r\n- Table Name: The name the new table will have.\r\n- Table Plan: The ingestion plan for the table.\r\n- Tier Retention: If Analytics, the default will be set to 90 days. If more is needed, the number can be modified. If Basic, the default will be set to 8 days.\r\n- Archive Retention: Sets the number of days that the data will be archived after the tier retention expires.\r\n- Total Retention: Sum of the tier retention and archive retention.\r\n- Schema: Schema of the table. This must be specified in JSON format.", "style": "upsell" }, "customWidth": "10", "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" } ], "name": "text - 15" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "28d1206b-88c0-4103-a93e-e085fa4e8426", "linkTarget": "ArmAction", "linkLabel": "Deploy Table", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{Workspace}/tables/{TableName}?api-version=2022-10-01", "headers": [], "params": [], "body": "{\r\n\t\"properties\": {\r\n\t\t\"schema\": {\r\n\t\t\t\"name\" : \"{checkedTableName}\",\r\n\t\t\t\"columns\": {Schema}\r\n\t\t},\r\n\t\t\"provisioningState\": \"Succeeded\",\r\n\t\t\"retentionInDays\": {retentionInDays},\r\n\t\t\"totalRetentionInDays\": {totalRetentionInDays},\r\n\t\t\"archiveRetentionInDays\": {archiveRetentionInDays},\r\n\t\t\"plan\": \"{TablePlan}\"\r\n\t}\r\n}", "httpMethod": "PUT", "title": "Create {checkedTableName}?", "description": "Please review the information below to confirm that the details are correct. 
If so, proceed with deploying the new table.\n\n```\n{\n\t\"properties\": {\n\t\t\"schema\": {\n\t\t\t\"name\" : \"{checkedTableName}\",\n\t\t\t\"columns\": {Schema}\n\t\t},\n\t\t\"provisioningState\": \"Succeeded\",\n\t\t\"retentionInDays\": {retentionInDays},\n\t\t\"totalRetentionInDays\": {totalRetentionInDays},\n\t\t\"archiveRetentionInDays\": {archiveRetentionInDays},\n\t\t\"plan\": \"{TablePlan}\"\n\t}\n}\n```", "actionName": "Deploying table {checkedTableName}", "runLabel": "Deploy Name" } }, { "id": "39f22f89-3947-4d94-9998-291351f354bb", "linkTarget": "OpenBlade", "linkLabel": "Confirm Table Creation", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "TablesBlade", "extensionName": "Microsoft_OperationsManagementSuite_Workspace", "bladeJsonParameters": "{\r\n \"workspaceResourceId\": \"{Workspace}\"\r\n}" } } ] }, "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" }, { "parameterName": "TablePlan", "comparison": "isEqualTo", "value": "Analytics" } ], "name": "links - 14", "styleSettings": { "padding": "0px 0px 0px 20px" } }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "a1cec60c-263f-4093-8606-7966a3bd516d", "linkTarget": "ArmAction", "linkLabel": "Deploy Table", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{Workspace}/tables/{TableName}?api-version=2022-10-01", "headers": [], "params": [], "body": "{\r\n\t\"properties\": {\r\n\t\t\"schema\": {\r\n\t\t\t\"name\" : \"{checkedTableName}\",\r\n\t\t\t\"columns\": {Schema}\r\n\t\t},\r\n\t\t\"provisioningState\": \"Succeeded\",\r\n\t\t\"totalRetentionInDays\": {totalRetentionInDays},\r\n\t\t\"archiveRetentionInDays\": {archiveRetentionInDays},\r\n\t\t\"plan\": \"{TablePlan}\"\r\n\t}\r\n}", "httpMethod": "PUT", "title": "Create {checkedTableName}?", "description": "Please 
review the information below to confirm that the details are correct. If so, proceed with deploying the new table.\n\n```\n{\n\t\"properties\": {\n\t\t\"schema\": {\n\t\t\t\"name\" : \"{checkedTableName}\",\n\t\t\t\"columns\": {Schema}\n\t\t},\n\t\t\"provisioningState\": \"Succeeded\",\n\t\t\"retentionInDays\": {retentionInDays},\n\t\t\"totalRetentionInDays\": {totalRetentionInDays},\n\t\t\"archiveRetentionInDays\": {archiveRetentionInDays},\n\t\t\"plan\": \"{TablePlan}\"\n\t}\n}\n```", "actionName": "Deploying table {checkedTableName}", "runLabel": "Deploy Name" } }, { "id": "219114ab-f1c7-44f5-b124-b831590d94a3", "linkTarget": "OpenBlade", "linkLabel": "Confirm Table Creation", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "TablesBlade", "extensionName": "Microsoft_OperationsManagementSuite_Workspace", "bladeJsonParameters": "{\r\n \"workspaceResourceId\": \"{Workspace}\"\r\n}" } } ] }, "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" }, { "parameterName": "TablePlan", "comparison": "isEqualTo", "value": "Basic" } ], "name": "links - 14 - Copy", "styleSettings": { "padding": "0px 0px 0px 20px" } }, { "type": 1, "content": { "json": "----------------------------------------------" }, "name": "text - 12" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "80991fc1-8b0f-40ca-958a-6ac71d7ceafe", "version": "KqlParameterItem/1.0", "name": "newDCRName", "label": "New DCR Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "BasicAuthTest" } ], "style": "formHorizontal", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "90", "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" } ], 
"name": "parameters - 18", "styleSettings": { "padding": "0px 0px 0px 20px" } }, { "type": 1, "content": { "json": "### Useful Information\r\n\r\nThis section will just store the name of the new data collection rule. The remaining parts such as the data collection endpoint, schema, workspace resource path, etc, will be pulled from the table creation section above.\r\n\r\nAfter the name is entered. Click the deploy button. Once done, make sure to click done at the top. Then, refresh the workbook so that the new DCR associated with the table appears in the list. Make sure to set the 'custom table exists' to yes.", "style": "upsell" }, "customWidth": "10", "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" } ], "name": "text - 20" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "bf01b101-a7fe-416a-b654-21b584d06b32", "linkTarget": "ArmAction", "linkLabel": "Deploy DCR", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{WSRG}/providers/Microsoft.Insights/dataCollectionRules/{newDCRName}?api-version=2022-06-01", "headers": [], "params": [], "body": "\r\n{\r\n \"location\": \"{WSLocation}\",\r\n \"properties\": {\r\n\t\t\"dataCollectionEndpointId\": \"{DCESelect}\",\r\n\t\t\"streamDeclarations\": {\r\n\t\t\t\"Custom-{checkedTableName}\": {\r\n\t\t\t\t\"columns\": {Schema}\r\n\t\t\t\t}\r\n\t\t},\r\n\t\t\"dataSources\": {},\r\n \"destinations\": {\r\n \"logAnalytics\": [\r\n {\r\n \"workspaceResourceId\": \"{Workspace}\",\r\n \"name\": \"destination\"\r\n }\r\n ]\r\n },\r\n \"dataFlows\": [\r\n {\r\n \"streams\": [\r\n \"Custom-{checkedTableName}\"\r\n ],\r\n \"destinations\": [\r\n \"destination\"\r\n ]\r\n }\r\n ]\r\n }\r\n}", "httpMethod": "PUT", "title": "Create New Data Collection Rule {newDCRName}?", "description": "Please review the information below to confirm 
that it is correct. If so, proceed with deploying the new DCR.\n\n```\n{\n \"location\": \"{WSLocation}\",\n \"properties\": {\n\t\t\"dataCollectionEndpointId\": \"{DCESelect}\",\n\t\t\"streamDeclarations\": {\n\t\t\t\"Custom-{checkedTableName}\": {\n\t\t\t\t\"columns\": {Schema}\n\t\t\t\t}\n\t\t},\n\t\t\"dataSources\": {},\n \"destinations\": {\n \"logAnalytics\": [\n {\n \"workspaceResourceId\": \"{Workspace}\",\n \"name\": \"destination\"\n }\n ]\n },\n \"dataFlows\": [\n {\n \"streams\": [\n \"Custom-{checkedTableName}\"\n ],\n \"destinations\": [\n \"destination\"\n ]\n }\n ]\n }\n}\n```\n\n", "actionName": "Deploying DCR {newDCRName}", "runLabel": "Deploy DCR" } }, { "id": "7d9f4869-c484-413b-b78c-bc9709cd73f2", "linkTarget": "OpenBlade", "linkLabel": "Confirm DCR Creation", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "AzureMonitoringBrowseBlade", "extensionName": "Microsoft_Azure_Monitoring", "bladeJsonParameters": "{\n \"menuId\": \"dataCollectionRules\"\n}" } } ] }, "conditionalVisibilities": [ { "parameterName": "Method", "comparison": "isEqualTo", "value": "API" }, { "parameterName": "NewTable", "comparison": "isNotEqualTo", "value": "Yes" } ], "name": "links - 20", "styleSettings": { "padding": "0px 0px 0px 20px" } }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "9cb8a4f1-5b94-48ea-9644-9f45ec0224e5", "version": "KqlParameterItem/1.0", "name": "DCR2", "label": "DCR To Use", "type": 5, "query": "resources\r\n| where type has 'microsoft.insights/dataCollectionRules'\r\n| where location == '{WSLocation}'\r\n| project id, name\r\n| order by tolower(name) asc", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": null } ], "style": "above", 
"queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibilities": [ { "parameterName": "tableExists", "comparison": "isNotEqualTo", "value": "No" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "parameters - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "1c633f6d-da86-4b38-9d46-376fd2d475f3", "version": "KqlParameterItem/1.0", "name": "DCRRG2", "type": 1, "query": "resources\r\n| where type has 'microsoft.insights/dataCollectionRules'\r\n| where id == '{DCR2}'\r\n| project RG = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, { "id": "8048b9ce-ef9a-44d8-8ef0-dddb9c9ef67f", "version": "KqlParameterItem/1.0", "name": "DCRFetch2", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{DCRRG2}/providers/Microsoft.Insights/dataCollectionRules/{DCR2:name}?api-version=2022-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "value": null }, { "id": "880eb2e0-e113-4c8b-8465-4743a3b07fa2", "version": "KqlParameterItem/1.0", "name": "DCRImmutableID", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{DCRRG2}/providers/Microsoft.Insights/dataCollectionRules/{DCR2:name}?api-version=2022-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties\",\"columns\":[{\"path\":\"$.immutableId\",\"columnid\":\"ImmutableId\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "value": null }, { "id": 
"b7e2c560-488e-4ec6-b395-ba68152f4003", "version": "KqlParameterItem/1.0", "name": "StreamName", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{DCRRG2}/providers/Microsoft.Insights/dataCollectionRules/{DCR2:name}?api-version=2022-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.dataFlows\",\"columns\":[{\"path\":\"$.streams[0]\",\"columnid\":\"StreamName\"}]}}]}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "value": null }, { "id": "376b375e-0e67-428d-85af-96f2941b2ad8", "version": "KqlParameterItem/1.0", "name": "FetchTableName", "type": 1, "isGlobal": true, "query": "print Stream = dynamic('{StreamName}')\r\n| project Table = split(Stream, '-')[1]", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "above", "queryType": 12 }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "parameters - 1" }, { "type": 1, "content": { "json": "### Now Editing: {DCR2:name}", "style": "info" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "Custom to Native Table" }, "name": "text - 16" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "c37715cc-5231-4223-8f02-143682d13495", "version": "KqlParameterItem/1.0", "name": "DCRFetch", "label": "DCR Body", "type": 1, "query": "print rule = dynamic({DCRFetch2})\r\n| evaluate bag_unpack(rule)\r\n| project-away defaultVisualization, etag, type, systemData\r\n| project properties = pack_all()", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "multiLineText": true, "editorLanguage": 
"json", "multiLineHeight": 30, "preFormatJsonData": true }, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "Custom to Native Table" }, "name": "DCR Body" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "1d19f441-66fc-43bb-96ef-997a3371e765", "linkTarget": "ArmAction", "linkLabel": "Deploy DCR Update", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{DCR2}?api-version=2021-09-01-preview", "headers": [], "params": [], "body": "{DCRFetch}", "httpMethod": "PUT", "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." } }, { "id": "e55733cc-c5e4-4b5a-adf7-d5fd857af7c2", "cellValue": "{DCR2}", "linkTarget": "Resource", "linkLabel": "Confirm Change", "subTarget": "exporttemplate", "style": "primary", "linkIsContextBlade": true } ] }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "Custom to Native Table" }, "name": "DCR Update" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "ASIM Table" }, "name": "Custom Tables" }, { "type": 1, "content": { "json": "### Please Note\r\n\r\nDespite the action being successful, the message will claim that it failed regardless. This is an unfortunate limit for some API actions where the portal does not understand how to return a successful call. It is recommended that the 'confirm creation' buttons are used to confirm resource creation. 
It may take a minute or two for the change to appear in the UI.", "style": "warning" }, "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, { "parameterName": "tableExists", "comparison": "isEqualTo", "value": "No" } ], "name": "text - 19" }, { "type": 1, "content": { "json": "### Help\r\n\r\nThe UI Only option generates a UI-only template that contains no data ingestion architecture, because it assumes a data stream already exists. The UI-only template simply adds a connector to the Microsoft Sentinel data connector list and queries the workspace to confirm that data is arriving.\r\n\r\nSince a connector produced with this option needs neither a data collection rule nor a data collection endpoint, none needs to be selected here. Configuration begins in the Connector Summary tab.", "style": "warning" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "text - 7" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "## This section is not fully developed. 
Please do not use it as it does not work.", "style": "error" }, "name": "text - 13" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "cfe4f7aa-d553-4944-9a52-0f88cbe5dd82", "version": "KqlParameterItem/1.0", "name": "dceExists", "label": "DCE Already Exists?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "No" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "DCECheck" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "d2c213b0-c3be-4bc5-b9e6-360062fa5853", "linkTarget": "OpenBlade", "linkLabel": "Create New DCE", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "CreateDataCollectionEndpointViewModel", "extensionName": "Microsoft_Azure_Monitoring", "bladeParameters": [] } } ] }, "conditionalVisibility": { "parameterName": "dceExists", "comparison": "isEqualTo", "value": "No" }, "name": "links - 6 - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "1f103018-23bb-43bf-aa0e-4fd1a8e53427", "version": "KqlParameterItem/1.0", "name": "DCE", "label": "DCE to Use", "type": 5, "query": "resources\r\n| where type == 'microsoft.insights/datacollectionendpoints'\r\n| where location == '{WSLocation}'\r\n| project id, name\r\n| order by name asc", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": null } ], "style": "above", "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibility": { "parameterName": "dceExists", "comparison": 
"isEqualTo", "value": "Yes" }, "name": "parameters - 12" }, { "type": 1, "content": { "json": "----------------------------" }, "name": "text - 10" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "64e9a6fe-0d5d-4c82-aa35-afd691dc2309", "version": "KqlParameterItem/1.0", "name": "dcrExists", "label": "DCR Already Exists?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "Yes" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "DCRCheck" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "18dae657-8094-4596-bd3c-db4ffb732ed2", "linkTarget": "OpenBlade", "linkLabel": "Create New DCR", "style": "primary", "linkIsContextBlade": true, "bladeOpenContext": { "bladeName": "CreateDataCollectionRulesViewModel", "extensionName": "Microsoft_Azure_Monitoring", "bladeParameters": [] } } ] }, "conditionalVisibility": { "parameterName": "dcrExists", "comparison": "isEqualTo", "value": "No" }, "name": "links - 6" }, { "type": 1, "content": { "json": "-----------------------------" }, "name": "text - 11" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "9cb8a4f1-5b94-48ea-9644-9f45ec0224e5", "version": "KqlParameterItem/1.0", "name": "DCR", "label": "DCR To Use", "type": 5, "query": "resources\r\n| where type has 'microsoft.insights/dataCollectionRules'\r\n| where location == '{WSLocation}'\r\n| project name\r\n| order by tolower(name) asc", "crossComponentResources": [ "{Subscription}" ], "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "timeContext": { "durationMs": 86400000 }, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", "value": null } ], "style": "formVertical", "queryType": 1, 
"resourceType": "microsoft.resourcegraph/resources" }, "conditionalVisibility": { "parameterName": "dcrExists", "comparison": "isEqualTo", "value": "Yes" }, "name": "parameters - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "9e4b8161-d708-41fe-9c66-3916bb98c51e", "version": "KqlParameterItem/1.0", "name": "ASIMTables", "label": "Destination ASIM Table", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"ASimAuditEventLogs\", \"ASimAuthenticationEventLogs\", \"ASimDnsActivityLogs\", \"ASimNetworkSessionLogs\", \"ASimWebSessionLogs\"]", "timeContext": { "durationMs": 86400000 }, "value": "ASimAuditEventLogs" }, { "id": "dd930827-39e4-44a5-8e15-7ba8c66aa782", "version": "KqlParameterItem/1.0", "name": "AuditSchema", "type": 1, "query": "let Audit = datatable(Column:string, Class:string, Type:string, Description:string)[\r\n \"EventMessage\", \"Optional\", \"string\", \"A general message or description, either included in or generated from the record.\",\r\n \"EventCount\", \"Mandatory\", \"int\", \"The number of events described by the record.\",\r\n \"EventStartTime\", \"Mandatory\", \"datetime\", \"The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.\",\r\n \"EventEndTime\", \"Mandatory\", \"datetime\", \"The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.\",\r\n \"EventType\", \"Mandatory\", \"string\", \"Describes the operation reported by the record. Each schema documents the list of values valid for this field. 
The original, source specific, value is stored in the EventOriginalType field.\",\r\n \"EventSubType\", \"Optional\", \"string\", \"Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field.\",\r\n \"EventResult\", \"Mandatory\", \"string\", \"One of the following values: Success, Partial, Failure, NA (Not Applicable). The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value.\",\r\n \"EventResultDetails\", \"Recommended\", \"string\", \"Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field.\",\r\n \"EventUid\", \"Recommended\", \"string\", \"The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the _ItemId Log Analytics field.\",\r\n \"EventOriginalUid\", \"Optional\", \"string\", \"A unique ID of the original record, if provided by the source.\",\r\n \"EventOriginalType\", \"Optional\", \"string\", \"The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. 
This value is used to derive EventType, which should have only one of the values documented for each schema.\"\r\n];\r\nAudit\r\n| extend bag = bag_pack(Column, Class, Type, Description)\r\n| summarize schema = make_bag(bag)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "76ba5879-9148-4aaa-aa31-287f2b41afbc", "version": "KqlParameterItem/1.0", "name": "AuthenticationSchema", "type": 1, "query": "let Authentication = datatable(Column:string, Class:string, Type:string, Description:string)[\r\n \"This\", \"is\", \"for\", \"authentication\"\r\n];\r\nAuthentication", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "a75c9b25-0715-4776-8a42-bf55bbccf6fe", "version": "KqlParameterItem/1.0", "name": "ASIMSchema", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "ASIMTables", "operator": "==", "rightValType": "static", "rightVal": "ASimAuditEventLogs", "resultValType": "param", "resultVal": "AuditSchema" } }, { "criteriaContext": { "leftOperand": "ASIMTables", "operator": "==", "rightValType": "static", "rightVal": "ASimAuthenticationEventLogs", "resultValType": "param", "resultVal": "AuthenticationSchema" } }, { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "param" } } ], "timeContext": { "durationMs": 86400000 } } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 12" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "print schema = dynamic('{ASIMSchema}')", "size": 0, "title": "Schema for {ASIMTables}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, 
"resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "50", "name": "query - 13" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Subscription}" ], "parameters": [ { "id": "1c633f6d-da86-4b38-9d46-376fd2d475f3", "version": "KqlParameterItem/1.0", "name": "DCRRG", "type": 1, "query": "resources\r\n| where type has 'microsoft.insights/dataCollectionRules'\r\n| where location == '{WSLocation}'\r\n| where name has '{DCR}'\r\n| project RG = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)", "crossComponentResources": [ "{Subscription}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 1 }, { "id": "8048b9ce-ef9a-44d8-8ef0-dddb9c9ef67f", "version": "KqlParameterItem/1.0", "name": "DCRFetch", "type": 1, "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{DCRRG}/providers/Microsoft.Insights/dataCollectionRules/{DCR}?api-version=2022-06-01\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 12, "value": null } ], "style": "above", "queryType": 1, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "c37715cc-5231-4223-8f02-143682d13495", "version": "KqlParameterItem/1.0", "name": "DCRFetch", "label": "DCR Body", "type": 1, "query": "print dynamic({DCRFetch})", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30, "preFormatJsonData": true }, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": null } ], "style": "above", 
"queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "DCR Body" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "list", "links": [ { "id": "1d19f441-66fc-43bb-96ef-997a3371e765", "linkTarget": "ArmAction", "linkLabel": "Deploy DCR Update", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{DCRG}/providers/Microsoft.Insights/dataCollectionRules/{name}?api-version=2021-09-01-preview", "headers": [], "params": [], "body": "{DCRFetch}", "httpMethod": "PUT", "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." } } ] }, "conditionalVisibility": { "parameterName": "streams", "comparison": "isEqualTo", "value": "Yes" }, "name": "DCR Update" } ] }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "ASIM Table" }, "name": "ASIM" } ], "exportParameters": true }, "name": "Data Collection Rules and Endpoint", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "# ↓" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "text - 5" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "ASIM Configuration", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "d0df8e0f-ea3a-43d3-86fa-50f2cb72cdb7", "version": "KqlParameterItem/1.0", "name": "Schema", "type": 2, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Audit\", \"Authentication\", \"DNS\", \"DHCP\", \"File Event\", \"Network Session\", \"Process Event Schema\", \"Registry Event\", \"User Management\", \"Web Session\"]", "timeContext": { "durationMs": 86400000 }, "value": "Web Session" } ], "style": "above", "queryType": 0, 
"resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{FetchTableName}\r\n| getschema\r\n| project-away ColumnOrdinal", "size": 2, "title": "Schema for {FetchTableName}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "name": "query - 2" }, { "type": 1, "content": { "json": "
\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n# +" }, "customWidth": "5", "name": "text - 4" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let audit = datatable(Field:string, Class:string, Type:string)[\r\n \"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n 
\"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"Operation\", \"Required\", \"String\",\r\n \"Object\", \"Required\", \"String\",\r\n \"ObjectType\", \"Required\", \"Enumerated\",\r\n \"OldValue\", \"Optional\", \"String\",\r\n \"NewValue\", \"Optional\", \"String\",\r\n \"ValueType\", \"Optional\", \"Enumerated\",\r\n \"ActorUserId\", \"Optional\", \"String\",\r\n \"ActorScope\", \"Optional\", \"String\",\r\n \"ActorScopeId\", \"Optional\", \"String\",\r\n \"User\", \"Optional\", \"String\",\r\n \"ActorUserIdType\", \"Optional\", \"String\",\r\n \"ActorUsername\", \"Recommended\", \"String\",\r\n \"ActorUsernameType\", \"Optional\", \"String\",\r\n \"ActorUserType\", \"Optional\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"TargetAppId\", \"Optional\", \"String\",\r\n \"TargetAppName\", \"Optional\", \"String\",\r\n \"Application\", \"Optional\", \"String\",\r\n \"TargetAppType\", \"Optional\", \"String\",\r\n \"TargetUrl\", \"Optional\", \"String\",\r\n \"Dst\", \"Optional\", \"String\",\r\n \"TargetHostname\", \"Recommended\", \"String\",\r\n \"TargetDomain\", \"Recommended\", \"String\",\r\n \"TargetDomainType\", \"Optional\", \"Enumerated\",\r\n \"TargetFQDN\", \"Optional\", \"String\",\r\n \"TargetDescription\", \"Optional\", \"String\",\r\n \"TargetDvcScopeId\", \"Optional\", \"String\",\r\n \"TargetDvcScope\", \"Optional\", \"String\",\r\n \"TargetDvcIdType\", \"Optional\", \"String\",\r\n \"TargetDeviceType\", \"Optional\", \"Enumerated\",\r\n \"TargetIpAddr\", \"Recommended\", \"String\",\r\n \"TargetDvcOs\", \"Optional\", \"String\",\r\n \"TargetPortNumber\", \"Optional\", \"Int\",\r\n \"ActingAppId\", \"Optional\", \"String\",\r\n \"ActingAppName\", \"Optional\", \"String\",\r\n \"ActingAppType\", \"Optional\", \"String\",\r\n 
\"HttpUserAgent\", \"Optional\", \"String\",\r\n \"Src\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"SrcPortNumber\", \"Optional\", \"Integer\",\r\n \"SrcHostname\", \"Recommended\", \"String\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcSubscriptionId\", \"Optional\", \"String\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"RuleName\", \"Optional\", \"String\",\r\n \"RuleNumber\", \"Optional\", \"Int\",\r\n \"Rule\", \"Optional\", \"String\",\r\n \"ThreatId\", \"Optional\", \"String\",\r\n \"ThreatName\", \"Optional\", \"String\",\r\n \"ThreatCategory\", \"Optional\", \"String\",\r\n \"ThreatRiskLevel\", \"Optional\", \"Int\",\r\n \"ThreatOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"ThreatConfidence\", \"Optional\", \"Int\",\r\n \"ThreatOriginalConfidence\", \"Optional\", \"String\",\r\n \"ThreatIsActive\", \"Optional\", \"Boolean\",\r\n \"ThreatFirstReportedTime\", \"Optional\", \"Datetime\", \r\n \"ThreatLastReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatIpAddr\", \"Optional\", \"String\",\r\n \"ThreatField\", \"Optional\", \"Enumerated\"\r\n];\r\naudit\r\n| order by Field asc", "size": 2, "title": "Schema Options for Audit", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { 
"parameterName": "Schema", "comparison": "isEqualTo", "value": "Audit" }, "name": "asimaudit" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let auth = datatable(Field:string, Class:string, Type:string)[\r\n \"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n 
\"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"LogonMethod\", \"Optional\", \"String\",\r\n \"LogonProtocol\", \"Optional\", \"String\",\r\n \"ActorUserId\", \"Optional\", \"String\",\r\n \"ActorScope\", \"Optional\", \"String\",\r\n \"ActorScopeId\", \"Optional\", \"String\",\r\n \"ActorUserIdType\", \"Optional\", \"String\",\r\n \"ActorUsername\", \"Optional\", \"String\",\r\n \"ActorUsernameType\", \"Optional\", \"String\",\r\n \"ActorUserType\", \"Optional\", \"String\",\r\n \"ActorOriginalUserType\", \"Optional\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"ActingAppId\", \"Optional\", \"String\",\r\n \"ActingAppName\", \"Optional\", \"String\",\r\n \"ActingAppType\", \"Optional\", \"String\",\r\n \"HttpUserAgent\", \"Optional\", \"String\",\r\n \"TargetUserId\", \"Optional\", \"UserId\",\r\n \"TargetUserScope\", \"Optional\", \"String\",\r\n \"TargetUserScopeId\", \"Optional\", \"String\",\r\n \"TargetUserIdType\", \"Optional\", \"String\",\r\n \"TargetUsername\", \"Optional\", \"String\",\r\n \"TargetUsernameType\", \"Optional\", \"String\",\r\n \"TargetUserType\", \"Optional\", \"String\",\r\n \"TargetSessionId\", \"Optional\", \"String\",\r\n \"TargetOriginalUserType\", \"Optional\", \"String\",\r\n \"User\", \"Recommended\", \"String\",\r\n \"Src\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"SrcPortNumber\", \"Optional\", \"Integer\",\r\n \"SrcHostname\", \"Recommended\", \"String\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", 
\"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcSubscriptionId\", \"Optional\", \"String\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"SrcGeoLatitude\", \"Optional\", \"String\",\r\n \"SrcRiskLevel\", \"Optional\", \"Int\",\r\n \"SrcOriginalRiskLevel\", \"Optional\", \"Int\",\r\n \"TargetAppId\", \"Optional\", \"String\",\r\n \"TargetAppName\", \"Optional\", \"String\",\r\n \"TargetAppType\", \"Optional\", \"String\",\r\n \"TargetUrl\", \"Optional\", \"String\",\r\n \"LogonTarget\", \"Optional\", \"String\",\r\n \"Dst\", \"Optional\", \"String\",\r\n \"TargetHostname\", \"Recommended\", \"String\",\r\n \"TargetDomain\", \"Recommended\", \"String\",\r\n \"TargetDomainType\", \"Optional\", \"Enumerated\",\r\n \"TargetFQDN\", \"Optional\", \"String\",\r\n \"TargetDescription\", \"Optional\", \"String\",\r\n \"TargetDvcScopeId\", \"Optional\", \"String\",\r\n \"TargetDvcScope\", \"Optional\", \"String\",\r\n \"TargetDvcIdType\", \"Optional\", \"String\",\r\n \"TargetDeviceType\", \"Optional\", \"Enumerated\",\r\n \"TargetIpAddr\", \"Recommended\", \"String\",\r\n \"TargetDvcOs\", \"Optional\", \"String\",\r\n \"TargetPortNumber\", \"Optional\", \"Int\",\r\n \"TargetGeoCountry\", \"Optional\", \"String\",\r\n \"TargetGeoRegion\", \"Optional\", \"String\",\r\n \"TargetGeoCity\", \"Optional\", \"String\",\r\n \"TargetGeoLatitude\", \"Optional\", \"String\",\r\n \"TargetGeoLongitude\", \"Optional\", \"String\",\r\n \"TargetRiskLevel\", \"Optional\", \"Int\",\r\n \"TargetOriginalRiskLevel\", \"Optional\", \"Int\",\r\n \"RuleName\", \"Optional\", \"String\",\r\n \"RuleNumber\", \"Optional\", \"Int\",\r\n \"Rule\", \"Optional\", \"String\",\r\n \"ThreatId\", \"Optional\", \"String\",\r\n \"ThreatName\", 
\"Optional\", \"String\",\r\n \"ThreatCategory\", \"Optional\", \"String\",\r\n \"ThreatRiskLevel\", \"Optional\", \"Int\",\r\n \"ThreatOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"ThreatConfidence\", \"Optional\", \"Int\",\r\n \"ThreatOriginalConfidence\", \"Optional\", \"String\",\r\n \"ThreatIsActive\", \"Optional\", \"Boolean\",\r\n \"ThreatFirstReportedTime\", \"Optional\", \"Datetime\", \r\n \"ThreatLastReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatIpAddr\", \"Optional\", \"String\",\r\n \"ThreatField\", \"Optional\", \"Enumerated\"\r\n];\r\nauth\r\n| order by Field asc", "size": 2, "title": "Schema Options for Auth", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Authentication" }, "name": "asimauth" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let dns = datatable(Field:string, Class:string, Type:string)[\r\n \"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", 
\"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"starttime\", \"Recommended\", \"Datetime\",\r\n \"endtime\", \"Recommended\", \"Datetime\",\r\n \"Src\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"SrcPortNumber\", \"Optional\", \"Int\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"SrcGeoLatitude\", \"Optional\", \"String\",\r\n \"SrcRiskLevel\", \"Optional\", \"Int\",\r\n \"SrcOriginalRiskLevel\", \"Optional\", \"Int\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n 
\"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcUserId\", \"Optional\", \"String\",\r\n \"SrcUserScope\", \"Optional\", \"String\",\r\n \"SrcUserScopeId\", \"Optional\", \"String\",\r\n \"SrcUserIdType\", \"Optional\", \"String\",\r\n \"SrcUsername\", \"Optional\", \"String\",\r\n \"SrcUsernameType\", \"Optional\", \"String\",\r\n \"User\", \"Recommended\", \"String\",\r\n \"SrcUserType\", \"Optional\", \"String\",\r\n \"SrcUserSessionId\", \"Optional\", \"String\",\r\n \"SrcOriginalUserType\", \"Optional\", \"String\",\r\n \"SrcProcessName\", \"Optional\", \"String\",\r\n \"Process\", \"Recommended\", \"String\",\r\n \"SrcProcessId\", \"Optional\", \"String\",\r\n \"SrcProcessGuid\", \"Optional\", \"String\",\r\n \"Dst\", \"Optional\", \"String\",\r\n \"DstIpAddr\", \"Optional\", \"String\",\r\n \"DstGeoCountry\", \"Optional\", \"String\",\r\n \"DstGeoRegion\", \"Optional\", \"String\",\r\n \"DstGeoCity\", \"Optional\", \"String\",\r\n \"DstGeoLatitude\", \"Optional\", \"String\",\r\n \"DstGeoLongitude\", \"Optional\", \"String\",\r\n \"DstRiskLevel\", \"Optional\", \"Int\",\r\n \"DstOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"DstPortNumber\", \"Optional\", \"Int\",\r\n \"DstHostname\", \"Optional\", \"String\",\r\n \"DstDomain\", \"Optional\", \"String\",\r\n \"DstDomainType\", \"Optional\", \"String\",\r\n \"DstFQDN\", \"Optional\", \"String\",\r\n \"DstDvcId\", \"Optional\", \"String\",\r\n \"DstDvcScopeId\", \"Optional\", \"String\",\r\n \"DstDvcScope\", \"Optional\", \"String\",\r\n \"DstDvcIdType\", \"Optional\", \"String\",\r\n \"DstDeviceType\", \"Optional\", \"String\",\r\n \"DstDescription\", \"Optional\", \"String\",\r\n \"DnsQuery\", \"Required\", \"String\",\r\n \"Domain\", \"Optional\", \"String\",\r\n \"DnsQueryType\", \"Optional\", \"Int\",\r\n \"DnsQueryTypeName\", \"Recommended\", 
\"String\",\r\n \"DnsResponseName\", \"Optional\", \"String\",\r\n \"DnsResponseCodeName\", \"Optional\", \"String\",\r\n \"DnsResponseCode\", \"Optional\", \"Int\",\r\n \"TransactionIdHex\", \"Recommended\", \"String\",\r\n \"NetworkProtocol\", \"Optional\", \"String\",\r\n \"NetworkProtocolVersion\", \"Optional\", \"String\",\r\n \"DnsQueryClass\", \"Optional\", \"Int\",\r\n \"DnsQueryClassName\", \"Optional\", \"String\",\r\n \"DnsFlags\", \"Optional\", \"String\",\r\n \"DnsNetworkDuration\", \"Optional\", \"Int\",\r\n \"Duration\", \"Optional\", \"Int\",\r\n \"DnsFlagsAuthenticated\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsAuthoritative\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsCheckingDisabled\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsRecursionAvailable\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsRecursionDesired\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsTruncated\", \"Optional\", \"Boolean\",\r\n \"DnsFlagsZ\", \"Optional\", \"Boolean\",\r\n \"DnsSessionId\", \"Optional\", \"String\",\r\n \"SessionId\", \"Optional\", \"String\",\r\n \"DnsResponseIpCountry\", \"Optional\", \"String\",\r\n \"DnsResponseIpRegion\", \"Optional\", \"String\",\r\n \"DnsResponseIpCity\", \"Optional\", \"String\",\r\n \"DnsResponseIpLatitude\", \"Optional\", \"String\",\r\n \"DnsResponseIpLongitude\", \"Optional\", \"String\",\r\n \"UrlCategory\", \"Optional\", \"String\",\r\n \"DomainCategory\", \"Optional\", \"String\",\r\n \"NetworkRuleName\", \"Optional\", \"String\",\r\n \"NetworkRuleNumber\", \"Optional\", \"Int\",\r\n \"Rule\", \"Optional\", \"String\",\r\n \"ThreatId\", \"Optional\", \"String\",\r\n \"ThreatName\", \"Optional\", \"String\",\r\n \"ThreatCategory\", \"Optional\", \"String\",\r\n \"ThreatRiskLevel\", \"Optional\", \"Int\",\r\n \"ThreatOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"ThreatConfidence\", \"Optional\", \"Int\",\r\n \"ThreatOriginalConfidence\", \"Optional\", \"String\",\r\n \"ThreatIsActive\", \"Optional\", \"Boolean\",\r\n 
\"ThreatFirstReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatLastReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatIpAddr\", \"Optional\", \"String\",\r\n \"ThreatField\", \"Optional\", \"Enumerated\"\r\n];\r\ndns\r\n| order by Field asc", "size": 2, "title": "Schema Options for DNS", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "DNS" }, "name": "asimdns" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let dhcp = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", 
\"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"RequestedIpAddr\", \"Optional\", \"String\",\r\n \"SrcHostname\", \"Optional\", \"String\",\r\n \"Hostname\", \"Optional\", \"String\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcUserId\", \"Optional\", \"String\",\r\n \"SrcUserScope\", \"Optional\", \"String\",\r\n \"SrcUserScopeId\", \"Optional\", \"String\",\r\n \"SrcUserIdType\", \"Optional\", \"String\",\r\n \"SrcUsername\", \"Optional\", \"String\",\r\n \"SrcUsernameType\", \"Optional\", \"String\",\r\n \"Username\", \"Recommended\", \"String\",\r\n \"SrcUserType\", \"Optional\", \"String\",\r\n \"SrcUserSessionId\", \"Optional\", \"String\",\r\n \"SrcOriginalUserType\", \"Optional\", \"String\",\r\n \"SrcMacAddr\", 
\"Required\", \"String\",\r\n \"DhcpLeaseDuration\", \"Optional\", \"Int\",\r\n \"DhcpSessionId\", \"Optional\", \"String\",\r\n \"SessionId\", \"Optional\", \"String\",\r\n \"DhcpSessionDuration\", \"Optional\", \"Int\",\r\n \"Duration\", \"Optional\", \"Int\",\r\n \"DhcpSrcDHCId\", \"Optional\", \"String\",\r\n \"DhcpCircuitId\", \"Optional\", \"String\",\r\n \"DhcpSubscriberId\", \"Optional\", \"String\",\r\n \"DhcpVendorClassId\", \"Optional\", \"String\",\r\n \"DhcpVendorClass\", \"Optional\", \"String\",\r\n \"DhcpUserClassId\", \"Optional\", \"String\",\r\n \"DhcpUserClass\", \"Optional\", \"String\"\r\n];\r\ndhcp\r\n| order by Field asc", "size": 2, "title": "Schema Options for DHCP", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "DHCP" }, "name": "asimdhcp" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let file = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", 
\"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"TargetFileCreationTime\", \"Optional\", \"Datetime\",\r\n \"TargetFileDirectory\", \"Optional\", \"String\",\r\n \"TargetFileExtension\", \"Optional\", \"String\",\r\n \"TargetFileMimeType\", \"Optional\", \"String\",\r\n \"TargetFileName\", \"Optional\", \"String\",\r\n \"FileName\", \"Optional\", \"String\",\r\n \"TargetFilePath\", \"Required\", \"String\",\r\n \"TargetFilePathType\", \"Required\", \"String\",\r\n \"FilePath\", \"Optional\", \"String\",\r\n \"TargetFileMD5\", \"Optional\", \"Hash\",\r\n \"TargetFileSHA1\", \"Optional\", \"Hash\",\r\n \"TargetFileSHA256\", \"Optional\", \"Hash\",\r\n \"TargetFileSHA512\", \"Optional\", \"Hash\",\r\n \"Hash\", \"Optional\", \"Hash\",\r\n \"HashType\", \"Recommended\", \"String\",\r\n 
\"TargetFileSize\", \"Optional\", \"Long\",\r\n \"SrcFileCreationTime\", \"Optional\", \"Datetime\",\r\n \"SrcFileDirectory\", \"Optional\", \"String\",\r\n \"SrcFileExtension\", \"Optional\", \"String\",\r\n \"SrcFileMimeType\", \"Optional\", \"String\",\r\n \"SrcFileName\", \"Recommended\", \"String\",\r\n \"SrcFilePath\", \"Recommended\", \"String\",\r\n \"SrcFilePathType\", \"Recommended\", \"String\",\r\n \"SrcFileMD5\", \"Optional\", \"Hash\",\r\n \"SrcFileSHA1\", \"Optional\", \"Hash\",\r\n \"SrcFileSHA256\", \"Optional\", \"Hash\",\r\n \"SrcFileSHA512\", \"Optional\", \"Hash\",\r\n \"SrcFileSize\", \"Optional\", \"Long\",\r\n \"ActorUserId\", \"Optional\", \"String\",\r\n \"ActorScope\", \"Optional\", \"String\",\r\n \"ActorScopeId\", \"Optional\", \"String\",\r\n \"ActorUserIdType\", \"Optional\", \"String\",\r\n \"ActorUsername\", \"Optional\", \"String\",\r\n \"User\", \"Optional\", \"String\",\r\n \"ActorUsernameType\", \"Optional\", \"String\",\r\n \"ActorUserType\", \"Optional\", \"String\",\r\n \"ActorOriginalUserType\", \"Optional\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"ActingProcessCommandLine\", \"Optional\", \"String\",\r\n \"ActingProcessName\", \"Optional\", \"String\",\r\n \"Process\", \"Optional\", \"String\",\r\n \"ActingProcessId\", \"Optional\", \"String\",\r\n \"ActingProcessGuid\", \"Optional\", \"String\",\r\n \"Src\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"SrcPortNumber\", \"Optional\", \"Int\",\r\n \"SrcHostname\", \"Recommended\", \"String\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", 
\"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcSubscriptionId\", \"Optional\", \"String\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"SrcGeoLatitude\", \"Optional\", \"String\",\r\n \"HttpUserAgent\", \"Optional\", \"String\",\r\n \"NetworkApplicationProtocol\", \"Optional\", \"String\",\r\n \"TargetAppName\", \"Optional\", \"String\",\r\n \"Application\", \"Optional\", \"String\",\r\n \"TargetAppId\", \"Optional\", \"String\",\r\n \"TargetAppType\", \"Optional\", \"String\",\r\n \"TargetUrl\", \"Optional\", \"String\",\r\n \"Url\", \"Optional\", \"String\",\r\n \"Rule\", \"Optional\", \"String\",\r\n \"ThreatId\", \"Optional\", \"String\",\r\n \"ThreatName\", \"Optional\", \"String\",\r\n \"ThreatCategory\", \"Optional\", \"String\",\r\n \"ThreatRiskLevel\", \"Optional\", \"Int\",\r\n \"ThreatOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"ThreatConfidence\", \"Optional\", \"Int\",\r\n \"ThreatOriginalConfidence\", \"Optional\", \"String\",\r\n \"ThreatIsActive\", \"Optional\", \"Boolean\",\r\n \"ThreatFirstReportedTime\", \"Optional\", \"Datetime\", \r\n \"ThreatLastReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatFilePath\", \"Optional\", \"String\",\r\n \"RuleNumber\", \"Optional\", \"Int\"\r\n];\r\nfile\r\n| order by Field asc", "size": 2, "title": "Schema Options for File Event", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "File Event" }, "name": "asimfile" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let network = datatable(Field:string, Class:string, Type:string)[\r\n \"EventType\", \"Required\", \"Enumerated\",\r\n 
\"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n 
\"NetworkApplicationProtocol\", \"Optional\", \"String\",\r\n \"NetworkProtocol\", \"Optional\", \"String\",\r\n \"NetworkProtocolVersion\", \"Optional\", \"String\",\r\n \"NetworkDirection\", \"Optional\", \"String\",\r\n \"NetworkDuration\", \"Optional\", \"Int\",\r\n \"Duration\", \"Optional\", \"Int\",\r\n \"NetworkIcmpType\", \"Optional\", \"String\",\r\n \"NetworkIcmpCode\", \"Optional\", \"Int\",\r\n \"NetworkConnectionHistory\", \"Optional\", \"String\",\r\n \"DstBytes\", \"Recommended\", \"Long\",\r\n \"SrcBytes\", \"Recommended\", \"Long\",\r\n \"NetworkBytes\", \"Optional\", \"Long\",\r\n \"DstPackets\", \"Optional\", \"Long\",\r\n \"SrcPackets\", \"Optional\", \"Long\",\r\n \"NetworkPackets\", \"Optional\", \"Long\",\r\n \"NetworkSessionId\", \"Optional\", \"String\",\r\n \"SessionId\", \"Optional\", \"String\",\r\n \"TcpFlagsAck\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsFin\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsSyn\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsUrg\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsPsh\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsRst\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsEce\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsCwr\", \"Optional\", \"Boolean\",\r\n \"TcpFlagsNs\", \"Optional\", \"Boolean\",\r\n \"OuterVlanId\", \"Optional\", \"String\",\r\n \"DstSubscriptionId\", \"Optional\", \"String\",\r\n \"DstGeoCountry\", \"Optional\", \"String\",\r\n \"DstGeoRegion\", \"Optional\", \"String\",\r\n \"DstGeoCity\", \"Optional\", \"String\",\r\n \"DstGeoLatitude\", \"Optional\", \"String\",\r\n \"DstGeoLongitude\", \"Optional\", \"String\",\r\n \"DstUserId\", \"Optional\", \"String\",\r\n \"DstUserScope\", \"Optional\", \"String\",\r\n \"DstUserScopeId\", \"Optional\", \"String\",\r\n \"DstUserIdType\", \"Optional\", \"String\",\r\n \"DstUsername\", \"Optional\", \"String\",\r\n \"User\", \"Recommended\", \"String\",\r\n \"DstUsernameType\", \"Optional\", \"String\",\r\n \"DstUserType\", \"Optional\", \"String\",\r\n 
\"DstOriginalUserType\", \"Optional\", \"String\",\r\n \"DstAppName\", \"Optional\", \"String\",\r\n \"DstAppId\", \"Optional\", \"String\",\r\n \"DstAppType\", \"Optional\", \"String\",\r\n \"DstProcessName\", \"Optional\", \"String\",\r\n \"Process\", \"Recommended\", \"String\",\r\n \"DstProcessId\", \"Optional\", \"String\",\r\n \"DstProcessGuid\", \"Optional\", \"String\",\r\n \"Src\", \"Optional\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"SrcPortNumber\", \"Optional\", \"Int\",\r\n \"SrcHostname\", \"Recommended\", \"String\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"SrcGeoLatitude\", \"Optional\", \"String\",\r\n \"SrcRiskLevel\", \"Optional\", \"Int\",\r\n \"SrcOriginalRiskLevel\", \"Optional\", \"Int\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Optional\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDescription\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcZone\", \"Optional\", \"String\",\r\n \"SrcInterfaceName\", \"Optional\", \"String\",\r\n \"SrcInterfaceGuid\", \"Optional\", \"String\",\r\n \"SrcMacAddr\", \"Optional\", \"String\",\r\n \"SrcVlanId\", \"Optional\", \"String\",\r\n \"InnerVlanId\", \"Optional\", \"String\",\r\n \"SrcSubscriptionId\", \"Optional\", \"String\",\r\n \"SrcUserId\", \"Optional\", \"String\",\r\n \"SrcUserScope\", \"Optional\", \"String\",\r\n \"SrcUserScopeId\", \"Optional\", \"String\",\r\n \"SrcUserIdType\", \"Optional\", \"String\",\r\n \"SrcUsername\", 
\"Optional\", \"String\",\r\n \"SrcUsernameType\", \"Optional\", \"String\",\r\n \"SrcUserType\", \"Optional\", \"String\",\r\n \"SrcAppName\", \"Optional\", \"String\",\r\n \"SrcAppId\", \"Optional\", \"String\",\r\n \"SrcAppType\", \"Optional\", \"String\",\r\n \"SrcProcessName\", \"Optional\", \"String\",\r\n \"SrcProcessId\", \"Optional\", \"String\",\r\n \"SrcProcessGuid\", \"Optional\", \"String\",\r\n \"DstNatIpAddr\", \"Optional\", \"String\",\r\n \"DstNatPortNumber\", \"Optional\", \"Int\",\r\n \"SrcNatIpAddr\", \"Optional\", \"String\",\r\n \"SrcNatPortNumber\", \"Optional\", \"Int\",\r\n \"DvcInboundInterface\", \"Optional\", \"String\",\r\n \"DvcOutboundInterface\", \"Optional\", \"String\",\r\n \"NetworkRuleName\", \"Optional\", \"String\",\r\n \"NetworkRuleNumber\", \"Optional\", \"Int\",\r\n \"Dst\", \"Recommended\", \"String\",\r\n \"DstIpAddr\", \"Recommended\", \"String\",\r\n \"DstGeoCountry\", \"Optional\", \"String\",\r\n \"DstGeoRegion\", \"Optional\", \"String\",\r\n \"DstGeoCity\", \"Optional\", \"String\",\r\n \"DstGeoLatitude\", \"Optional\", \"String\",\r\n \"DstGeoLongitude\", \"Optional\", \"String\",\r\n \"DstRiskLevel\", \"Optional\", \"Int\",\r\n \"DstOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"DstPortNumber\", \"Optional\", \"Int\",\r\n \"DstHostname\", \"Recommended\", \"String\",\r\n \"DstDomain\", \"Recommended\", \"String\",\r\n \"DstDomainType\", \"Optional\", \"String\",\r\n \"DstFQDN\", \"Optional\", \"String\",\r\n \"DstDvcId\", \"Optional\", \"String\",\r\n \"DstDvcScopeId\", \"Optional\", \"String\",\r\n \"DstDvcScope\", \"Optional\", \"String\",\r\n \"DstDvcIdType\", \"Optional\", \"String\",\r\n \"DstDeviceType\", \"Optional\", \"String\",\r\n \"DstDescription\", \"Optional\", \"String\",\r\n \"DstZone\", \"Optional\", \"String\",\r\n \"DstInterfaceName\", \"Optional\", \"String\",\r\n \"DstInterfaceGuid\", \"Optional\", \"String\",\r\n \"DstMacAddr\", \"Optional\", 
\"String\",\r\n \"DstVlanId\", \"Optional\", \"String\",\r\n \"Rule\", \"Recommended\", \"String\",\r\n \"ThreatId\", \"Optional\", \"String\",\r\n \"ThreatName\", \"Optional\", \"String\",\r\n \"ThreatCategory\", \"Optional\", \"String\",\r\n \"ThreatRiskLevel\", \"Optional\", \"Int\",\r\n \"ThreatOriginalRiskLevel\", \"Optional\", \"String\",\r\n \"ThreatIpAddr\", \"Optional\", \"String\",\r\n \"ThreatField\", \"Optional\", \"Enumerated\",\r\n \"ThreatConfidence\", \"Optional\", \"Int\",\r\n \"ThreatOriginalConfidence\", \"Optional\", \"String\",\r\n \"ThreatIsActive\", \"Optional\", \"Boolean\",\r\n \"ThreatFirstReportedTime\", \"Optional\", \"Datetime\",\r\n \"ThreatLastReportedTime\", \"Optional\", \"Datetime\"\r\n];\r\nnetwork\r\n| order by Field asc", "size": 2, "title": "Schema Options for Network Session", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Network Session" }, "name": "asimnetwork" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let process = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"Enumerated\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", 
\"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommended\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommended\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescription\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"ActorUserId\", \"Recommended\", \"String\",\r\n \"ActorUserIdType\", \"Optional\", \"String\",\r\n \"ActorScope\", \"Optional\", \"String\",\r\n \"ActorUsername\", \"Required\", \"String\",\r\n \"ActorUsernameType\", \"Optional\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"ActorUserType\", \"Optional\", \"String\",\r\n \"ActorOriginalUserType\", \"Optional\", \"String\",\r\n \"ActingProcessCommandLine\", \"Optional\", \"String\",\r\n \"ActingProcessName\", \"Optional\", \"String\",\r\n \"ActingProcessFileCompany\", \"Optional\", 
\"String\",\r\n \"ActingProcessFileDescription\", \"Optional\", \"String\",\r\n \"ActingProcessFileProduct\", \"Optional\", \"String\",\r\n \"ActingProcessFileVersion\", \"Optional\", \"String\",\r\n \"ActingProcessFileInternalName\", \"Optional\", \"String\",\r\n \"ActingProcessFileOriginalName\", \"Optional\", \"String\",\r\n \"ActingProcessIsHidden\", \"Optional\", \"Boolean\",\r\n \"ActingProcessInjectedAddress\", \"Optional\", \"String\",\r\n \"ActingProcessId\", \"Required\", \"String\",\r\n \"ActingProcessGuid\", \"Optional\", \"String\",\r\n \"ActingProcessIntegrityLevel\", \"Optional\", \"String\",\r\n \"ActingProcessMD5\", \"Optional\", \"MD5\",\r\n \"ActingProcessSHA1\", \"Optional\", \"SHA1\",\r\n \"ActingProcessSHA256\", \"Optional\", \"SHA256\",\r\n \"ActingProcessSHA512\", \"Optional\", \"SHA512\",\r\n \"ActingProcessIMPHASH\", \"Optional\", \"String\",\r\n \"ActingProcessCreationTime\", \"Optional\", \"Datetime\",\r\n \"ActingProcessTokenElevation\", \"Optional\", \"String\",\r\n \"ActingProcessFileSize\", \"Optional\", \"Long\",\r\n \"ParentProcessName\", \"Optional\", \"String\",\r\n \"ParentProcessFileCompany\", \"Optional\", \"String\",\r\n \"ParentProcessFileDescription\", \"Optional\", \"String\",\r\n \"ParentProcessFileProduct\", \"Optional\", \"String\",\r\n \"ParentProcessFileVersion\", \"Optional\", \"String\",\r\n \"ParentProcessIsHidden\", \"Optional\", \"Boolean\",\r\n \"ParentProcessInjectedAddress\", \"Optional\", \"String\",\r\n \"ParentProcessId\", \"Recommended\", \"String\",\r\n \"ParentProcessGuid\", \"Optional\", \"String\",\r\n \"ParentProcessIntegrityLevel\", \"Optional\", \"String\",\r\n \"ParentProcessMD5\", \"Optional\", \"MD5\",\r\n \"ParentProcessSHA1\", \"Optional\", \"SHA1\",\r\n \"ParentProcessSHA256\", \"Optional\", \"SHA256\",\r\n \"ParentProcessSHA512\", \"Optional\", \"SHA512\",\r\n \"ParentProcessIMPHASH\", \"Optional\", \"String\",\r\n \"ParentProcessTokenElevation\", \"Optional\", \"String\",\r\n 
\"ParentProcessCreationTime\", \"Optional\", \"Datetime\",\r\n \"TargetUsername\", \"Required\", \"String\",\r\n \"TargetUsernameType\", \"Optional\", \"String\",\r\n \"TargetUserId\", \"Recommended\", \"String\",\r\n \"TargetUserIdType\", \"Optional\", \"String\",\r\n \"TargetUserSessionId\", \"Optional\", \"String\",\r\n \"TargetUserType\", \"Optional\", \"String\",\r\n \"TargetOriginalUserType\", \"Optional\", \"String\",\r\n \"TargetProcessName\", \"Required\", \"String\",\r\n \"TargetProcessFileCompany\", \"Optional\", \"String\",\r\n \"TargetProcessFileDescription\", \"Optional\", \"String\",\r\n \"TargetProcessFileProduct\", \"Optional\", \"String\",\r\n \"TargetProcessFileSize\", \"Optional\", \"Long\",\r\n \"TargetProcessFileVersion\", \"Optional\", \"String\",\r\n \"TargetProcessFileInternalName\", \"Optional\", \"String\",\r\n \"TargetProcessFileOriginalName\", \"Optional\", \"String\",\r\n \"TargetProcessIsHidden\", \"Optional\", \"Boolean\",\r\n \"TargetProcessInjectedAddress\", \"Optional\", \"String\",\r\n \"TargetProcessMD5\", \"Optional\", \"MD5\",\r\n \"TargetProcessSHA1\", \"Optional\", \"SHA1\",\r\n \"TargetProcessSHA256\", \"Optional\", \"SHA256\",\r\n \"TargetProcessSHA512\", \"Optional\", \"SHA512\",\r\n \"TargetProcessIMPHASH\", \"Optional\", \"String\",\r\n \"HashType\", \"Recommended\", \"String\",\r\n \"TargetProcessCommandLine\", \"Required\", \"String\",\r\n \"TargetProcessCurrentDirectory\", \"Optional\", \"String\",\r\n \"TargetProcessCreationTime\", \"Recommended\", \"Datetime\",\r\n \"TargetProcessId\", \"Required\", \"String\",\r\n \"TargetProcessGuid\", \"Optional\", \"String\",\r\n \"TargetProcessIntegrityLevel\", \"Optional\", \"String\",\r\n \"TargetProcessTokenElevation\", \"Optional\", \"String\",\r\n \"TargetProcessStatusCode\", \"Optional\", \"String\"\r\n];\r\nprocess\r\n| sort by Field asc", "size": 2, "title": "Schema Options for Process Event", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": 
"microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Process Event Schema" }, "name": "asimprocess" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let registry = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommneded\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommneded\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventSubType\", \"Optional\", \"Enumeratred\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n 
\"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescrtipoin\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"RegistryKey\", \"Required\", \"String\",\r\n \"RegistryValue\", \"Recommended\", \"String\",\r\n \"RegistryValueType\", \"Recommended\", \"String\",\r\n \"RegistryValueData\", \"Recommended\", \"String\",\r\n \"RegistryPreviousKey\", \"Recommended\", \"String\",\r\n \"RegistryPreviousValue\", \"Recommended\", \"String\",\r\n \"RegistryPreviousValueType\", \"Recommended\", \"String\",\r\n \"RegistryPreviousValueData\", \"Recommended\", \"String\",\r\n \"User\", \"Recommended\", \"String\",\r\n \"Process\", \"Recommended\", \"String\",\r\n \"ActorUsername\", \"Recommended\", \"String\",\r\n \"ActorUsernameType\", \"Optional\", \"String\",\r\n \"ActorUserId\", \"Recommended\", \"String\",\r\n \"ActorScope\", \"Optional\", \"String\",\r\n \"ActorUserIdType\", \"Recommended\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"ActingProcessName\", \"Optional\", \"String\",\r\n \"ActingProcessId\", \"Require\", \"String\",\r\n \"ActingProcessGuid\", \"Optional\", \"String\",\r\n \"ParentProcessName\", \"Optional\", \"String\",\r\n \"ParentProcessId\", \"Required\", \"String\",\r\n \"ParentProcessGuid\", \"Optional\", \"String\"\r\n];\r\nregistry\r\n| sort by Field asc", "size": 2, "title": "Schema Options for Registry Event", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": 
"Schema", "comparison": "isEqualTo", "value": "Registry Event" }, "name": "asimregistry" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let user = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommneded\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommneded\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n \"EventMessage\", \"Optional\", \"String\",\r\n \"EventSubType\", \"Optional\", \"Enumeratred\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", 
\"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescrtipoin\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"UpdatedPropertyName\", \"Optional\", \"String\",\r\n \"PreviousPropertyValue\", \"Optional\", \"String\",\r\n \"NewPropertyValue\", \"Optional\", \"String\",\r\n \"TargetUserId\", \"Optional\", \"String\",\r\n \"TargetUserIdType\", \"Optional\", \"String\",\r\n \"TargetUsername\", \"Optional\", \"String\",\r\n \"TargetUsernameType\", \"Optional\", \"String\",\r\n \"TargetUserType\", \"Optional\", \"String\",\r\n \"TargetOriginalUserType\", \"Optional\", \"String\",\r\n \"ActorUserId\", \"Optional\", \"String\",\r\n \"ActorUserIdType\", \"Optional\", \"String\",\r\n \"ActorUsername\", \"Required\", \"String\",\r\n \"User\", \"Recommended\", \"String\",\r\n \"ActorUsernameType\", \"Required\", \"String\",\r\n \"ActorUserType\", \"Optional\", \"String\",\r\n \"ActorSessionId\", \"Optional\", \"String\",\r\n \"GroupId\", \"Optional\", \"String\",\r\n \"GroupIdType\", \"Optional\", \"String\",\r\n \"GroupName\", \"Optional\", \"String\",\r\n \"GroupNameType\", \"Optional\", \"String\",\r\n \"GroupType\", \"Optional\", \"String\",\r\n \"Src\", \"Recommended\", \"String\",\r\n \"SrcIpAddr\", \"Recommended\", \"String\",\r\n \"IpAddr\", \"Recommended\", \"String\",\r\n \"SrcHostname\", \"Recommended\", \"String\",\r\n \"SrcDomain\", \"Recommended\", \"String\",\r\n \"SrcDomainType\", \"Recommended\", \"String\",\r\n \"SrcFQDN\", \"Optional\", \"String\",\r\n \"SrcDvcId\", \"Optional\", \"String\",\r\n \"SrcDvcScopeId\", \"Optional\", \"String\",\r\n \"SrcDvcScope\", \"Optional\", \"String\",\r\n \"SrcDvcIdType\", \"Optional\", \"String\",\r\n \"SrcDeviceType\", \"Optional\", \"String\",\r\n \"SrcGeoCountry\", \"Optional\", \"String\",\r\n \"SrcGeoRegion\", \"Optional\", \"String\",\r\n \"SrcGeoCity\", 
\"Optional\", \"String\",\r\n \"SrcGeoLatitude\", \"Optional\", \"String\",\r\n \"SrcGeoLongitude\", \"Optional\", \"String\",\r\n \"ActingAppId\", \"Optional\", \"String\",\r\n \"ActingAppName\", \"Optional\", \"String\",\r\n \"ActingAppType\", \"Optional\", \"String\",\r\n \"HttpUserAgent\", \"Optional\", \"String\",\r\n \"Hostname\", \"Recommended\", \"String\"\r\n];\r\nuser\r\n| sort by Field asc", "size": 2, "title": "Schema Options for User Management", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "User Management" }, "name": "asimuser" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "let web = datatable(Field:string, Class:string, Type:string)[\r\n\"EventType\", \"Required\", \"Enumerated\",\r\n \"EventSubType\", \"Optional\", \"String\",\r\n \"EventSchema\", \"Required\", \"String\",\r\n \"EventSchemaVersion\", \"Required\", \"String\",\r\n \"EventCount\", \"Required\", \"Int\",\r\n \"EventStartTime\", \"Required\", \"Datetime\",\r\n \"EventEndTime\", \"Required\", \"Datetime\",\r\n \"EventResult\", \"Required\", \"Enumerated\",\r\n \"EventProduct\", \"Required\", \"String\",\r\n \"Dvc\", \"Required\", \"String\",\r\n \"EventResultDetails\", \"Recommended\", \"Enumerated\",\r\n \"EventSeverity\", \"Recommended\", \"Enumerated\",\r\n \"EventUid\", \"Recommended\", \"String\",\r\n \"DvcIPAddr\", \"Recommended\", \"String\",\r\n \"DvcHostName\", \"Recommended\", \"String\",\r\n \"DvcDomain\", \"Recommneded\", \"String\",\r\n \"DvcDomainType\", \"Recommended\", \"Enumerated\",\r\n \"DvcFQDN\", \"Recommended\", \"String\",\r\n \"DvcId\", \"Recommneded\", \"String\",\r\n \"DvcIdType\", \"Recommended\", \"Enumerated\",\r\n \"DvcAction\", \"Recommended\", \"String\",\r\n 
\"EventMessage\", \"Optional\", \"String\",\r\n \"EventSubType\", \"Optional\", \"Enumeratred\",\r\n \"EventOriginalUid\", \"Optional\", \"String\",\r\n \"EventOriginalType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalSubType\", \"Optional\", \"Enumerated\",\r\n \"EventOriginalResultDetails\", \"Optional\", \"String\",\r\n \"EventOriginalSeverity\", \"Optional\", \"String\",\r\n \"EventProductVersion\", \"Optional\", \"String\",\r\n \"EventReportUrl\", \"Optional\", \"String\",\r\n \"EventOwner\", \"Optional\", \"String\",\r\n \"DvcZone\", \"Optional\", \"String\",\r\n \"DvcMacAddr\", \"Optional\", \"String\",\r\n \"DvcOs\", \"Optional\", \"String\",\r\n \"DvcOsVersion\", \"Optional\", \"String\",\r\n \"DvcOriginalAction\", \"Optional\", \"String\",\r\n \"DvcInterface\", \"Optional\", \"String\",\r\n \"AdditionalFields\", \"Optional\", \"Dynamic\",\r\n \"DvcDescrtipoin\", \"Optional\", \"String\",\r\n \"DvcScopeId\", \"Optional\", \"String\",\r\n \"DvcScope\", \"Optional\", \"String\",\r\n \"Url\", \"Required\", \"String\",\r\n \"UrlCategory\", \"Optional\", \"String\",\r\n \"UrlOriginal\", \"Optional\", \"String\",\r\n \"HttpVersion\", \"Optional\", \"String\",\r\n \"HttpRequestMethod\", \"Recommended\", \"String\",\r\n \"HttpStatusCode\", \"Recommended\", \"String\",\r\n \"HttpContentType\", \"Optional\", \"String\",\r\n \"HttpContentFormat\", \"Optional\", \"String\",\r\n \"HttpReferrer\", \"Optional\", \"String\",\r\n \"HttpUserAgent\", \"Optional\", \"String\",\r\n \"UserAgent\", \"Recommended\", \"String\",\r\n \"HttpRequestXff\", \"Optional\", \"String\",\r\n \"HttpRequestTime\", \"Optional\", \"Int\",\r\n \"HttpResponseTime\", \"Optional\", \"Int\",\r\n \"HttpHost\", \"Optional\", \"String\",\r\n \"FileName\", \"Optional\", \"String\",\r\n \"FileMD5\", \"Optional\", \"MD5\",\r\n \"FileSHA1\", \"Optional\", \"SHA1\",\r\n \"FileSHA256\", \"Optional\", \"SHA256\",\r\n \"FileSHA512\", \"Optional\", \"SHA512\",\r\n \"Hash\", \"Recommended\", 
\"String\",\r\n \"FileHashType\", \"Optional\", \"String\",\r\n \"FileSize\", \"Optional\", \"Long\",\r\n \"FileContentType\", \"Optional\", \"String\"\r\n];\r\nweb\r\n| sort by Field asc\r\n", "size": 2, "title": "Schema Options for Web Session", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "customWidth": "25", "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Web Session" }, "name": "asimweb" }, { "type": 1, "content": { "json": "
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n
\r\n# =" }, "customWidth": "5", "name": "text - 5" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "8b72e446-518a-40a8-ac89-6bc2d4bd490b", "version": "KqlParameterItem/1.0", "name": "normalizedSchema", "label": "Area to Create Normalized Schema", "type": 1, "query": "print '{FetchTableName}'", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "multiLineText": true, "editorLanguage": "kql", "multiLineHeight": 40 }, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": "ActivityLogTest_CL | extend TimeGenerated = eventTimestamp\\n| project-away tenantId\\n| project-rename resourceID = id, User = caller" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "35", "name": "parameters - 3" }, { "type": 1, "content": { "json": "" }, "customWidth": "60", "name": "text - 18" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "6d9d3779-4b69-4bca-bf26-c9ceaa277ff1", "version": "KqlParameterItem/1.0", "name": "ASIMResults", "label": "Show Parser Results?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "No" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "8", "name": "parameters - 17" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "2de8f499-ab40-4bda-9bec-36fed073087d", "cellValue": "{Workspace}", "linkTarget": "Resource", "linkLabel": "Open Workspace Query Editor", "subTarget": "logs", "style": "primary", "linkIsContextBlade": true } ] }, "customWidth": "25", "name": "links - 15" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": 
"editable", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{normalizedSchema}", "size": 0, "title": "Results from Normalized Query", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "query - 0" } ] }, "conditionalVisibility": { "parameterName": "ASIMResults", "comparison": "isEqualTo", "value": "Yes" }, "name": "group - 16" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "172f1a92-b8cb-4fae-90a5-81c163d26d95", "version": "KqlParameterItem/1.0", "name": "beforeorafter", "label": "At Ingest or Query Time?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Ingest\", \"Query\"]", "timeContext": { "durationMs": 86400000 }, "value": "Ingest" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 27" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "c37715cc-5231-4223-8f02-143682d13495", "version": "KqlParameterItem/1.0", "name": "DCRFetchASIM", "label": "DCR Body", "type": 1, "query": "print rule = dynamic({DCRFetch2})\r\n| evaluate bag_unpack(rule)\r\n| project-away defaultVisualization, etag, type, systemData\r\n| project properties = pack_all()", "crossComponentResources": [ "{Workspace}" ], "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30, "preFormatJsonData": true }, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isEqualTo", "value": "ASIM Parser" }, { "parameterName": "beforeorafter", "comparison": 
"isEqualTo", "value": "Ingest" } ], "name": "DCR Body" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "1d19f441-66fc-43bb-96ef-997a3371e765", "linkTarget": "ArmAction", "linkLabel": "Deploy DCR Update", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{DCR2}?api-version=2021-09-01-preview", "headers": [], "params": [], "body": "{DCRFetchASIM}", "httpMethod": "PUT", "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." } }, { "id": "e671f10c-e4bb-4561-93f3-66f775b9b7bd", "cellValue": "{DCR2}", "linkTarget": "Resource", "linkLabel": "Confirm Changes", "subTarget": "exporttemplate", "style": "primary", "linkIsContextBlade": true } ] }, "conditionalVisibilities": [ { "parameterName": "Destination", "comparison": "isEqualTo", "value": "ASIM Parser" }, { "parameterName": "beforeorafter", "comparison": "isEqualTo", "value": "Ingest" } ], "name": "DCR Update" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ccb29c33-d4e6-452e-bece-b7313df266fc", "version": "KqlParameterItem/1.0", "name": "parserName", "label": "Parser Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "ASIMCustomAzureActivity2" }, { "id": "7a21bfce-3a81-4946-afc7-90aba2d89832", "version": "KqlParameterItem/1.0", "name": "parserProperties", "label": "Parser Properties", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 20 }, "timeContext": { "durationMs": 86400000 }, "value": "{\r\n \"properties\": {\r\n \"category\": \"Custom\",\r\n \"displayName\": \"Custom Azure Activity logs\",\r\n \"functionAlias\": \"ASIMCustomAzureActivity2\",\r\n \"query\": \"ActivityLogTest_CL | extend TimeGenerated = eventTimestamp\\n| project-away tenantId\\n| project-rename resourceID = id, User = caller\",\r\n \"tags\": []\r\n 
}\r\n}" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "beforeorafter", "comparison": "isEqualTo", "value": "Query" }, "name": "parameters - 28" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "b63f00c0-61b2-40da-837e-99864861103d", "linkTarget": "ArmAction", "linkLabel": "Deploy Parser", "style": "primary", "linkIsContextBlade": true, "armActionContext": { "path": "{Workspace}/savedSearches/{parserName}?api-version=2020-08-01", "headers": [], "params": [], "body": "{parserProperties}", "httpMethod": "PUT", "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." } } ] }, "conditionalVisibility": { "parameterName": "beforeorafter", "comparison": "isEqualTo", "value": "Query" }, "name": "links - 29" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "53e78ae0-796c-4ef5-87ca-2693aaafae01", "version": "KqlParameterItem/1.0", "name": "referenceASIM", "label": "Reference ASIM Examples?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "Yes" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 24" }, { "type": 1, "content": { "json": "### Example Target Parsers for {Schema}" }, "conditionalVisibility": { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 20" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "auditParsers", 
"label": "Audit Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_AuditEvent\",\"_ASim_AuditEvent_AzureActivityV02\",\"_ASim_AuditEven_BarracudaWAFV01\", \"_ASim_AuditEvent_MicrosoftOffice365V01\", \"_ASim_AuditEvent_CiscoISEV01\", \"_ASim_AuditEvent_CiscoMerakiV01\", \"_ASim_AuditEvent_CrowdStrikeFalconHostV01\", \"_ASim_AuditEvent_MicrosoftExchangeAdmin365V02\", \"_ASim_AuditEvent_MicrosoftWindowsEventsV01\", \"_ASim_AuditEvent_VMwareCarbonBlackCloudV01\", \"_ASim_AuditEvent_VectraXDRAuditV01\", \"_ASim_AuditEventBuiltIn\", \"_im_AuditEvent\", \"_Im_AuditEvent_AzureActivityV02\", \"_Im_AuditEvent_BarracudaWAFV01\", \"_Im_AuditEvent_CiscoISEV01\", \"_Im_AuditEvent_CiscoMerakiV01\", \"_Im_AuditEvent_EmptyV02\", \"_Im_AuditEvent_MicrosoftExchangeAdmin365V02\", \"_Im_AuditEvent_MicrosoftWindowsEventsV01\", \"_Im_AuditEvent_VectraXDRAuditV01\", \"_Im_AuditEventBuiltIn\"]", "timeContext": { "durationMs": 86400000 }, "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Audit" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{auditParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {auditParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ], "gridSettings": { "filter": true } }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Audit" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "auditParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": 
{ "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "authenticationParsers", "label": "Authentication Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"ASimAuthentication\", \"ASimAuthenticationAADManagedIdentity\", \"ASimAuthenticationAADNonInteractive\", \"ASimAuthenticationAADServicePrincipalSignInLogs\", \"ASimAuthenticationAADSigninLogs\", \"ASimAuthenticationAWSCloudTrail\", \"ASimAuthenticationBarracudaWAF\", \"ASimAuthenticationCiscoASA\", \"ASimAuthenticationCiscoISE\", \"ASimAuthenticationCiscoMeraki\", \"ASimAuthenticationCrowdStrikeFalconHost\", \"ASimAuthenticationM365Defender\", \"ASimAuthenticationMicrosoftMD4IoT\", \"ASimAuthenticationMicrosoftWindowsEvent\", \"ASimAuthenticationOktaOSS\", \"ASimAuthenticationPaloAltoCortexDataLake\", \"ASimAuthenticationPostgreSQL\", \"ASimAuthenticationSentinelOne\", \"ASimAuthenticationSshd\", \"ASimAuthenticationSu\", \"ASimAuthenticationSudo\", \"ASimAuthenticationVMwareCarbonBlackCloud\", \"ASimAuthenticationVectraXDRAudit\", \"imAuthentication\", \"vimAuthenticationAADManagedIdentity\", \"vimAuthenticationAADNonInteractive\", \"vimAuthenticationAADServicePrincipalSignInLogs\", \"vimAuthenticationAADSigninLogs\", \"vimAuthenticationAWSCloudTrail\", \"vimAuthenticationBarracudaWAF\", \"vimAuthenticationCiscoASA\", \"vimAuthenticationCiscoISE\", \"vimAuthenticationCiscoMeraki\", \"vimAuthenticationCrowdStrikeFalconHost\", \"vimAuthenticationEmpty\", \"vimAuthenticationM365Defender\", \"vimAuthenticationMicrosoftMD4IoT\", \"vimAuthenticationMicrosoftWindowsEvent\", \"vimAuthenticationOktaOSS\", \"vimAuthenticationPaloAltoCortexDataLake\", \"vimAuthenticationPostgreSQL\", \"vimAuthenticationSentinelOne\", \"vimAuthenticationSshd\", \"vimAuthenticationSu\", \"vimAuthenticationVMwareCarbonBlackCloud\", \"vimAuthenticationVectraXDRAudit\"]", "timeContext": { 
"durationMs": 86400000 }, "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{authenticationParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {authenticationParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "customWidth": "75", "name": "query - 20" } ] }, "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Authentication" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "authenticationParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "dnsParsers", "label": "DNS Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_Dns\", \"_ASim_Dns_AzureFirewallV03\", \"_ASim_Dns_CiscoUmbrellaV03\", \"_ASim_Dns_CorelightZeekV05\", \"_ASim_Dns_GcpV04\", \"_ASim_Dns_InfobloxNIOSV06\", \"_ASim_Dns_MicrosoftNXlogV05\", \"_ASim_Dns_MicrosoftOMSV04\", \"_ASim_Dns_MicrosoftSysmonV04\", \"_ASim_Dns_NativeV06\", \"_ASim_Dns_VectraAIV01\", \"_ASim_Dns_ZscalerZIAV06\", \"_ASim_DnsBuiltIn\", \"_Im_Dns\", \"_Im_Dns_AzureFirewallV03\", \"_Im_Dns_CiscoUmbrellaV03\", \"_Im_Dns_CorelightZeekV05\", \"_Im_Dns_EmptyV04\", \"_Im_Dns_GcpV04\", \"_Im_Dns_InfobloxNIOSV05\", \"_Im_Dns_MicrosoftNXlogV05\", \"_Im_Dns_MicrosoftOMSV04\", \"_Im_Dns_MicrosoftSysmonV04\", \"_Im_Dns_NativeV06\", \"_Im_Dns_VectraAIV01\", \"_Im_Dns_ZscalerZIAV04\", \"_Im_DnsBuiltIn\"\r\n]", "timeContext": { "durationMs": 86400000 }, "value": 
"_Im_Dns_MicrosoftOMSV04" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{dnsParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {dnsParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "DNS" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "dnsParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "dhcpParsers", "label": "DHCP Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[]", "timeContext": { "durationMs": 86400000 }, "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{dhcpParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {dhcpParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "DHCP" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "dhcpParserGroup" }, { "type": 12, "content": { "version": 
"NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "fileParsers", "label": "File Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_FileEvent\", \"_ASim_FileEvent_AzureBlobStorageV01\", \"_ASim_FileEvent_AzureFileStorageV01\", \"_ASim_FileEvent_AzureQueueStorageV01\", \"_ASim_FileEvent_AzureTableStorageV01\", \"_ASimFileEvent_GoogleWorkspace\", \"_ASim_FileEvent_LinuxSysmonFileCreatedV02\", \"_ASim_FileEvent_LinuxSysmonFileDeletedV02\", \"_ASim_FileEvent_Microsoft365DV02\", \"_ASim_FileEvent_MicrosoftSharePointV03\", \"_ASim_FileEvent_MicrosoftSysmonV04\", \"_ASim_FileEvent_MicrosoftWindowsEventsV01\", \"_ASim_FileEvent_NativeV01\", \"_ASim_FileEvent_SentinelOne\", \"_ASim_FileEvent_VMwareCarbonBlackCloud\", \"_Im_FileEvent\", \"_Im_FileEvent_AzureBlobStorageV01\", \"_Im_FileEvent_AzureFileStorageV01\", \"_Im_FileEvent_AzureQueueStorageV01\", \r\n\"_Im_FileEvent_AzureTableStorageV01\", \"_Im_FileEvent_EmptyV01\", \"_Im_FileEvent_LinuxSysmonFileDeletedV02\", \"_Im_FileEvent_Microsoft365DV02\", \"_Im_FileEvent_MicrosoftSharePointV03\", \"_Im_FileEvent_MicrosoftSysmonV04\", \"_Im_FileEvent_MicrosoftWindowsEventsV01\", \"_Im_FileEvent_NativeV01\", \"_Im_FileEventBuiltIn\",\r\n\"vimFileEventAzureBlobStorage\", \"vimFileEventAzureFileStorage\", \"vimFileEventAzureQueueStorage\", \"vimFileEventAzureTableStorage\", \"vimFileEventEmpty\", \"vimFileEventGoogleWorkspace\", \"vimFileEventLinuxSysmonFileCreated\", \"vimFileEventLinuxSysmonFileDeleted\", \"vimFileEventM365D\", \"vimFileEventMicrosoftSharePoint\", \"vimFileEventMicrosoftSysmon\", \"vimFileEventMicrosoftWindowsEvents\", \"vimFileEventNative\", \"vimFileEventSentinelOne\", \"vimFileEventVMwareCarbonBlackCloud\" ]", "timeContext": { "durationMs": 86400000 }, "value": 
"_ASim_FileEvent" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{fileParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {fileParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "File Event" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "fileParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "networkParsers", "label": "Network Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_NetworkSession\", \"_ASim_NetworkSession_AppGateSDPV02\", \"_ASim_NetworkSession_AWSVPCV03\", \"_ASim_NetworkSession_AzureFirewallV01\", \"_ASim_NetworkSession_AzureNSGV01\", \"_ASim_NetworkSession_BarracudaWAFV01\", \"_ASim_NetworkSession_CheckPointFirewallV11\", \"_ASim_NetworkSession_CiscoASAV10\", \"_ASim_NetworkSession_CiscoISEV11\", \"_ASim_NetworkSession_CiscoMerakiV11\", \"_ASim_NetworkSession_CorelightZeekV02\", \"_ASim_NetworkSession_ForcePointFirewallV01\", \"_ASim_NetworkSession_FortinetFortiGateV05\", \"_ASim_NetworkSession_LinuxSysmonV03\", \"_ASim_NetworkSession_MD4IoTAgentV02\", \"_ASim_NetworkSession_MD4IoTSensorV01\", \"_ASim_NetworkSession_MD4IoTV02\", \"_ASim_NetworkSession_Microsoft365DefenderV04\", \"_ASim_NetworkSession_MicrosoftSysmonV01\", 
\"_ASim_NetworkSession_MicrosoftWindowsEventFirewallV04\", \"_ASim_NetworkSession_NativeV03\", \"_ASim_NetworkSession_PaloAltoCEFV06\", \"_ASim_NetworkSession_VectraAIV02\", \"_ASim_NetworkSession_VMConnectionV02\", \"_ASim_NetworkSession_WatchGuardFirewareOSV01\", \"_ASim_NetworkSession_ZscalerZIAV04\", \"_ASim_NetworkSessionBuiltIn\", \"_Im_NetworkSession_AppGateSDPV02\", \"_Im_NetworkSession_AWSVPCV03\", \"_Im_NetworkSession_AzureFirewallV01\", \"_Im_NetworkSession_AzureNSGV01\", \"_Im_NetworkSession_BarracudaWAFV01\", \"_Im_NetworkSession_CheckPointFirewallV11\", \"_Im_NetworkSession_CiscoASAV10\", \"_Im_NetworkSession_CiscoISEV11\", \"_Im_NetworkSession_CiscoMerakiV11\", \"_im_NetworkSession_CorelightZeekV02\", \"_Im_NetworkSession_EmptyV03\", \"_im_NetworkSession_ForcePointFirewallV01\", \"_Im_NetworkSession_FortinetFortiGateV04\", \"_Im_NetworkSession_LinuxSysmonV04\", \"_Im_NetworkSession_MD4IoTAgentV02\", \"_Im_NetworkSession_MD4IoTSensorV02\", \"_Im_NetworkSession_MD4IoTV02\", \"_Im_NetworkSession_Microsoft365DefenderV04\", \"_Im_NetworkSession_MicrosoftWindowsEventFirewallV04\", \"_Im_NetworkSession_NativeV03\", \"_im_NetworkSession_PaloAltoCEFV07\", \"_Im_NetworkSession_VectraAIV02\", \"_Im_NetworkSession_VMConnectionV02\", \"_Im_NetworkSession_WatchGuardFirewareOSV01\", \"_Im_NetworkSession_ZscalerZIAV04\"]", "timeContext": { "durationMs": 86400000 }, "value": "_ASim_NetworkSession" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{networkParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {networkParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", 
"comparison": "isEqualTo", "value": "Network Session" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "networkParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "processParsers", "label": "Process Event Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_ProcessEvent\", \"_ASim_ProcessEvent_Create\", \"_ASim_ProcessEvent_CreateBuiltIn\", \"_ASim_ProcessEvent_CreateLinuxSysmonV02\", \"_ASim_ProcessEvent_CreateMicrosoftSecurityEventsV01\",\"_ASim_ProcessEvent_CreateMicrosoftSysmonV03\", \"_ASim_ProcessEvent_CreateMicrosoftWindowsEventsV03\", \"_ASim_ProcessEvent_MD4IoTV01\", \"_ASim_ProcessEvent_Microsoft365DV01\", \"_ASim_ProcessEvent_NativeV01\", \"_ASim_ProcessEvent_Terminate\", \"_ASim_ProcessEvent_TerminateBuiltIn\", \"_ASim_ProcessEvent_TerminateLinuxSysmonV01\", \"_ASim_ProcessEvent_TerminateMicrosoftSecurityEventsV02\", \"_ASim_ProcessEvent_TerminateMicrosoftSysmonV02\", \"_ASim_ProcessEvent_TerminateMicrosoftWindowsEventsV02\", \"_ASim_ProcessEventBuiltIn\", \"_Im_ProcessCreate\", \"_Im_ProcessCreate_LinuxSysmonV03\", \"_Im_ProcessCreate_MD4IoTV01\", \"_Im_ProcessCreate_MicrosoftSecurityEventsV02\", \"_Im_ProcessCreate_MicrosoftSysmonV04\", \"_Im_ProcessCreate_MicrosoftWindowsEventsV03\", \"_Im_ProcessCreateBuiltIn\", \"_Im_ProcessEvent\", \"_Im_ProcessEvent_MD4IoTV02\", \"_Im_ProcessEvent_Microsoft365DV02\", \"_Im_ProcessEvent_NativeV01\", \"_Im_ProcessEventBuiltIn\", \"_Im_ProcessTerminate\", \"_Im_ProcessTerminate_LinuxSysmonV02\", \"_Im_ProcessTerminate_MD4IoTV02\", \"_Im_ProcessTerminate_MicrosoftSecurityEventsV03\", \"_Im_ProcessTerminate_MicrosoftSysmonV03\",\"_Im_ProcessTerminate_MicrosoftWindowsEventsV03\", 
\"_Im_ProcessTerminateBuiltIn\"]", "timeContext": { "durationMs": 86400000 }, "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{processParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {processParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Process Event Schema" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "processParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "registryParsers", "label": "Registry Event Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_RegistryEvent\", \"_ASim_RegistryEvent_Microsoft365DV01\", \"_ASim_RegistryEvent_MicrosoftSysmonV02\", \"_ASim_RegistryEvent_MicrosoftWindowsEventV02\", \"_ASim_RegistryEvent_NativeV01\", \"_ASim_RegistryEventBuiltIn\", \"_Im_RegistryEvent\", \"_Im_RegistryEvent_EmptyV01\", \"_Im_RegistryEvent_Microsoft365DV01\", \"_Im_RegistryEvent_MicrosoftSysmonV02\", \"_Im_RegistryEvent_MicrosoftWindowsEventV02\", \"_Im_RegistryEvent_NativeV01\", \"_Im_RegistryEventBuiltIn\" ]", "timeContext": { "durationMs": 86400000 }, "value": "_ASim_RegistryEvent" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": 
"KqlItem/1.0", "query": "{registryParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {registryParsers}", "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Registry Event" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "registryParserGroup" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "ba71304b-4186-414f-94c8-f891900cb0d7", "version": "KqlParameterItem/1.0", "name": "webParsers", "label": "Web Session Parsers", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"_ASim_WebSession_IISV02\", \"_ASim_WebSession_NativeV01\", \"_ASim_WebSession_PaloAltoCEFV02\", \"_ASim_WebSession_SquidProxyV03\", \"_ASim_WebSession_VectraAIV02\", \"_ASim_WebSession_ZscalerZIAV04\", \"_ASim_WebSessionBuiltIn\", \"_Im_WebSession\", \"_Im_WebSession_ApacheHTTPServerV01\", \"_Im_WebSession_CiscoMerakiV01\", \"_Im_WebSession_EmptyV03\", \"_Im_WebSession_FortinetFortiGateV01\", \"_Im_WebSession_IISV01\", \"_Im_WebSession_NativeV01\", \"_Im_WebSession_PaloAltoCEFV02\", \"_Im_WebSession_SquidProxyV06\", \"_Im_WebSession_VectraAIV02\", \"_Im_WebSession_ZscalerZIAV06\", \"_Im_WebSessionBuiltIn\"]", "timeContext": { "durationMs": 86400000 }, "value": "_ASim_WebSession_IISV02" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 19" }, { "type": 3, "content": { "version": "KqlItem/1.0", "query": "{webParsers}\r\n| getschema\r\n| order by ColumnName asc", "size": 0, "title": "Schema for {webParsers}", 
"timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "crossComponentResources": [ "{Workspace}" ] }, "name": "query - 20" } ] }, "customWidth": "75", "conditionalVisibilities": [ { "parameterName": "Schema", "comparison": "isEqualTo", "value": "Web Session" }, { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" } ], "name": "webParserGroup" }, { "type": 1, "content": { "json": "### Note\r\n\r\nNot all of the parsers are listed in the drop down as the ones provided are just examples. Additionally, in this current build only 3 are listed: Audit, Authentication, and DNS. \r\n\r\nIf an error occurs when calling the function alias, chances are the workspace that is being queried does not have the parser in it. Please visit Content Hub to find the proper solutions that contain the parsers of interest.", "style": "info" }, "customWidth": "25", "conditionalVisibility": { "parameterName": "referenceASIM", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 23" } ] }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "ASIM Parser" }, "name": "ASIM Settings", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "# ↓" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "ASIM Parser" }, "name": "text - 5" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Endpoint and Paging", "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Request", "items": [ { "type": 1, "content": { "json": "#### Please note: The Office 365 Management API is not supported at this time. 
Please refer to one of the public solutions in the [Microsoft Sentinel Github Repository](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors).", "style": "warning" }, "name": "text - 3" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "35386afa-f883-4fe5-84e1-d2612e4cf5d6", "version": "KqlParameterItem/1.0", "name": "apiEndpoint", "label": "API Endpoint", "type": 1, "isRequired": true, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "0086700a-76a1-46b5-86aa-97f22042153d", "version": "KqlParameterItem/1.0", "name": "rateLimitOPS", "label": "Rate Limit", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "10" }, { "id": "8eb90b25-d9ec-4d3b-9414-79320036316f", "version": "KqlParameterItem/1.0", "name": "queryWindowInMin", "label": "Query Window in Minutes", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "5" }, { "id": "5b9a6ed7-59f3-4adb-a48c-49e49f410f0a", "version": "KqlParameterItem/1.0", "name": "httpMethod", "label": "HTTP Method", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"GET\", \"PUT\", \"POST\"]", "timeContext": { "durationMs": 86400000 }, "value": "GET" }, { "id": "44f7790f-a03a-485a-b505-58a722897456", "version": "KqlParameterItem/1.0", "name": "queryTimeFormat", "label": "Query Time Format", "type": 1, "isRequired": true, "timeContext": { "durationMs": 86400000 }, "value": "yyyy-MM-ddTHH:mm:ssZ" }, { "id": "1ffc0e85-a276-4947-bae6-3d848cac0026", "version": "KqlParameterItem/1.0", "name": "startTimeAttributeName", "label": "Start Time Attribute Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "startTime" }, { "id": "2ed6ed3c-4ecf-4167-ad47-9c79bffe03ad", "version": "KqlParameterItem/1.0", "name": "endTimeAttributeName", "label": "End Time Attribute Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "endTime" }, { "id": "3ecb94be-86d6-4e58-88d3-d5a9535bb74e", 
"version": "KqlParameterItem/1.0", "name": "retryCount", "label": "Retry Count", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "3" }, { "id": "78cba2d3-d9db-4336-bd9f-cbd71519eed0", "version": "KqlParameterItem/1.0", "name": "timeoutInSeconds", "label": "Timeout in Seconds", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "60" }, { "id": "bc09f3d3-1a71-47af-8c05-95c0fb40b239", "version": "KqlParameterItem/1.0", "name": "needQP", "label": "Using Query Parameters?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Yes\", \"No\"]", "value": "No" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section creates the request for the connector. The request body is made up of:\r\n\r\n1. API Endpoint: Mandatory, the endpoint URI for the API that provides the data.\r\n2. Rate Limit: Optional, defines the number of calls or queries allowed per second.\r\n3. Query Window in Minutes: Optional, defines the available query window in minutes. Minimum is 1 minute. Default is 5 minutes.\r\n4. HTTP Method: Mandatory, the request method used for fetching the data.\r\n5. Query Time Format: Mandatory, defines the format used to define the query time. Value can be a string or in UnixTimestamp/UnixTimestampInMills format to indicate the query start and end time. (Ex. YYYY-MM-DD HH:MM:SS)\r\n6. Start Time Attribute Name: Optional, defines the name of the attribute that defines the query start time. Ex. from\r\n7. End Time Attribute Name: Optional, defines the name of the attribute that defines the query time interval. Ex. until\r\n8. Retry Count: Optional, defines 1 to 6 retries allowed to recover from a failure. Default is 3.\r\n9. Timeout in Seconds: Optional, defines the request timeout, in seconds. Default is 20.\r\n10. 
Query Time Interval Attribute Name: Optional, if the endpoint requires a specialized format for querying the data on a time frame, then use this property with the QueryTimeIntervalPrepend and the QueryTimeIntervalDelimiter parameters.\r\n11. Query Time Interval Prepend: Only required if query time interval name is set. Ex. receivedDateTime gt.\r\n12. Query Time Interval Delimiter: Only required if query time interval name is set. Ex. and receivedDateTime lt \r\n \r\nAny value entered will be compiled into a variable for the template. If anything is left empty, it will not be included.\r\n\r\nFor more information, please refer to the [request section of the public document](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal#request-configuration).\r\n", "style": "info" }, "customWidth": "50", "name": "text - 2" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "5963b984-bdb4-43a1-a8de-7ec49f43f3a0", "version": "KqlParameterItem/1.0", "name": "_QueryWindowStartTime", "type": 1, "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "value": "{_QueryWindowStartTime}" }, { "version": "KqlParameterItem/1.0", "name": "_QueryWindowEndTime", "type": 1, "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "value": "{_QueryWindowEndTime}", "id": "11f5ab95-a127-4d2d-8be2-ece5cf8c3b7c" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "3fe33b2e-8ee7-4c31-a1ad-b976ce43d7c2", "version": "KqlParameterItem/1.0", "name": "queryParameters", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json" }, "value": "{\r\n\t\"data\": { \"start\": {_QueryWindowStartTime}, \"end\": {_QueryWindowEndTime} }\r\n}", "label": "Query Parameters" } ], "style": 
"formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "75", "conditionalVisibility": { "parameterName": "needQP", "comparison": "isEqualTo", "value": "Yes" }, "name": "parameters - 4" }, { "type": 1, "content": { "json": "### Please Note\r\n\r\nPutting the API version within the query parameters field will cause an issue when deploying the connector. Unfortunately, KQL takes the entered date and translates it to a full datetime value. This will prevent the connector from working. Please add the API version to the endpoint URL if possible. \r\n\r\nEx. 2022-01-01 gets translated to 2022-01-01T00:00:00Z\r\n", "style": "warning" }, "customWidth": "25", "conditionalVisibility": { "parameterName": "needQP", "comparison": "isEqualTo", "value": "Yes" }, "name": "text - 6" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "081d31d2-6989-4838-acfc-05a23eb309f2", "version": "KqlParameterItem/1.0", "name": "queryParametersValue", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "needQP", "operator": "==", "rightValType": "static", "rightVal": "Yes", "resultValType": "param", "resultVal": "queryParameters" } }, { "criteriaContext": { "leftOperand": "needQP", "operator": "==", "rightValType": "static", "rightVal": "No", "resultValType": "static", "resultVal": "{}" } }, { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "param" } } ], "timeContext": { "durationMs": 86400000 } } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 5" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "c89da298-41bb-4936-9d70-4dff774e97c2", "version": "KqlParameterItem/1.0", "name": "request", "type": 1, "query": "let content = datatable(key: string, value:dynamic)[\r\n 
\"apiEndpoint\", \"{apiEndpoint}\",\r\n \"rateLimitQPS\", int({rateLimitOPS}),\r\n \"queryWindowInMin\", int({queryWindowInMin}),\r\n \"httpMethod\", \"{httpMethod}\",\r\n \"queryTimeFormat\", \"{queryTimeFormat}\",\r\n \"startTimeAttributeName\", \"{startTimeAttributeName}\",\r\n \"endTimeAttributeName\", \"{endTimeAttributeName}\",\r\n \"retryCount\", int({retryCount}),\r\n \"timeoutInSeconds\", int({timeoutInSeconds}),\r\n \"queryParameters\", dynamic({queryParametersValue}),\r\n \"Accept\", \"application/json\"\r\n ];\r\ncontent\r\n| extend value = iff(value == '{}', '', value)\r\n| where isnotempty(value)\r\n| project holder = bag_pack(key, value)\r\n| extend holder = iff(holder has 'queryParameters', replace_string(tostring(holder), '\"{', '{'), holder)\r\n| extend holder = iff(holder has 'queryParameters', replace_string(tostring(holder), '{\\\\', '{'), holder)\r\n| extend holder = iff(holder has 'queryParameters', replace_string(tostring(holder), '\\\\', ''), holder)\r\n| extend holder = iff(holder has 'queryParameters', replace_string(tostring(holder), '\"}\"}', '\"}}'), holder)\r\n| extend holder = todynamic(holder)\r\n| summarize request = make_bag(holder)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 1" } ], "exportParameters": true }, "name": "Request", "styleSettings": { "margin": "0px 0px 0px 20px", "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Response", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "1ca7158e-2e5a-4d42-81f1-cba2b27ee5b5", "version": "KqlParameterItem/1.0", "name": "eventsJsonPaths", "label": "JSON 
Path", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "$" }, { "id": "f02f4241-cc49-4a38-aa2a-afa1b8206836", "version": "KqlParameterItem/1.0", "name": "format", "label": "Format", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"json\", \"csv\", \"xml\"]", "value": "json" }, { "id": "c570bdaa-4433-47be-bed6-282a7ac29c83", "version": "KqlParameterItem/1.0", "name": "responseJSON", "type": 1, "query": "let response = datatable(key:string, value:string)[\r\n \"eventsJsonPaths\", \"{eventsJsonPaths}\",\r\n \"format\", \"{format}\"\r\n ];\r\nresponse\r\n| where isnotempty(value)\r\n| extend response = bag_pack(key, value)\r\n| extend response = iff(response has 'eventsJsonPaths', todynamic(strcat('{\"eventsJsonPaths\":[', replace_regex(tostring(split(response, ':')[1]), '}', ''), ']}')), response)\r\n| extend response = todynamic(response)\r\n| summarize response = make_bag(response)\r\n", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will define how the response is processed from the request. The response body is made up of:\r\n\r\n1. JSON Path: The JSON Path that can be used to parse out the data in the API response.\r\n2. Format: The expected format of the response.\r\n\r\nAll values entered will be consolidated into a variable for the template. 
Anything left empty will not be included.\r\n\r\nFor a quick reference to JSONPaths, please refer to [this sample document](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/jsonpath).\r\n\r\nFor more information, please refer to the [response section of the public document](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal#response-configuration).", "style": "info" }, "customWidth": "50", "name": "text - 1" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "99635f81-0761-4441-88c4-af8fa5143ad0", "version": "KqlParameterItem/1.0", "name": "CsvDelimiter", "type": 1, "timeContext": { "durationMs": 86400000 }, "label": "CSV Delimiter" }, { "id": "c852b3f8-3e84-464c-aa71-3ff979897dfa", "version": "KqlParameterItem/1.0", "name": "HasCsvBoundary", "label": "Has CSV Boundary?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"true\", \"false\"]", "timeContext": { "durationMs": 86400000 }, "value": "false" }, { "id": "4fd24554-e677-46e4-a93a-5fee4639b962", "version": "KqlParameterItem/1.0", "name": "HasCsvHeader", "label": "Has CSV Header?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"true\", \"false\"]", "timeContext": { "durationMs": 86400000 }, "value": "true" }, { "id": "f28b27bb-825d-4686-9385-c14b30cdef04", "version": "KqlParameterItem/1.0", "name": "CsvEscape", "label": "CSV Escape", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "4e44f524-f58e-43a3-ae50-03f64b14d18c", "version": "KqlParameterItem/1.0", "name": "responseCSV", "type": 1, "query": "let response = datatable(key:string, value:string)[\r\n \"eventsJsonPaths\", \"{eventsJsonPaths}\",\r\n \"format\", \"{format}\",\r\n \"CsvDelimiter\", \"{CsvDelimiter}\",\r\n \"HasCsvBoundary\", \"{HasCsvBoundary}\",\r\n \"HasCsvHeader\", 
\"{HasCsvHeader}\",\r\n \"CsvEscape\", \"{CsvEscape}\"\r\n ];\r\nresponse\r\n| extend value = iff(key has 'CsvEscape' and isempty(value), '\"', value)\r\n| where isnotempty(value)\r\n| extend response = bag_pack(key, value)\r\n| summarize response = make_bag(response)\r\n", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "6b6dee3d-4cc5-4e1b-b7d7-7d8e56037387", "version": "KqlParameterItem/1.0", "name": "response", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "format", "operator": "==", "rightValType": "static", "rightVal": "JSON", "resultValType": "param", "resultVal": "responseJSON" } }, { "criteriaContext": { "leftOperand": "format", "operator": "==", "rightValType": "static", "rightVal": "CSV", "resultValType": "param", "resultVal": "responseCSV" } }, { "criteriaContext": { "operator": "Default", "resultValType": "param", "resultVal": "responseJSON" } } ], "timeContext": { "durationMs": 86400000 } } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "format", "comparison": "isEqualTo", "value": "csv" }, "name": "parameters - 2" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will define how the response is processed from the request. The response body is made up of:\r\n\r\n\r\n1. Format: The expected format of the response.\r\n2. CSV Delimiter: Optional, if response format is CSV and you want to change the default CSV delimiter of \",\".\r\n3. Has CSV Boundary: Optional, indicate if CSV data has a boundary.\r\n4. Has CSV Header: Optional, indicate if CSV data has a header, default is True.\r\n5. CSV Escape: Optional, escape character for a field boundary, default is \". 
For example, a CSV with headers id,name,avg and a row of data containing spaces like 1,\"my name\",5.5 requires the \" field boundary.\r\n\r\nAll values entered will be consolidated into a variable for the template. Anything left empty will not be included.\r\n\r\nFor a quick reference to JSONPaths, please refer to [this sample document](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/jsonpath).\r\n\r\nFor more information, please refer to the [response section of the public document](https://learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference#response-configuration).", "style": "info" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "format", "comparison": "isEqualTo", "value": "csv" }, "name": "text - 1 - Copy" } ], "exportParameters": true }, "name": "Response", "styleSettings": { "margin": "0px 0px 0px 20px", "showBorder": true } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Paging", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "33ec858e-50a4-45e4-b2bf-e1092a57998a", "version": "KqlParameterItem/1.0", "name": "pagingType", "label": "Paging Type", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"None\",\"LinkHeader\", \"PersistentLinkHeader\",\"NextPageToken\",\"PersistentToken\", \"NextPageUrl\", \"Offset\"]", "timeContext": { "durationMs": 86400000 }, "value": "None" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will configure the pagination of the data brought in via the connector. The paging body will vary depending on the type chosen. 
The available options are:\r\n- LinkHeader\r\n- PersistentLinkheader\r\n- NextPageToken\r\n- PersistentToken\r\n- NextPageUrl\r\n- Offset\r\n\r\nIf you are unsure about which method to use or if one is needed, please refer to the API documentation for the endpoint that you are calling.\r\n\r\nFor more information, please refer to the [paging section of the public document](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal#paging-configuration).", "style": "info" }, "customWidth": "50", "name": "text - 6" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "4d89449a-6e7a-45c8-8f73-801388348efa", "version": "KqlParameterItem/1.0", "name": "Field", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "0165bc67-9025-4c8d-afa7-96fbd57b13fa", "version": "KqlParameterItem/1.0", "name": "LinkHeaderTokenJsonPath", "label": "Link Header Token JSON Path", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "02236bff-0485-4c65-b067-96ce45c56fe5", "version": "KqlParameterItem/1.0", "name": "LHPageSize", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "68008130-7deb-4640-8cd0-017eff737183", "version": "KqlParameterItem/1.0", "name": "LHPageSizeParameterName", "label": "Page Size Parameter Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageUrl" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "Offset" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentToken" }, { "parameterName": 
"pagingType", "comparison": "isNotEqualTo", "value": "None" } ], "name": "Headers" }, { "type": 1, "content": { "json": "### Details\r\n\r\nLinkHeader or PersistentLinkheader has been chosen for the paging method. The body of this section is made up of:\r\n\r\n- Field: Optional, specifies the field that contains the value (value, body, etc.).\r\n- Link Header Token JSON Path: Optional, defines the JSON path to the link header in the response JSON if the header isn't already defined.\r\n- Page Size: Defines the paging size for the link header.\r\n- Page Size Parameter Name: Optional, defines the name of the page size parameter.\r\n\r\nAll values entered will be consolidated into a variable for the template. Anything that is left empty will not be included.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageUrl" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "Offset" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "None" } ], "name": "text - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "2f8c153c-e260-4a19-82f6-103cdf7f6764", "version": "KqlParameterItem/1.0", "name": "TokenPageSize", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "4d2dce98-99d7-4eef-bbe7-a2815da694cd", "version": "KqlParameterItem/1.0", "name": "TokenNextPageTokenResponseHeader", "label": "Next Page Token Response Header", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "7d9542a3-d0dd-4b00-b7e3-4235e5d06618", "version": "KqlParameterItem/1.0", "name": "TokenNextPageTokenJSONPath", "label": "Next Page Token JSON Path", "type": 1, "timeContext": { "durationMs": 86400000 
}, "value": "" }, { "id": "5cfcf59f-5090-4d57-9546-cfaa7bc6922a", "version": "KqlParameterItem/1.0", "name": "TokenNextPageResponseHeader", "label": "Next Page Response Header", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "5f0e9757-95ae-4c68-afd9-a860b8cb7b4f", "version": "KqlParameterItem/1.0", "name": "TokenNextPageParaName", "label": "Next Page Para Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "32d931b3-95bb-49f0-a2e8-988bd513911b", "version": "KqlParameterItem/1.0", "name": "TokenHasNextFlagJSONPath", "label": "Has Next Flag JSON Path", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "6e22ee58-fa2b-4df2-b016-03a58f74aba6", "version": "KqlParameterItem/1.0", "name": "TokenNextPageRequestHeader", "label": "Next Page Request Header", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "LinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentLinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageUrl" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "Offset" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "None" } ], "name": "Tokens" }, { "type": 1, "content": { "json": "### Details\r\n\r\nNextPageToken or PersistentToken has been selected as the paging method. 
The body of this section is made up of:\r\n\r\n- Token Page Size: Defines the paging size.\r\n- Next Page Token Response Header: Optional, defines the name of the response header that carries the next page token.\r\n- Next Page Token JSON Path: Optional, defines the JSON path to the next page token in the response body.\r\n- Next Page Parameter Name: Optional, defines the name of the request parameter used to request the next page.\r\n- Has Next Flag JSON Path: Optional, defines the JSON path to the attribute in the response that indicates whether another page exists.\r\n- Next Page Request Header: Optional, defines the name of the request header used to request the next page.\r\n\r\nAll values entered will be consolidated into a variable for the template. Anything that is left empty will not be included.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "LinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentLinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageUrl" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "Offset" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "None" } ], "name": "text - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "c3aba4d6-3170-43c8-a951-74561965ce2f", "version": "KqlParameterItem/1.0", "name": "URLPageSize", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "865d435b-7a23-4849-8a98-ab3bc6ad195d", "version": "KqlParameterItem/1.0", "name": "URLPageSizeParameterName", "label": "Page Size Parameter Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "c07f3197-4d62-4abb-8099-d851f8b382a4", "version": "KqlParameterItem/1.0", "name": "URLNextPageUrl", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "a3cf6d66-2565-441f-8697-825e1c66b28d", "version": 
"KqlParameterItem/1.0", "name": "URLNextPageUrlQueryParameters", "label": "Next Page Url Query Parameters", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "5d9c02c4-f3a5-4f6e-bc2f-9a004e648a3f", "version": "KqlParameterItem/1.0", "name": "URLNextPageParaName", "label": "Next Page Para Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "85c4d8d2-fa65-4aa0-b154-c1e1066e4916", "version": "KqlParameterItem/1.0", "name": "URLHasNextFlagJSONFlag", "label": "Has Next Flag JSON Path", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "09abdb60-e04c-4397-97a9-5b1f400d766a", "version": "KqlParameterItem/1.0", "name": "URLNextPageRequestHeader", "label": "Next Page Request Header", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "47df636e-9c7d-4c5e-893d-e621c8e68d26", "version": "KqlParameterItem/1.0", "name": "URLNextPageUrlQueryParametersTemplate", "label": "Next Page Url Query Parameters Template", "type": 1, "timeContext": { "durationMs": 86400000 } } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "pagingType", "comparison": "isEqualTo", "value": "NextPageUrl" }, "name": "URL" }, { "type": 1, "content": { "json": "### Details\r\n\r\nNextPageUrl has been selected as the paging method. The body of this section is made up of:\r\n\r\n- URLPageSize: Defines the paging size.\r\n- Page Size Parameter Name: Optional, defines the name of the page size parameter.\r\n- URLNextPageUrl: Optional, defines the next page URL if it differs from the initial request URL.\r\n- Next Page Url Query Parameters: Optional, defines the next page URL's query parameters if they differ from those of the initial request. Define the string in the serialized dictionary ``` format: {'': , '': ... 
}```\r\n- Next Page Para Name: Optional, defines the name of the request parameter used to request the next page.\r\n- Has Next Flag JSON Path: Optional, defines the path to the HasNextPage flag attribute.\r\n- Next Page Request Header: Optional, defines the name of the request header used to request the next page.\r\n\r\nAll values entered will be consolidated into a variable for the template. Anything that is left empty will not be included.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "LinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "Offset" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "None" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentLinkHeader" } ], "name": "text - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "9936107c-dab2-4685-9cc5-10a7b74d5dca", "version": "KqlParameterItem/1.0", "name": "OffsetPageSize", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "cf7c55ec-a20b-4987-b19c-f8b28a2194a1", "version": "KqlParameterItem/1.0", "name": "OffsetPageSizeParameterName", "label": "Page Size Parameter Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" }, { "id": "cc56b799-263d-45c6-9531-55befd462a67", "version": "KqlParameterItem/1.0", "name": "OffsetParaName", "label": "Offset Para Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "pagingType", "comparison": "isEqualTo", "value": "Offset" }, "name": "Offset" }, { "type": 1, 
"content": { "json": "### Details\r\n\r\nOffset has been selected as the paging method. The body of this section is made up of:\r\n\r\n- Offset Page Size: Defines the paging size.\r\n- Page Size Parameter Name: Optional, defines the name of the page size parameter.\r\n- Offset Para Name: Optional, defines the name of the offset parameter.\r\n\r\nAll values entered will be consolidated into a variable for the template. Anything that is left empty will not be included.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentToken" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "LinkHeader" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "NextPageUrl" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "None" }, { "parameterName": "pagingType", "comparison": "isNotEqualTo", "value": "PersistentLinkHeader" } ], "name": "text - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "52b3697f-b42c-47c4-b0e6-a70628f4b2e0", "version": "KqlParameterItem/1.0", "name": "LHPaging", "type": 1, "query": "let pagingType_ = dynamic('{pagingType}');\r\nlet linkHeaderValues = datatable(key:string, value:string)[\r\n \"pagingType\", \"{pagingType}\",\r\n \"Field\", \"{Field}\",\r\n \"LinkHeaderTokenJsonPath\", \"{LinkHeaderTokenJsonPath}\",\r\n \"PageSize\", \"{LHPageSize}\",\r\n \"PageSizeParameterName\", \"{LHPageSizeParameterName}\"\r\n];\r\n// Match both link-header paging types explicitly; a term match on 'linkheader' does not match PersistentLinkHeader\r\nlet LHChecker = linkHeaderValues | where pagingType_ == 'LinkHeader' or pagingType_ == 'PersistentLinkHeader' | where isnotempty(value);\r\nLHChecker\r\n| extend paging = bag_pack(key, value)\r\n| summarize paging = make_bag(paging)\r\n", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, 
"queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "d0b4f67b-ca40-43d6-8896-dfcbd7c10521", "version": "KqlParameterItem/1.0", "name": "TokenPaging", "type": 1, "query": "let pagingType_ = dynamic('{pagingType}');\r\nlet NextPageValues = datatable(key:string, value:dynamic)[\r\n \"pagingType\", \"{pagingType}\",\r\n \"PageSize\", \"{TokenPageSize}\",\r\n \"NextPageTokenResponseHeader\", \"{TokenNextPageTokenResponseHeader}\",\r\n \"NextPageTokenJSONPath\", \"{TokenNextPageTokenJSONPath}\",\r\n \"NextPageResponseHeader\", \"{TokenNextPageResponseHeader}\",\r\n \"NextPageParaName\", \"{TokenNextPageParaName}\",\r\n \"HasNextFlagJSONPath\", \"{TokenHasNextFlagJSONPath}\",\r\n \"NextPageRequestHeader\", \"{TokenNextPageRequestHeader}\"\r\n ];\r\nlet NPChecker = NextPageValues | where pagingType_ == 'NextPageToken' or pagingType_ == 'PersistentToken' | where isnotempty(value);\r\nNPChecker\r\n| extend paging = bag_pack(key, value)\r\n| summarize paging = make_bag(paging)\r\n", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "aec989a2-cb8b-4bec-867f-5a352fac9d22", "version": "KqlParameterItem/1.0", "name": "URLPaging", "type": 1, "query": "let pagingType_ = dynamic('{pagingType}');\r\nlet URL = datatable(key:string, value:string)[\r\n \"pagingType\", \"{pagingType}\",\r\n \"PageSize\", \"{URLPageSize}\",\r\n \"PageSizeParameterName\", \"{URLPageSizeParameterName}\",\r\n \"NextPageUrl\", \"{URLNextPageUrl}\",\r\n \"NextPageUrlQueryParameters\", \"{URLNextPageUrlQueryParameters}\",\r\n \"NextPageParaName\", \"{URLNextPageParaName}\",\r\n \"HasNextFlagJSONPath\", \"{URLHasNextFlagJSONFlag}\",\r\n \"NextPageRequestHeader\", \"{URLNextPageRequestHeader}\",\r\n \"NextPageUrlQueryParametersTemplate\", \"{URLNextPageUrlQueryParametersTemplate}\"\r\n ];\r\nlet URLChecker = URL | where pagingType_ == 'NextPageUrl' | where 
isnotempty(value);\r\nURLChecker\r\n| extend paging = bag_pack(key, value)\r\n| summarize paging = make_bag(paging)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "022896f0-d200-4d55-b03f-aa58227a422a", "version": "KqlParameterItem/1.0", "name": "OffsetPaging", "type": 1, "query": "let pagingType_ = dynamic('{pagingType}');\r\nlet OffsetValues = datatable(key:string, value:string)[\r\n \"pagingType\", \"{pagingType}\",\r\n \"PageSize\", \"{OffsetPageSize}\",\r\n \"PageSizeParameterName\", \"{OffsetPageSizeParameterName}\",\r\n \"OffsetParaName\", \"{OffsetParaName}\"\r\n ];\r\nlet OffsetChecker = OffsetValues | where pagingType_ == 'Offset' | where isnotempty(value);\r\nOffsetChecker\r\n| extend paging = bag_pack(key, value)\r\n| summarize paging = make_bag(paging)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "88bd6651-1a20-40a0-a487-203532b74c88", "version": "KqlParameterItem/1.0", "name": "paging", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "LinkHeader", "resultValType": "param", "resultVal": "LHPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "PersistentLinkHeader", "resultValType": "param", "resultVal": "LHPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "NextPageToken", "resultValType": "param", "resultVal": "TokenPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "PersistentToken", "resultValType": "param", 
"resultVal": "TokenPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "NextPageUrl", "resultValType": "param", "resultVal": "URLPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "Offset", "resultValType": "param", "resultVal": "OffsetPaging" } }, { "criteriaContext": { "leftOperand": "pagingType", "operator": "==", "rightValType": "static", "rightVal": "None", "resultValType": "static", "resultVal": "{\"pagingType\": \"None\"}" } }, { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "param" } } ], "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 6" } ], "exportParameters": true }, "name": "Paging", "styleSettings": { "margin": "0px 0px 0px 20px", "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "Request, Response, and Paging", "styleSettings": { "showBorder": true } }, { "type": 1, "content": { "json": "# ↓" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "text - 5" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Authentication", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "5caa27ee-70ea-4ea2-a230-bb82e0982e93", "version": "KqlParameterItem/1.0", "name": "Auth", "label": "Authentication Type", "type": 2, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Basic\", \"APIKey\", \"OAuth2\"]", "timeContext": { "durationMs": 86400000 }, "value": null } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, 
"customWidth": "50", "name": "parameters - 1" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will configure the authentication used by the connector in order to poll the data. The current options are:\r\n\r\n- Basic\r\n- APIKey\r\n- OAuth2", "style": "info" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "On" }, "name": "text - 5" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "APIKey Authentication", "loadType": "always", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "c003d9ed-414b-455a-b076-7a71d8e23ce5", "version": "KqlParameterItem/1.0", "name": "APIKeyName", "type": 1, "label": "API Key Name", "value": "X-API-Key" }, { "id": "f1c21bc0-4506-4696-8db9-d2c8bf04b3eb", "version": "KqlParameterItem/1.0", "name": "isAPIKeyInPostPayload", "label": "APIKey in POST?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[true, false]", "timeContext": { "durationMs": 86400000 }, "value": "false" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nAPIKeyName: Optional, defines the name of your API key, as one of the following values:\r\n\t- XAuthToken\r\n\t- Authorization\r\nIsAPIKeyInPostPayload: Determines where your API key is defined.\r\n\t- True: API key is defined in the POST request payload\r\n\t- False: API key is defined in the header", "style": "info" }, "customWidth": "50", "name": "text - 1" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Auth", "comparison": "isEqualTo", "value": "APIKey" }, "name": "APIKey", "styleSettings": { "margin": "0px 0px 0px 50px" } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", 
"groupType": "editable", "title": "OAuth2 Authentication", "loadType": "always", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "57e35fde-cefc-42dd-88dd-b3b871d01ef4", "version": "KqlParameterItem/1.0", "name": "AuthorizationCode", "type": 1, "label": "Authorization Code", "value": "" }, { "id": "7716ef84-931d-4d06-b86b-dafe1f519b56", "version": "KqlParameterItem/1.0", "name": "Scope", "type": 1, "value": "" }, { "id": "25b82e19-013f-4564-bb63-b3defdf1be29", "version": "KqlParameterItem/1.0", "name": "RedirectUri", "label": "Redirect URI", "type": 1, "value": "https://portal.azure.com/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights" }, { "id": "0d971f51-a010-484b-82ed-c264bbf79a16", "version": "KqlParameterItem/1.0", "name": "GrantType", "label": "Grant Type", "type": 1, "value": "client_credentials" }, { "id": "c5091ecb-5bb6-494b-b5a0-072e9da4de19", "version": "KqlParameterItem/1.0", "name": "TokenEndpoint", "label": "Token Endpoint", "type": 1, "value": "" }, { "id": "4fafdc15-e7f3-45ab-8666-c10757f5f63d", "version": "KqlParameterItem/1.0", "name": "TokenEndpointQueryParameters", "label": "Token Endpoint Query Parameters", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json" }, "value": "{}" }, { "id": "63b0e830-06dd-4716-bff6-cf6d4327dce8", "version": "KqlParameterItem/1.0", "name": "IsClientSecretInHeader", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"true\", \"false\"]", "value": "false", "label": "Client Secret in Header?" 
}, { "id": "673c716c-9ed9-4d2e-ab9c-0bba667543a9", "version": "KqlParameterItem/1.0", "name": "AuthorizationEndpoint", "label": "Authorization Endpoint", "type": 1, "value": "" }, { "id": "47a7fcab-3244-429a-b8d0-745916ce8588", "version": "KqlParameterItem/1.0", "name": "AuthorizationEndpointQueryParameters", "label": "Authorization Endpoint Query Parameters", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json" }, "value": "{}" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\n1. FlowName: Mandatory, defines the OAuth2 flow. Automatically set by the builder.\r\n2. Token Endpoint: Mandatory for OAuth2, defines the OAuth2 token service endpoint.\r\n3. Redirect URI: Optional, defines the redirection endpoint used during onboarding.\r\n4. Scope: Optional, defines the scope requested for the access token.\r\n5. Grant Type: Defines the grant type. Default value is client_credentials but may also be authorization_code.\r\n6. Authorization Endpoint: Optional, defines the OAuth2 authorization service endpoint. Used only during onboarding or when renewing a refresh token.\r\n7. Client Secret in Header?: Optional, default is false. Determines whether the client_id and client_secret values are sent in the request header, in the Basic authentication format (true), rather than in the request body (false).\r\n8. Token Endpoint Query Parameters: Optional, defines query parameters sent when calling the OAuth2 token service endpoint. Define a string in the serialized dictionary``` format: {'': , '': , ... }```\r\n9. Authorization Endpoint Query Parameters: Optional, defines query parameters sent when calling the OAuth2 authorization service endpoint. Used only during onboarding or when renewing a refresh token. Define a string in the serialized dictionary``` format:{'': , '': , ... 
}```\r\n\r\nFor more information, please refer to the [OAuth2 section of the public document](https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal#oauth2-authtype-parameters).", "style": "info" }, "customWidth": "50", "name": "text - 1" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Auth", "comparison": "isEqualTo", "value": "OAuth2" }, "name": "OAuth2", "styleSettings": { "margin": "0px 0px 0px 50px" } }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "8d2ff354-1322-4b6d-83dc-d6bfebbe1313", "version": "KqlParameterItem/1.0", "name": "basicAuth", "type": 1, "query": "let basic = datatable(key:string, value:dynamic)[\r\n \"type\", \"Basic\",\r\n \"Username\", \"[[parameters('username')]\",\r\n \"Password\", \"[[parameters('password')]\"\r\n ]\r\n;\r\nbasic\r\n| where isnotempty(key)\r\n| where isnotempty(value)\r\n| project auth = bag_pack(key, value)\r\n| summarize auth = make_bag(auth)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "260a8cbd-54cc-4ee3-9831-8c9bf3a90fe6", "version": "KqlParameterItem/1.0", "name": "apiKeyAuth", "type": 1, "query": "let apiKey = datatable(key:string, value:dynamic)[\r\n \"type\", \"APIKey\",\r\n \"APIKey\", \"[[parameters('apiKey')]\",\r\n \"APIKeyName\", \"{APIKeyName}\",\r\n \"isAPIKeyInPostPayload\", \"{isAPIKeyInPostPayload}\"\r\n ]\r\n;\r\napiKey\r\n| where isnotempty(key)\r\n| where isnotempty(value)\r\n| project auth = bag_pack(key, value)\r\n| summarize auth = make_bag(auth)", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": 
"19caa500-4540-4606-a702-f097426909f2", "version": "KqlParameterItem/1.0", "name": "oAuth", "type": 1, "query": "let OAuth2 = datatable(key:string, value:dynamic)[\r\n \"type\", \"OAuth2\",\r\n \"Scope\", \"{Scope}\",\r\n \"RedirectUri\", \"{RedirectUri}\",\r\n \"GrantType\", \"{GrantType}\",\r\n \"TokenEndpoint\", \"{TokenEndpoint}\",\r\n \"TokenEndpointHeaders\", 'Content-Type\":\"application/x-www-form-urlencoded',\r\n \"tokenEndpointQueryParameters\", dynamic({TokenEndpointQueryParameters}),\r\n \"isClientSecretInHeader\", \"{IsClientSecretInHeader}\",\r\n \"AuthorizationEndpoint\", \"{AuthorizationEndpoint}\",\r\n \"AuthorizationEndpointQueryParameters\", dynamic({AuthorizationEndpointQueryParameters}),\r\n \"FlowName\", \"AuthCode\"\r\n ]\r\n;\r\nOAuth2\r\n| extend value = iff(value == '{}', '', value)\r\n| where isnotempty(value)\r\n| project auth = bag_pack(key, value)\r\n| summarize auth = make_bag(auth)\r\n", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "f28c9b5e-7cf6-4565-b6f7-1da5b2671434", "version": "KqlParameterItem/1.0", "name": "auth", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "APIKey", "resultValType": "param", "resultVal": "apiKeyAuth" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "OAuth2", "resultValType": "param", "resultVal": "oAuth" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "None", "resultValType": "static", "resultVal": "{\"type\":\"None\"}" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "Basic", "resultValType": "param", "resultVal": "basicAuth" } }, { "criteriaContext": { "operator": 
"Default", "resultValType": "static", "resultVal": "{\"type\": \"None\"}" } } ] } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 4" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "Authentication", "styleSettings": { "showBorder": true } } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Tab", "comparison": "isEqualTo", "value": "2" }, "name": "Collection" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "### Details\r\n\r\nThe connector summary section will configure general details for the connector, such as title, publisher, and more.
\r\n\r\n- Title: The title the connector will have.\r\n- Publisher: Publisher of the connector. Use Custom, or the name of the data provider.\r\n- Description: The description shown within the connector gallery.\r\n- Graph visualization: The configuration for the data ingestion graph. The values below are pre-defined and only need changing if more queries are desired; the only value that must be changed is the query table name.", "style": "info" }, "conditionalVisibility": { "parameterName": "Help", "comparison": "isEqualTo", "value": "On" }, "name": "text - 5" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "9e331015-28ec-4649-920f-2dee95bef0a9", "version": "KqlParameterItem/1.0", "name": "title", "type": 1, "isRequired": true, "timeContext": { "durationMs": 86400000 }, "value": "ENTER CONNECTOR NAME HERE", "label": "Title" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "e0378415-4e39-44e9-acec-03ff107b3864", "version": "KqlParameterItem/1.0", "name": "publisher", "type": 1, "isRequired": true, "timeContext": { "durationMs": 86400000 }, "value": "Custom", "label": "Publisher" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0 - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "c175aaca-8eb2-4db9-9c07-4b0042dd71a4", "version": "KqlParameterItem/1.0", "name": "descriptionMarkdown", "type": 1, "isRequired": true, "typeSettings": { "multiLineText": true, "editorLanguage": "markdown" }, "timeContext": { "durationMs": 86400000 }, "label": "Description", "value": "This is the connector description." 
} ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0 - Copy - Copy - Copy - Copy" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "f1c92db6-dc41-44e2-bb78-25fe189c448f", "version": "KqlParameterItem/1.0", "name": "modifyGraph", "label": "Modify Graph Settings?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "No" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "parameters - 6" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "loadType": "always", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "15e7ce0a-14a2-407b-aecb-c670e6313c09", "version": "KqlParameterItem/1.0", "name": "graphQueriesTableName", "label": "Query Table Name", "type": 1, "query": "print '{FetchTableName}'", "crossComponentResources": [ "{Workspace}" ], "timeContext": { "durationMs": 86400000 }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, { "id": "cb6b2518-9899-4484-9437-089588650565", "version": "KqlParameterItem/1.0", "name": "graphQueries", "label": "Queries", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 8 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"metricName\": \"Total events received\",\r\n\t\t\"legend\": \"{graphQueriesTableName}\",\r\n\t\t\"baseQuery\": \"{graphQueriesTableName}\"\r\n\t}\r\n]\r\n" }, { "id": "77c88a39-3e83-43b4-9794-c7499a82ca1b", "version": "KqlParameterItem/1.0", "name": "sampleQueries", "label": "Sample 
Queries", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 10 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"description\": \"Get Sample of Connector Events\",\r\n\t\t\"query\": \"{graphQueriesTableName} | take 10\"\r\n\t}\r\n]" }, { "id": "cd3e1eed-b160-44c6-af16-2f9a26420eed", "version": "KqlParameterItem/1.0", "name": "dataTypes", "label": "Data Types", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 8 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"name\": \"{graphQueriesTableName}\",\r\n\t\t\"lastDataReceivedQuery\": \"{graphQueriesTableName} | summarize Time = max(TimeGenerated)\\n\"\r\n\t}\r\n]\r\n" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "80", "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThese values are pre-configured. The table name will need to be updated to reflect the table being used for the connector. If additional queries are desired, they can be added but are required to be JSON format.", "style": "info" }, "customWidth": "20", "name": "text - 1" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "modifyGraph", "comparison": "isEqualTo", "value": "Yes" }, "name": "Graph", "styleSettings": { "margin": "0px 0px 0px 50px" } }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "loadType": "always", "items": [ { "type": 1, "content": { "json": "### Graph Queries for UI Only template\r\n\r\nModify the queries below to represent the different data table(s) that the connector should monitor for. 
", "style": "info" }, "name": "text - 2" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "cb6b2518-9899-4484-9437-089588650565", "version": "KqlParameterItem/1.0", "name": "graphQueriesUI", "label": "Queries", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 8 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"metricName\": \"Total events received\",\r\n\t\t\"legend\": \"ProtectionStatus\",\r\n\t\t\"baseQuery\": \"ProtectionStatus\"\r\n\t}\r\n]\r\n" }, { "id": "77c88a39-3e83-43b4-9794-c7499a82ca1b", "version": "KqlParameterItem/1.0", "name": "sampleQueriesUI", "label": "Sample Queries", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 10 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"description\": \"Get Sample of Connector Events\",\r\n\t\t\"query\": \"ProtectionStatus | take 10\"\r\n\t}\r\n]" }, { "id": "cd3e1eed-b160-44c6-af16-2f9a26420eed", "version": "KqlParameterItem/1.0", "name": "dataTypesUI", "label": "Data Types", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 8 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"name\": \"ProtectionStatus\",\r\n\t\t\"lastDataReceivedQuery\": \"ProtectionStatus | summarize Time = max(TimeGenerated)\\n\"\r\n\t}\r\n]\r\n" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 0" }, { "type": 1, "content": { "json": "### Details\r\n\r\nEach of these boxes need to be modified with the name of the table(s) that should be used by the UI to check if data is flowing. 
If looking for multiple tables, the JSON will need to include sections for each table or query to properly capture information about the data ingestion.\r\n\r\nExample:\r\n\r\n~~~\r\n\"graphQueries\": [\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"ProtectionStatus\",\r\n\t\t\"baseQuery\": \"ProtectionStatus\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecureScoreControls\",\r\n\t\t\"baseQuery\": \"SecureScoreControls\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecureScores\",\r\n\t\t\"baseQuery\": \"SecureScores\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecurityBaseline\",\r\n\t\t\"baseQuery\": \"SecurityBaseline\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecurityBaselineSummary\",\r\n\t\t\"baseQuery\": \"SecurityBaselineSummary\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecurityDetection\",\r\n\t\t\"baseQuery\": \"SecurityDetection\"\r\n\t},\r\n\t{\r\n\t\t\"metricName\": \"Total data received\",\r\n\t\t\"legend\": \"SecurityNestedRecommendation\",\r\n\t\t\"baseQuery\": \"SecurityNestedRecommendation\"\r\n\t}\r\n],\r\n\"sampleQueries\": [\r\n\t{\r\n\t\t\"description\": \"All ProtectionStatus logs\",\r\n\t\t\"query\": \"ProtectionStatus\\n | sort by TimeGenerated\"\r\n\t},\r\n\t{\r\n\t\t\"description\": \"All SecureScoreControls logs\",\r\n\t\t\"query\": \"SecureScoreControls\\n | sort by TimeGenerated\"\r\n\t},\r\n\t{\r\n\t\t\"description\": \"All SecureScores logs\",\r\n\t\t\"query\": \"SecureScores\\n | sort by TimeGenerated\"\r\n\t},\r\n\t{\r\n\t\t\"description\": \"All SecurityBaseline logs\",\r\n\t\t\"query\": \"SecurityBaseline\\n | sort by TimeGenerated\"\r\n\t},\r\n\t{\r\n\t\t\"description\": \"All SecurityBaselineSummary logs\",\r\n\t\t\"query\": \"SecurityBaselineSummary\\n | sort by TimeGenerated\"\r\n\t}\r\n],\r\n\"dataTypes\": [\r\n\t{\r\n\t\t\"name\": \"ProtectionStatus\",\r\n\t\t\"lastDataReceivedQuery\": \"ProtectionStatus\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"SecureScoreControls\",\r\n\t\t\"lastDataReceivedQuery\": \"SecureScoreControls\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"SecureScores\",\r\n\t\t\"lastDataReceivedQuery\": \"SecureScores\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"SecurityBaseline\",\r\n\t\t\"lastDataReceivedQuery\": \"SecurityBaseline\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"SecurityBaselineSummary\",\r\n\t\t\"lastDataReceivedQuery\": \"SecurityBaselineSummary\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t},\r\n\t{\r\n\t\t\"name\": \"SecurityDetection\",\r\n\t\t\"lastDataReceivedQuery\": \"SecurityDetection\\n | summarize Time = max(TimeGenerated)\\n | where isnotempty(Time)\"\r\n\t}\r\n]\r\n~~~", "style": "info" }, "name": "text - 1" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "Graph - UI", "styleSettings": { "margin": "0px 0px 0px 50px" } }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "f80f8c2b-cd81-4b69-a66b-4e2f95480224", "version": "KqlParameterItem/1.0", "name": "connectivityCriteriaType", "label": "Type", "type": 1, "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, "value": "HasDataConnectors" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 5" } ], 
"exportParameters": true }, "conditionalVisibility": { "parameterName": "Tab", "comparison": "isEqualTo", "value": "1" }, "name": "Summary" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "title": "Prerequisites", "items": [ { "type": 1, "content": { "json": "##### Required Connector Permissions" }, "name": "text - 2" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "e79fa8ed-e241-4950-aa0e-6a2dc66c05d7", "version": "KqlParameterItem/1.0", "name": "ResourceProvider", "label": "Resource Provider", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "Microsoft.OperationalInsights/workspaces" }, { "id": "7905bbee-a345-4d67-ba5c-b268bf95253c", "version": "KqlParameterItem/1.0", "name": "permissionDisplayText", "label": "Permission Display Text", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "Read and Write Permissions are Required" }, { "id": "f7663d2e-0211-4ef7-a6b6-bcea7d4062df", "version": "KqlParameterItem/1.0", "name": "providerDisplayName", "label": "Provider Display Name", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "Workspace" }, { "id": "4127f3b5-96bc-415a-86d9-28e28f1efeac", "version": "KqlParameterItem/1.0", "name": "scope", "label": "Scope", "type": 1, "timeContext": { "durationMs": 86400000 }, "value": "Workspace" }, { "id": "c00e4a72-fe2e-4730-a717-38586c95748b", "version": "KqlParameterItem/1.0", "name": "write", "label": "Write", "type": 10, "isRequired": true, "isHiddenWhenLocked": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"True\"]", "timeContext": { "durationMs": 86400000 }, "value": "True" }, { "id": "eaacea03-0c6f-4012-8250-2886b6832146", "version": "KqlParameterItem/1.0", "name": "read", "label": "Read", "type": 10, "isRequired": true, "isHiddenWhenLocked": true, "typeSettings": 
{ "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"True\"]", "timeContext": { "durationMs": 86400000 }, "value": "True" }, { "version": "KqlParameterItem/1.0", "name": "delete", "label": "Delete", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"True\", \"False\"]", "timeContext": { "durationMs": 86400000 }, "value": "False", "id": "8e5c6612-6275-4d2b-be27-9e932f124b9a" }, { "id": "2a43c69f-8b2d-4183-82e0-b1f0f357208c", "version": "KqlParameterItem/1.0", "name": "permissions", "type": 1, "query": "let permissions = datatable(key:string, value:dynamic)\r\n[ \r\n \"resourceProvider\", \"{ResourceProvider}\",\r\n \"permissionDisplayText\",\"{permissionDisplayText}\",\r\n \"providerDisplayName\", \"{providerDisplayName}\",\r\n \"scope\", \"{scope}\",\r\n \"write\", \"{write}\",\r\n \"read\", \"{read}\",\r\n \"delete\", \"{delete}\"\r\n ];\r\npermissions\r\n| project holder = bag_pack(key, value)\r\n| summarize request = make_bag(holder)", "isHiddenWhenLocked": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "formVertical", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "name": "Permissions", "styleSettings": { "margin": "0px 0px 0px 50px" } }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will configure the permissions portion of the data connector. 
These values are pre-defined and don't need to be changed.", "style": "info" }, "customWidth": "50", "name": "text - 2" } ], "exportParameters": true }, "name": "Prerequisites" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "78d89f37-5618-4470-9d73-f6c3a4ca4827", "version": "KqlParameterItem/1.0", "name": "ModifyInstructions", "label": "Modify Instructions?", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [], "showDefault": false }, "jsonData": "[\"Yes\", \"No\"]", "timeContext": { "durationMs": 86400000 }, "value": "No" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "parameters - 2" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis section will configure the instructions that appear on the connector details page. 
These values are pre-defined and don't need to be changed.", "style": "info" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" }, "name": "text - 2" }, { "type": 1, "content": { "json": "------------------------------------" }, "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "text - 4" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 9, "content": { "version": "KqlParameterItem/1.0", "crossComponentResources": [ "{Workspace}" ], "parameters": [ { "id": "a86af865-711e-433d-b8f3-4bb33565321c", "version": "KqlParameterItem/1.0", "name": "InTitle", "type": 1, "timeContext": { "durationMs": 86400000 }, "label": "Title", "value": "Connect the Connector" }, { "id": "31bde674-0f1d-4ab2-8ee3-0794159a4914", "version": "KqlParameterItem/1.0", "name": "UserInDescription", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "markdown" }, "timeContext": { "durationMs": 86400000 }, "label": "Description", "value": "Follow the steps listed in order to connect the connector. Enter the requested values in the boxes below." }, { "id": "7f8cf825-13c2-47ec-92f9-4991f0883854", "version": "KqlParameterItem/1.0", "name": "BottomBorder", "type": 10, "isRequired": true, "typeSettings": { "additionalResourceOptions": [] }, "jsonData": "[\"Add\", \"Ignore\"]", "timeContext": { "durationMs": 86400000 }, "value": "Ignore", "label": "Bottom Border?" 
}, { "id": "e30b70c2-0e3c-4f7b-a1b0-5142cafcb2b4", "version": "KqlParameterItem/1.0", "name": "InDescription", "type": 1, "query": "print description = strcat('{UserInDescription}', 'This connector is sending data via the {DCR2:name} data collection rule and the {DCESelect:name} data collection endpoint.')", "crossComponentResources": [ "{Workspace}" ], "isHiddenWhenLocked": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibilities": [ { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "parameters - 0" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "6e573ec0-b9c2-485f-9cf9-e96fd2ea9a2b", "version": "KqlParameterItem/1.0", "name": "noneInstructions", "label": "Instructions", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"parameters\": {\r\n\t\t\t\"label\": \"toggle\",\r\n\t\t\t\"name\": \"toggle\"\r\n\t\t},\r\n\t\t\"type\": \"ConnectionToggleButton\"\r\n\t}\r\n]\r\n" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "None" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" } ], "name": "BasicInstructions - Copy" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis area defines the UI for the instructions on the connector. 
These instructions will be associated with connectors that do not use authentication and will just have a connect/disconnect button.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "None" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 6" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "f3e0cbb1-7b40-490c-a30f-e9739e0498c9", "version": "KqlParameterItem/1.0", "name": "basicInstructions", "label": "Instructions", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t\t{\r\n\t\t\t\"type\": \"Textbox\",\r\n\t\t\t\"parameters\": {\r\n\t\t\t\t\"label\": \"Path to console\",\r\n\t\t\t\t\"placeholder\": \"https://europe-west3.cloud.twistlock.com/{sasid}\",\r\n\t\t\t\t\"type\": \"text\",\r\n\t\t\t\t\"name\": \"domainname\"\r\n\t\t\t}\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"type\": \"Textbox\",\r\n\t\t\t\"parameters\": {\r\n\t\t\t\t\"label\": \"Username\",\r\n\t\t\t\t\"placeholder\": \"Username\",\r\n\t\t\t\t\"type\": \"text\",\r\n\t\t\t\t\"name\": \"username\"\r\n\t\t\t}\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"type\": \"Textbox\",\r\n\t\t\t\"parameters\": {\r\n\t\t\t\t\"label\": \"Password\",\r\n\t\t\t\t\"placeholder\": \"Password\",\r\n\t\t\t\t\"type\": \"password\",\r\n\t\t\t\t\"name\": \"password\"\r\n\t\t\t}\r\n\t\t},\r\n\t\t{\r\n\t\t\t\"parameters\": {\r\n\t\t\t\t\"label\": \"toggle\",\r\n\t\t\t\t\"name\": \"toggle\"\r\n\t\t\t},\r\n\t\t\t\"type\": \"ConnectionToggleButton\"\r\n\t\t}\r\n]\r\n" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "Basic" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" } ], 
"name": "BasicInstructions" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis area defines the UI for the instructions on the connector. These instructions will be associated with connectors that use basic authentication. The connector will contain input boxes for the authentication endpoint, the username, and the password needed for authentication. Once entered, the connect/disconnect button can be used.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "Basic" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 7" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "85f9553d-d92d-4277-bb9b-36849ce921d9", "version": "KqlParameterItem/1.0", "name": "apiKeyInstructions", "label": "Instructions", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"type\": \"Textbox\",\r\n\t\t\"parameters\": {\r\n\t\t\t\"label\": \"Path to source\",\r\n\t\t\t\"placeholder\": \"https://europe-west3.cloud.twistlock.com/{sasid}\",\r\n\t\t\t\"type\": \"text\",\r\n\t\t\t\"name\": \"apiEndpoint\"\r\n\t\t}\r\n\t},\r\n\t{\r\n\t\t\"type\": \"Textbox\",\r\n\t\t\"parameters\": {\r\n\t\t\t\"label\": \"API Key Value\",\r\n\t\t\t\"placeholder\": \"Paste the API key value here.\",\r\n\t\t\t\"type\": \"password\",\r\n\t\t\t\"name\": \"APIKey\"\r\n\t\t}\r\n\t},\r\n\t{\r\n\t\t\"parameters\": {\r\n\t\t\t\"label\": \"toggle\",\r\n\t\t\t\"name\": \"toggle\"\r\n\t\t},\r\n\t\t\"type\": \"ConnectionToggleButton\"\r\n\t}\r\n]\r\n" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "APIKey" }, { "parameterName": "ModifyInstructions", "comparison": 
"isEqualTo", "value": "Yes" } ], "name": "APIKeyInstructions" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThis area defines the UI for the instructions on the connector. These instructions will be associated with connectors that use APIKey authentication. The connector will contain input boxes for the authentication endpoint and the API key. Once entered, the connect/disconnect button can be used.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "APIKey" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" } ], "name": "text - 8" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "1bfa8116-55ae-4e87-85af-a18cad992199", "version": "KqlParameterItem/1.0", "name": "OAuthInstructions", "label": "Instructions", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"type\":\"OAuthForm\",\r\n\t\t\"parameters\":{\r\n\t\t\t\"clientIdLabel\":\"Client ID\",\r\n\t\t\t\"clientSecretLabel\":\"Client Secret\",\r\n\t\t\t\"authorizationCodeLabel\":\"Authorization Code\",\r\n\t\t\t\"connectButtonLabel\":\"Connect\",\r\n\t\t\t\"disconnectButtonLabel\":\"Disconnect\"\r\n\t\t}\r\n\t}\r\n]" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "OAuth2" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "OAuthInstructions" }, { "type": 1, "content": { "json": "### Details\r\n\r\nThese instructions will be associated with connectors that use OAuth2 authentication. 
The connector will contain input boxes for the client ID, client secret, and authorization code if needed. Once entered, the connect/disconnect button can be used.", "style": "info" }, "customWidth": "50", "conditionalVisibilities": [ { "parameterName": "Auth", "comparison": "isEqualTo", "value": "OAuth2" }, { "parameterName": "ModifyInstructions", "comparison": "isEqualTo", "value": "Yes" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "text - 9" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "f2fbd83c-96e8-4a59-9e19-5a62525d0c7f", "version": "KqlParameterItem/1.0", "name": "UIInstructions", "label": "Instructions", "type": 1, "typeSettings": { "multiLineText": true, "editorLanguage": "json", "multiLineHeight": 30 }, "timeContext": { "durationMs": 86400000 }, "value": "[\r\n\t{\r\n\t\t\"title\": \"1. Configure Defender for Cloud to Use Microsoft Sentinel Workspace\",\r\n\t\t\"description\": \"To configure Defender for Cloud to send data to the same workspace as Microsoft Sentinel, go to the environment settings and click on the subscription. Then modify the auto-provisioning settings so that the workspaces are the same.\",\r\n\t\t\"instructions\": [\r\n\t\t\t{\r\n\t\t\t\t\"type\": \"InstallAgent\",\r\n\t\t\t\t\"parameters\": {\r\n\t\t\t\t\t\"linkType\": \"URL\"\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t]\r\n\t},\r\n\t{\r\n\t\t\"title\": \"2. 
Configure Continuous Export from Defender for Cloud to Microsoft Sentinel\",\r\n\t\t\"description\": \"For more information, please see the [documentation](https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal).\",\r\n\t\t\"instructions\": [\r\n\t\t\t{\r\n\t\t\t\t\"type\": \"InstallAgent\",\r\n\t\t\t\t\"parameters\": {\r\n\t\t\t\t\t\"linkType\": \"URL\" \r\n\t\t\t\t}\r\n\t\t\t} \r\n\t\t]\r\n\t}\r\n]" } ], "style": "above", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "UIInstructions" }, { "type": 1, "content": { "json": "### Help\r\n\r\nThese instructions are tied to the UI only template option. These instructions will need to be filled out completely by the user/creator. An example is populated in the box and other examples can be found [in the public documentation.](https://learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference#instructions)", "style": "info" }, "customWidth": "50", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "text - 11" }, { "type": 9, "content": { "version": "KqlParameterItem/1.0", "parameters": [ { "id": "502264b0-ca11-4348-9b6a-668114a2cfe9", "version": "KqlParameterItem/1.0", "name": "instructions", "type": 1, "isHiddenWhenLocked": true, "criteriaData": [ { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "None", "resultValType": "param", "resultVal": "noneInstructions" } }, { "criteriaContext": { "leftOperand": "Destination", "operator": "==", "rightValType": "static", "rightVal": "UI Only", "resultValType": "param", "resultVal": "UIInstructions" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "Basic", "resultValType": "param", 
"resultVal": "basicInstructions" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "APIKey", "resultValType": "param", "resultVal": "apiKeyInstructions" } }, { "criteriaContext": { "leftOperand": "Auth", "operator": "==", "rightValType": "static", "rightVal": "OAuth2", "resultValType": "param", "resultVal": "OAuthInstructions" } }, { "criteriaContext": { "operator": "Default", "rightValType": "param", "resultValType": "param" } } ], "timeContext": { "durationMs": 86400000 } } ], "style": "pills", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "parameters - 5" } ], "exportParameters": true }, "name": "Instructions" } ], "exportParameters": true }, "conditionalVisibility": { "parameterName": "Tab", "comparison": "isEqualTo", "value": "3" }, "name": "Details" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "### Please Review Key Values for Connector Template\r\n##### This is the final check before deploying. This box is always shown and is not an indicator that something is incorrect. 
If any of these values are marked as unset, please review each tab to ensure that a value is set and loaded.\r\n\r\n```\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nData Collection Endpoint: {DCESelect}\r\nData Collection Rule: {DCR2}\r\nDCR Stream Name: {StreamName}\r\nDCR Destination Table: {FetchTableName}\r\nDCR Immutable ID: {DCRImmutableID}\r\nRequest: {request}\r\nResponse: {response}\r\nPaging: {paging}\r\nAuthentication: {auth}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nPermissions: {permissions}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\n```\r\n", "style": "warning" }, "name": "text - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "80e9227a-0d0d-4b7b-8d27-7fff63d52a59", "linkTarget": "ArmTemplate", "linkLabel": "Deploy Basic Auth Connector", "style": "primary", "linkIsContextBlade": true, "templateRunContext": { "componentIdSource": "parameter", "componentId": "WSRG", "templateUriSource": "static", "templateUri": "https://raw.githubusercontent.com/malowe101/Sentinel-Projects/master/CCP%20Builder%20Preview/CCP-Preview-BasicAuth.json", "templateParameters": [ { "name": "workspace", "source": "parameter", "value": "workspaceName", "kind": "stringValue" }, { "name": "title", "source": "parameter", "value": "title", "kind": "stringValue" }, { "name": "publisher", "source": "parameter", "value": "publisher", "kind": "stringValue" }, { "name": "description", "source": "parameter", "value": "descriptionMarkdown", "kind": "stringValue" }, { "name": "graphQueriesTableName", "source": "parameter", "value": "graphQueriesTableName", "kind": "stringValue" }, { "name": "instructions", "source": "parameter", "value": "instructions", "kind": "arrayValue" }, { "name": "polling", "source": "parameter", "value": "retryCount", "kind": "stringValue" }, { "name": "request", "source": 
"parameter", "value": "request", "kind": "objectValue" }, { "name": "paging", "source": "parameter", "value": "paging", "kind": "objectValue" }, { "name": "response", "source": "parameter", "value": "response", "kind": "objectValue" }, { "name": "auth", "source": "parameter", "value": "auth", "kind": "objectValue" }, { "name": "delete", "source": "parameter", "value": "delete", "kind": "stringValue" }, { "name": "graphQueries", "source": "parameter", "value": "graphQueries", "kind": "arrayValue" }, { "name": "sampleQueries", "source": "parameter", "value": "sampleQueries", "kind": "arrayValue" }, { "name": "dataTypes", "source": "parameter", "value": "dataTypes", "kind": "arrayValue" }, { "name": "streamName", "source": "parameter", "value": "StreamName", "kind": "stringValue" }, { "name": "logAnalyticsTableId", "source": "parameter", "value": "FetchTableName", "kind": "stringValue" }, { "name": "dataCollectionRuleId", "source": "static", "value": "{DCR2:name}", "kind": "stringValue" }, { "name": "DCRImmutableID", "source": "parameter", "value": "DCRImmutableID", "kind": "stringValue" }, { "name": "InTitle", "source": "parameter", "value": "InTitle", "kind": "stringValue" }, { "name": "InDescription", "source": "parameter", "value": "InDescription", "kind": "stringValue" }, { "name": "dataCollectionEndpointId", "source": "parameter", "value": "dceURL", "kind": "stringValue" } ], "titleSource": "static", "title": "", "descriptionSource": "static", "description": "```json\r\n \"variables\": {\r\n \"solutionId\": \"[concat('azuresentinel.azure-sentinel-solution-',replace(parameters('title'), ' ', ''))]\",\r\n \"_solutionId\": \"[variables('solutionId')]\",\r\n \"_solutionVersion\": \"1.0.0\",\r\n \"_solutionName\": \"[parameters('title')]\",\r\n \"dataCollectionRuleImmutableId\": \"[parameters('DCRImmutableID')]\",\r\n \"_dataCollectionRuleImmutableId\": \"[variables('dataCollectionRuleImmutableId')]\",\r\n \"dataCollectionEndpointId\": 
\"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]\",\r\n \"_dataCollectionEndpointId\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"workspaceResourceId\": \"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]\",\r\n \"logAnalyticsTableId1\": \"[parameters('graphQueriesTableName')]\",\r\n \"streamName\": \"[parameters('streamName')]\",\r\n \"dataCollectionRuleId\": \"[parameters('dataCollectionRuleId')]\",\r\n \"dataConnectorVersionConnectorDefinition\": \"1.0.0\",\r\n \"dataConnectorVersionConnections\": \"1.0.0\",\r\n \"_dataConnectorContentIdConnectorDefinition\": \"[concat(replace(parameters('title'), ' ', ''), '-ConnectorDefinition')]\",\r\n \"dataConnectorTemplateNameConnectorDefinition\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]\",\r\n \"_dataConnectorContentIdConnections\": \"[concat(replace(parameters('title'), ' ', ''), '-Connections')]\",\r\n \"dataConnectorTemplateNameConnections\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]\",\r\n \"solutionIDNameLength\": \"[length(variables('solutionId'))]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"DataConnector\"\r\n },\r\n \"dependsOn\": [\r\n 
\"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnectorDefinition'))]\",\r\n \"contentKind\": \"DataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"parameters\": {},\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": 
\"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": \"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": \"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": \"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": 
\"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": \"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": \"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": false\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": 
\"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"dependsOn\": [\r\n \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"LogicAppsCustomConnector\"\r\n },\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]\",\r\n \"contentKind\": \"ResourcesDataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"parameters\": {\r\n \"apiKey\": {\r\n \"defaultValue\": \"apiKey\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"api Key\"\r\n }\r\n },\r\n \"apiEndpoint\": {\r\n \"defaultValue\": \"apiEndpoint\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"apiEndpoint\"\r\n }\r\n },\r\n \"ClientId\": {\r\n \"defaultValue\": \"ClientId\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientId\"\r\n }\r\n },\r\n \"ClientSecret\": {\r\n \"defaultValue\": \"ClientSecret\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientSecret\"\r\n }\r\n },\r\n \"AuthorizationCode\": {\r\n \"defaultValue\": \"AuthorizationCode\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"AuthorizationCode\"\r\n }\r\n },\r\n \"connectorDefinitionName\": {\r\n \"defaultValue\": \"connectorDefinitionName\",\r\n \"type\": \"string\",\r\n \"minLength\": 1\r\n },\r\n \"workspace\": {\r\n \"defaultValue\": \"[parameters('workspace')]\",\r\n \"type\": \"string\"\r\n },\r\n \"location\": {\r\n \"defaultValue\": \"[parameters('workspace-location')]\",\r\n \"type\": \"string\"\r\n },\r\n 
\"dcrConfig\": {\r\n \"type\": \"object\",\r\n \"defaultValue\": {\r\n \"dataCollectionEndpoint\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"dataCollectionRuleImmutableId\": \"[variables('_dataCollectionRuleImmutableId')]\"\r\n }\r\n }\r\n },\r\n \"variables\": {\r\n \"_dataConnectorContentIdConnections\": \"[variables('_dataConnectorContentIdConnections')]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnections'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', replace(parameters('title'), ' ', ''))]\",\r\n \"apiVersion\": \"2022-12-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectors\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"RestApiPoller\",\r\n \"properties\": {\r\n \"connectorDefinitionName\": \"[[parameters('connectorDefinitionName')]\",\r\n \"dcrConfig\": {\r\n \"streamName\": 
\"[variables('streamName')]\",\r\n \"dataCollectionEndpoint\": \"[[parameters('dcrConfig').dataCollectionEndpoint]\",\r\n \"dataCollectionRuleImmutableId\": \"[[parameters('dcrConfig').dataCollectionRuleImmutableId]\"\r\n },\r\n \"dataType\": \"[variables('logAnalyticsTableId1')]\",\r\n \"auth\": \"[parameters('auth')]\",\r\n \"request\": \"[parameters('request')]\",\r\n \"paging\": \"[parameters('paging')]\",\r\n \"response\": \"[parameters('response')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentPackages\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"properties\": {\r\n \"version\": \"[variables('_solutionVersion')]\",\r\n \"kind\": \"Solution\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"contentId\": \"[variables('_solutionId')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"dependencies\": {\r\n \"operator\": \"AND\",\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": 
\"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\"\r\n }\r\n ]\r\n },\r\n \"firstPublishDate\": \"2023-09-01\",\r\n \"providers\": [\r\n \"Custom\"\r\n ],\r\n \"contentKind\": \"Solution\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]\",\r\n \"displayName\": \"[variables('_solutionName')]\",\r\n \"publisherDisplayName\": \"[variables('_solutionId')]\"\r\n }\r\n }\r\n ],\r\n \"outputs\": {}\r\n```\r\n\r\n### Populated Values for Template\r\n```{toggle}\r\nWorkspace: {Workspace}\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nData Types: {dataTypes}\r\nUnique Name: {name}\r\nWorkspace Location: {WSLocation}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\nAuth: {auth}\r\nRequest: {request}\r\nPaging: {paging}\r\nResponse: {response}\r\nDelete {delete}\r\n```", "runLabelSource": "static", "runLabel": "Deploy Connector" } } ] }, "customWidth": "30", "conditionalVisibility": { "parameterName": "Auth", "comparison": "isEqualTo", "value": "Basic" }, "name": "DeployBasicTemplate" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "73bc731b-2357-40eb-9139-0ba4d9211409", "linkTarget": "ArmTemplate", "linkLabel": "Deploy APIKey Connector", "style": "primary", "linkIsContextBlade": true, "templateRunContext": { "componentIdSource": "parameter", "componentId": "WSRG", "templateUriSource": "static", "templateUri": 
"https://raw.githubusercontent.com/malowe101/Sentinel-Projects/master/Sample%20CCP%20Template%20without%20TemplateSpecs.json", "templateParameters": [ { "name": "workspace", "source": "parameter", "value": "workspaceName", "kind": "stringValue" }, { "name": "title", "source": "parameter", "value": "title", "kind": "stringValue" }, { "name": "publisher", "source": "parameter", "value": "publisher", "kind": "stringValue" }, { "name": "description", "source": "parameter", "value": "descriptionMarkdown", "kind": "stringValue" }, { "name": "graphQueriesTableName", "source": "parameter", "value": "graphQueriesTableName", "kind": "stringValue" }, { "name": "instructions", "source": "parameter", "value": "instructions", "kind": "arrayValue" }, { "name": "polling", "source": "parameter", "value": "retryCount", "kind": "stringValue" }, { "name": "request", "source": "parameter", "value": "request", "kind": "objectValue" }, { "name": "paging", "source": "parameter", "value": "paging", "kind": "objectValue" }, { "name": "response", "source": "parameter", "value": "response", "kind": "objectValue" }, { "name": "auth", "source": "parameter", "value": "auth", "kind": "objectValue" }, { "name": "delete", "source": "parameter", "value": "delete", "kind": "stringValue" }, { "name": "graphQueries", "source": "parameter", "value": "graphQueries", "kind": "arrayValue" }, { "name": "sampleQueries", "source": "parameter", "value": "sampleQueries", "kind": "arrayValue" }, { "name": "dataTypes", "source": "parameter", "value": "dataTypes", "kind": "arrayValue" }, { "name": "streamName", "source": "parameter", "value": "StreamName", "kind": "stringValue" }, { "name": "logAnalyticsTableId", "source": "parameter", "value": "FetchTableName", "kind": "stringValue" }, { "name": "dataCollectionRuleId", "source": "static", "value": "{DCR2:name}", "kind": "stringValue" }, { "name": "DCRImmutableID", "source": "parameter", "value": "DCRImmutableID", "kind": "stringValue" }, { "name": "InTitle", 
"source": "parameter", "value": "InTitle", "kind": "stringValue" }, { "name": "InDescription", "source": "parameter", "value": "InDescription", "kind": "stringValue" }, { "name": "dataCollectionEndpointId", "source": "parameter", "value": "dceURL", "kind": "stringValue" } ], "titleSource": "static", "title": "", "descriptionSource": "static", "description": "```json\r\n \"variables\": {\r\n \"solutionId\": \"[concat('azuresentinel.azure-sentinel-solution-',replace(parameters('title'), ' ', ''))]\",\r\n \"_solutionId\": \"[variables('solutionId')]\",\r\n \"_solutionVersion\": \"1.0.0\",\r\n \"_solutionName\": \"[parameters('title')]\",\r\n \"dataCollectionRuleImmutableId\": \"[parameters('DCRImmutableID')]\",\r\n \"_dataCollectionRuleImmutableId\": \"[variables('dataCollectionRuleImmutableId')]\",\r\n \"dataCollectionEndpointId\": \"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]\",\r\n \"_dataCollectionEndpointId\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"workspaceResourceId\": \"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]\",\r\n \"logAnalyticsTableId1\": \"[parameters('graphQueriesTableName')]\",\r\n \"streamName\": \"[parameters('streamName')]\",\r\n \"dataCollectionRuleId\": \"[parameters('dataCollectionRuleId')]\",\r\n \"dataConnectorVersionConnectorDefinition\": \"1.0.0\",\r\n \"dataConnectorVersionConnections\": \"1.0.0\",\r\n \"_dataConnectorContentIdConnectorDefinition\": \"[concat(replace(parameters('title'), ' ', ''), '-ConnectorDefinition')]\",\r\n \"dataConnectorTemplateNameConnectorDefinition\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]\",\r\n \"_dataConnectorContentIdConnections\": \"[concat(replace(parameters('title'), ' ', ''), '-Connections')]\",\r\n \"dataConnectorTemplateNameConnections\": 
\"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]\",\r\n \"solutionIDNameLength\": \"[length(variables('solutionId'))]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"DataConnector\"\r\n },\r\n \"dependsOn\": [\r\n \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnectorDefinition'))]\",\r\n \"contentKind\": \"DataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"parameters\": {},\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', 
variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": \"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": \"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": 
\"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": \"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": \"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": 
\"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": false\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": \"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": 
[\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"dependsOn\": [\r\n \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"LogicAppsCustomConnector\"\r\n },\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]\",\r\n \"contentKind\": \"ResourcesDataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"parameters\": {\r\n \"apiKey\": {\r\n \"defaultValue\": \"apiKey\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"api Key\"\r\n }\r\n },\r\n \"apiEndpoint\": {\r\n \"defaultValue\": \"apiEndpoint\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"apiEndpoint\"\r\n }\r\n },\r\n \"ClientId\": {\r\n \"defaultValue\": \"ClientId\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientId\"\r\n }\r\n },\r\n \"ClientSecret\": 
{\r\n \"defaultValue\": \"ClientSecret\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientSecret\"\r\n }\r\n },\r\n \"AuthorizationCode\": {\r\n \"defaultValue\": \"AuthorizationCode\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"AuthorizationCode\"\r\n }\r\n },\r\n \"connectorDefinitionName\": {\r\n \"defaultValue\": \"connectorDefinitionName\",\r\n \"type\": \"string\",\r\n \"minLength\": 1\r\n },\r\n \"workspace\": {\r\n \"defaultValue\": \"[parameters('workspace')]\",\r\n \"type\": \"string\"\r\n },\r\n \"location\": {\r\n \"defaultValue\": \"[parameters('workspace-location')]\",\r\n \"type\": \"string\"\r\n },\r\n \"dcrConfig\": {\r\n \"type\": \"object\",\r\n \"defaultValue\": {\r\n \"dataCollectionEndpoint\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"dataCollectionRuleImmutableId\": \"[variables('_dataCollectionRuleImmutableId')]\"\r\n }\r\n }\r\n },\r\n \"variables\": {\r\n \"_dataConnectorContentIdConnections\": \"[variables('_dataConnectorContentIdConnections')]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnections'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": 
\"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', replace(parameters('title'), ' ', ''))]\",\r\n \"apiVersion\": \"2022-12-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectors\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"RestApiPoller\",\r\n \"properties\": {\r\n \"connectorDefinitionName\": \"[[parameters('connectorDefinitionName')]\",\r\n \"dcrConfig\": {\r\n \"streamName\": \"[variables('streamName')]\",\r\n \"dataCollectionEndpoint\": \"[[parameters('dcrConfig').dataCollectionEndpoint]\",\r\n \"dataCollectionRuleImmutableId\": \"[[parameters('dcrConfig').dataCollectionRuleImmutableId]\"\r\n },\r\n \"dataType\": \"[variables('logAnalyticsTableId1')]\",\r\n \"auth\": \"[parameters('auth')]\",\r\n \"request\": \"[parameters('request')]\",\r\n \"paging\": \"[parameters('paging')]\",\r\n \"response\": \"[parameters('response')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentPackages\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 
variables('_solutionId'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"properties\": {\r\n \"version\": \"[variables('_solutionVersion')]\",\r\n \"kind\": \"Solution\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"contentId\": \"[variables('_solutionId')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"dependencies\": {\r\n \"operator\": \"AND\",\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\"\r\n }\r\n ]\r\n },\r\n \"firstPublishDate\": \"2023-09-01\",\r\n \"providers\": [\r\n \"Custom\"\r\n ],\r\n \"contentKind\": \"Solution\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]\",\r\n \"displayName\": \"[variables('_solutionName')]\",\r\n \"publisherDisplayName\": \"[variables('_solutionId')]\"\r\n }\r\n }\r\n ],\r\n \"outputs\": {}\r\n```\r\n\r\n### Populated Values for Template\r\n```{toggle}\r\nWorkspace: {Workspace}\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nData Types: {dataTypes}\r\nUnique Name: {name}\r\nWorkspace Location: {WSLocation}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\nAuth: {auth}\r\nRequest: {request}\r\nPaging: {paging}\r\nResponse: {response}\r\nDelete {delete}\r\n```", 
"runLabelSource": "static", "runLabel": "Deploy Connector" } } ] }, "customWidth": "30", "conditionalVisibility": { "parameterName": "Auth", "comparison": "isEqualTo", "value": "APIKey" }, "name": "DeployAPIKeyTemplate" }, { "type": 1, "content": { "json": "### Note\r\n\r\nPlease note: Deploying this template does not enable the connector. This will just deploy the connector components and create the UI. You will need to go to the data connector gallery and deploy the connector.", "style": "upsell" }, "customWidth": "70", "name": "text - 2" } ] }, "conditionalVisibilities": [ { "parameterName": "Tab", "comparison": "isEqualTo", "value": "5" }, { "parameterName": "Auth", "comparison": "isNotEqualTo", "value": "OAuth2" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "Deploy" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "### Review Key Values for Connector Template\r\n##### This is the final check before deploying. This box is always shown and is not an indicator that something is incorrect. 
If any of these values are marked as unset, please review each tab to ensure that a value is set and loaded.\r\n\r\n```\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nData Collection Endpoint: {DCESelect}\r\nData Collection Rule: {DCR2}\r\nDCR Stream Name: {StreamName}\r\nDCR Destination Table: {FetchTableName}\r\nDCR Immutable ID: {DCRImmutableID}\r\nRequest: {request}\r\nResponse: {response}\r\nAuthentication: {auth}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nPermissions: {permissions}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\n```\r\n", "style": "warning" }, "name": "text - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "73bc731b-2357-40eb-9139-0ba4d9211409", "linkTarget": "ArmTemplate", "linkLabel": "Deploy OAuth Connector", "style": "primary", "linkIsContextBlade": true, "templateRunContext": { "componentIdSource": "parameter", "componentId": "WSRG", "templateUriSource": "static", "templateUri": "https://raw.githubusercontent.com/malowe101/Sentinel-Projects/master/Scratch-Oauth-without-Tempspecs.json", "templateParameters": [ { "name": "workspace", "source": "parameter", "value": "workspaceName", "kind": "stringValue" }, { "name": "title", "source": "parameter", "value": "title", "kind": "stringValue" }, { "name": "publisher", "source": "parameter", "value": "publisher", "kind": "stringValue" }, { "name": "description", "source": "parameter", "value": "descriptionMarkdown", "kind": "stringValue" }, { "name": "graphQueriesTableName", "source": "parameter", "value": "graphQueriesTableName", "kind": "stringValue" }, { "name": "instructions", "source": "parameter", "value": "instructions", "kind": "arrayValue" }, { "name": "request", "source": "parameter", "value": "request", "kind": "objectValue" }, { "name": "paging", "source": "parameter", "value": "paging", "kind": 
"objectValue" }, { "name": "response", "source": "parameter", "value": "response", "kind": "objectValue" }, { "name": "delete", "source": "parameter", "value": "delete", "kind": "stringValue" }, { "name": "graphQueries", "source": "parameter", "value": "graphQueries", "kind": "arrayValue" }, { "name": "sampleQueries", "source": "parameter", "value": "sampleQueries", "kind": "arrayValue" }, { "name": "dataTypes", "source": "parameter", "value": "dataTypes", "kind": "arrayValue" }, { "name": "streamName", "source": "parameter", "value": "StreamName", "kind": "stringValue" }, { "name": "logAnalyticsTableId", "source": "parameter", "value": "FetchTableName", "kind": "stringValue" }, { "name": "dataCollectionRuleId", "source": "static", "value": "{DCR2:name}", "kind": "stringValue" }, { "name": "DCRImmutableID", "source": "parameter", "value": "DCRImmutableID", "kind": "stringValue" }, { "name": "InTitle", "source": "parameter", "value": "InTitle", "kind": "stringValue" }, { "name": "InDescription", "source": "parameter", "value": "InDescription", "kind": "stringValue" }, { "name": "dataCollectionEndpointId", "source": "parameter", "value": "dceURL", "kind": "stringValue" }, { "name": "Scope", "source": "parameter", "value": "Scope", "kind": "stringValue" }, { "name": "RedirectUri", "source": "parameter", "value": "RedirectUri", "kind": "stringValue" }, { "name": "GrantType", "source": "parameter", "value": "GrantType", "kind": "stringValue" }, { "name": "TokenEndpoint", "source": "parameter", "value": "TokenEndpoint", "kind": "stringValue" }, { "name": "ContentType", "source": "static", "value": "application/x-www-form-urlencoded", "kind": "stringValue" }, { "name": "AccessType", "source": "static", "value": "offline", "kind": "stringValue" }, { "name": "AuthorizationEndpoint", "source": "parameter", "value": "AuthorizationEndpoint", "kind": "stringValue" } ], "titleSource": "static", "descriptionSource": "static", "description": "```json\r\n\"variables\": {\r\n 
\"solutionId\": \"[concat('azuresentinel.azure-sentinel-solution-','{title}','-preview')]\",\r\n \"_solutionId\": \"[variables('solutionId')]\",\r\n \"dataCollectionRuleImmutableId\": \"data collection rule immutableId\",\r\n \"_dataCollectionRuleImmutableId\": \"[variables('dataCollectionRuleImmutableId')]\",\r\n \"dataCollectionEndpointId\": \"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]\",\r\n \"_dataCollectionEndpointId\": \"[variables('dataCollectionEndpointId')]\",\r\n \"workspaceResourceId\": \"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]\",\r\n \"uiConfigId1\": \"[concat('{title}','NativePoller')]\",\r\n \"_uiConfigId1\": \"[variables('uiConfigId1')]\",\r\n \"dataConnectorContentId1\": \"[concat('{title}','NativePoller')]\",\r\n \"_dataConnectorContentId1\": \"[variables('dataConnectorContentId1')]\",\r\n \"dataConnectorId1\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]\",\r\n \"_dataConnectorId1\": \"[variables('dataConnectorId1')]\",\r\n \"dataConnectorTemplateSpecName1\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]\",\r\n \"dataConnectorVersion1\": \"1.0.0\",\r\n \"dataConnectorContentId2\": \"[concat('{title}','IncidentsPoller')]\",\r\n \"_dataConnectorContentId2\": \"[variables('dataConnectorContentId2')]\",\r\n \"dataConnectorId2\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]\",\r\n \"_dataConnectorId2\": \"[variables('dataConnectorId2')]\",\r\n \"dataConnectorTemplateSpecName2\": 
\"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2')))]\",\r\n \"dataConnectorVersion2\": \"1.0.0\",\r\n \"logAnalyticsTableId1\": \"{graphQueriesTableName}\",\r\n \"streamName1\": \"[parameters('streamName')]\",\r\n \"dataCollectionRuleId\": \"[parameters('dataCollectionRuleId')]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.Resources/templateSpecs\",\r\n \"apiVersion\": \"2021-05-01\",\r\n \"name\": \"[variables('dataConnectorTemplateSpecName1')]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"DataConnector\"\r\n },\r\n \"properties\": {\r\n \"description\": \"{descriptionMarkdown}\",\r\n \"displayName\": \"[concat('{title}',' template')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/templateSpecs/versions\",\r\n \"apiVersion\": \"2021-05-01\",\r\n \"name\": \"[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"dependsOn\": [\r\n \"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]\"\r\n ],\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"DataConnector\"\r\n },\r\n \"properties\": {\r\n \"description\": \"Generic data connector with template version 2.0.0\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersion1')]\",\r\n \"parameters\": {},\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"type\": 
\"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"id\": \"DynamicTemplate\",\r\n \"title\": \"{title}\",\r\n \"publisher\": \"{publisher}\",\r\n \"graphQueriesTableName\": \"{graphQueriesTableName}\",\r\n \"descriptionMarkdown\": \"{descriptionMarkdown}\",\r\n \"graphQueries\": \"{graphQueries}\",\r\n \"sampleQueries\": \"{sampleQueries}\",\r\n \"dataTypes\": \"{dataTypes}\",\r\n \"connectivityCriteria\": [{\r\n \"type\": \"SentinelKindsV2\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [{\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"{delete}\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": \"{instructions}\"\r\n },\r\n \"connectionsConfig\": {\r\n \"templateSpecName\": \"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]\",\r\n \"templateSpecVersion\": \"[variables('dataConnectorVersion2')]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentId1')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersion1')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"{title}\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"{publisher}\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentId2')]\",\r\n \"version\": \"[variables('dataConnectorVersion2')]\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"id\": \"DynamicTemplate\",\r\n \"title\": \"{title}\",\r\n \"publisher\": \"{publisher}\",\r\n \"graphQueriesTableName\": \"{graphQueriesTableName}\",\r\n \"descriptionMarkdown\": \"{descriptionMarkdown}\",\r\n \"graphQueries\": \"{graphQueries}\",\r\n \"sampleQueries\": \"{sampleQueries}\",\r\n \"dataTypes\": \"{dataTypes}\",\r\n \"connectivityCriteria\": [{\r\n \"type\": \"SentinelKindsV2\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [{\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n 
\"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"{delete}\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": \"{instructions}\"\r\n },\r\n \"connectionsConfig\": {\r\n \"templateSpecName\": \"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Resources/templateSpecs/',variables('dataConnectorTemplateSpecName2'))]\",\r\n \"templateSpecVersion\": \"[variables('dataConnectorVersion2')]\"\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId1'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentId1')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersion1')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"{title}\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentId2')]\",\r\n \"version\": \"[variables('dataConnectorVersion2')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/templateSpecs\",\r\n \"apiVersion\": \"2021-05-01\",\r\n \"name\": 
\"[variables('dataConnectorTemplateSpecName2')]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"LogicAppsCustomConnector\"\r\n },\r\n \"properties\": {\r\n \"description\": \"[parameters('description')]\",\r\n \"displayName\": \"[concat(parameters('title'),' template')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.Resources/templateSpecs/versions\",\r\n \"apiVersion\": \"2021-05-01\",\r\n \"name\": \"[concat(variables('dataConnectorTemplateSpecName2'),'/',variables('dataConnectorVersion2'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"dependsOn\": [\r\n \"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName2'))]\"\r\n ],\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"LogicAppsCustomConnector\"\r\n },\r\n \"properties\": {\r\n \"description\": \"[concat(parameters('title'),' with template version 2.0.0')]\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersion2')]\",\r\n \"parameters\": {\r\n \"domainname\": {\r\n \"defaultValue\": \"domainname\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"domainname\"\r\n }\r\n },\r\n \"password\": {\r\n \"defaultValue\": \"password\",\r\n \"type\": \"securestring\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"password (securestring so the value is not written to deployment history or logs)\"\r\n }\r\n },\r\n \"username\": {\r\n \"defaultValue\": \"username\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"username\"\r\n }\r\n },\r\n \"connectorDefinitionName\": {\r\n \"defaultValue\": \"connectorDefinitionName\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n 
\"description\": \"connectorDefinitionName\"\r\n }\r\n },\r\n \"workspace\": {\r\n \"defaultValue\": \"[parameters('workspace')]\",\r\n \"type\": \"string\"\r\n },\r\n \"location\": {\r\n \"defaultValue\": \"\",\r\n \"type\": \"string\"\r\n },\r\n \"workspaceName\": {\r\n \"defaultValue\": \"\",\r\n \"type\": \"string\"\r\n },\r\n \"dcrConfig\": {\r\n \"type\": \"object\",\r\n \"defaultValue\": {\r\n \"dataCollectionEndpoint\": \"data collection Endpoint\",\r\n \"dataCollectionRuleImmutableId\": \"[variables('_dataCollectionRuleImmutableId')]\"\r\n }\r\n }\r\n },\r\n \"variables\": {\r\n \"_dataConnectorContentId2\": \"[variables('_dataConnectorContentId2')]\",\r\n \"_dataConnectorEventsId1\": \"incidents\"\r\n },\r\n \"resources\": [\r\n {\r\n \"name\": \"[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorEventsId1'))]\",\r\n \"apiVersion\": \"2022-12-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectors\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"RestApiPoller\",\r\n \"properties\": {\r\n \"connectorDefinitionName\": \"[[parameters('connectorDefinitionName')]\",\r\n \"dcrConfig\": {\r\n \"streamName\": \"[variables('streamName1')]\",\r\n \"dataCollectionEndpoint\": \"[[parameters('dcrConfig').dataCollectionEndpoint]\",\r\n \"dataCollectionRuleImmutableId\": \"[[parameters('dcrConfig').dataCollectionRuleImmutableId]\"\r\n },\r\n \"dataType\": \"[variables('logAnalyticsTableId1')]\",\r\n \"auth\": {\r\n \"type\": \"Basic\",\r\n \"password\": \"[[parameters('password')]\",\r\n \"userName\": \"[[parameters('username')]\"\r\n },\r\n \"request\": {\r\n \"apiEndpoint\": \"[[concat(parameters('domainname'),'/api/v1/audits/incidents','?acknowledged=false')]\",\r\n \"rateLimitQPS\": 10,\r\n \"queryWindowInMin\": 5,\r\n \"httpMethod\": \"Get\",\r\n \"queryTimeFormat\": \"yyyy-MM-ddTHH:mm:ssZ\",\r\n \"startTimeAttributeName\": \"from\",\r\n 
\"endTimeAttributeName\": \"to\",\r\n \"retryCount\": 3,\r\n \"timeoutInSeconds\": 60,\r\n \"headers\": {\r\n \"Accept\": \"application/json\",\r\n \"User-Agent\": \"Scuba\"\r\n },\r\n \"queryParameters\": {\r\n \"sort\": \"time\"\r\n }\r\n },\r\n \"paging\": {\r\n \"pagingType\": \"Offset\",\r\n \"offsetParaName\": \"offset\",\r\n \"pageSizeParaName\": \"limit\"\r\n },\r\n \"response\": {\r\n \"eventsJsonPaths\": [\r\n \"$\"\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]\",\r\n \"properties\": {\r\n \"parentId\": \"[[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorEventsId1'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentId2')]\",\r\n \"kind\": \"LogicAppsCustomConnector\",\r\n \"version\": \"[variables('dataConnectorVersion2')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"{name}\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"properties\": {\r\n \"version\": \"2.0.0\",\r\n \"kind\": \"Solution\",\r\n \"contentSchemaVersion\": \"2.0.0\",\r\n \"contentId\": \"[variables('_solutionId')]\",\r\n \"parentId\": \"[variables('_solutionId')]\",\r\n \"source\": {\r\n \"kind\": 
\"Solution\",\r\n \"name\": \"{title}\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com/\"\r\n },\r\n \"dependencies\": {\r\n \"operator\": \"AND\",\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentId1')]\",\r\n \"version\": \"[variables('dataConnectorVersion1')]\"\r\n }\r\n ]\r\n },\r\n \"firstPublishDate\": \"2022-06-24\",\r\n \"providers\": [\r\n \"Microsoft\"\r\n ],\r\n \"categories\": {\r\n \"domains\": [\r\n \"Cloud Provider\"\r\n ]\r\n }\r\n },\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]\"\r\n }\r\n ],\r\n \"outputs\": {}\r\n```\r\n\r\n### Populated Values for Template\r\n```{toggle}\r\nWorkspace: {Workspace}\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nData Types: {dataTypes}\r\nUnique Name: {name}\r\nWorkspace Location: {WSLocation}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\nAuth: {auth}\r\nRequest: {request}\r\nPaging: {paging}\r\nResponse: {response}\r\nDelete: {delete}\r\n```", "runLabelSource": "static", "runLabel": "Deploy Connector" } } ] }, "customWidth": "30", "name": "DeployBasicTemplate" }, { "type": 1, "content": { "json": "### Note\r\n\r\nPlease note: Deploying this template does not enable the connector. This will just deploy the connector components and create the UI. 
You will need to go to the data connector gallery and deploy the connector.", "style": "upsell" }, "customWidth": "70", "conditionalVisibility": { "parameterName": "Auth", "comparison": "isEqualTo", "value": "OAuth2" }, "name": "text - 2" } ] }, "conditionalVisibilities": [ { "parameterName": "Tab", "comparison": "isEqualTo", "value": "5" }, { "parameterName": "Auth", "comparison": "isEqualTo", "value": "OAuth2" }, { "parameterName": "Destination", "comparison": "isNotEqualTo", "value": "UI Only" } ], "name": "Deploy - OAuth" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ { "type": 1, "content": { "json": "### Please Review Key Values for Connector Template\r\n##### This is the final check before deploying. This box is always shown and is not an indicator that something is incorrect. If any of these values are marked as unset, please review each tab to ensure that a value is set and loaded.\r\n\r\n```\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nGraph Queries: {graphQueriesUI}\r\nSample Queries: {sampleQueriesUI}\r\nData Types: {dataTypesUI}\r\nPermissions: {permissions}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\n```\r\n", "style": "warning" }, "name": "text - 1" }, { "type": 11, "content": { "version": "LinkItem/1.0", "style": "paragraph", "links": [ { "id": "73bc731b-2357-40eb-9139-0ba4d9211409", "linkTarget": "ArmTemplate", "linkLabel": "Deploy Connector UI", "style": "primary", "linkIsContextBlade": true, "templateRunContext": { "componentIdSource": "parameter", "componentId": "WSRG", "templateUriSource": "static", "templateUri": "https://raw.githubusercontent.com/malowe101/Sentinel-Projects/master/CCP%20Builder%20Preview/CCP-Preview-UI.json", "templateParameters": [ { "name": "workspace", "source": "parameter", "value": "workspaceName", "kind": "stringValue" }, { "name": "title", "source": "parameter", 
"value": "title", "kind": "stringValue" }, { "name": "publisher", "source": "parameter", "value": "publisher", "kind": "stringValue" }, { "name": "description", "source": "parameter", "value": "descriptionMarkdown", "kind": "stringValue" }, { "name": "instructions", "source": "parameter", "value": "instructions", "kind": "arrayValue" }, { "name": "delete", "source": "parameter", "value": "delete", "kind": "stringValue" }, { "name": "graphQueries", "source": "parameter", "value": "graphQueriesUI", "kind": "arrayValue" }, { "name": "sampleQueries", "source": "parameter", "value": "sampleQueriesUI", "kind": "arrayValue" }, { "name": "dataTypes", "source": "parameter", "value": "dataTypesUI", "kind": "arrayValue" } ], "titleSource": "static", "title": "", "descriptionSource": "static", "description": "```json\r\n \"variables\": {\r\n \"solutionId\": \"[concat('azuresentinel.azure-sentinel-solution-',replace(parameters('title'), ' ', ''))]\",\r\n \"_solutionId\": \"[variables('solutionId')]\",\r\n \"_solutionVersion\": \"1.0.0\",\r\n \"_solutionName\": \"[parameters('title')]\",\r\n \"dataCollectionRuleImmutableId\": \"[parameters('DCRImmutableID')]\",\r\n \"_dataCollectionRuleImmutableId\": \"[variables('dataCollectionRuleImmutableId')]\",\r\n \"dataCollectionEndpointId\": \"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]\",\r\n \"_dataCollectionEndpointId\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"workspaceResourceId\": \"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]\",\r\n \"logAnalyticsTableId1\": \"[parameters('graphQueriesTableName')]\",\r\n \"streamName\": \"[parameters('streamName')]\",\r\n \"dataCollectionRuleId\": \"[parameters('dataCollectionRuleId')]\",\r\n \"dataConnectorVersionConnectorDefinition\": \"1.0.0\",\r\n \"dataConnectorVersionConnections\": \"1.0.0\",\r\n 
\"_dataConnectorContentIdConnectorDefinition\": \"[concat(replace(parameters('title'), ' ', ''), '-ConnectorDefinition')]\",\r\n \"dataConnectorTemplateNameConnectorDefinition\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]\",\r\n \"_dataConnectorContentIdConnections\": \"[concat(replace(parameters('title'), ' ', ''), '-Connections')]\",\r\n \"dataConnectorTemplateNameConnections\": \"[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections')))]\",\r\n \"solutionIDNameLength\": \"[length(variables('solutionId'))]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"DataConnector\"\r\n },\r\n \"dependsOn\": [\r\n \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnectorDefinition'))]\",\r\n \"contentKind\": \"DataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"parameters\": {},\r\n \"variables\": {},\r\n \"resources\": [\r\n {\r\n \"type\": 
\"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": 
\"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": \"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": true\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": \"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnectorDefinition'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions\",\r\n \"apiVersion\": \"2022-09-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n 
\"kind\": \"Customizable\",\r\n \"properties\": {\r\n \"connectorUiConfig\": {\r\n \"title\": \"[parameters('title')]\",\r\n \"publisher\": \"[parameters('publisher')]\",\r\n \"graphQueriesTableName\": \"[parameters('graphQueriesTableName')]\",\r\n \"descriptionMarkdown\": \"[parameters('description')]\",\r\n \"graphQueries\": \"[parameters('graphQueries')]\",\r\n \"sampleQueries\": \"[parameters('sampleQueries')]\",\r\n \"dataTypes\": \"[parameters('dataTypes')]\",\r\n \"connectivityCriteria\": [\r\n {\r\n \"type\": \"HasDataConnectors\",\r\n \"value\": []\r\n }\r\n ],\r\n \"availability\": {\r\n \"status\": 1,\r\n \"isPreview\": false\r\n },\r\n \"permissions\": {\r\n \"resourceProvider\": [\r\n {\r\n \"provider\": \"Microsoft.OperationalInsights/workspaces\",\r\n \"permissionsDisplayText\": \"read and write permissions are required.\",\r\n \"providerDisplayName\": \"Workspace\",\r\n \"scope\": \"Workspace\",\r\n \"requiredPermissions\": {\r\n \"write\": true,\r\n \"read\": true,\r\n \"delete\": \"[parameters('delete')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"instructionSteps\": [\r\n {\r\n \"description\": \"[parameters('InDescription')]\",\r\n \"instructions\": \"[parameters('instructions')]\",\r\n \"title\": \"[parameters('InTitle')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"properties\": {\r\n \"parentId\": \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"kind\": \"DataConnector\",\r\n \"version\": 
\"[variables('dataConnectorVersionConnectorDefinition')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n },\r\n \"dependencies\": {\r\n \"criteria\": [\r\n {\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\"\r\n }\r\n ]\r\n }\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentTemplates\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"dependsOn\": [\r\n \"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]\"\r\n ],\r\n \"tags\": {\r\n \"hidden-sentinelWorkspaceId\": \"[variables('workspaceResourceId')]\",\r\n \"hidden-sentinelContentType\": \"LogicAppsCustomConnector\"\r\n },\r\n \"properties\": {\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"displayName\": \"[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections'))]\",\r\n \"contentKind\": \"ResourcesDataConnector\",\r\n \"mainTemplate\": {\r\n \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\r\n \"contentVersion\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"parameters\": {\r\n \"apiKey\": {\r\n \"defaultValue\": 
\"apiKey\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"api Key\"\r\n }\r\n },\r\n \"apiEndpoint\": {\r\n \"defaultValue\": \"apiEndpoint\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"apiEndpoint\"\r\n }\r\n },\r\n \"ClientId\": {\r\n \"defaultValue\": \"ClientId\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientId\"\r\n }\r\n },\r\n \"ClientSecret\": {\r\n \"defaultValue\": \"ClientSecret\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"ClientSecret\"\r\n }\r\n },\r\n \"AuthorizationCode\": {\r\n \"defaultValue\": \"AuthorizationCode\",\r\n \"type\": \"string\",\r\n \"minLength\": 1,\r\n \"metadata\": {\r\n \"description\": \"AuthorizationCode\"\r\n }\r\n },\r\n \"connectorDefinitionName\": {\r\n \"defaultValue\": \"connectorDefinitionName\",\r\n \"type\": \"string\",\r\n \"minLength\": 1\r\n },\r\n \"workspace\": {\r\n \"defaultValue\": \"[parameters('workspace')]\",\r\n \"type\": \"string\"\r\n },\r\n \"location\": {\r\n \"defaultValue\": \"[parameters('workspace-location')]\",\r\n \"type\": \"string\"\r\n },\r\n \"dcrConfig\": {\r\n \"type\": \"object\",\r\n \"defaultValue\": {\r\n \"dataCollectionEndpoint\": \"[parameters('dataCollectionEndpointId')]\",\r\n \"dataCollectionRuleImmutableId\": \"[variables('_dataCollectionRuleImmutableId')]\"\r\n }\r\n }\r\n },\r\n \"variables\": {\r\n \"_dataConnectorContentIdConnections\": \"[variables('_dataConnectorContentIdConnections')]\"\r\n },\r\n \"resources\": [\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/metadata\",\r\n \"apiVersion\": \"2022-01-01-preview\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_dataConnectorContentIdConnections'))]\",\r\n \"properties\": {\r\n \"parentId\": 
\"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnections')]\",\r\n \"kind\": \"ResourcesDataConnector\",\r\n \"version\": \"[variables('dataConnectorVersionConnections')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft Corporation\",\r\n \"email\": \"support@microsoft.com\",\r\n \"tier\": \"Microsoft\",\r\n \"link\": \"https://support.microsoft.com\"\r\n }\r\n }\r\n },\r\n {\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', replace(parameters('title'), ' ', ''))]\",\r\n \"apiVersion\": \"2022-12-01-preview\",\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/dataConnectors\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"kind\": \"RestApiPoller\",\r\n \"properties\": {\r\n \"connectorDefinitionName\": \"[[parameters('connectorDefinitionName')]\",\r\n \"dcrConfig\": {\r\n \"streamName\": \"[variables('streamName')]\",\r\n \"dataCollectionEndpoint\": \"[[parameters('dcrConfig').dataCollectionEndpoint]\",\r\n \"dataCollectionRuleImmutableId\": \"[[parameters('dcrConfig').dataCollectionRuleImmutableId]\"\r\n },\r\n \"dataType\": \"[variables('logAnalyticsTableId1')]\",\r\n \"auth\": \"[parameters('auth')]\",\r\n \"request\": \"[parameters('request')]\",\r\n \"paging\": \"[parameters('paging')]\",\r\n \"response\": \"[parameters('response')]\"\r\n }\r\n }\r\n ]\r\n },\r\n \"packageKind\": \"Solution\",\r\n \"packageVersion\": \"[variables('_solutionVersion')]\",\r\n \"packageName\": \"[variables('_solutionName')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, 
variables('solutionIDNameLength')),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"version\": \"[variables('_solutionVersion')]\"\r\n }\r\n },\r\n {\r\n \"type\": \"Microsoft.OperationalInsights/workspaces/providers/contentPackages\",\r\n \"name\": \"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]\",\r\n \"location\": \"[parameters('workspace-location')]\",\r\n \"apiVersion\": \"2023-04-01-preview\",\r\n \"properties\": {\r\n \"version\": \"[variables('_solutionVersion')]\",\r\n \"kind\": \"Solution\",\r\n \"contentSchemaVersion\": \"3.0.0\",\r\n \"contentId\": \"[variables('_solutionId')]\",\r\n \"source\": {\r\n \"kind\": \"Solution\",\r\n \"name\": \"[variables('_solutionName')]\",\r\n \"sourceId\": \"[variables('_solutionId')]\"\r\n },\r\n \"author\": {\r\n \"name\": \"Custom\"\r\n },\r\n \"support\": {\r\n \"name\": \"Microsoft\"\r\n },\r\n \"dependencies\": {\r\n \"operator\": \"AND\",\r\n \"criteria\": [\r\n {\r\n \"kind\": \"DataConnector\",\r\n \"contentId\": \"[variables('_dataConnectorContentIdConnectorDefinition')]\",\r\n \"version\": \"[variables('dataConnectorVersionConnectorDefinition')]\"\r\n }\r\n ]\r\n },\r\n \"firstPublishDate\": \"2023-09-01\",\r\n \"providers\": [\r\n \"Custom\"\r\n ],\r\n \"contentKind\": \"Solution\",\r\n \"packageId\": \"[variables('_solutionId')]\",\r\n \"contentProductId\": \"[concat(substring(variables('_solutionId'), 0, variables('solutionIDNameLength')),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]\",\r\n \"displayName\": \"[variables('_solutionName')]\",\r\n \"publisherDisplayName\": \"[variables('_solutionId')]\"\r\n }\r\n }\r\n ],\r\n 
\"outputs\": {}\r\n```\r\n\r\n### Populated Values for Template\r\n```{toggle}\r\nWorkspace: {Workspace}\r\nTitle: {title}\r\nPublisher: {publisher}\r\nDescription: {descriptionMarkdown}\r\nGraph Queries: {graphQueries}\r\nSample Queries: {sampleQueries}\r\nData Types: {dataTypes}\r\nUnique Name: {name}\r\nWorkspace Location: {WSLocation}\r\nInstructions Title: {InTitle}\r\nInstructions Description: {InDescription}\r\nInstructions: {instructions}\r\nAuth: {auth}\r\nRequest: {request}\r\nPaging: {paging}\r\nResponse: {response}\r\nDelete: {delete}\r\n```", "runLabelSource": "static", "runLabel": "Deploy Connector" } } ] }, "customWidth": "30", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "DeployBasicTemplate" }, { "type": 1, "content": { "json": "### Note\r\n\r\nDeploying this template does not enable the connector. It only deploys the connector components and creates the UI. The UI queries the specified data table, using the queries defined in the template, to confirm whether data is being ingested.", "style": "upsell" }, "customWidth": "70", "conditionalVisibility": { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" }, "name": "text - 2" } ] }, "conditionalVisibilities": [ { "parameterName": "Tab", "comparison": "isEqualTo", "value": "5" }, { "parameterName": "Destination", "comparison": "isEqualTo", "value": "UI Only" } ], "name": "Deploy - UI" } ], "fallbackResourceIds": [ "" ], "fromTemplateId": "sentinel-UserWorkbook", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" }