\n",
" \n",
"\n",
" \n",
" \n",
"
\n",
"\n",
" \n",
"\n",
" "
],
"text/plain": [
"\n", "Warning - this will overwrite a file of the same name in the current directory\n", "\n", "Delete any provider entries that you do not want to use and add the missing parameters for your providers. " ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "ExecuteTime": { "end_time": "2019-09-25T04:57:56.781478Z", "start_time": "2019-09-25T04:57:56.778478Z" } }, "outputs": [], "source": [ "# %%writefile msticpyconfig.yaml\n", "# QueryDefinitions:\n", "\n", "# TIProviders:\n", "# OTX:\n", "# Args:\n", "# AuthKey: \"your-otx-key\"\n", "# Primary: True\n", "# Provider: \"OTX\" # Explicitly name provider to override\n", "# VirusTotal:\n", "# Args:\n", "# AuthKey: \"your-vt-key\"\n", "# Primary: True\n", "# Provider: \"VirusTotal\"\n", "# XForce:\n", "# Args:\n", "# ApiID: \"your-xforce-id\"\n", "# AuthKey: \"your-xforce-key\"\n", "# Primary: True\n", "# Provider: \"XForce\"\n", "# AzureSentinel:\n", "# Args:\n", "# WorkspaceID: \"your-azure-sentinel-workspace-id\"\n", "# TenantID: \"your-azure-sentinel-tenant-id\"\n", "# Primary: True\n", "# Provider: \"AzSTI\"" ] }, { "cell_type": "markdown", "metadata": { "ExecuteTime": { "end_time": "2019-09-17T23:08:31.871974Z", "start_time": "2019-09-17T23:08:31.854984Z" } }, "source": [ "Reload providers to pick up new settings" ] }, { "cell_type": "code", "execution_count": 5, "metadata": { "ExecuteTime": { "end_time": "2019-09-25T04:57:57.200981Z", "start_time": "2019-09-25T04:57:56.782454Z" } }, "outputs": [ { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype Result Severity \\\n",
"XForce 52.183.120.194 ipv4 None True 1 \n",
"AzSTI 52.183.120.194 ipv4 None True 2 \n",
"\n",
" Details \\\n",
"XForce {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"AzSTI {'Action': ['alert'], 'ThreatType': ['Malware'... \n",
"\n",
" RawResult \\\n",
"XForce {'ip': '52.183.120.194', 'history': [{'created... \n",
"AzSTI Indic... \n",
"\n",
" Reference Status \n",
"XForce https://api.xforce.ibmcloud.com/ipr/52.183.120... 200 \n",
"AzSTI ThreatIntelligenceIndicator | where TimeGene... 0 "
]
},
"execution_count": 7,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"52.183.120.194\", providers=[\"AzSTI\", \"XForce\"])\n",
"ti_lookup.result_to_df(result)"
]
},
{
"cell_type": "code",
"execution_count": 8,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:00.314867Z",
"start_time": "2019-09-25T04:58:00.000046Z"
}
},
"outputs": [
{
"data": {
"text/html": [
"| \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Result | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Reference | \n", "Status | \n", "
|---|---|---|---|---|---|---|---|---|---|
| XForce | \n", "52.183.120.194 | \n", "ipv4 | \n", "None | \n", "True | \n", "1 | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'ip': '52.183.120.194', 'history': [{'created... | \n", "https://api.xforce.ibmcloud.com/ipr/52.183.120... | \n", "200 | \n", "
| AzSTI | \n", "52.183.120.194 | \n", "ipv4 | \n", "None | \n", "True | \n", "2 | \n", "{'Action': ['alert'], 'ThreatType': ['Malware'... | \n", "Indic... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0 | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" OTX \\\n",
"Ioc 52.183.120.194 \n",
"IocType ipv4 \n",
"QuerySubtype None \n",
"Result True \n",
"Severity 0 \n",
"Details {'pulse_count': 0, 'sections_available': ['gen... \n",
"RawResult {'sections': ['general', 'geo', 'reputation', ... \n",
"Reference https://otx.alienvault.com/api/v1/indicators/I... \n",
"Status 200 \n",
"\n",
" XForce \\\n",
"Ioc 52.183.120.194 \n",
"IocType ipv4 \n",
"QuerySubtype None \n",
"Result True \n",
"Severity 1 \n",
"Details {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"RawResult {'ip': '52.183.120.194', 'history': [{'created... \n",
"Reference https://api.xforce.ibmcloud.com/ipr/52.183.120... \n",
"Status 200 \n",
"\n",
" AzSTI \n",
"Ioc 52.183.120.194 \n",
"IocType ipv4 \n",
"QuerySubtype None \n",
"Result True \n",
"Severity 2 \n",
"Details {'Action': ['alert'], 'ThreatType': ['Malware'... \n",
"RawResult Indic... \n",
"Reference ThreatIntelligenceIndicator | where TimeGene... \n",
"Status 0 "
]
},
"execution_count": 8,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"52.183.120.194\")\n",
"ti_lookup.result_to_df(result).T"
]
},
{
"cell_type": "code",
"execution_count": 9,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:00.486796Z",
"start_time": "2019-09-25T04:58:00.315866Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"OTX\n",
"ioc: 38.75.137.9 ( ipv4 )\n",
"result: True\n",
"severity: 1 warning\n",
"{ 'names': ['Underminer EK'],\n",
" 'pulse_count': 1,\n",
" 'references': [ [ 'https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/']],\n",
" 'tags': [[]]}\n",
"reference: https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/general\n"
]
}
],
"source": [
"import pprint\n",
"pp = pprint.PrettyPrinter(indent=2)\n",
"\n",
"result, details = ti_lookup.lookup_ioc(observable=\"38.75.137.9\", providers=[\"OTX\"])\n",
"\n",
"# the details is a list (since there could be multiple responses for an IoC)\n",
"for provider, detail in details:\n",
" print(provider)\n",
" detail.summary\n",
"# Un-comment to view raw response\n",
"# print(\"\\nRaw Results\")\n",
"# pp.pprint(detail.raw_result)\n"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"#### Or convert result to a DataFrame and let pandas do the display work..."
]
},
{
"cell_type": "code",
"execution_count": 10,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:00.498762Z",
"start_time": "2019-09-25T04:58:00.487768Z"
}
},
"outputs": [
{
"data": {
"text/html": [
"| \n", " | OTX | \n", "XForce | \n", "AzSTI | \n", "
|---|---|---|---|
| Ioc | \n", "52.183.120.194 | \n", "52.183.120.194 | \n", "52.183.120.194 | \n", "
| IocType | \n", "ipv4 | \n", "ipv4 | \n", "ipv4 | \n", "
| QuerySubtype | \n", "None | \n", "None | \n", "None | \n", "
| Result | \n", "True | \n", "True | \n", "True | \n", "
| Severity | \n", "0 | \n", "1 | \n", "2 | \n", "
| Details | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'Action': ['alert'], 'ThreatType': ['Malware'... | \n", "
| RawResult | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "{'ip': '52.183.120.194', 'history': [{'created... | \n", "Indic... | \n", "
| Reference | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "https://api.xforce.ibmcloud.com/ipr/52.183.120... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "
| Status | \n", "200 | \n", "200 | \n", "0 | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" OTX\n",
"Ioc 38.75.137.9\n",
"IocType ipv4\n",
"QuerySubtype None\n",
"Result True\n",
"Severity 1\n",
"Details {'pulse_count': 1, 'names': ['Underminer EK'],...\n",
"RawResult {'sections': ['general', 'geo', 'reputation', ...\n",
"Reference https://otx.alienvault.com/api/v1/indicators/I...\n",
"Status 200"
]
},
"execution_count": 10,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"38.75.137.9\", providers=[\"OTX\"])\n",
"ti_lookup.result_to_df(result).T"
]
},
{
"cell_type": "code",
"execution_count": 11,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:00.519751Z",
"start_time": "2019-09-25T04:58:00.499762Z"
},
"scrolled": true
},
"outputs": [
{
"data": {
"text/plain": [
"{'sections': ['general',\n",
" 'geo',\n",
" 'reputation',\n",
" 'url_list',\n",
" 'passive_dns',\n",
" 'malware',\n",
" 'nids_list',\n",
" 'http_scans'],\n",
" 'city': 'Los Angeles',\n",
" 'area_code': 0,\n",
" 'pulse_info': {'count': 1,\n",
" 'references': ['https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/'],\n",
" 'pulses': [{'indicator_type_counts': {'URL': 16,\n",
" 'FileHash-MD5': 5,\n",
" 'IPv4': 3},\n",
" 'pulse_source': 'web',\n",
" 'TLP': 'white',\n",
" 'description': '',\n",
" 'subscriber_count': 11,\n",
" 'tags': [],\n",
" 'export_count': 0,\n",
" 'malware_families': [],\n",
" 'is_modified': False,\n",
" 'upvotes_count': 0,\n",
" 'modified_text': '55 days ago ',\n",
" 'is_subscribing': None,\n",
" 'references': ['https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/'],\n",
" 'targeted_countries': [],\n",
" 'groups': [{'name': 'DCT Security Team', 'id': 614}],\n",
" 'vote': 0,\n",
" 'validator_count': 0,\n",
" 'threat_hunter_scannable': True,\n",
" 'is_author': False,\n",
" 'adversary': '',\n",
" 'id': '5d41d77901a2f8c6e9b650e9',\n",
" 'industries': [],\n",
" 'locked': 0,\n",
" 'name': 'Underminer EK',\n",
" 'created': '2019-07-31T18:01:29.744000',\n",
" 'cloned_from': None,\n",
" 'downvotes_count': 0,\n",
" 'modified': '2019-07-31T18:01:29.744000',\n",
" 'comment_count': 0,\n",
" 'indicator_count': 24,\n",
" 'attack_ids': [],\n",
" 'in_group': True,\n",
" 'follower_count': 0,\n",
" 'votes_count': 0,\n",
" 'author': {'username': 'mattvittitoe',\n",
" 'is_subscribed': False,\n",
" 'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',\n",
" 'is_following': False,\n",
" 'id': '79520'},\n",
" 'public': 1}]},\n",
" 'continent_code': 'NA',\n",
" 'country_name': 'United States',\n",
" 'postal_code': '90017',\n",
" 'dma_code': 803,\n",
" 'country_code': 'US',\n",
" 'flag_url': '/assets/images/flags/us.png',\n",
" 'asn': 'AS63023 GTHost',\n",
" 'city_data': True,\n",
" 'indicator': '38.75.137.9',\n",
" 'whois': 'http://whois.domaintools.com/38.75.137.9',\n",
" 'type_title': 'IPv4',\n",
" 'region': 'CA',\n",
" 'charset': 0,\n",
" 'longitude': -118.278,\n",
" 'country_code3': 'USA',\n",
" 'reputation': 0,\n",
" 'base_indicator': {'indicator': '38.75.137.9',\n",
" 'description': '',\n",
" 'title': '',\n",
" 'access_reason': '',\n",
" 'access_type': 'public',\n",
" 'content': '',\n",
" 'type': 'IPv4',\n",
" 'id': 2127020821},\n",
" 'latitude': 34.0584,\n",
" 'type': 'IPv4',\n",
" 'flag_title': 'United States'}"
]
},
"execution_count": 11,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"# Extract a single field (RawResult) from the dataframe (.iloc[0] is to select the row)\n",
"ti_lookup.result_to_df(result)[\"RawResult\"].iloc[0]"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Lookup using all primary providers"
]
},
{
"cell_type": "code",
"execution_count": 12,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:03.536452Z",
"start_time": "2019-09-25T04:58:00.520750Z"
},
"scrolled": true
},
"outputs": [
{
"data": {
"application/javascript": [
"try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}"
],
"text/plain": [
"| \n", " | OTX | \n", "
|---|---|
| Ioc | \n", "38.75.137.9 | \n", "
| IocType | \n", "ipv4 | \n", "
| QuerySubtype | \n", "None | \n", "
| Result | \n", "True | \n", "
| Severity | \n", "1 | \n", "
| Details | \n", "{'pulse_count': 1, 'names': ['Underminer EK'],... | \n", "
| RawResult | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "
| Reference | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "
| Status | \n", "200 | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype Result Severity \\\n",
"OTX 188.127.231.124 ipv4 None True 2 \n",
"XForce 188.127.231.124 ipv4 None True 1 \n",
"AzSTI 188.127.231.124 ipv4 None False 0 \n",
"\n",
" Details \\\n",
"OTX {'pulse_count': 5, 'names': ['Locky Ransomware... \n",
"XForce {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"AzSTI 0 rows returned. \n",
"\n",
" RawResult \\\n",
"OTX {'sections': ['general', 'geo', 'reputation', ... \n",
"XForce {'ip': '188.127.231.124', 'history': [{'create... \n",
"AzSTI None \n",
"\n",
" Reference Status \n",
"OTX https://otx.alienvault.com/api/v1/indicators/I... 200 \n",
"XForce https://api.xforce.ibmcloud.com/ipr/188.127.23... 200 \n",
"AzSTI None -1 "
]
},
"execution_count": 12,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"188.127.231.124\")\n",
"ti_lookup.result_to_df(result)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Provider Usage\n",
"This shows the supported IoC Types.\n",
"\n",
"In some cases an IoC type will also support special types of sub-query such as geo-ip and passive-dns"
]
},
{
"cell_type": "code",
"execution_count": 13,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:03.543449Z",
"start_time": "2019-09-25T04:58:03.537451Z"
}
},
"outputs": [
{
"data": {
"text/plain": [
"['OTX - AlientVault OTX Lookup. (primary)',\n",
" 'XForce - IBM XForce Lookup. (primary)',\n",
" 'AzSTI - Azure Sentinel TI provider class. (primary)',\n",
" 'VirusTotal - VirusTotal Lookup. (secondary)']"
]
},
"metadata": {},
"output_type": "display_data"
},
{
"name": "stdout",
"output_type": "stream",
"text": [
"Azure Sentinel TI provider class. Supported query types:\n",
"\tioc_type=dns\n",
"\tioc_type=file_hash\n",
"\tioc_type=hostname\n",
"\tioc_type=ipv4\n",
"\tioc_type=ipv6\n",
"\tioc_type=linux_path\n",
"\tioc_type=md5_hash\n",
"\tioc_type=sha1_hash\n",
"\tioc_type=sha256_hash\n",
"\tioc_type=url\n",
"\tioc_type=windows_path\n"
]
}
],
"source": [
"display(ti_lookup.provider_status)\n",
"ti_lookup.loaded_providers[\"AzSTI\"].usage()"
]
},
{
"cell_type": "code",
"execution_count": 14,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:03.566435Z",
"start_time": "2019-09-25T04:58:03.544447Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Primary providers\n",
"-----------------\n",
"\n",
"Provider class: OTX\n",
"AlientVault OTX Lookup. Supported query types:\n",
"\tioc_type=dns\n",
"\tioc_type=dns, ioc_query_type=geo\n",
"\tioc_type=dns, ioc_query_type=passivedns\n",
"\tioc_type=file_hash\n",
"\tioc_type=hostname\n",
"\tioc_type=ipv4\n",
"\tioc_type=ipv4, ioc_query_type=geo\n",
"\tioc_type=ipv4, ioc_query_type=passivedns\n",
"\tioc_type=ipv6\n",
"\tioc_type=ipv6, ioc_query_type=geo\n",
"\tioc_type=ipv6, ioc_query_type=passivedns\n",
"\tioc_type=md5_hash\n",
"\tioc_type=sha1_hash\n",
"\tioc_type=sha256_hash\n",
"\tioc_type=url\n",
"\n",
"Provider class: XForce\n",
"IBM XForce Lookup. Supported query types:\n",
"\tioc_type=dns\n",
"\tioc_type=dns, ioc_query_type=malware\n",
"\tioc_type=dns, ioc_query_type=passivedns\n",
"\tioc_type=dns, ioc_query_type=whois\n",
"\tioc_type=file_hash\n",
"\tioc_type=hostname, ioc_query_type=whois\n",
"\tioc_type=ipv4\n",
"\tioc_type=ipv4, ioc_query_type=malware\n",
"\tioc_type=ipv4, ioc_query_type=passivedns\n",
"\tioc_type=ipv4, ioc_query_type=rep\n",
"\tioc_type=ipv4, ioc_query_type=whois\n",
"\tioc_type=ipv6\n",
"\tioc_type=ipv6, ioc_query_type=malware\n",
"\tioc_type=ipv6, ioc_query_type=passivedns\n",
"\tioc_type=ipv6, ioc_query_type=rep\n",
"\tioc_type=ipv6, ioc_query_type=whois\n",
"\tioc_type=md5_hash\n",
"\tioc_type=sha1_hash\n",
"\tioc_type=sha256_hash\n",
"\tioc_type=url\n",
"\tioc_type=url, ioc_query_type=malware\n",
"\n",
"Provider class: AzSTI\n",
"Azure Sentinel TI provider class. Supported query types:\n",
"\tioc_type=dns\n",
"\tioc_type=file_hash\n",
"\tioc_type=hostname\n",
"\tioc_type=ipv4\n",
"\tioc_type=ipv6\n",
"\tioc_type=linux_path\n",
"\tioc_type=md5_hash\n",
"\tioc_type=sha1_hash\n",
"\tioc_type=sha256_hash\n",
"\tioc_type=url\n",
"\tioc_type=windows_path\n",
"\n",
"Secondary providers\n",
"-------------------\n",
"\n",
"Provider class: VirusTotal\n",
"VirusTotal Lookup. Supported query types:\n",
"\tioc_type=dns\n",
"\tioc_type=file_hash\n",
"\tioc_type=ipv4\n",
"\tioc_type=md5_hash\n",
"\tioc_type=sha1_hash\n",
"\tioc_type=sha256_hash\n",
"\tioc_type=url\n"
]
}
],
"source": [
"ti_lookup.provider_usage()"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Use to do a passive DNS lookup"
]
},
{
"cell_type": "code",
"execution_count": 15,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:04.168465Z",
"start_time": "2019-09-25T04:58:03.567435Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"(True, [('XForce', LookupResult(ioc='38.75.137.9', ioc_type='ipv4', query_subtype='passivedns', result=True, severity=0, details={'records': 1}, raw_result={'Passive': {'query': '0x00000000000000000000ffff264b8909', 'records': []}, 'RDNS': ['9-137-75-38.clients.gthost.com'], 'total_rows': 1}, reference='https://api.xforce.ibmcloud.com/resolve/38.75.137.9', status=200))])\n",
"\n",
"Provider result:\n"
]
},
{
"data": {
"text/plain": [
"{'Passive': {'query': '0x00000000000000000000ffff264b8909', 'records': []},\n",
" 'RDNS': ['9-137-75-38.clients.gthost.com'],\n",
" 'total_rows': 1}"
]
},
"execution_count": 15,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"38.75.137.9\", ico_type=\"ipv4\", ioc_query_type=\"passivedns\", providers=[\"XForce\"])\n",
"print(result)\n",
"print(\"\\nProvider result:\")\n",
"result[1][0][1].raw_result"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Use to do a GeoIP lookup"
]
},
{
"cell_type": "code",
"execution_count": 16,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:04.287394Z",
"start_time": "2019-09-25T04:58:04.169440Z"
}
},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"(True, [('OTX', LookupResult(ioc='38.75.137.9', ioc_type='ipv4', query_subtype='geo', result=True, severity=0, details={}, raw_result={'flag_url': '/assets/images/flags/us.png', 'city_data': True, 'city': 'Los Angeles', 'region': 'CA', 'charset': 0, 'area_code': 0, 'continent_code': 'NA', 'country_code3': 'USA', 'latitude': 34.0584, 'postal_code': '90017', 'longitude': -118.278, 'country_code': 'US', 'country_name': 'United States', 'asn': 'AS63023 GTHost', 'dma_code': 803, 'flag_title': 'United States'}, reference='https://otx.alienvault.com/api/v1/indicators/IPv4/38.75.137.9/geo', status=200))])\n",
"\n",
"Provider result:\n"
]
},
{
"data": {
"text/plain": [
"{'flag_url': '/assets/images/flags/us.png',\n",
" 'city_data': True,\n",
" 'city': 'Los Angeles',\n",
" 'region': 'CA',\n",
" 'charset': 0,\n",
" 'area_code': 0,\n",
" 'continent_code': 'NA',\n",
" 'country_code3': 'USA',\n",
" 'latitude': 34.0584,\n",
" 'postal_code': '90017',\n",
" 'longitude': -118.278,\n",
" 'country_code': 'US',\n",
" 'country_name': 'United States',\n",
" 'asn': 'AS63023 GTHost',\n",
" 'dma_code': 803,\n",
" 'flag_title': 'United States'}"
]
},
"execution_count": 16,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"result = ti_lookup.lookup_ioc(observable=\"38.75.137.9\", ico_type=\"ipv4\", ioc_query_type=\"geo\", providers=[\"OTX\"])\n",
"print(result)\n",
"print(\"\\nProvider result:\")\n",
"result[1][0][1].raw_result"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Inferring IoC Type vs. Specifying explicity\n",
"If you do a lookup without specifying a type, TILookup will try to infer the type by matching regexes. There are patterns for all supported types but there are some caveats:\n",
"\n",
"- The match is not 100% foolproof - e.g. some URLs and hash types may be misidentified.\n",
"- The inference adds an overhead to each lookup.\n",
"\n",
"If you know the type that you want to look up, it is always better to explicitly include it.\n",
"- For single IoC lookup, use the `ioc_type` parameter.\n",
"- For multiple IoC lookups (see below), supply either:\n",
" - a DataFrame with a column that specifies the type for each entry\n",
" - a dictionary of the form `{ioc_observable: ioc_type}`"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"## Looking up Multiple IoCs"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### lookup_iocs\n",
"```\n",
"Signature:\n",
"ti_lookup.lookup_iocs(\n",
" data: Union[pandas.core.frame.DataFrame, Mapping[str, str], Iterable[str]],\n",
" obs_col: str = None,\n",
" ioc_type_col: str = None,\n",
" ioc_query_type: str = None,\n",
" providers: List[str] = None,\n",
" prov_scope: str = 'primary',\n",
" **kwargs,\n",
") -> pandas.core.frame.DataFrame\n",
"\n",
"Lookup a collection of IoCs.\n",
"\n",
"Parameters\n",
"----------\n",
"data : Union[pd.DataFrame, Mapping[str, str], Iterable[str]]\n",
" Data input in one of three formats:\n",
" 1. Pandas dataframe (you must supply the column name in\n",
" `obs_col` parameter)\n",
" 2. Mapping (e.g. a dict) of [observable, IoCType]\n",
" 3. Iterable of observables - IoCTypes will be inferred\n",
"obs_col : str, optional\n",
" DataFrame column to use for observables, by default None\n",
"ioc_type_col : str, optional\n",
" DataFrame column to use for IoCTypes, by default None\n",
"ioc_query_type: str, optional\n",
" The ioc query type (e.g. rep, info, malware)\n",
"providers: List[str]\n",
" Explicit list of providers to use\n",
"prov_scope : str, optional\n",
" Use primary, secondary or all providers, by default \"primary\"\n",
"kwargs :\n",
" Additional arguments passed to the underlying provider(s)\n",
"\n",
"Returns\n",
"-------\n",
"pd.DataFrame\n",
" DataFrame of results\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": 17,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:04.290371Z",
"start_time": "2019-09-25T04:58:04.288371Z"
}
},
"outputs": [],
"source": [
"# Uncomment this and run to see the document string\n",
"# ti_lookup.lookup_iocs?"
]
},
{
"cell_type": "markdown",
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-19T01:36:31.215275Z",
"start_time": "2019-09-19T01:36:31.200284Z"
}
},
"source": [
"### Multiple IP Lookup from single provider"
]
},
{
"cell_type": "code",
"execution_count": 18,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:07.304839Z",
"start_time": "2019-09-25T04:58:04.293368Z"
},
"scrolled": true
},
"outputs": [
{
"data": {
"application/javascript": [
"try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}"
],
"text/plain": [
"| \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Result | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Reference | \n", "Status | \n", "
|---|---|---|---|---|---|---|---|---|---|
| OTX | \n", "188.127.231.124 | \n", "ipv4 | \n", "None | \n", "True | \n", "2 | \n", "{'pulse_count': 5, 'names': ['Locky Ransomware... | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "200 | \n", "
| XForce | \n", "188.127.231.124 | \n", "ipv4 | \n", "None | \n", "True | \n", "1 | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'ip': '188.127.231.124', 'history': [{'create... | \n", "https://api.xforce.ibmcloud.com/ipr/188.127.23... | \n", "200 | \n", "
| AzSTI | \n", "188.127.231.124 | \n", "ipv4 | \n", "None | \n", "False | \n", "0 | \n", "0 rows returned. | \n", "None | \n", "None | \n", "-1 | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype \\\n",
"0 1.2.3.4 ipv4 None \n",
"1 13.91.229.209 ipv4 None \n",
"2 52.167.223.49 ipv4 None \n",
"3 51.75.29.61 ipv4 None \n",
"4 1.2.3.5 ipv4 None \n",
"\n",
" Reference Result Status \\\n",
"0 ThreatIntelligenceIndicator | where TimeGene... True 0 \n",
"1 ThreatIntelligenceIndicator | where TimeGene... True 0 \n",
"2 ThreatIntelligenceIndicator | where TimeGene... True 0 \n",
"3 ThreatIntelligenceIndicator | where TimeGene... True 0 \n",
"4 ThreatIntelligenceIndicator | where TimeGene... True 0 \n",
"\n",
" Severity Details \\\n",
"0 2 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"1 2 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"2 2 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"3 2 {'Action': 'alert', 'ThreatType': 'WatchList',... \n",
"4 2 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"\n",
" RawResult Provider \n",
"0 {'IndicatorId': 'BF59F0493B17FFDCDA7B8D2969342... AzSTI \n",
"1 {'IndicatorId': '0F1ED19DB6F3E209EB7B3C70F3DA5... AzSTI \n",
"2 {'IndicatorId': 'A6AF4F01F06D5977DE741A41DD1BC... AzSTI \n",
"3 {'IndicatorId': '745AC38B70FF24CC7DCA13BB4467D... AzSTI \n",
"4 {'IndicatorId': 'AE428189DCD303DA2A79AF8F85030... AzSTI "
]
},
"execution_count": 18,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"\n",
"ioc_ips = [\n",
" \"51.75.29.61\",\n",
" \"33.44.55.66\"\n",
" \"52.183.120.194\",\n",
" \"13.91.229.209\",\n",
" \"1.2.3.4\",\n",
" \"52.167.223.49\",\n",
" \"1.2.3.5\",\n",
"]\n",
"\n",
"ti_lookup.lookup_iocs(data=ioc_ips, providers=\"AzSTI\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Multiple IoCs using all providers\n",
"Output sorted by IoC\n",
"\n",
"Note that these URLs were picked randomly from the TI databases of the three providers used. In most cases the IoC is found by only that provider, which "
]
},
{
"cell_type": "code",
"execution_count": 19,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:17.054530Z",
"start_time": "2019-09-25T04:58:07.306811Z"
}
},
"outputs": [
{
"data": {
"application/javascript": [
"try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}"
],
"text/plain": [
"| \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Reference | \n", "Result | \n", "Status | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Provider | \n", "
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | \n", "1.2.3.4 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0 | \n", "2 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': 'BF59F0493B17FFDCDA7B8D2969342... | \n", "AzSTI | \n", "
| 1 | \n", "13.91.229.209 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0 | \n", "2 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': '0F1ED19DB6F3E209EB7B3C70F3DA5... | \n", "AzSTI | \n", "
| 2 | \n", "52.167.223.49 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0 | \n", "2 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': 'A6AF4F01F06D5977DE741A41DD1BC... | \n", "AzSTI | \n", "
| 3 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0 | \n", "2 | \n", "{'Action': 'alert', 'ThreatType': 'WatchList',... | \n", "{'IndicatorId': '745AC38B70FF24CC7DCA13BB4467D... | \n", "AzSTI | \n", "
| 4 | \n", "1.2.3.5 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0 | \n", "2 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': 'AE428189DCD303DA2A79AF8F85030... | \n", "AzSTI | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype Result \\\n",
"5 http://104.248.196.145/apache2 url None False \n",
"5 http://104.248.196.145/apache2 url None True \n",
"2 http://104.248.196.145/apache2 url None True \n",
"6 http://ajaraheritage.ge/g7cberv url None True \n",
"6 http://ajaraheritage.ge/g7cberv url None True \n",
"9 http://ajaraheritage.ge/g7cberv url None False \n",
"4 http://append.pl/srh9xsz url None True \n",
"0 http://append.pl/srh9xsz url None False \n",
"4 http://append.pl/srh9xsz url None True \n",
"3 http://businesstobuy.net url None False \n",
"3 http://businesstobuy.net url None True \n",
"3 http://businesstobuy.net url None True \n",
"4 http://cheapshirts.us/zVnMrG.php url None False \n",
"0 http://cheapshirts.us/zVnMrG.php url None True \n",
"0 http://cheapshirts.us/zVnMrG.php url None True \n",
"1 http://chinasymbolic.com/i9jnrc url None True \n",
"5 http://chinasymbolic.com/i9jnrc url None False \n",
"1 http://chinasymbolic.com/i9jnrc url None True \n",
"6 http://cic-integration.com/hjy93JNBasdas url None False \n",
"7 http://cic-integration.com/hjy93JNBasdas url None True \n",
"7 http://cic-integration.com/hjy93JNBasdas url None True \n",
"7 https://google.com url None False \n",
"8 https://google.com url None True \n",
"8 https://google.com url None True \n",
"2 https://hotel-bristol.lu/dlry/MAnJIPnY/ url None True \n",
"10 https://hotel-bristol.lu/dlry/MAnJIPnY/ url None True \n",
"2 https://hotel-bristol.lu/dlry/MAnJIPnY/ url None False \n",
"9 https://microsoft.com url None True \n",
"9 https://microsoft.com url None True \n",
"8 https://microsoft.com url None False \n",
"10 https://python.org url None True \n",
"10 https://python.org url None True \n",
"1 https://python.org url None False \n",
"\n",
" Severity Details \\\n",
"5 0.0 Not found. \n",
"5 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"2 2.0 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"6 2.0 {'pulse_count': 2, 'names': ['Locky Ransomware... \n",
"6 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"9 0.0 0 rows returned. \n",
"4 1.0 {'pulse_count': 1, 'names': ['Locky Ransomware... \n",
"0 0.0 0 rows returned. \n",
"4 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"3 0.0 0 rows returned. \n",
"3 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"3 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"4 0.0 0 rows returned. \n",
"0 2.0 {'pulse_count': 7, 'names': ['CryptoWall Ranso... \n",
"0 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"1 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"5 0.0 0 rows returned. \n",
"1 2.0 {'pulse_count': 2, 'names': ['Locky Ransomware... \n",
"6 0.0 0 rows returned. \n",
"7 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"7 1.0 {'pulse_count': 1, 'names': ['Locky Ransomware... \n",
"7 0.0 0 rows returned. \n",
"8 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"8 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"2 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"10 2.0 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"2 0.0 Not found. \n",
"9 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"9 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"8 0.0 0 rows returned. \n",
"10 0.0 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"10 0.0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"1 0.0 0 rows returned. \n",
"\n",
" RawResult \\\n",
"5 | \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Result | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Reference | \n", "Status | \n", "Provider | \n", "
|---|---|---|---|---|---|---|---|---|---|---|
| 5 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "Not found. | \n", "<Response [404]> | \n", "https://api.xforce.ibmcloud.com/url/http://104... | \n", "404.0 | \n", "XForce | \n", "
| 5 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'http://104.248.196.145/apache2'... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 2 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': '415EE92D312FAE7ACAAC8329C2EE4... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 6 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 2, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://ajaraheritage.ge/g7cberv... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 6 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'ajaraheritage.ge', 'cats':... | \n", "https://api.xforce.ibmcloud.com/url/http://aja... | \n", "200.0 | \n", "XForce | \n", "
| 9 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 4 | \n", "http://append.pl/srh9xsz | \n", "url | \n", "None | \n", "True | \n", "1.0 | \n", "{'pulse_count': 1, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://append.pl/srh9xsz', 'ale... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 0 | \n", "http://append.pl/srh9xsz | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 4 | \n", "http://append.pl/srh9xsz | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'append.pl', 'cats': {'Soft... | \n", "https://api.xforce.ibmcloud.com/url/http://app... | \n", "200.0 | \n", "XForce | \n", "
| 3 | \n", "http://businesstobuy.net | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 3 | \n", "http://businesstobuy.net | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'http://businesstobuy.net', 'ale... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 3 | \n", "http://businesstobuy.net | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'businesstobuy.net', 'cats'... | \n", "https://api.xforce.ibmcloud.com/url/http://bus... | \n", "200.0 | \n", "XForce | \n", "
| 4 | \n", "http://cheapshirts.us/zVnMrG.php | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 0 | \n", "http://cheapshirts.us/zVnMrG.php | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 7, 'names': ['CryptoWall Ranso... | \n", "{'indicator': 'http://cheapshirts.us/zVnMrG.ph... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 0 | \n", "http://cheapshirts.us/zVnMrG.php | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'cheapshirts.us/zvnmrg.php'... | \n", "https://api.xforce.ibmcloud.com/url/http://che... | \n", "200.0 | \n", "XForce | \n", "
| 1 | \n", "http://chinasymbolic.com/i9jnrc | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'chinasymbolic.com', 'cats'... | \n", "https://api.xforce.ibmcloud.com/url/http://chi... | \n", "200.0 | \n", "XForce | \n", "
| 5 | \n", "http://chinasymbolic.com/i9jnrc | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 1 | \n", "http://chinasymbolic.com/i9jnrc | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 2, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://chinasymbolic.com/i9jnrc... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 6 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 7 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'cic-integration.com', 'cat... | \n", "https://api.xforce.ibmcloud.com/url/http://cic... | \n", "200.0 | \n", "XForce | \n", "
| 7 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "True | \n", "1.0 | \n", "{'pulse_count': 1, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://cic-integration.com/hjy9... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 7 | \n", "https://google.com | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 8 | \n", "https://google.com | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'https://google.com', 'cats... | \n", "https://api.xforce.ibmcloud.com/url/https://go... | \n", "200.0 | \n", "XForce | \n", "
| 8 | \n", "https://google.com | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'https://google.com', 'alexa': '... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 2 | \n", "https://hotel-bristol.lu/dlry/MAnJIPnY/ | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'https://hotel-bristol.lu/dlry/M... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 10 | \n", "https://hotel-bristol.lu/dlry/MAnJIPnY/ | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': '53B98EB318CD0B0388240598D0FF9... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 2 | \n", "https://hotel-bristol.lu/dlry/MAnJIPnY/ | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "Not found. | \n", "<Response [404]> | \n", "https://api.xforce.ibmcloud.com/url/https://ho... | \n", "404.0 | \n", "XForce | \n", "
| 9 | \n", "https://microsoft.com | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'microsoft.com', 'cats': {'... | \n", "https://api.xforce.ibmcloud.com/url/https://mi... | \n", "200.0 | \n", "XForce | \n", "
| 9 | \n", "https://microsoft.com | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'https://microsoft.com', 'alexa'... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 8 | \n", "https://microsoft.com | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 10 | \n", "https://python.org | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'python.org', 'cats': {'Sof... | \n", "https://api.xforce.ibmcloud.com/url/https://py... | \n", "200.0 | \n", "XForce | \n", "
| 10 | \n", "https://python.org | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'https://python.org', 'alexa': '... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 1 | \n", "https://python.org | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType \\\n",
"0 http://104.248.196.145/apache2 url \n",
"1 http://ajaraheritage.ge/g7cberv url \n",
"2 http://cic-integration.com/hjy93JNBasdas url \n",
"3 51.75.29.61 ipv4 \n",
"4 33.44.55.66 ipv4 \n",
"5 52.183.120.194 ipv4 \n",
"6 f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... sha256_hash \n",
"7 cc2db822f652ca67038ba7cca8a8bde3 md5_hash \n",
"8 ajaraheritage.ge dns \n",
"0 http://104.248.196.145/apache2 url \n",
"1 http://ajaraheritage.ge/g7cberv url \n",
"2 http://cic-integration.com/hjy93JNBasdas url \n",
"3 51.75.29.61 ipv4 \n",
"4 33.44.55.66 ipv4 \n",
"5 52.183.120.194 ipv4 \n",
"6 f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... sha256_hash \n",
"7 cc2db822f652ca67038ba7cca8a8bde3 md5_hash \n",
"8 ajaraheritage.ge dns \n",
"0 http://cic-integration.com/hjy93JNBasdas url \n",
"1 http://ajaraheritage.ge/g7cberv url \n",
"2 http://104.248.196.145/apache2 url \n",
"3 33.44.55.66 ipv4 \n",
"4 52.183.120.194 ipv4 \n",
"5 51.75.29.61 ipv4 \n",
"6 f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... sha256_hash \n",
"7 cc2db822f652ca67038ba7cca8a8bde3 md5_hash \n",
"8 ajaraheritage.ge dns \n",
"\n",
" QuerySubtype Result Severity \\\n",
"0 None True 0.0 \n",
"1 None True 2.0 \n",
"2 None True 1.0 \n",
"3 None True 2.0 \n",
"4 None True 0.0 \n",
"5 None True 0.0 \n",
"6 None True 2.0 \n",
"7 None True 0.0 \n",
"8 None True 1.0 \n",
"0 None False 0.0 \n",
"1 None True 0.0 \n",
"2 None True 0.0 \n",
"3 None True 1.0 \n",
"4 None True 1.0 \n",
"5 None True 1.0 \n",
"6 None True 2.0 \n",
"7 None True 2.0 \n",
"8 None True 0.0 \n",
"0 None False 0.0 \n",
"1 None False 0.0 \n",
"2 None True 2.0 \n",
"3 None True 2.0 \n",
"4 None True 2.0 \n",
"5 None True 2.0 \n",
"6 None False 0.0 \n",
"7 None False 0.0 \n",
"8 None False 0.0 \n",
"\n",
" Details \\\n",
"0 {'pulse_count': 0, 'sections_available': ['gen... \n",
"1 {'pulse_count': 2, 'names': ['Locky Ransomware... \n",
"2 {'pulse_count': 1, 'names': ['Locky Ransomware... \n",
"3 {'pulse_count': 28, 'names': ['SSH honeypot lo... \n",
"4 {'pulse_count': 0, 'sections_available': ['gen... \n",
"5 {'pulse_count': 0, 'sections_available': ['gen... \n",
"6 {'pulse_count': 3, 'names': ['Emotet IOCs 2/4/... \n",
"7 {'pulse_count': 0, 'sections_available': ['gen... \n",
"8 {'pulse_count': 1, 'names': ['Ransomware - Loc... \n",
"0 Not found. \n",
"1 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"2 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"3 {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"4 {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"5 {'score': 1, 'cats': {}, 'categoryDescriptions... \n",
"6 {'risk': 'high', 'family': None, 'reasonDescri... \n",
"7 {'risk': 'high', 'family': None, 'reasonDescri... \n",
"8 {'score': 0, 'cats': None, 'categoryDescriptio... \n",
"0 0 rows returned. \n",
"1 0 rows returned. \n",
"2 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"3 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"4 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"5 {'Action': 'alert', 'ThreatType': 'WatchList',... \n",
"6 0 rows returned. \n",
"7 0 rows returned. \n",
"8 0 rows returned. \n",
"\n",
" RawResult \\\n",
"0 {'indicator': 'http://104.248.196.145/apache2'... \n",
"1 {'indicator': 'http://ajaraheritage.ge/g7cberv... \n",
"2 {'indicator': 'http://cic-integration.com/hjy9... \n",
"3 {'sections': ['general', 'geo', 'reputation', ... \n",
"4 {'sections': ['general', 'geo', 'reputation', ... \n",
"5 {'sections': ['general', 'geo', 'reputation', ... \n",
"6 {'indicator': 'f8a7135496fd6168df5f0ea21c745db... \n",
"7 {'indicator': 'cc2db822f652ca67038ba7cca8a8bde... \n",
"8 {'indicator': 'ajaraheritage.ge', 'alexa': 'ht... \n",
"0 | \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Result | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Reference | \n", "Status | \n", "Provider | \n", "
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'http://104.248.196.145/apache2'... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 1 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 2, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://ajaraheritage.ge/g7cberv... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 2 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "True | \n", "1.0 | \n", "{'pulse_count': 1, 'names': ['Locky Ransomware... | \n", "{'indicator': 'http://cic-integration.com/hjy9... | \n", "https://otx.alienvault.com/api/v1/indicators/u... | \n", "200.0 | \n", "OTX | \n", "
| 3 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 28, 'names': ['SSH honeypot lo... | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "200.0 | \n", "OTX | \n", "
| 4 | \n", "33.44.55.66 | \n", "ipv4 | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "200.0 | \n", "OTX | \n", "
| 5 | \n", "52.183.120.194 | \n", "ipv4 | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'sections': ['general', 'geo', 'reputation', ... | \n", "https://otx.alienvault.com/api/v1/indicators/I... | \n", "200.0 | \n", "OTX | \n", "
| 6 | \n", "f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... | \n", "sha256_hash | \n", "None | \n", "True | \n", "2.0 | \n", "{'pulse_count': 3, 'names': ['Emotet IOCs 2/4/... | \n", "{'indicator': 'f8a7135496fd6168df5f0ea21c745db... | \n", "https://otx.alienvault.com/api/v1/indicators/f... | \n", "200.0 | \n", "OTX | \n", "
| 7 | \n", "cc2db822f652ca67038ba7cca8a8bde3 | \n", "md5_hash | \n", "None | \n", "True | \n", "0.0 | \n", "{'pulse_count': 0, 'sections_available': ['gen... | \n", "{'indicator': 'cc2db822f652ca67038ba7cca8a8bde... | \n", "https://otx.alienvault.com/api/v1/indicators/f... | \n", "200.0 | \n", "OTX | \n", "
| 8 | \n", "ajaraheritage.ge | \n", "dns | \n", "None | \n", "True | \n", "1.0 | \n", "{'pulse_count': 1, 'names': ['Ransomware - Loc... | \n", "{'indicator': 'ajaraheritage.ge', 'alexa': 'ht... | \n", "https://otx.alienvault.com/api/v1/indicators/d... | \n", "200.0 | \n", "OTX | \n", "
| 0 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "Not found. | \n", "<Response [404]> | \n", "https://api.xforce.ibmcloud.com/url/http://104... | \n", "404.0 | \n", "XForce | \n", "
| 1 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'ajaraheritage.ge', 'cats':... | \n", "https://api.xforce.ibmcloud.com/url/http://aja... | \n", "200.0 | \n", "XForce | \n", "
| 2 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'cic-integration.com', 'cat... | \n", "https://api.xforce.ibmcloud.com/url/http://cic... | \n", "200.0 | \n", "XForce | \n", "
| 3 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "True | \n", "1.0 | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'ip': '51.75.29.61', 'history': [{'created': ... | \n", "https://api.xforce.ibmcloud.com/ipr/51.75.29.61 | \n", "200.0 | \n", "XForce | \n", "
| 4 | \n", "33.44.55.66 | \n", "ipv4 | \n", "None | \n", "True | \n", "1.0 | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'ip': '33.44.55.66', 'history': [{'created': ... | \n", "https://api.xforce.ibmcloud.com/ipr/33.44.55.66 | \n", "200.0 | \n", "XForce | \n", "
| 5 | \n", "52.183.120.194 | \n", "ipv4 | \n", "None | \n", "True | \n", "1.0 | \n", "{'score': 1, 'cats': {}, 'categoryDescriptions... | \n", "{'ip': '52.183.120.194', 'history': [{'created... | \n", "https://api.xforce.ibmcloud.com/ipr/52.183.120... | \n", "200.0 | \n", "XForce | \n", "
| 6 | \n", "f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... | \n", "sha256_hash | \n", "None | \n", "True | \n", "2.0 | \n", "{'risk': 'high', 'family': None, 'reasonDescri... | \n", "{'malware': {'origins': {'external': {'source'... | \n", "https://api.xforce.ibmcloud.com/malware/f8a713... | \n", "200.0 | \n", "XForce | \n", "
| 7 | \n", "cc2db822f652ca67038ba7cca8a8bde3 | \n", "md5_hash | \n", "None | \n", "True | \n", "2.0 | \n", "{'risk': 'high', 'family': None, 'reasonDescri... | \n", "{'malware': {'origins': {'external': {'source'... | \n", "https://api.xforce.ibmcloud.com/malware/cc2db8... | \n", "200.0 | \n", "XForce | \n", "
| 8 | \n", "ajaraheritage.ge | \n", "dns | \n", "None | \n", "True | \n", "0.0 | \n", "{'score': 0, 'cats': None, 'categoryDescriptio... | \n", "{'result': {'url': 'ajaraheritage.ge', 'cats':... | \n", "https://api.xforce.ibmcloud.com/url/ajaraherit... | \n", "200.0 | \n", "XForce | \n", "
| 0 | \n", "http://cic-integration.com/hjy93JNBasdas | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 1 | \n", "http://ajaraheritage.ge/g7cberv | \n", "url | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 2 | \n", "http://104.248.196.145/apache2 | \n", "url | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': '415EE92D312FAE7ACAAC8329C2EE4... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 3 | \n", "33.44.55.66 | \n", "ipv4 | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': '988978A20393BAFE37D639C36922E... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 4 | \n", "52.183.120.194 | \n", "ipv4 | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': 'E277A374F1848BE5E04AC08D422B4... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 5 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "True | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'WatchList',... | \n", "{'IndicatorId': '745AC38B70FF24CC7DCA13BB4467D... | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "0.0 | \n", "AzSTI | \n", "
| 6 | \n", "f8a7135496fd6168df5f0ea21c745db89ecea9accc29c5... | \n", "sha256_hash | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 7 | \n", "cc2db822f652ca67038ba7cca8a8bde3 | \n", "md5_hash | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
| 8 | \n", "ajaraheritage.ge | \n", "dns | \n", "None | \n", "False | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "-1.0 | \n", "AzSTI | \n", "
Set query time boundaries
')" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "5c1d89b2165f4230a97320dc16d253ce", "version_major": 2, "version_minor": 0 }, "text/plain": [ "HBox(children=(DatePicker(value=datetime.date(2019, 8, 5), description='Origin Date'), Text(value='00:00:00', …" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "2e76923b94564277a64db3cd9dfa3053", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(IntRangeSlider(value=(-24, 10), description='Time Range (hour):', layout=Layout(width='80%'), m…" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "from datetime import datetime\n", "search_origin = datetime(2019, 8, 5)\n", "q_times = nbwidgets.QueryTime(units=\"hour\", auto_display=True, origin_time=search_origin, max_after=24, max_before=24)" ] }, { "cell_type": "code", "execution_count": 22, "metadata": { "ExecuteTime": { "end_time": "2019-09-25T04:58:36.693199Z", "start_time": "2019-09-25T04:58:34.264895Z" } }, "outputs": [ { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype \\\n",
"0 1.2.3.4 ipv4 None \n",
"1 13.91.229.209 ipv4 None \n",
"2 52.167.223.49 ipv4 None \n",
"3 51.75.29.61 ipv4 None \n",
"4 1.2.3.5 ipv4 None \n",
"\n",
" Reference Result \\\n",
"0 ThreatIntelligenceIndicator | where TimeGene... False \n",
"1 ThreatIntelligenceIndicator | where TimeGene... False \n",
"2 ThreatIntelligenceIndicator | where TimeGene... False \n",
"3 ThreatIntelligenceIndicator | where TimeGene... False \n",
"4 ThreatIntelligenceIndicator | where TimeGene... False \n",
"\n",
" Details Status Severity Provider \n",
"0 0 rows returned. -1 0 AzSTI \n",
"1 0 rows returned. -1 0 AzSTI \n",
"2 0 rows returned. -1 0 AzSTI \n",
"3 0 rows returned. -1 0 AzSTI \n",
"4 0 rows returned. -1 0 AzSTI "
]
},
"execution_count": 22,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"# Using this data range returned no results\n",
"ti_lookup.lookup_iocs(data=ioc_ips, providers=\"AzSTI\", start=q_times.start, end=q_times.end).head()"
]
},
{
"cell_type": "code",
"execution_count": 23,
"metadata": {
"ExecuteTime": {
"end_time": "2019-09-25T04:58:36.734209Z",
"start_time": "2019-09-25T04:58:36.694198Z"
},
"execution_event_id": "dd3239aa-89dc-46de-9ce2-75a23e53f5bd",
"last_executed_text": "q_times = nbwidgets.QueryTime(units=\"day\", auto_display=True)",
"persistent_id": "26b9e886-3fc7-4985-9873-7fa7c3a00cef",
"scrolled": false
},
"outputs": [
{
"data": {
"application/vnd.jupyter.widget-view+json": {
"model_id": "9d55d1adc7b04b31a33429e60f6be427",
"version_major": 2,
"version_minor": 0
},
"text/plain": [
"HTML(value='| \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Reference | \n", "Result | \n", "Details | \n", "Status | \n", "Severity | \n", "Provider | \n", "
|---|---|---|---|---|---|---|---|---|---|
| 0 | \n", "1.2.3.4 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "0 rows returned. | \n", "-1 | \n", "0 | \n", "AzSTI | \n", "
| 1 | \n", "13.91.229.209 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "0 rows returned. | \n", "-1 | \n", "0 | \n", "AzSTI | \n", "
| 2 | \n", "52.167.223.49 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "0 rows returned. | \n", "-1 | \n", "0 | \n", "AzSTI | \n", "
| 3 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "0 rows returned. | \n", "-1 | \n", "0 | \n", "AzSTI | \n", "
| 4 | \n", "1.2.3.5 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "0 rows returned. | \n", "-1 | \n", "0 | \n", "AzSTI | \n", "
Set query time boundaries
')" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "ca5c15f902ac4c068536b00e1d3089f8", "version_major": 2, "version_minor": 0 }, "text/plain": [ "HBox(children=(DatePicker(value=datetime.date(2019, 8, 5), description='Origin Date'), Text(value='00:00:00', …" ] }, "metadata": {}, "output_type": "display_data" }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "68cba20fa4104e23b4bb2ee7e5b941d7", "version_major": 2, "version_minor": 0 }, "text/plain": [ "VBox(children=(IntRangeSlider(value=(-24, 10), description='Time Range (day):', layout=Layout(width='80%'), ma…" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "from datetime import datetime\n", "search_origin = datetime(2019, 8, 5)\n", "q_times = nbwidgets.QueryTime(units=\"day\", auto_display=True, origin_time=search_origin, max_after=24, max_before=24)" ] }, { "cell_type": "code", "execution_count": 24, "metadata": { "ExecuteTime": { "end_time": "2019-09-25T04:58:39.213273Z", "start_time": "2019-09-25T04:58:36.735175Z" } }, "outputs": [ { "data": { "application/javascript": [ "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}" ], "text/plain": [ "\n",
"\n",
"\n",
" \n",
"
\n",
"
"
],
"text/plain": [
" Ioc IocType QuerySubtype \\\n",
"0 1.2.3.4 ipv4 None \n",
"1 13.91.229.209 ipv4 None \n",
"2 52.167.223.49 ipv4 None \n",
"3 51.75.29.61 ipv4 None \n",
"4 1.2.3.5 ipv4 None \n",
"\n",
" Reference Result Status \\\n",
"0 ThreatIntelligenceIndicator | where TimeGene... True 0.0 \n",
"1 ThreatIntelligenceIndicator | where TimeGene... False -1.0 \n",
"2 ThreatIntelligenceIndicator | where TimeGene... False -1.0 \n",
"3 ThreatIntelligenceIndicator | where TimeGene... False -1.0 \n",
"4 ThreatIntelligenceIndicator | where TimeGene... False -1.0 \n",
"\n",
" Severity Details \\\n",
"0 2.0 {'Action': 'alert', 'ThreatType': 'Malware', '... \n",
"1 0.0 0 rows returned. \n",
"2 0.0 0 rows returned. \n",
"3 0.0 0 rows returned. \n",
"4 0.0 0 rows returned. \n",
"\n",
" RawResult Provider \n",
"0 {'IndicatorId': 'BF59F0493B17FFDCDA7B8D2969342... AzSTI \n",
"1 NaN AzSTI \n",
"2 NaN AzSTI \n",
"3 NaN AzSTI \n",
"4 NaN AzSTI "
]
},
"execution_count": 24,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"# Using a wider ranges produces results\n",
"ti_lookup.lookup_iocs(data=ioc_ips, providers=\"AzSTI\", start=q_times.start, end=q_times.end)"
]
}
],
"metadata": {
"celltoolbar": "Tags",
"hide_input": false,
"history": [
{
"cell": {
"executionCount": 1,
"executionEventId": "70a7d32e-f312-4f33-b41c-566918af9ea8",
"hasError": false,
"id": "9dd0697a-24e3-4283-b634-83da0179b04b",
"outputs": [
{
"data": {
"text/html": "\nThis product includes GeoLite2 data created by MaxMind, available from\nhttps://www.maxmind.com.\n",
"text/plain": "| \n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Reference | \n", "Result | \n", "Status | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Provider | \n", "
|---|---|---|---|---|---|---|---|---|---|---|
| 0 | \n", "1.2.3.4 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "True | \n", "0.0 | \n", "2.0 | \n", "{'Action': 'alert', 'ThreatType': 'Malware', '... | \n", "{'IndicatorId': 'BF59F0493B17FFDCDA7B8D2969342... | \n", "AzSTI | \n", "
| 1 | \n", "13.91.229.209 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "-1.0 | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "AzSTI | \n", "
| 2 | \n", "52.167.223.49 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "-1.0 | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "AzSTI | \n", "
| 3 | \n", "51.75.29.61 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "-1.0 | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "AzSTI | \n", "
| 4 | \n", "1.2.3.5 | \n", "ipv4 | \n", "None | \n", "ThreatIntelligenceIndicator | where TimeGene... | \n", "False | \n", "-1.0 | \n", "0.0 | \n", "0 rows returned. | \n", "NaN | \n", "AzSTI | \n", "
\n 
\n
\n \n ",
"text/plain": "\n
\n Kql Query Language, aka kql, is the query language for advanced analytics on Azure Monitor resources. The current supported data sources are \n Azure Data Explorer (Kusto), Log Analytics and Application Insights. To get more information execute '%kql --help \"kql\"'
\n • kql reference: Click on 'Help' tab > and Select 'kql reference' or execute '%kql --help \"kql\"'
\n • Kqlmagic configuration: execute '%config Kqlmagic'
\n • Kqlmagic usage: execute '%kql --usage'
\n
Kqlmagic package is updated frequently. Run '!pip install Kqlmagic --no-cache-dir --upgrade' to use the latest version.
Kqlmagic version: 0.1.101, source: https://github.com/Microsoft/jupyter-Kqlmagic
* a927809c-8142-43e1-96b3-4ad87cfe95a3@loganalytics
['{"error":{"message":"The request had some invalid properties","code":"BadArgumentError","innererror":{"code":"SemanticError","message":"A semantic error occurred.","innererror":{"code":"SEM0100","message":"\\'\\' operator: Failed to resolve table or column or scalar expression named \\'connection\\'"}}}}']
Overview
\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"
Topics
\n- \n
- \n
usage - How to use the Kqlmagic.
\n
\n \n - \n
conn - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n \n - \n
query / kql - Reference to resources Kusto Queru language, aka kql, documentation
\n
\n \n - \n
options - Lists the available options, and their behavior impact on the submit query command.
\n
\n \n - \n
commands - Lists the available commands, and what they do.
\n
\n \n - \n
faq - Lists frequently asked quetions and answers.
\n
\n \n - \n
help - This help.
\n
\n \n - \n
AzureMonitor- Reference to resources Azure Monitor tools
\n
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n \n - \n
AzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service
\n
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n \n - \n
LogAnalytics- Reference to resources Log Analytics service
\n
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n \n - \n
ApplicationInsights / AppInsights- Reference to resources Application Insights service
\n
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n \n
Need Support?
\n- \n
- Have a feature request for Kqlmagic? Please post it on User Voice to help us prioritize \n
- Have a technical question? Ask on Stack Overflow with tag \"Kqlmagic\" \n
- Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team \n
- Found a bug? Please help us fix it by thoroughly documenting it and filing an issue. \n
\n\n## Topics\n- **usage** - How to use the Kqlmagic.
\n
\n\n- **conn** - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n\n- **query** / **kql** - [Reference to resources Kusto Queru language, aka kql, documentation](http://aka.ms/kdocs)
\n
\n\n- **options** - Lists the available options, and their behavior impact on the submit query command.
\n
\n\n- **commands** - Lists the available commands, and what they do.
\n
\n\n- **faq** - Lists frequently asked quetions and answers.
\n
\n\n- **help** - This help.
\n
\n\n- **AzureMonitor**- [Reference to resources Azure Monitor tools](https://docs.microsoft.com/en-us/azure/azure-monitor/)
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n
\n\n- **AzureDataExplorer** / **kusto**- [Reference to resources Azure Data Explorer (kusto) service](https://docs.microsoft.com/en-us/azure/data-explorer/)
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n
\n\n- **LogAnalytics**- [Reference to resources Log Analytics service](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-queries?toc=/azure/azure-monitor/toc.json)
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n
\n\n- **ApplicationInsights** / **AppInsights**- [Reference to resources Application Insights service](https://docs.microsoft.com/en-us/azure/application-insights/app-insights-overview?toc=/azure/azure-monitor/toc.json)
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n
\n\n\n## Need Support?\n- **Have a feature request for Kqlmagic?** Please post it on [User Voice](https://feedback.azure.com/forums/913690-azure-monitor) to help us prioritize\n- **Have a technical question?** Ask on [Stack Overflow with tag \"Kqlmagic\"](https://stackoverflow.com/questions/tagged/Kqlmagic)\n- **Need Support?** Every customer with an active Azure subscription has access to [support](https://docs.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request) with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\n- **Found a bug?** Please help us fix it by thoroughly documenting it and [filing an issue](https://github.com/Microsoft/jupyter-Kqlmagic/issues/new).\n", "text/plain": "Overview\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"\nTopics\n\n\nusage - How to use the Kqlmagic.\n\n\n\nconn - Lists the available connection string variation, and how their are used to authenticatie to data sources.\n\n\n\nquery / kql - Reference to resources Kusto Queru language, aka kql, documentation\n\n\n\noptions - Lists the available options, and their behavior impact on the submit query command.\n\n\n\ncommands - Lists the available commands, and what they do.\n\n\n\nfaq - Lists frequently asked quetions and answers.\n\n\n\nhelp - This help.\n\n\n\nAzureMonitor- Reference to resources Azure Monitor tools\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n\n\n\nAzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n\n\n\nLogAnalytics- Reference to resources Log Analytics service\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n\n\n\nApplicationInsights / AppInsights- Reference to resources Application Insights service\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n\n\n\nNeed Support?\n\nHave a feature request for Kqlmagic? Please post it on User Voice to help us prioritize\nHave a technical question? Ask on Stack Overflow with tag \"Kqlmagic\"\nNeed Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\nFound a bug? Please help us fix it by thoroughly documenting it and filing an issue." }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "persistentId": "53af05b4-61af-4e19-9720-f03ca043969e", "text": "%kql --help" }, "executionTime": "2019-08-15T21:15:04.512Z" }, { "cell": { "executionCount": 6, "executionEventId": "0cc68306-40c8-4bd7-8b5a-b394a80025b6", "hasError": false, "id": "c591dfa1-6746-4363-ad43-da0e669ecb0b", "outputs": [ { "data": { "application/javascript": "try {IPython.notebook.kernel.execute(\"NOTEBOOK_URL = '\" + window.location + \"'\");} catch(err) {;}", "text/plain": "
* a927809c-8142-43e1-96b3-4ad87cfe95a3@loganalytics
['{"error":{"message":"The request had some invalid properties","code":"BadArgumentError","innererror":{"code":"SemanticError","message":"A semantic error occurred.","innererror":{"code":"SEM0100","message":"\\'\\' operator: Failed to resolve table or column or scalar expression named \\'conn\\'"}}}}']
unknown command --conn
Overview
\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"
Topics
\n- \n
- \n
usage - How to use the Kqlmagic.
\n
\n \n - \n
conn - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n \n - \n
query / kql - Reference to resources Kusto Queru language, aka kql, documentation
\n
\n \n - \n
options - Lists the available options, and their behavior impact on the submit query command.
\n
\n \n - \n
commands - Lists the available commands, and what they do.
\n
\n \n - \n
faq - Lists frequently asked quetions and answers.
\n
\n \n - \n
help - This help.
\n
\n \n - \n
AzureMonitor- Reference to resources Azure Monitor tools
\n
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n \n - \n
AzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service
\n
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n \n - \n
LogAnalytics- Reference to resources Log Analytics service
\n
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n \n - \n
ApplicationInsights / AppInsights- Reference to resources Application Insights service
\n
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n \n
Need Support?
\n- \n
- Have a feature request for Kqlmagic? Please post it on User Voice to help us prioritize \n
- Have a technical question? Ask on Stack Overflow with tag \"Kqlmagic\" \n
- Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team \n
- Found a bug? Please help us fix it by thoroughly documenting it and filing an issue. \n
\n\n## Topics\n- **usage** - How to use the Kqlmagic.
\n
\n\n- **conn** - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n\n- **query** / **kql** - [Reference to resources Kusto Queru language, aka kql, documentation](http://aka.ms/kdocs)
\n
\n\n- **options** - Lists the available options, and their behavior impact on the submit query command.
\n
\n\n- **commands** - Lists the available commands, and what they do.
\n
\n\n- **faq** - Lists frequently asked quetions and answers.
\n
\n\n- **help** - This help.
\n
\n\n- **AzureMonitor**- [Reference to resources Azure Monitor tools](https://docs.microsoft.com/en-us/azure/azure-monitor/)
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n
\n\n- **AzureDataExplorer** / **kusto**- [Reference to resources Azure Data Explorer (kusto) service](https://docs.microsoft.com/en-us/azure/data-explorer/)
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n
\n\n- **LogAnalytics**- [Reference to resources Log Analytics service](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-queries?toc=/azure/azure-monitor/toc.json)
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n
\n\n- **ApplicationInsights** / **AppInsights**- [Reference to resources Application Insights service](https://docs.microsoft.com/en-us/azure/application-insights/app-insights-overview?toc=/azure/azure-monitor/toc.json)
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n
\n\n\n## Need Support?\n- **Have a feature request for Kqlmagic?** Please post it on [User Voice](https://feedback.azure.com/forums/913690-azure-monitor) to help us prioritize\n- **Have a technical question?** Ask on [Stack Overflow with tag \"Kqlmagic\"](https://stackoverflow.com/questions/tagged/Kqlmagic)\n- **Need Support?** Every customer with an active Azure subscription has access to [support](https://docs.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request) with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\n- **Found a bug?** Please help us fix it by thoroughly documenting it and [filing an issue](https://github.com/Microsoft/jupyter-Kqlmagic/issues/new).\n", "text/plain": "Overview\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"\nTopics\n\n\nusage - How to use the Kqlmagic.\n\n\n\nconn - Lists the available connection string variation, and how their are used to authenticatie to data sources.\n\n\n\nquery / kql - Reference to resources Kusto Queru language, aka kql, documentation\n\n\n\noptions - Lists the available options, and their behavior impact on the submit query command.\n\n\n\ncommands - Lists the available commands, and what they do.\n\n\n\nfaq - Lists frequently asked quetions and answers.\n\n\n\nhelp - This help.\n\n\n\nAzureMonitor- Reference to resources Azure Monitor tools\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n\n\n\nAzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n\n\n\nLogAnalytics- Reference to resources Log Analytics service\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n\n\n\nApplicationInsights / AppInsights- Reference to resources Application Insights service\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n\n\n\nNeed Support?\n\nHave a feature request for Kqlmagic? Please post it on User Voice to help us prioritize\nHave a technical question? Ask on Stack Overflow with tag \"Kqlmagic\"\nNeed Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\nFound a bug? Please help us fix it by thoroughly documenting it and filing an issue." }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "persistentId": "53af05b4-61af-4e19-9720-f03ca043969e", "text": "%kql --help" }, "executionTime": "2019-08-15T21:15:27.059Z" }, { "cell": { "executionCount": 9, "executionEventId": "fd04bf25-85eb-4bb6-812d-d6fb720ceafb", "hasError": false, "id": "c591dfa1-6746-4363-ad43-da0e669ecb0b", "outputs": [ { "data": { "text/html": "\n \n \n \n \n
failed to set --help, due to invalid str value commands.
unknown command --commands
Overview
\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"
Topics
\n- \n
- \n
usage - How to use the Kqlmagic.
\n
\n \n - \n
conn - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n \n - \n
query / kql - Reference to resources Kusto Queru language, aka kql, documentation
\n
\n \n - \n
options - Lists the available options, and their behavior impact on the submit query command.
\n
\n \n - \n
commands - Lists the available commands, and what they do.
\n
\n \n - \n
faq - Lists frequently asked quetions and answers.
\n
\n \n - \n
help - This help.
\n
\n \n - \n
AzureMonitor- Reference to resources Azure Monitor tools
\n
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n \n - \n
AzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service
\n
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n \n - \n
LogAnalytics- Reference to resources Log Analytics service
\n
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n \n - \n
ApplicationInsights / AppInsights- Reference to resources Application Insights service
\n
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n \n
Need Support?
\n- \n
- Have a feature request for Kqlmagic? Please post it on User Voice to help us prioritize \n
- Have a technical question? Ask on Stack Overflow with tag \"Kqlmagic\" \n
- Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team \n
- Found a bug? Please help us fix it by thoroughly documenting it and filing an issue. \n
\n\n## Topics\n- **usage** - How to use the Kqlmagic.
\n
\n\n- **conn** - Lists the available connection string variation, and how their are used to authenticatie to data sources.
\n
\n\n- **query** / **kql** - [Reference to resources Kusto Queru language, aka kql, documentation](http://aka.ms/kdocs)
\n
\n\n- **options** - Lists the available options, and their behavior impact on the submit query command.
\n
\n\n- **commands** - Lists the available commands, and what they do.
\n
\n\n- **faq** - Lists frequently asked quetions and answers.
\n
\n\n- **help** - This help.
\n
\n\n- **AzureMonitor**- [Reference to resources Azure Monitor tools](https://docs.microsoft.com/en-us/azure/azure-monitor/)
\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n
\n\n- **AzureDataExplorer** / **kusto**- [Reference to resources Azure Data Explorer (kusto) service](https://docs.microsoft.com/en-us/azure/data-explorer/)
\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n
\n\n- **LogAnalytics**- [Reference to resources Log Analytics service](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-queries?toc=/azure/azure-monitor/toc.json)
\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n
\n\n- **ApplicationInsights** / **AppInsights**- [Reference to resources Application Insights service](https://docs.microsoft.com/en-us/azure/application-insights/app-insights-overview?toc=/azure/azure-monitor/toc.json)
\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n
\n\n\n## Need Support?\n- **Have a feature request for Kqlmagic?** Please post it on [User Voice](https://feedback.azure.com/forums/913690-azure-monitor) to help us prioritize\n- **Have a technical question?** Ask on [Stack Overflow with tag \"Kqlmagic\"](https://stackoverflow.com/questions/tagged/Kqlmagic)\n- **Need Support?** Every customer with an active Azure subscription has access to [support](https://docs.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request) with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\n- **Found a bug?** Please help us fix it by thoroughly documenting it and [filing an issue](https://github.com/Microsoft/jupyter-Kqlmagic/issues/new).\n", "text/plain": "Overview\nHelp command is a tool to get more information on a topics that are relevant to Kqlmagic.\nt\nusage: %kql --help \"topic\"\nTopics\n\n\nusage - How to use the Kqlmagic.\n\n\n\nconn - Lists the available connection string variation, and how their are used to authenticatie to data sources.\n\n\n\nquery / kql - Reference to resources Kusto Queru language, aka kql, documentation\n\n\n\noptions - Lists the available options, and their behavior impact on the submit query command.\n\n\n\ncommands - Lists the available commands, and what they do.\n\n\n\nfaq - Lists frequently asked quetions and answers.\n\n\n\nhelp - This help.\n\n\n\nAzureMonitor- Reference to resources Azure Monitor tools\nAzure Monitor, which now includes Log Analytics and Application Insights, provides sophisticated tools for collecting and analyzing telemetry that allow you to maximize the performance and availability of your cloud and on-premises resources and applications. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.\n\n\n\nAzureDataExplorer / kusto- Reference to resources Azure Data Explorer (kusto) service\nAzure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. It helps you handle the many data streams emitted by modern software, so you can collect, store, and analyze data. Azure Data Explorer is ideal for analyzing large volumes of diverse data from any data source, such as websites, applications, IoT devices, and more.\n\n\n\nLogAnalytics- Reference to resources Log Analytics service\nLog data collected by Azure Monitor is stored in Log Analytics which collects telemetry and other data from a variety of sources and provides a query language for advanced analytics.\n\n\n\nApplicationInsights / AppInsights- Reference to resources Application Insights service\nApplication Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.\n\n\n\nNeed Support?\n\nHave a feature request for Kqlmagic? Please post it on User Voice to help us prioritize\nHave a technical question? Ask on Stack Overflow with tag \"Kqlmagic\"\nNeed Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\nFound a bug? Please help us fix it by thoroughly documenting it and filing an issue." }, "execution_count": 11, "metadata": {}, "output_type": "execute_result" } ], "persistentId": "53af05b4-61af-4e19-9720-f03ca043969e", "text": "%kql --help" }, "executionTime": "2019-08-15T21:16:04.370Z" }, { "cell": { "executionCount": 12, "executionEventId": "42f289e2-0dfb-4dc5-8462-9b691081ca95", "hasError": false, "id": "c591dfa1-6746-4363-ad43-da0e669ecb0b", "outputs": [ { "data": { "text/html": "
Overview
\n- \n
- To get data from Azure Monitor data resources, the user need to authenticate itself, and if it has the right permission, \nhe would be able to query that data resource. \n
- The current supported data sources are: Azure Data Explorer (kusto) clusters, Application Insights, Log Analytics and Cache. \n
- \n
Cache data source is not a real data source, it retrieves query results that were cached, but it can only retreive results queries that were executed before, new queries or modified queries won't work.\nto get more information on cache data source, execute
\nhelp \"cache\"\n - \n
The user can connect to multiple data resources.
\n \n - Once a connection to a data resource is established, it gets a name of the form
@ . \n - \n
Reference to a data resource can be by connection string, connection name, or current connection (last connection used).
\n- \n
- If connection is not specified, current connection (last connection used) will be used. \n
- To submit queries, at least one connection to a data resource must be established. \n
\n - \n
When a connection is specified, and it is a new connection string, the authentication and authorization is validated authomatically, by submiting \na validation query
\nrange c from 1 to 10 step 1 | count, and if the correct result returns, the connection is established. \n - \n
An initial connection can be specified as an environment variable.
\n- \n
- if specified it will be established when Kqlmagic loads. \n
- The variable name is
KQLMAGIC_CONNECTION_STR\n
\n
Authentication methods:
\n- \n
- AAD Username/password - Provide your AAD username and password. \n
- AAD application - Provide your AAD tenant ID, AAD app ID and app secret. \n
- AAD code - Provide only your AAD username, and authenticate yourself using a code, generated by ADAL. \n
- certificate - Provide your AAD tenant ID, AAD app ID, certificate and certificate-thumbprint (supported only with Azure Data Explorer) \n
- appid/appkey - Provide you application insight appid, and appkey (supported only with Application Insights) \n
- anonymous - No authentication. For the case that you run your data source locally. \n
Connect to Azure Data Explorer (kusto) data resource <database or alias>@<cluster>
\nFew options to authenticate with Azure Data Explorer (Kusto) data resources:
\n%kql azuredataexplorer://code;cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
\n%kql azuredataexplorer://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
\n%kql azuredataexplorer://tenant='<tenant-id>';certificate='<certificate>';certificate_thumbprint='<thumbprint>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
\n%kql azuredataexplorer://tenant='<tenant-id>';certificate_pem_file='<pem_filename>';certificate_thumbprint='<thumbprint>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
\n%kql azuredataexplorer://username='<username>';password='<password>';cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
\n%kql azuredataexplorer://anonymous;cluster='<cluster-name>';database='<database-name>';alias='<database-friendly-name>'
Notes:
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret / thumbprint) is missing, user will be prompted to provide it.
\n- if cluster is missing, and a previous connection was established the cluster will be inherited.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- if only the database change, a new connection can be set as follow: \n<new-database-name>@<cluster-name>
\n- a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
Connect to Log Analytics data resources <workspace or alias>@loganalytics
\nFew options to authenticate with Log Analytics:
\n%kql loganalytics://code;workspace='<workspace-id>';alias='<workspace-friendly-name>'
\n%kql loganalytics://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';workspace='<workspace-id>';alias='<workspace-friendly-name>'
\n%kql loganalytics://username='<username>';password='<password>';workspace='<workspace-id>';alias='<workspace-friendly-name>'
\n%kql loganalytics://anonymous;workspace='<workspace-id>';alias='<workspace-friendly-name>'
Notes:
\n- authentication with appkey works only for the demo.
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret) is missing, user will be prompted to provide it.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
Connect to Application Insights data resources <appid or alias>@appinsights
\nFew options to authenticate with Apllication Insights:
\n%kql appinsights://appid='<app-id>';appkey='<app-key>';alias='<appid-friendly-name>'
\n%kql appinsights://code;appid='<app-id>';alias='<appid-friendly-name>'
\n%kql appinsights://tenant='<tenant-id>';clientid='<aad-appid>';clientsecret='<aad-appkey>';appid='<app-id>';alias='<appid-friendly-name>'
\n%kql appinsights://username='<username>';password='<password>';appid='<app-id>';alias='<appid-friendly-name>'
\n%kql appinsights://anonymous;appid='<app-id>';alias='<appid-friendly-name>'
Notes:
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret / appkey) is missing, user will be prompted to provide it.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string
Need Support?
\n- \n
- Have a feature request for Kqlmagic? Please post it on User Voice to help us prioritize \n
- Have a technical question? Ask on Stack Overflow with tag \"Kqlmagic\" \n
- Need Support? Every customer with an active Azure subscription has access to support with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team \n
- Found a bug? Please help us fix it by thoroughly documenting it and filing an issue. \n
\n```%kql azuredataexplorer://code;cluster='
\n```%kql azuredataexplorer://tenant='
\n```%kql azuredataexplorer://tenant='
\n```%kql azuredataexplorer://tenant='
\n```%kql azuredataexplorer://username='
\n```%kql azuredataexplorer://anonymous;cluster='
\n\nNotes:
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret / thumbprint) is missing, user will be prompted to provide it.
\n- if cluster is missing, and a previous connection was established the cluster will be inherited.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- if only the database change, a new connection can be set as follow: \n```
\n- **a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string** \n\n## Connect to Log Analytics data resources ```
\n```%kql loganalytics://code;workspace='
\n```%kql loganalytics://tenant='
\n```%kql loganalytics://username='
\n```%kql loganalytics://anonymous;workspace='
\n\nNotes:
\n- authentication with appkey works only for the demo.
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret) is missing, user will be prompted to provide it.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- **a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string**\n\n\n## Connect to Application Insights data resources ```
\n```%kql appinsights://appid='
\n```%kql appinsights://code;appid='
\n```%kql appinsights://tenant='
\n```%kql appinsights://username='
\n```%kql appinsights://anonymous;appid='
\n\nNotes:
\n- username/password works only on corporate network.
\n- alias is optional.
\n- if credentials are missing, and a previous connection was established the credentials will be inherited.
\n- if secret (password / clientsecret / appkey) is missing, user will be prompted to provide it.
\n- if tenant is missing, and a previous connection was established the tenant will be inherited.
\n- **a not quoted value, is a python expression, that is evaluated and its result is used as the value. This is how you can parametrize the connection string**\n\n\n## Need Support?\n- **Have a feature request for Kqlmagic?** Please post it on [User Voice](https://feedback.azure.com/forums/913690-azure-monitor) to help us prioritize\n- **Have a technical question?** Ask on [Stack Overflow with tag \"Kqlmagic\"](https://stackoverflow.com/questions/tagged/Kqlmagic)\n- **Need Support?** Every customer with an active Azure subscription has access to [support](https://docs.microsoft.com/en-us/azure/azure-supportability/how-to-create-azure-support-request) with guaranteed response time. Consider submitting a ticket and get assistance from Microsoft support team\n- **Found a bug?** Please help us fix it by thoroughly documenting it and [filing an issue](https://github.com/Microsoft/jupyter-Kqlmagic/issues/new).\n", "text/plain": "Overview\n\nTo get data from Azure Monitor data resources, the user need to authenticate itself, and if it has the right permission, \nhe would be able to query that data resource.\nThe current supported data sources are: Azure Data Explorer (kusto) clusters, Application Insights, Log Analytics and Cache.\n\nCache data source is not a real data source, it retrieves query results that were cached, but it can only retreive results queries that were executed before, new queries or modified queries won't work.\nto get more information on cache data source, execute help \"cache\"\n\n\nThe user can connect to multiple data resources.\n\nOnce a connection to a data resource is established, it gets a name of the form @.\n\nReference to a data resource can be by connection string, connection name, or current connection (last connection used).\n\nIf connection is not specified, current connection (last connection used) will be used.\nTo submit queries, at least one connection to a data resource must be established.\n\n\n\nWhen a connection is specified, and it is a new connection string, the authentication and authorization is validated authomatically, by submiting \na validation query range c from 1 to 10 step 1 | count, and if the correct result returns, the connection is established.\n\n\nAn initial connection can be specified as an environment variable.\n\nif specified it will be established when Kqlmagic loads.\nThe variable name is KQLMAGIC_CONNECTION_STR\n\n\n\nAuthentication methods:\n\nAAD Username/password - Provide your AAD username and password.\nAAD application - Provide your AAD tenant ID, AAD app ID and app secret.\nAAD code - Provide only your AAD username, and authenticate yourself using a code, generated by ADAL.\ncertificate - Provide your AAD tenant ID, AAD app ID, certificate and certificate-thumbprint (supported only with Azure Data Explorer)\nappid/appkey - Provide you application insight appid, and appkey (supported only with Application Insights)\nanonymous - No authentication. For the case that you run your data source locally.\n\nConnect to Azure Data Explorer (kusto) data resource
Overview
\nExcept submitting kql queries, few other commands are included that may help using the Kqlmagic.
\n- Only one command can be executed per magic transaction.
\n- A command must start with a double hyphen-minus --
\n- If command is not specified, the default command \"submit\" is assumed, that submits the query.
Commands
\nThe following commands are supported:
\n- submit - Execute the query and return result.
\n - Options can be used to customize the behavior of the transaction.
\n - The query can parametrized.
\n - This is the default command.
\n
- \n
- \n
version - Displays the current version string.
\n
\n \n - \n
usage - Displays usage of Kqlmagic.
\n
\n \n - \n
help \"topic\" - Displays information about the topic.
\n- \n
- To get the list of all the topics, execute
%kql --help \"help\"
\n \n
\n - To get the list of all the topics, execute
- \n
**palette - Display information about the current or other named color palette.
\n- \n
- The behaviour of this command will change based on the specified option: \n
- -palette_name, -palette_colors, palette_reverse, -palette_desaturation, execute
%kql --palette -palette_name \"Reds\"
\n \n
\n - \n
**palettes - Display information about all available palettes.
\n- \n
- The behaviour of this command will change based on the specified option: \n
- -palette_colors, palette_reverse, -palette_desaturation, execute
%kql --palettes -palette_desaturation 0.75
\n \n
\n - \n
schema \"database\" - Returns the database schema as a python dict (displayed as a json format).
\n- \n
- To get Azure Data Explorer database schema:
%kql --schema \"databasename@clustername\"\n - To get application insights app schema:
%kql --schema \"appname@applicationinsights\"\n - To get log analytics workspace schema:
%kql --schema \"workspacename@loganalytics\"\n - To get current connection database schema
%kql --schema\n - If -conn option is sepcified it will override the database value.
\n \n
\n - To get Azure Data Explorer database schema:
- \n
**cache - Enables caching query results to a cache folder, or disbale.
\n- \n
- To enable caching to folder XXX, execute:
%kql --cache \"XXX\"\n - To disable caching, execute:
%kql --cache None\n - Once results are cached, the results can be used by enabling the use of the cache, with the --use_cache command.
\n \n
\n - To enable caching to folder XXX, execute:
- \n
**use_cache - Enables use of cached results from a cache folder.
\n- \n
- To enable use of cache from folder XXX, execute:
%kql --use_cache \"XXX\"\n - To disable use of cache, execute:
%kql --use_cache None\n - Once enabled, intead of quering the data source, the results are retreived from the cache.
\n \n
\n - To enable use of cache from folder XXX, execute:
Examples:
\n%kql --version
\n%kql --usage
\n%kql --help \"help\"
\n%kql --help \"options\"
\n%kql --help \"conn\"
\n%kql --palette -palette_name \"Reds\"
\n%kql --schema 'DEMO_APP@applicationinsights'
\n%kql --cache \"XXX\"
\n%kql --use_cache None
\n%kql --submit appinsights://appid='DEMO_APP';appkey='DEMO_KEY' pageViews | count
\n%kql --palettes -palette_desaturation 0.75\n%kql pageViews | count
\n- Only one command can be executed per magic transaction.
\n- A command must start with a double hyphen-minus ```--```
\n- If command is not specified, the default command ```\"submit\"``` is assumed, that submits the query.
\n\n## Commands\nThe following commands are supported:
\n- **submit** - Execute the query and return result.
\n - Options can be used to customize the behavior of the transaction.
\n - The query can parametrized.
\n - This is the default command.
\n
\n\n- **version** - Displays the current version string.
\n
\n\n- **usage** - Displays usage of Kqlmagic.
\n
\n\n- **help \"topic\"** - Displays information about the topic.
\n - To get the list of all the topics, execute ```%kql --help \"help\"```
\n
\n\n- **palette - Display information about the current or other named color palette.
\n - The behaviour of this command will change based on the specified option:\n - -palette_name, -palette_colors, palette_reverse, -palette_desaturation, execute ```%kql --palette -palette_name \"Reds\"```
\n
\n\n- **palettes - Display information about all available palettes.
\n - The behaviour of this command will change based on the specified option:\n - -palette_colors, palette_reverse, -palette_desaturation, execute ```%kql --palettes -palette_desaturation 0.75```
\n
\n\n- **schema \"database\"** - Returns the database schema as a python dict (displayed as a json format).
\n - To get Azure Data Explorer database schema: ```%kql --schema \"databasename@clustername\"```
\n - To get application insights app schema: ```%kql --schema \"appname@applicationinsights\"```
\n - To get log analytics workspace schema: ```%kql --schema \"workspacename@loganalytics\"```
\n - To get current connection database schema ```%kql --schema```
\n - If -conn option is sepcified it will override the database value.
\n
\n\n- **cache - Enables caching query results to a cache folder, or disbale.
\n - To enable caching to folder XXX, execute: ```%kql --cache \"XXX\"```
\n - To disable caching, execute: ```%kql --cache None```
\n - Once results are cached, the results can be used by enabling the use of the cache, with the --use_cache command.
\n
\n\n- **use_cache - Enables use of cached results from a cache folder.
\n - To enable use of cache from folder XXX, execute: ```%kql --use_cache \"XXX\"```
\n - To disable use of cache, execute: ```%kql --use_cache None```
\n - Once enabled, intead of quering the data source, the results are retreived from the cache.
\n
\n\n## Examples:\n```%kql --version```
\n```%kql --usage```
\n```%kql --help \"help\"```
\n```%kql --help \"options\"```
\n```%kql --help \"conn\"```
\n```%kql --palette -palette_name \"Reds\"```
\n```%kql --schema 'DEMO_APP@applicationinsights'```
\n```%kql --cache \"XXX\"```
\n```%kql --use_cache None```
\n```%kql --submit appinsights://appid='DEMO_APP';appkey='DEMO_KEY' pageViews | count```
\n```%kql --palettes -palette_desaturation 0.75```\n```%kql pageViews | count```\n", "text/plain": "Overview\nExcept submitting kql queries, few other commands are included that may help using the Kqlmagic.\n- Only one command can be executed per magic transaction.\n- A command must start with a double hyphen-minus --\n- If command is not specified, the default command \"submit\" is assumed, that submits the query.\nCommands\nThe following commands are supported:\n- submit - Execute the query and return result. \n - Options can be used to customize the behavior of the transaction.\n - The query can parametrized.\n - This is the default command.\n\n\n\nversion - Displays the current version string.\n\n\n\nusage - Displays usage of Kqlmagic.\n\n\n\nhelp \"topic\" - Displays information about the topic.\n\nTo get the list of all the topics, execute %kql --help \"help\"\n\n\n\n\n**palette - Display information about the current or other named color palette.\n\nThe behaviour of this command will change based on the specified option:\n-palette_name, -palette_colors, palette_reverse, -palette_desaturation, execute %kql --palette -palette_name \"Reds\"\n\n\n\n\n**palettes - Display information about all available palettes.\n\nThe behaviour of this command will change based on the specified option:\n-palette_colors, palette_reverse, -palette_desaturation, execute %kql --palettes -palette_desaturation 0.75\n\n\n\n\nschema \"database\" - Returns the database schema as a python dict (displayed as a json format). \n\nTo get Azure Data Explorer database schema: %kql --schema \"databasename@clustername\"\nTo get application insights app schema: %kql --schema \"appname@applicationinsights\"\nTo get log analytics workspace schema: %kql --schema \"workspacename@loganalytics\"\nTo get current connection database schema %kql --schema\nIf -conn option is sepcified it will override the database value.\n\n\n\n\n**cache - Enables caching query results to a cache folder, or disbale. \n\nTo enable caching to folder XXX, execute: %kql --cache \"XXX\"\nTo disable caching, execute: %kql --cache None\nOnce results are cached, the results can be used by enabling the use of the cache, with the --use_cache command.\n\n\n\n\n**use_cache - Enables use of cached results from a cache folder. \n\nTo enable use of cache from folder XXX, execute: %kql --use_cache \"XXX\"\nTo disable use of cache, execute: %kql --use_cache None\nOnce enabled, intead of quering the data source, the results are retreived from the cache.\n\n\n\n\nExamples:\n%kql --version\n%kql --usage\n%kql --help \"help\"\n%kql --help \"options\"\n%kql --help \"conn\"\n%kql --palette -palette_name \"Reds\"\n%kql --schema 'DEMO_APP@applicationinsights'\n%kql --cache \"XXX\"\n%kql --use_cache None\n%kql --submit appinsights://appid='DEMO_APP';appkey='DEMO_KEY' pageViews | count\n%kql --palettes -palette_desaturation 0.75\n%kql pageViews | count" }, "execution_count": 13, "metadata": {}, "output_type": "execute_result" } ], "persistentId": "53af05b4-61af-4e19-9720-f03ca043969e", "text": "%kql --help \"commands\"" }, "executionTime": "2019-08-15T21:16:59.019Z" }, { "cell": { "executionCount": 14, "executionEventId": "4d635d06-f9aa-462b-967e-2ed7628175ea", "hasError": false, "id": "c591dfa1-6746-4363-ad43-da0e669ecb0b", "outputs": [ { "data": { "text/plain": "{\n \u001b[94m\"AADDomainServicesAccountLogon\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CertIssuerName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CertSerialNumber\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CertThumbprint\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailureCode\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IpPort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MappedName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MappingBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PreAuthType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TicketOptions\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesAccountManagement\"\u001b[39;49;00m: {\n \u001b[94m\"AccountExpires\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AllowedToDelegateTo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerProcessId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ComputerAccountChange\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DnsHostName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupTypeChange\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HomeDirectory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HomePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonHours\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MemberName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MemberSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MembershipExpirationTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"NewTargetUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewUacValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldTargetUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldUacValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordLastSet\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PrimaryGroupId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PrivilegeList\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProfilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SamAccountName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScriptPath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServicePrincipalNames\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SidHistory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectUserSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAccountControl\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserParameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserPrincipalName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserWorkstations\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Workstation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesDirectoryServiceAccess\"\u001b[39;49;00m: {\n \u001b[94m\"AppCorrelationID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AttributeLDAPDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AttributeSyntaxOID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AttributeValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DSName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DSType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewObjectDN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectClass\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectDN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectGUID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldObjectDN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OpCorrelationID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TreeDelete\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesLogonLogoff\"\u001b[39;49;00m: {\n \u001b[94m\"AuthenticationPackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevatedToken\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailureReason\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ImpersonationLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KeyLength\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"LmPackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RestrictedAdminMode\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SidList\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetInfo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLinkedLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLogonGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetOutboundDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetOutboundUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetServerName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetUserSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TdoSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TransmittedServices\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VirtualAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WorkstationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesPolicyChange\"\u001b[39;49;00m: {\n \u001b[94m\"AccessGranted\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccessRemoved\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuditPolicyChanges\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuditSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CategoryId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CollisionTargetName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CollisionTargetType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CrashOnAuditFailValue\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DisabledPrivilegeList\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DnsName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainBehaviorVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainPolicyChanged\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EnabledPrivilegeList\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EntryType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Flags\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ForceLogoff\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ForestRoot\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ForestRootSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HandleId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KerberosPolicyChange\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutDuration\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutObservationWindow\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutThreshold\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineAccountQuota\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaxPasswordAge\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MinPasswordAge\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MinPasswordLength\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MixedDomainMode\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetbiosName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewSd\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectServer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OemInformation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldSd\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordHistoryLength\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SidFilteringEnabled\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubcategoryGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubcategoryId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TdoAttributes\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TdoDirection\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TdoType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TopLevelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesPrivilegeUse\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewState\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceManager\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TransactionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AADDomainServicesSystemSecurity\"\u001b[39;49;00m: {\n \u001b[94m\"AuditsDiscarded\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ADFActivityRun\"\u001b[39;49;00m: {\n \u001b[94m\"ActivityIterationCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ActivityName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivityRunId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivityType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Annotations\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EffectiveIntegrationRuntime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"End\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Error\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorCode\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ErrorMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailureType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Input\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LinkedServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Output\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PipelineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PipelineRunId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Start\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ADFPipelineRun\"\u001b[39;49;00m: {\n \u001b[94m\"Annotations\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"End\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailureType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Parameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PipelineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Predecessors\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RunId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Start\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SystemParameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ADFTriggerRun\"\u001b[39;49;00m: {\n \u001b[94m\"Annotations\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Parameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Start\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SystemParameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TriggerEvent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TriggerFailureType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TriggerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TriggerName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TriggerType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AWSCloudTrail\"\u001b[39;49;00m: {\n \u001b[94m\"APIVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AWSRegion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalEventData\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AwsEventId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AwsRequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorCode\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ErrorMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementEvent\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ReadOnly\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"RecipientAccountId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resources\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResponseElements\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceEventDetails\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionCreationDate\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"SessionIssuerAccountId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionIssuerArn\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionIssuerPrincipalId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionIssuerType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionIssuerUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionMfaAuthenticated\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"SharedEventId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityAccessKeyId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityAccountId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityArn\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityInvokedBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityPrincipalid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserIdentityUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VpcEndpointId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Alert\"\u001b[39;49;00m: {\n \u001b[94m\"AlertContext\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertError\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertPriority\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertRuleId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertRuleInstanceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertSeverity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertState\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertStatus\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AlertTypeDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertTypeNumber\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AlertValue\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"Comments\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom10\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom3\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom4\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom5\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom6\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom7\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom8\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Custom9\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Expression\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Flags\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FlagsDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HostName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastModifiedBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LinkToSearchResults\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PriorityNumber\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"Query\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QueryExecutionEndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"QueryExecutionStartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"RemediationJobId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemediationRunbookName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RepeatCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ResolvedBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RootObjectName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceDeskConnectionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceDeskId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceDeskWorkItemLink\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceDeskWorkItemType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceFullName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StateType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StatusDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ThresholdOperator\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ThresholdValue\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TicketId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeLastModified\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeRaised\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeResolved\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TriggerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Url\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ValueDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ValueFlags\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ValueFlagsDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AppCenterError\"\u001b[39;49;00m: {\n \u001b[94m\"Annotation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CreatedAt\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ErrorClass\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorFile\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorGroupId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorLine\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ErrorMethod\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorReason\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExceptionType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"JailBreak\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"LastErrorAt\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Model\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Oem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OsVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SchemaType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SymbolicatedAt\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserString\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AuditLogs\"\u001b[39;49;00m: {\n \u001b[94m\"AADOperationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AADTenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivityDateTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ActivityDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalDetails\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Id\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InitiatedBy\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LoggedByService\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Result\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultReason\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultSignature\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetResources\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AutoscaleEvaluationsLog\"\u001b[39;49;00m: {\n \u001b[94m\"AutoscaleMetricName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AvailabilitySet\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CloudServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CloudServiceRole\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CoolDown\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CurrentInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DefaultInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DeploymentSlot\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EstimateScaleResult\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EvaluationResult\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EvaluationTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"InstanceUpdateReason\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastScaleActionOperationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastScaleActionOperationStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastScaleActionTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"MaximumInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"MetricData\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MetricEndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"MetricNamespace\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MetricStartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"MetricTimeGrain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MinimumInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NewInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ObservedValue\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Operator\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Profile\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProfileEvaluationTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ProfileSelected\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"Projection\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SelectedAutoscaleProfile\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServerFarm\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ShouldUpdateInstance\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"SkipCurrentAutoscaleEvaluation\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"SkipRuleEvaluationForCooldown\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Threshold\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"TimeAggregationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeGrainStatistic\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeWindow\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Webspace\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AutoscaleScaleActionsLog\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CreatedAsyncScaleActionJob\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"CreatedAsyncScaleActionJobId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CurrentInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NewInstanceCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScaleActionMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScaleActionOperationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScaleActionOperationStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScaleDirection\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AzureActivity\"\u001b[39;49;00m: {\n \u001b[94m\"ActivityStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivityStatusValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivitySubstatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivitySubstatusValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Authorization\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Caller\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CategoryValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSubmissionTimestamp\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"HTTPRequest\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationNameValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Properties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProviderValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AzureDiagnostics\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RawData\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_schema_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"code_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"correlation_actionTrackingId_g\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"correlation_clientTrackingId_g\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"correlation_clientTrackingId_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"endTime_t\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"error_code_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"error_message_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_actionName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_location_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_originRunId_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_resourceGroupName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_runId_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_subscriptionId_g\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_triggerName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_workflowId_g\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"resource_workflowName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"startTime_t\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"status_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"tags_LogicAppsCategory_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"workflowId_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"AzureMetrics\"\u001b[39;49;00m: {\n \u001b[94m\"Average\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"CallerIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Confidence\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Count\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Description\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"FirstReportedDateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IndicatorThreatType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsActive\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastReportedDateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Maximum\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"MetricName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Minimum\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPCountry\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLatitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLongitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultSignature\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Severity\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TLPLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeGrain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Total\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UnitName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"CommonSecurityLog\"\u001b[39;49;00m: {\n \u001b[94m\"Activity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalExtensions\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationProtocol\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CommunicationDirection\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationDnsDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationHostName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationMACAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationNTDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DestinationProcessId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DestinationProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationTranslatedAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationTranslatedPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DestinationUserID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationUserPrivileges\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceAction\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomDate1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomDate1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomDate2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomDate2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint1\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint2\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint3\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint3Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint4\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomFloatingPoint4Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address3\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address3Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address4\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomIPv6Address4Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber1\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber2\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber3\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomNumber3Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString3\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString3Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString4\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString4Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString5\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString5Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString6\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceCustomString6Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceDnsDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceEventClassID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceExternalID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceFacility\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceInboundInterface\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceMacAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceNtDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceOutboundInterface\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DevicePayloadId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceProduct\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceTimeZone\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceTranslatedAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceVendor\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"EventCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ExternalID\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FileCreateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileModificationTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePermission\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileSize\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FileType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexDate1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexDate1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexNumber1\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FlexNumber1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexNumber2\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FlexNumber2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexString1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexString1Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexString2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FlexString2Label\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IndicatorThreatType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogSeverity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIPCountry\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIPLatitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIPLongitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileCreateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileModificationTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFilePermission\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldFileSize\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"OldFileType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OriginalLogSeverity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessID\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Protocol\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ReceiptTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ReceivedBytes\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemotePort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestClientApplication\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestContext\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestCookies\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestMethod\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestURL\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SentBytes\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"SimplifiedDeviceAction\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceDnsDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceHostName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceMACAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceNTDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourcePort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceProcessId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceTranslatedAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceTranslatedPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceUserID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceUserPrivileges\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ThreatConfidence\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ThreatDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ThreatSeverity\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ComputerGroup\"\u001b[39;49;00m: {\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Group\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupFullName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupSource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ContainerRegistryLoginEvents\"\u001b[39;49;00m: {\n \u001b[94m\"CallerIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"JwtId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Region\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ContainerRegistryRepositoryEvents\"\u001b[39;49;00m: {\n \u001b[94m\"ArtifactType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Digest\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MediaType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Region\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Repository\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Size\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tag\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserTenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksAccounts\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksClusters\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksDBFS\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksJobs\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksNotebook\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksSQLPermissions\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksSSH\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksSecrets\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksTables\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"DatabricksWorkspace\"\u001b[39;49;00m: {\n \u001b[94m\"ActionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestParams\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Response\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ETWEvent\"\u001b[39;49;00m: {\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ChannelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KeywordName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OpcodeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Pid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProviderGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TaskName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Event\"\u001b[39;49;00m: {\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventCategory\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventData\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventID\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventLevel\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventLevelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventLog\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ParameterXml\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RenderedDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Source\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Heartbeat\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ComputerEnvironment\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ComputerIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsGatewayInstalled\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OSMajorVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OSMinorVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OSName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OSType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPCountry\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLatitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLongitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SCAgentChannel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Solutions\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VMUUID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Version\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"HuntingBookmark\"\u001b[39;49;00m: {\n \u001b[94m\"BookmarkId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"BookmarkName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"BookmarkType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CreatedBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CreatedTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"EventTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"LastUpdatedTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Notes\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QueryResultRow\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QueryText\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SoftDeleted\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UpdatedBy\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"IntuneAuditLogs\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Properties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"IntuneOperationalLogs\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Properties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Result\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"LinuxAuditLog\"\u001b[39;49;00m: {\n \u001b[94m\"AuditID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ComputerEnvironment\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExternalAgentIp\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RawRecord\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SerialNumber\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceComputerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeUploaded\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a0\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a1\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a3\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a4\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a5\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a6\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a7\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a8\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"a9\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"acct\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"addr\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"arch\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"argc\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"audit_user\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"auid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"cmd\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"comm\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"cwd\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"data\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"effective_group\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"effective_user\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"egid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"euid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"exe\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"exit\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"family\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"filetype\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"gid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"group\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"hostname\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"icmptype\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"key\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"name\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"node\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"op\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"path\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"pid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"ppid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"res\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"result\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ses\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"success\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"syscall\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"terminal\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"tty\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"uid\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"user\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"vm\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"McasShadowItReporting\"\u001b[39;49;00m: {\n \u001b[94m\"AppCategory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppInstance\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppScore\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AppTags\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"BlockedEvents\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DownloadedBytes\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EnrichedUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StreamName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TotalBytes\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TotalEvents\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UploadedBytes\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"UserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Microservices4SpringApplicationLogs\"\u001b[39;49;00m: {\n \u001b[94m\"AppName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InstanceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Log\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Stream\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"MicrosoftInsightsAzureActivityLog\"\u001b[39;49;00m: {\n \u001b[94m\"ActivityStatusValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActivitySubstatusValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Authorization\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Caller\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CategoryValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Claims\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventDataId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSubmissionTimestamp\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"HTTPRequest\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationNameValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Properties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProviderValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"MicrosoftWebApplicationLog\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CustomLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExceptionClass\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Host\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Logger\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Method\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Source\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Stacktrace\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WebSiteInstanceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"MicrosoftWebFunctionExecutionLogs\"\u001b[39;49;00m: {\n \u001b[94m\"ActivityId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExceptionDetails\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExceptionMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExceptionType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FunctionInvocationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FunctionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HostInstanceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HostVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"MicrosoftWebStdOutStdErrLog\"\u001b[39;49;00m: {\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Host\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"MicrosoftWebW3CLog\"\u001b[39;49;00m: {\n \u001b[94m\"CIp\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CsHost\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CsMethod\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CsUriStem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Result\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SPort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"OfficeActivity\"\u001b[39;49;00m: {\n \u001b[94m\"AADTarget\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Actor\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActorContextId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActorIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AffectedItems\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Application\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AzureActiveDirectory_EventType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Client\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientInfoString\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientMachineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Client_IPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CrossMailboxOperations\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"CustomEvent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DataCenterSecurityEventType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"DestFolder\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestMailboxId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestMailboxOwnerMasterAccountSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestMailboxOwnerSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestMailboxOwnerUPN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationFileExtension\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationFileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DestinationRelativeUrl\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EffectiveOrganization\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevationApprovedTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ElevationApprover\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevationDuration\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ElevationRequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevationRole\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevationTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"EventSource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Event_Data\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExtendedProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExternalAccess\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Folder\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Folders\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GenericInfo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InterSystemsId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InternalLogonType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"IntraSystemId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Item\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ItemType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LoginStatus\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"LogonUserDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonUserSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Logon_Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineDomainInfo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MailboxGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MailboxOwnerMasterAccountSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MailboxOwnerSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MailboxOwnerUPN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ModifiedObjectResolvedName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ModifiedProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OfficeId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OfficeObjectId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OfficeTenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OfficeWorkload\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Operation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OrganizationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OrganizationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OriginatingServer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Parameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RecordType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SendAsUserMailboxGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SendAsUserSmtp\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SendOnBehalfOfUserSmtp\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SendonBehalfOfUserMailboxGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SharingType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Site_\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Site_Url\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceFileExtension\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceFileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceRelativeUrl\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Source_Name\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Start_Time\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"SupportTicketId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetContextId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserKey\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserSharedWith\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Operation\"\u001b[39;49;00m: {\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Detail\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HelpLink\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationCategory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationKey\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Solution\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceComputerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Perf\"\u001b[39;49;00m: {\n \u001b[94m\"BucketEndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"BucketStartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CounterName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CounterPath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CounterValue\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"InstanceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Max\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Min\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"ObjectName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SampleCount\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StandardDeviation\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ReservedAzureCommonFields\"\u001b[39;49;00m: {\n \u001b[94m\"Caller_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientIP_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientInfo_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientPort_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Direction_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailedRequestCount_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"HealthyHostCount_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"HttpMethod_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HttpStatusCode_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"HttpStatus_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"HttpVersion_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Id_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InstanceId_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"JobId_g\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Latency_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"MacAddress_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MatchedConnections_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Priority_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"ReceivedBytes_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"RequestCount_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"RequestQuery_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestUri_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RuleName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RunbookName_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SentBytes_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SslEnabled_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StreamType_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubnetPrefix_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Throughput_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeTaken_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UnHealthyHostCount_d\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VnetResourceGuid_s\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ReservedCommonFields\"\u001b[39;49;00m: {\n \u001b[94m\"CallerIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"IPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Message\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultSignature\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Severity\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"SecurityAlert\"\u001b[39;49;00m: {\n \u001b[94m\"AlertName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AlertSeverity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ConfidenceLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ConfidenceScore\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Description\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Entities\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExtendedLinks\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExtendedProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsIncident\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"ProcessingEndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ProductComponentName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProductName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProviderName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemediationSteps\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceComputerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"SystemAlertId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VendorName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VendorOriginalId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WorkspaceResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WorkspaceSubscriptionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"SecurityEvent\"\u001b[39;49;00m: {\n \u001b[94m\"AccessMask\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Account\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccountDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccountExpires\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccountName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccountSessionIdentifier\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AccountType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Activity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalInfo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalInfo2\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AllowedToDelegateTo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Attributes\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuditPolicyChanges\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuditsDiscarded\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationLevel\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationPackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationServer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationService\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"AuthenticationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CACertificateHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CAPublicKeyHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CalledStationID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerProcessId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallerProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CallingStationID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CategoryId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CertificateDatabaseHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Channel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClassId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClassName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientIPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CommandLine\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CompatibleIds\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DCDNSName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DeviceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Disposition\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainBehaviorVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainPolicyChanged\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EAPType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ElevatedToken\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ErrorCode\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventData\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventID\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExtendedQuarantineState\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FailureReason\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileHash\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePathNoUser\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Filter\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ForceLogoff\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Fqbn\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FullyQualifiedSubjectMachineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FullyQualifiedSubjectUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"GroupMembership\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HandleId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HardwareIds\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HomeDirectory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HomePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InterfaceUuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IpPort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KeyLength\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LmPackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LocationInformation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutDuration\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutObservationWindow\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LockoutThreshold\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LoggingResult\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonHours\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LogonType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"LogonTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineAccountQuota\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineInventory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MachineLogon\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MandatoryLabel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaxPasswordAge\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MemberName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MemberSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MinPasswordAge\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MinPasswordLength\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MixedDomainMode\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NASIPv4Address\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NASIPv6Address\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NASIdentifier\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NASPort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NASPortType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkPolicyName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewDate\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewMaxUsers\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewProcessId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewRemark\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewShareFlags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewUacValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NewValueType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectServer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ObjectValueName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OemInformation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldMaxUsers\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldRemark\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldShareFlags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldUacValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OldValueType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PackageName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ParentProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordHistoryLength\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordLastSet\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PasswordProperties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PreviousDate\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PreviousTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PrimaryGroupId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PrivateKeyUsageCount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PrivilegeList\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Process\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProfilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Properties\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProtocolSequence\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProxyPolicyName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QuarantineHelpURL\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QuarantineSessionID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QuarantineSessionIdentifier\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QuarantineState\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"QuarantineSystemHealthResult\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RelativeTargetName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemotePort\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Requester\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RestrictedAdminMode\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RowsDeleted\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SamAccountName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ScriptPath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SecurityDescriptor\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceFileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceStartType\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ServiceType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SessionName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ShareLocalPath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ShareName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SidHistory\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceComputerId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StorageAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubcategoryGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubcategoryId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Subject\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectKeyIdentifier\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectMachineName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectMachineSID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SubjectUserSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TableId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetInfo\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLinkedLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLogonGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetLogonId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetOutboundDomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetOutboundUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetServerName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetUser\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TargetUserSid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Task\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TemplateContent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateDSObjectFQDN\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateInternalName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateOID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateSchemaVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TemplateVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TokenElevationType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TransmittedServices\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAccountControl\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserParameters\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserPrincipalName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserWorkstations\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VendorIds\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"VirtualAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Workstation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WorkstationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ServiceFabricOperationalEvent\"\u001b[39;49;00m: {\n \u001b[94m\"ApplicationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationTypeVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ChannelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KeywordName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OpcodeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PartitionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Pid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProviderGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TaskName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UpgradeDomains\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ServiceFabricReliableActorEvent\"\u001b[39;49;00m: {\n \u001b[94m\"ActorId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ActorIdKind\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ActorType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ChannelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CountOfWaitingMethodCalls\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"EventId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Exception\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsStateful\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KeywordName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MethodExecutionTimeTicks\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"MethodName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MethodSignature\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NodeId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NodeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OpcodeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PartitionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Pid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProviderGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ReplicaId\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"ReplicaOrInstanceId\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SaveStateExecutionTimeTicks\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TaskName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ServiceFabricReliableServiceEvent\"\u001b[39;49;00m: {\n \u001b[94m\"ActualCancellationTimeMillis\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ApplicationTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ChannelName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventId\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"EventMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventSourceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Exception\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"InstanceId\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"KeywordName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OpcodeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"PartitionId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Pid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProviderGuid\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ReplicaId\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ServiceTypeName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SlowCancellationTimeMillis\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TaskName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Tid\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"WasCanceled\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m\n },\n \u001b[94m\"SigninLogs\"\u001b[39;49;00m: {\n \u001b[94m\"AADTenantId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AppId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Category\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ClientAppUsed\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ConditionalAccessPolicies\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"ConditionalAccessStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CorrelationId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"CreatedDateTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"DeviceDetail\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"DurationMs\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"IPAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Id\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Identity\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsRisky\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"Level\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Location\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LocationDetails\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"OperationName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OperationVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"OriginalRequestId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Resource\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceGroup\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceProvider\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultDescription\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultSignature\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResultType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RiskDetail\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RiskEventTypes\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RiskLevelAggregated\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RiskLevelDuringSignIn\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RiskState\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Status\"\u001b[39;49;00m: \u001b[33m\"dynamic\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserDisplayName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserPrincipalName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Syslog\"\u001b[39;49;00m: {\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EventTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Facility\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HostIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"HostName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ProcessID\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ProcessName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SeverityLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SyslogMessage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"ThreatIntelligenceIndicator\"\u001b[39;49;00m: {\n \u001b[94m\"Action\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Active\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"ActivityGroupNames\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"AdditionalInformation\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ConfidenceScore\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Description\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DiamondModel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DomainName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailEncoding\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailLanguage\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailRecipient\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailSenderAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailSenderName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailSourceDomain\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailSourceIpAddress\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailSubject\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EmailXMailer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ExpirationDateTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"ExternalIndicatorId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileCompileDateTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"FileCreatedDateTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"FileHashType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileHashValue\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileMutexName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePacker\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FilePath\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FileSize\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"FileType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IndicatorId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"KillChainActions\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KillChainC2\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KillChainDelivery\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KillChainExploitation\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KillChainReconnaissance\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KillChainWeaponization\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"KnownFalsePositives\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MalwareNames\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkCidrBlock\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkDestinationAsn\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NetworkDestinationCidrBlock\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkDestinationIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkDestinationPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NetworkIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NetworkProtocol\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NetworkSourceAsn\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"NetworkSourceCidrBlock\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkSourceIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"NetworkSourcePort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"PassiveOnly\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"Tags\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ThreatSeverity\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"ThreatType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TrafficLightProtocolLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Url\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"UserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"Usage\"\u001b[39;49;00m: {\n \u001b[94m\"AvgLatencyInSeconds\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"BatchesCapped\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"BatchesOutsideSla\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"BatchesWithinSla\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"DataType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"EndTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"IsBillable\"\u001b[39;49;00m: \u001b[33m\"bool\"\u001b[39;49;00m,\n \u001b[94m\"LinkedMeterId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LinkedResourceUri\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MeterId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Quantity\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"QuantityUnit\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ResourceUri\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Solution\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StartTime\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TotalBatches\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n },\n \u001b[94m\"W3CIISLog\"\u001b[39;49;00m: {\n \u001b[94m\"AzureDeploymentID\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Computer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Confidence\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Description\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"FirstReportedDateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IndicatorThreatType\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"IsActive\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"LastReportedDateTime\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"MaliciousIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"ManagementGroupName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPCountry\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLatitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"RemoteIPLongitude\"\u001b[39;49;00m: \u001b[33m\"real\"\u001b[39;49;00m,\n \u001b[94m\"Role\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"RoleInstance\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"Severity\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"SourceSystem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"StorageAccount\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TLPLevel\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"TimeGenerated\"\u001b[39;49;00m: \u001b[33m\"datetime\"\u001b[39;49;00m,\n \u001b[94m\"TimeTaken\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"Type\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"_ResourceId\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"cIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csBytes\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"csCookie\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csHost\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csMethod\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csReferer\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csUriQuery\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csUriStem\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csUserAgent\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csUserName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"csVersion\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"sIP\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"sPort\"\u001b[39;49;00m: \u001b[33m\"int\"\u001b[39;49;00m,\n \u001b[94m\"sSiteName\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"scBytes\"\u001b[39;49;00m: \u001b[33m\"long\"\u001b[39;49;00m,\n \u001b[94m\"scStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"scSubStatus\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m,\n \u001b[94m\"scWin32Status\"\u001b[39;49;00m: \u001b[33m\"string\"\u001b[39;49;00m\n }\n}" }, "execution_count": 14, "metadata": {}, "output_type": "execute_result" } ], "persistentId": "53af05b4-61af-4e19-9720-f03ca043969e", "text": "%kql --schema" }, "executionTime": "2019-08-15T21:17:38.587Z" }, { "cell": { "executionCount": 15, "executionEventId": "88dc76b5-a442-4015-8e5d-a019c1138e1d", "hasError": false, "id": "c591dfa1-6746-4363-ad43-da0e669ecb0b", "outputs": [ { "data": { "text/html": "\n \n \n \n \n
unknown option
\n \n
\n \n ",
"text/plain": "\n
\n Kql Query Language, aka kql, is the query language for advanced analytics on Azure Monitor resources. The current supported data sources are \n Azure Data Explorer (Kusto), Log Analytics and Application Insights. To get more information execute '%kql --help \"kql\"'
\n • kql reference: Click on 'Help' tab > and Select 'kql reference' or execute '%kql --help \"kql\"'
\n • Kqlmagic configuration: execute '%config Kqlmagic'
\n • Kqlmagic usage: execute '%kql --usage'
\n
Kqlmagic package is updated frequently. Run '!pip install Kqlmagic --no-cache-dir --upgrade' to use the latest version.
Kqlmagic version: 0.1.101, source: https://github.com/Microsoft/jupyter-Kqlmagic