"dataFlows": [ { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_http\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), method = tostring(data.method), host = tostring(data.host), host_multihomed = tobool(data.host_multihomed), uri = tostring(data.uri), referrer = tostring(data.referrer), user_agent = tostring(data.user_agent), request_body_len = tolong(data.request_body_len), response_body_len = tolong(data.response_body_len), status_code = toint(data.status_code), status_msg = tostring(data.status_msg), resp_filename = tostring(data.resp_filename), proxied = tostring(data.proxied), orig_mime_types = data.orig_mime_types, resp_mime_types = data.resp_mime_types, cookie = tostring(data.cookie), response_content_disposition = tostring(data.response_content_disposition), request_header_count = tolong(data.request_header_count), response_header_count = tolong(data.response_header_count), cookie_vars = tostring(data.cookie_vars), orig_ip_bytes = tolong(data.orig_ip_bytes), resp_ip_bytes = tolong(data.resp_ip_bytes), orig_pkts = tolong(data.orig_pkts), resp_pkts = tolong(data.resp_pkts), request_cache_control = tostring(data.request_cache_control), response_cache_control = tostring(data.response_cache_control), response_expires = tostring(data.response_expires), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), is_proxied = tobool(data.is_proxied), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_http_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_ssl\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), server_name = tostring(data.server_name), next_protocol = tostring(data.next_protocol), established = tobool(data.established), cipher = tostring(data.cipher), curve = tostring(data.curve), version_num = toint(data.version_num), version = tostring(data.version), issuer = tostring(data.issuer), subject = tostring(data.subject), client_issuer = tostring(data.client_issuer), client_subject = tostring(data.client_subject), client_curve_num = data.client_curve_num, client_ec_point_format = data.client_ec_point_format, client_extension = data.client_extension, client_version = tostring(data.client_version), client_version_num = toint(data.client_version_num), ja3 = tostring(data.ja3), server_extensions = data.server_extensions, ja3s = tostring(data.ja3s), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_ssl_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_dns\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), proto = toint(data.proto), trans_id = tolong(data.trans_id), query = tostring(data.query), qclass = toint(data.qclass), qclass_name = tostring(data.qclass_name), qtype = toint(data.qtype), qtype_name = tostring(data.qtype_name), rcode = toint(data.rcode), rcode_name = tostring(data.rcode_name), AA = tobool(data.AA), TC = tobool(data.TC), RD = tobool(data.RD), RA = tobool(data.RA), answers = data.answers, auth = tostring(data.auth), TTLs = data.TTLs, rejected = tobool(data.rejected), total_answers = toint(data.total_answers), total_replies = toint(data.total_replies), saw_query = tobool(data.saw_query), saw_reply = tobool(data.saw_reply), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), resp_huid = tostring(data.resp_huid), orig_huid = tostring(data.orig_huid), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid)", "outputStream": "Custom-vectra_dns_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_ldap\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), message_id = tolong(data.message_id), base_object = tostring(data.base_object), query_scope = tostring(data.query_scope), query = tostring(data.query), result = data.result, result_code = tostring(data.result_code), matched_dn = tostring(data.matched_dn), error = tostring(data.error), duration = tolong(data.duration), request_bytes = tolong(data.request_bytes), response_bytes = tolong(data.response_bytes), is_close = tobool(data.is_close), is_query = tobool(data.is_query), attributes = data.attributes, bind_error_count = toint(data.bind_error_count), logon_failure_error_count = toint(data.logon_failure_error_count), result_count = toint(data.result_count), encrypted_sasl_payload_count = toint(data.encrypted_sasl_payload_count), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_ldap_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_kerberos\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), request_type = tostring(data.request_type), client = tostring(data.client), service = tostring(data.service), success = tobool(data.success), error_code = tostring(data.error_code), error_msg = tostring(data.error_msg), protocol = toint(data.protocol), reply_timestamp = datetime_add('second', data.reply_timestamp / 1000, datetime(1970-01-01)), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), orig_host_observed_privilege = toint(data.orig_host_observed_privilege), account_privilege = toint(data.account_privilege), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), req_cipher = data.req_cipher, rep_cipher = tostring(data.rep_cipher), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type), account_uid = tostring(data.account_uid), service_uid = tostring(data.service_uid), service_privilege = toint(data.service_privilege), data_source = tostring(data.data_source)", "outputStream": "Custom-vectra_kerberos_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_ssh\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), version = toint(data.version), client = tostring(data.client), server = tostring(data.server), cipher_alg = tostring(data.cipher_alg), mac_alg = tostring(data.mac_alg), compression_alg = tostring(data.compression_alg), kex_alg = tostring(data.kex_alg), host_key_alg = tostring(data.host_key_alg), host_key = tostring(data.host_key), hassh = tostring(data.hassh), hasshServer = tostring(data.hasshServer), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_ssh_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_x509\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), self_issued = tobool(data.self_issued), version = toint(data.version), serial = tostring(data.serial), subject = tostring(data.subject), issuer = tostring(data.issuer), cn = tostring(data.cn), not_valid_before = datetime_add('second', data.not_valid_before / 1000, datetime(1970-01-01)), not_valid_after = datetime_add('second', data.not_valid_after / 1000, datetime(1970-01-01)), key_alg = tostring(data.key_alg), sig_alg = tostring(data.sig_alg), key_type = tostring(data.key_type), key_length = tostring(data.key_length), exponent = tostring(data.exponent), curve = tostring(data.curve), ca = tobool(data.ca), path_len = tostring(data.path_len), san_dns = data['san.dns'], san_email = data['san.email'], san_ip = data['san.ip'], san_uri = data['san.uri'], other_fields = tobool(data.other_fields), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_x509_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_dcerpc\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), resp_huid = tostring(data.resp_huid), orig_huid = tostring(data.orig_huid), rtt = tolong(data.rtt), username = tostring(data.username), domain = tostring(data.domain), hostname = tostring(data.hostname), endpoint = tostring(data.endpoint), operation = tostring(data.operation), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_dcerpc_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_isession\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), proto = toint(data.proto), protoName = tostring(data.protoName), service = tostring(data.service), duration = tolong(data.duration), conn_state = tostring(data.conn_state), orig_pkts = tolong(data.orig_pkts), orig_ip_bytes = tolong(data.orig_ip_bytes), resp_pkts = tolong(data.resp_pkts), resp_ip_bytes = tolong(data.resp_ip_bytes), resp_domain = tostring(data.resp_domain), resp_multihomed = tobool(data.resp_multihomed), orig_vlan_id = toint(data.orig_vlan_id), resp_vlan_id = toint(data.resp_vlan_id), first_orig_resp_pkt_time = datetime_add('second', data.first_orig_resp_pkt_time / 1000, datetime(1970-01-01)), first_resp_orig_pkt_time = datetime_add('second', data.first_resp_orig_pkt_time / 1000, datetime(1970-01-01)), first_orig_resp_data_pkt_time = datetime_add('second', data.first_orig_resp_data_pkt_time / 1000, datetime(1970-01-01)), first_resp_orig_data_pkt_time = datetime_add('second', data.first_resp_orig_data_pkt_time / 1000, datetime(1970-01-01)), session_start_time = datetime_add('second', data.session_start_time / 1000, datetime(1970-01-01)), first_orig_resp_data_pkt = tostring(data.first_orig_resp_data_pkt), first_resp_orig_data_pkt = tostring(data.first_resp_orig_data_pkt), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type), resp_huid = tostring(data.resp_huid), orig_huid = tostring(data.orig_huid), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), dir_confidence = toint(data.dir_confidence)", "outputStream": "Custom-vectra_isession_CL" }, { "streams": [ "Microsoft-Syslog" ], "destinations": [ "" ], "transformKql": "source | where SyslogMessage has \"metadata_ntlm\" | extend data = parse_json(SyslogMessage) | extend uid = tostring(data.uid), id_orig_h = tostring(data['id.orig_h']), id_orig_p = toint(data['id.orig_p']), id_resp_h = tostring(data['id.resp_h']), id_resp_p = toint(data['id.resp_p']), id_ip_ver = tostring(data['id.ip_ver']), orig_hostname = tostring(data.orig_hostname), resp_hostname = tostring(data.resp_hostname), orig_huid = tostring(data.orig_huid), resp_huid = tostring(data.resp_huid), username = tostring(data.username), hostname = tostring(data.hostname), domain = tostring(data.domain), status = tostring(data.status), success = tobool(data.success), local_orig = tobool(data.local_orig), local_resp = tobool(data.local_resp), ts = datetime_add('second', data.ts / 1000, datetime(1970-01-01)), orig_sluid = tostring(data.orig_sluid), resp_sluid = tostring(data.resp_sluid), sensor_uid = tostring(data.sensor_uid), community_id = tostring(data.community_id), metadata_type = tostring(data.metadata_type)", "outputStream": "Custom-vectra_ntlm_CL" } ]