@{items('For_each_alert')?['properties']?['alertDisplayName']} @{items('For_each_alert')?['properties']?['description']}
", - "Importance": "High", - "Subject": "Netskope Webtx Error Encountered", - "To": "[[parameters('ReceiverEmailId')]" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['outlook']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "type": "Foreach" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "outlook": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]", - "connectionName": "[[variables('OutlookConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "NetskopeWebTxErrorEmail", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": 
"[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('OutlookConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('OutlookConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ], - "metadata": { - "title": "NetskopeWebTxErrorEmail", - "description": "This playbook sends email when Netskope Web Transaction data connector error is detected.", - "postDeployment": [ - "**Authorize connections**", - "Once deployment is complete, authorize each connection.", - "1. Click the MicrosoftSentinelConnection resource", - "2. Click edit API connections", - "3. Click Authorize", - "4. Provide Required Parameters", - "5. Click Save", - "6. Repeat same steps for OutlookConnection", - "**In Microsoft Sentinel, analytics rules should be configured to trigger an incident.**", - "1. Select the **Netskope - WebTx Error Detection** analytic rule you have deployed.", - "2. 
Click on **Edit**", - "3. Go to **Automated response** tab", - "4. Click on **Add new**", - "5. Provide name for your rule, In Actions dropdown select **Run playbook**", - "6. In second dropdown select your deployed playbook", - "7. Click on **Apply**", - "8. Save the Analytic rule." - ], - "tags": [ - "Netskope", - "Email", - "WebTransaction" - ], - "lastUpdateTime": "2024-05-08T15:18:07.631Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "NetskopeWebTxErrorEmail", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AlertsCompromisedCredential Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": 
"[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsCompromisedCredential", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsCompromisedCredential", - "query": "let Alerts_compromised_credential_View = view (){\n alertscompromisedcredentialdata_CL\n |extend \n TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Category = column_ifexists('Category', ''),\n Type = column_ifexists('Type', ''),\n Id = column_ifexists('_id_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n BreachDate = column_ifexists('breach_date_d', ''),\n BreachDescription = column_ifexists('breach_description_s', ''),\n BreachId = column_ifexists('breach_id_s', ''),\n BreachMediaReferences = column_ifexists('breach_media_references_s', ''),\n BreachScore = column_ifexists('breach_score_s', ''),\n BreachTargetReferences = column_ifexists('breach_target_references_s', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n EmailSource = column_ifexists('email_source_s', ''),\n EmployeeType = column_ifexists('employeeType_s', ''),\n ExternalEmail = column_ifexists('external_email_d', ''),\n Mail = column_ifexists('mail_s', ''),\n 
MatchedUsername = column_ifexists('matched_username_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n PasswordType = column_ifexists('password_type_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SAMAccountType = column_ifexists('sAMAccountType_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserKey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n TimeGenerated,\n Computer,\n RawData,\n _ResourceId,\n Category,\n Type,\n Id,\n Acked,\n Alert,\n AlertName,\n AlertType,\n App,\n BreachDate,\n BreachDescription,\n BreachId,\n BreachMediaReferences,\n BreachScore,\n BreachTargetReferences,\n CCIString,\n CCI,\n CCL,\n Count,\n Department,\n DistinguishedName,\n Division,\n EmailSource,\n EmployeeType,\n ExternalEmail,\n Mail,\n MatchedUsername,\n OrganizationUnit,\n PasswordType,\n SAMAccountName,\n SAMAccountType,\n Timestamp,\n PolicyType,\n UrNormalized,\n User,\n UserKey,\n UserPrincipalName\n};\nAlerts_compromised_credential_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsCompromisedCredential')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": 
"[variables('parserObject1').parserVersion1]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "Parser for AlertsCompromisedCredential", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", - "version": "[variables('parserObject1').parserVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject1')._parserName1]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsCompromisedCredential", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsCompromisedCredential", - "query": "let Alerts_compromised_credential_View = view (){\n alertscompromisedcredentialdata_CL\n |extend \n TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', 
''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Category = column_ifexists('Category', ''),\n Type = column_ifexists('Type', ''),\n Id = column_ifexists('_id_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n BreachDate = column_ifexists('breach_date_d', ''),\n BreachDescription = column_ifexists('breach_description_s', ''),\n BreachId = column_ifexists('breach_id_s', ''),\n BreachMediaReferences = column_ifexists('breach_media_references_s', ''),\n BreachScore = column_ifexists('breach_score_s', ''),\n BreachTargetReferences = column_ifexists('breach_target_references_s', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n EmailSource = column_ifexists('email_source_s', ''),\n EmployeeType = column_ifexists('employeeType_s', ''),\n ExternalEmail = column_ifexists('external_email_d', ''),\n Mail = column_ifexists('mail_s', ''),\n MatchedUsername = column_ifexists('matched_username_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n PasswordType = column_ifexists('password_type_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SAMAccountType = column_ifexists('sAMAccountType_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserKey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n 
TimeGenerated,\n Computer,\n RawData,\n _ResourceId,\n Category,\n Type,\n Id,\n Acked,\n Alert,\n AlertName,\n AlertType,\n App,\n BreachDate,\n BreachDescription,\n BreachId,\n BreachMediaReferences,\n BreachScore,\n BreachTargetReferences,\n CCIString,\n CCI,\n CCL,\n Count,\n Department,\n DistinguishedName,\n Division,\n EmailSource,\n EmployeeType,\n ExternalEmail,\n Mail,\n MatchedUsername,\n OrganizationUnit,\n PasswordType,\n SAMAccountName,\n SAMAccountType,\n Timestamp,\n PolicyType,\n UrNormalized,\n User,\n UserKey,\n UserPrincipalName\n};\nAlerts_compromised_credential_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsCompromisedCredential')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject2').parserTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AlertsCtep Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject2').parserVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject2')._parserName2]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsCtep", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsCtep", - "query": "let Alerts_ctep_view = view(){\nalertsctepdata_CL\n| extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Company = column_ifexists('company_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n 
DeviceClassification = column_ifexists('deviceClassification_s', ''),\n Device = column_ifexists('device_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n GId = column_ifexists('gid_d', ''),\n HomePop = column_ifexists('home_pop_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n HttpMethod_s = column_ifexists('http_method_s', ''),\n HttpPort_d = column_ifexists('http_port_d', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n Manager = column_ifexists('manager_s', ''),\n NetskopePop_s = column_ifexists('netskope_pop_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n ProfileId = column_ifexists('profile_id_s', ''),\n Referer = column_ifexists('referer_s', ''),\n SignatureId = column_ifexists('signature_id_d', ''),\n Signature = column_ifexists('signature_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n Timestamp = column_ifexists('timestamp_d', 
''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', '')\n |project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n Acked,\n Action,\n AlertName,\n Alert,\n AlertType,\n App,\n CCI,\n CCIString,\n CCL,\n Company,\n Count,\n Department,\n DeviceClassification,\n Device,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationZipcode,\n DestinationIp,\n DestinationPort,\n GId,\n HomePop,\n HostName,\n HttpMethod_s,\n HttpPort_d,\n IpProtocol,\n Manager,\n NetskopePop_s,\n OrganizationUnit,\n OS,\n OtherCategories,\n ProfileId,\n Referer,\n SignatureId,\n Signature,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceZipcode,\n SourceIp,\n SourcePort,\n Timestamp,\n TrafficType,\n TransactionId,\n TunnelId,\n PolicyType,\n UrNormalized,\n Url,\n UserPrincipalName,\n User,\n UserIp,\n Userkey\n};\nAlerts_ctep_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - 
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsCtep')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject2').parserContentId2]", - "contentKind": "Parser", - "displayName": "Parser for AlertsCtep", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", - "version": "[variables('parserObject2').parserVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject2')._parserName2]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsCtep", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsCtep", - "query": "let Alerts_ctep_view = view(){\nalertsctepdata_CL\n| extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = 
column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Company = column_ifexists('company_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DeviceClassification = column_ifexists('deviceClassification_s', ''),\n Device = column_ifexists('device_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n GId = column_ifexists('gid_d', ''),\n HomePop = column_ifexists('home_pop_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n HttpMethod_s = column_ifexists('http_method_s', ''),\n HttpPort_d = column_ifexists('http_port_d', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n Manager = column_ifexists('manager_s', ''),\n NetskopePop_s = column_ifexists('netskope_pop_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n 
OtherCategories = column_ifexists('other_categories_s', ''),\n ProfileId = column_ifexists('profile_id_s', ''),\n Referer = column_ifexists('referer_s', ''),\n SignatureId = column_ifexists('signature_id_d', ''),\n Signature = column_ifexists('signature_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', '')\n |project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n Acked,\n Action,\n AlertName,\n Alert,\n AlertType,\n App,\n CCI,\n CCIString,\n CCL,\n Company,\n Count,\n Department,\n DeviceClassification,\n Device,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationZipcode,\n DestinationIp,\n DestinationPort,\n GId,\n HomePop,\n HostName,\n HttpMethod_s,\n HttpPort_d,\n IpProtocol,\n Manager,\n NetskopePop_s,\n OrganizationUnit,\n OS,\n OtherCategories,\n 
ProfileId,\n Referer,\n SignatureId,\n Signature,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceZipcode,\n SourceIp,\n SourcePort,\n Timestamp,\n TrafficType,\n TransactionId,\n TunnelId,\n PolicyType,\n UrNormalized,\n Url,\n UserPrincipalName,\n User,\n UserIp,\n Userkey\n};\nAlerts_ctep_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsCtep')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject3').parserTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AlertsDLP Data Parser with template version 3.0.2", - "mainTemplate": { - 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject3').parserVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject3')._parserName3]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsDLP", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsDLP", - "query": "let Alert_DLP_Data_View = view (){\n alertsdlpdata_CL\n |extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n BCC = column_ifexists('bcc_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = 
column_ifexists('browser_version_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Channel = column_ifexists('channel_s', ''),\n ClassificationName = column_ifexists('classification_name_s', ''),\n Collaborated = column_ifexists('collaborated_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n DataType = column_ifexists('data_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpFingerprintClassification = column_ifexists('dlp_fingerprint_classification_s', ''),\n DlpFingerprintMatch = column_ifexists('dlp_fingerprint_match_s', ''),\n DlpFingerprintScore = column_ifexists('dlp_fingerprint_score_d', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),\n DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DlpRuleCount = column_ifexists('dlp_rule_count_d', ''),\n DlpRule = column_ifexists('dlp_rule_s', ''),\n DlpRuleScore = column_ifexists('dlp_rule_score_d', ''),\n DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', ''),\n DlpUniqueCount = column_ifexists('dlp_unique_count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DynamicClassification = 
column_ifexists('dynamic_classification_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileClsEncrypted = column_ifexists('file_cls_encrypted_b', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePasswordProtected = column_ifexists('file_password_protected_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromStorage = column_ifexists('from_storage_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Group = column_ifexists('group_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LocalSha256 = column_ifexists('local_sha256_s', ''),\n Mail = column_ifexists('mail_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MessageId = column_ifexists('message_id_s', ''),\n MessageSize = column_ifexists('message_size_d', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OuterDocType = column_ifexists('outer_doc_type_d', ''),\n OwnerPdl = column_ifexists('owner_pdl_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = 
column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RetroScanName = column_ifexists('retro_scan_name_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA256 = column_ifexists('sha256_s', ''),\n SharedDomains = column_ifexists('shared_domains_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SubType = column_ifexists('sub_type_s', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToStorage = column_ifexists('to_storage_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueFileType = column_ifexists('true_filetype_s', ''),\n TrueObjCategory = 
column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n TrueTypeId = column_ifexists('true_type_id_d', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n ViolatingUser = column_ifexists('violating_user_s', ''),\n ViolatingUserType = column_ifexists('violating_user_type_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', '')\n | project \n Category,\n MG,\n ManagementGroupName,\n SourceSystem,\n TenantId,\n _ResourceId,\n Computer,\n RawData,\n TimeGenerated,\n Type,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AppActivity,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n BCC,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCL,\n Channel,\n ClassificationName,\n Collaborated,\n ConnectionId,\n DataType,\n DeviceClassification,\n Device,\n DisplayName,\n DlpFile,\n DlpFingerprintClassification,\n DlpFingerprintMatch,\n DlpFingerprintScore,\n DlpIncidentId,\n DlpIsUniqueCount,\n DlpMailParentId,\n DlpParentId,\n DlpProfile,\n DlpRuleCount,\n DlpRule,\n DlpRuleScore,\n DlpRuleSeverity,\n DlpUniqueCount,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n DynamicClassification,\n Exposure,\n ExternalCollaboratorCount,\n FileCategory,\n FileClsEncrypted,\n FileLang,\n 
FilePasswordProtected,\n FilePath,\n FileSize,\n FileType,\n FromStorage,\n FromUser,\n Group,\n HostName,\n IncidentId,\n InstanceId,\n Instance,\n LocalSha256,\n Mail,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MessageId,\n MessageSize,\n MimeType,\n Modified,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OuterDocType,\n OwnerPdl,\n Owner,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestId,\n RetroScanName,\n SAMAccountName,\n SanctionedInstance,\n ScanType,\n Severity,\n SHA256,\n SharedDomains,\n SharedWith,\n Site,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SubType,\n SuppressionKey,\n Timestamp,\n Title,\n ToStorage,\n ToUser,\n TotalCollaboratorCount,\n TrafficType,\n TransactionId,\n TrueFileType,\n TrueObjCategory,\n TrueObjType,\n TrueTypeId,\n TssMode,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n UserCountry,\n UserPrincipalName,\n UserId,\n User,\n UserIp,\n Userkey,\n ViolatingUser,\n ViolatingUserType,\n WebUniversalConnector\n };\n Alert_DLP_Data_View\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
- "dependsOn": [
- "[variables('parserObject3')._parserId3]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsDLP')]",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "kind": "Parser",
- "version": "[variables('parserObject3').parserVersion3]",
- "source": {
- "name": 
"Netskopev2",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "contentKind": "Parser",
- "displayName": "Parser for AlertsDLP",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "version": "[variables('parserObject3').parserVersion3]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject3')._parserName3]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsDLP",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsDLP",
- "query": "let Alert_DLP_Data_View = view (){\n alertsdlpdata_CL\n |extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = 
column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n BCC = column_ifexists('bcc_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Channel = column_ifexists('channel_s', ''),\n ClassificationName = column_ifexists('classification_name_s', ''),\n Collaborated = column_ifexists('collaborated_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n DataType = column_ifexists('data_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpFingerprintClassification = column_ifexists('dlp_fingerprint_classification_s', ''),\n DlpFingerprintMatch = column_ifexists('dlp_fingerprint_match_s', ''),\n DlpFingerprintScore = column_ifexists('dlp_fingerprint_score_d', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),\n DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DlpRuleCount = column_ifexists('dlp_rule_count_d', 
''),\n DlpRule = column_ifexists('dlp_rule_s', ''),\n DlpRuleScore = column_ifexists('dlp_rule_score_d', ''),\n DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', ''),\n DlpUniqueCount = column_ifexists('dlp_unique_count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DynamicClassification = column_ifexists('dynamic_classification_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileClsEncrypted = column_ifexists('file_cls_encrypted_b', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePasswordProtected = column_ifexists('file_password_protected_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromStorage = column_ifexists('from_storage_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Group = column_ifexists('group_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LocalSha256 = column_ifexists('local_sha256_s', ''),\n Mail = column_ifexists('mail_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = 
column_ifexists('md5_g', ''),\n MessageId = column_ifexists('message_id_s', ''),\n MessageSize = column_ifexists('message_size_d', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OuterDocType = column_ifexists('outer_doc_type_d', ''),\n OwnerPdl = column_ifexists('owner_pdl_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RetroScanName = column_ifexists('retro_scan_name_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA256 = column_ifexists('sha256_s', ''),\n SharedDomains = column_ifexists('shared_domains_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n 
SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SubType = column_ifexists('sub_type_s', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToStorage = column_ifexists('to_storage_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueFileType = column_ifexists('true_filetype_s', ''),\n TrueObjCategory = column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n TrueTypeId = column_ifexists('true_type_id_d', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n ViolatingUser = column_ifexists('violating_user_s', ''),\n ViolatingUserType = column_ifexists('violating_user_type_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', '')\n | project \n Category,\n MG,\n ManagementGroupName,\n SourceSystem,\n TenantId,\n _ResourceId,\n Computer,\n RawData,\n TimeGenerated,\n Type,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AppActivity,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n BCC,\n 
Browser,\n BrowserSessionId,\n BrowserVersion,\n CCL,\n Channel,\n ClassificationName,\n Collaborated,\n ConnectionId,\n DataType,\n DeviceClassification,\n Device,\n DisplayName,\n DlpFile,\n DlpFingerprintClassification,\n DlpFingerprintMatch,\n DlpFingerprintScore,\n DlpIncidentId,\n DlpIsUniqueCount,\n DlpMailParentId,\n DlpParentId,\n DlpProfile,\n DlpRuleCount,\n DlpRule,\n DlpRuleScore,\n DlpRuleSeverity,\n DlpUniqueCount,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n DynamicClassification,\n Exposure,\n ExternalCollaboratorCount,\n FileCategory,\n FileClsEncrypted,\n FileLang,\n FilePasswordProtected,\n FilePath,\n FileSize,\n FileType,\n FromStorage,\n FromUser,\n Group,\n HostName,\n IncidentId,\n InstanceId,\n Instance,\n LocalSha256,\n Mail,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MessageId,\n MessageSize,\n MimeType,\n Modified,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OuterDocType,\n OwnerPdl,\n Owner,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestId,\n RetroScanName,\n SAMAccountName,\n SanctionedInstance,\n ScanType,\n Severity,\n SHA256,\n SharedDomains,\n SharedWith,\n Site,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SubType,\n SuppressionKey,\n Timestamp,\n Title,\n ToStorage,\n ToUser,\n TotalCollaboratorCount,\n TrafficType,\n TransactionId,\n TrueFileType,\n TrueObjCategory,\n TrueObjType,\n TrueTypeId,\n TssMode,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n UserCountry,\n UserPrincipalName,\n UserId,\n User,\n UserIp,\n Userkey,\n ViolatingUser,\n ViolatingUserType,\n WebUniversalConnector\n };\n Alert_DLP_Data_View\n", - 
"functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]",
- "dependsOn": [
- "[variables('parserObject3')._parserId3]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsDLP')]",
- "contentId": "[variables('parserObject3').parserContentId3]",
- "kind": "Parser",
- "version": "[variables('parserObject3').parserVersion3]",
- "source": {
- "kind": "Solution",
- "name": "Netskopev2",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject4').parserTemplateSpecName4]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AlertsMalsite Data Parser with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject4').parserVersion4]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject4')._parserName4]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - 
"location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsMalsite",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsMalsite",
- "query": "let Alerts_malsite_view = view(){\n alertsmalsitedata_CL\n | extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n AggregatedUser = column_ifexists('aggregated_user_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n CO = column_ifexists('co_s', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DeviceClassification = 
column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n Division = column_ifexists('division_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', ''),\n Gateway = column_ifexists('gateway_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n JA3 = column_ifexists('ja3_s', ''),\n JA3S = column_ifexists('ja3s_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n Malicious = column_ifexists('malicious_s', ''),\n malsite_active = column_ifexists('malsite_active_s', ''),\n MalsiteCategory = column_ifexists('malsite_category_s', ''),\n MalsiteConfidence = column_ifexists('malsite_confidence_d', ''),\n MalsiteConsecutive = column_ifexists('malsite_consecutive_s', ''),\n MalsiteCountry = column_ifexists('malsite_country_s', ''),\n MalsiteFirstSeen = column_ifexists('malsite_first_seen_d', ''),\n MalsiteHostility = column_ifexists('malsite_hostility_s', ''),\n MalsiteId = column_ifexists('malsite_id_s', ''),\n MalsiteIpHost = column_ifexists('malsite_ip_host_s', ''),\n MalsiteLastSeen = column_ifexists('malsite_last_seen_d', ''),\n MalsiteLatitude = column_ifexists('malsite_latitude_d', ''),\n MalsiteLongitude = column_ifexists('malsite_longitude_d', ''),\n MalsiteRegion = 
column_ifexists('malsite_region_s', ''),\n MalsiteReputation = column_ifexists('malsite_reputation_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Numbytes = column_ifexists('numbytes_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestCount = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n ResponseCount = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n severity_level_id = column_ifexists('severity_level_id_d', ''),\n severity_level = column_ifexists('severity_level_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Sfwder = column_ifexists('sfwder_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = 
column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n ThreatMatchField = column_ifexists('threat_match_field_s', ''),\n ThreatMatchValue = column_ifexists('threat_match_value_s', ''),\n ThreatSourceId = column_ifexists('threat_source_id_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', '')\n | project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n AggregatedUser,\n AlertName,\n Alert,\n AlertType,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCIString,\n CCL,\n ClientBytes,\n CO,\n ConnDuration,\n ConnectionId,\n Count,\n Department,\n DeviceClassification,\n Device,\n Division,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n FromUser,\n Fromlogs,\n Gateway,\n HostName,\n IncidentId,\n JA3,\n JA3S,\n LogFileName,\n Malicious,\n malsite_active,\n MalsiteCategory,\n MalsiteConfidence,\n MalsiteConsecutive,\n MalsiteCountry,\n MalsiteFirstSeen,\n MalsiteHostility,\n MalsiteId,\n MalsiteIpHost,\n MalsiteLastSeen,\n MalsiteLatitude,\n MalsiteLongitude,\n 
MalsiteRegion,\n MalsiteReputation,\n ManagedApp,\n NotifyTemplate,\n Numbytes,\n Object,\n ObjectType,\n Org,\n OrganizationUnit,\n OS,\n OsVersion,\n OtherCategories,\n Page,\n PageSite,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestCount,\n RequestId,\n ResponseCount,\n SAMAccountName,\n Serial,\n ServerBytes,\n severity_level_id,\n severity_level,\n Severity,\n Sfwder,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionStartTime,\n TelemetryApp,\n ThreatMatchField,\n ThreatMatchValue,\n ThreatSourceId,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n User,\n Useragent,\n UserIp\n };\n Alerts_malsite_view\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
- "dependsOn": [
- "[variables('parserObject4')._parserId4]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsMalsite')]",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "kind": "Parser",
- "version": "[variables('parserObject4').parserVersion4]",
- "source": {
- "name": "Netskopev2",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]", 
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "contentKind": "Parser",
- "displayName": "Parser for AlertsMalsite",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "version": "[variables('parserObject4').parserVersion4]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('parserObject4')._parserName4]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsMalsite",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsMalsite",
- "query": "let Alerts_malsite_view = view(){\n alertsmalsitedata_CL\n | extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n AggregatedUser = column_ifexists('aggregated_user_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = 
column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n CO = column_ifexists('co_s', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n Division = column_ifexists('division_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', ''),\n Gateway = column_ifexists('gateway_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n JA3 = column_ifexists('ja3_s', ''),\n JA3S = column_ifexists('ja3s_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n Malicious = 
column_ifexists('malicious_s', ''),\n malsite_active = column_ifexists('malsite_active_s', ''),\n MalsiteCategory = column_ifexists('malsite_category_s', ''),\n MalsiteConfidence = column_ifexists('malsite_confidence_d', ''),\n MalsiteConsecutive = column_ifexists('malsite_consecutive_s', ''),\n MalsiteCountry = column_ifexists('malsite_country_s', ''),\n MalsiteFirstSeen = column_ifexists('malsite_first_seen_d', ''),\n MalsiteHostility = column_ifexists('malsite_hostility_s', ''),\n MalsiteId = column_ifexists('malsite_id_s', ''),\n MalsiteIpHost = column_ifexists('malsite_ip_host_s', ''),\n MalsiteLastSeen = column_ifexists('malsite_last_seen_d', ''),\n MalsiteLatitude = column_ifexists('malsite_latitude_d', ''),\n MalsiteLongitude = column_ifexists('malsite_longitude_d', ''),\n MalsiteRegion = column_ifexists('malsite_region_s', ''),\n MalsiteReputation = column_ifexists('malsite_reputation_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Numbytes = column_ifexists('numbytes_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestCount = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n ResponseCount = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = 
column_ifexists('server_bytes_d', ''),\n severity_level_id = column_ifexists('severity_level_id_d', ''),\n severity_level = column_ifexists('severity_level_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Sfwder = column_ifexists('sfwder_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n ThreatMatchField = column_ifexists('threat_match_field_s', ''),\n ThreatMatchValue = column_ifexists('threat_match_value_s', ''),\n ThreatSourceId = column_ifexists('threat_source_id_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', '')\n | project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n AggregatedUser,\n AlertName,\n Alert,\n AlertType,\n App,\n 
AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCIString,\n CCL,\n ClientBytes,\n CO,\n ConnDuration,\n ConnectionId,\n Count,\n Department,\n DeviceClassification,\n Device,\n Division,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n FromUser,\n Fromlogs,\n Gateway,\n HostName,\n IncidentId,\n JA3,\n JA3S,\n LogFileName,\n Malicious,\n malsite_active,\n MalsiteCategory,\n MalsiteConfidence,\n MalsiteConsecutive,\n MalsiteCountry,\n MalsiteFirstSeen,\n MalsiteHostility,\n MalsiteId,\n MalsiteIpHost,\n MalsiteLastSeen,\n MalsiteLatitude,\n MalsiteLongitude,\n MalsiteRegion,\n MalsiteReputation,\n ManagedApp,\n NotifyTemplate,\n Numbytes,\n Object,\n ObjectType,\n Org,\n OrganizationUnit,\n OS,\n OsVersion,\n OtherCategories,\n Page,\n PageSite,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestCount,\n RequestId,\n ResponseCount,\n SAMAccountName,\n Serial,\n ServerBytes,\n severity_level_id,\n severity_level,\n Severity,\n Sfwder,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionStartTime,\n TelemetryApp,\n ThreatMatchField,\n ThreatMatchValue,\n ThreatSourceId,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n User,\n Useragent,\n UserIp\n };\n Alerts_malsite_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]",
- "dependsOn": [
- "[variables('parserObject4')._parserId4]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsMalsite')]",
- "contentId": "[variables('parserObject4').parserContentId4]",
- "kind": "Parser",
- "version": "[variables('parserObject4').parserVersion4]",
- "source": {
- "kind": "Solution",
- "name": "Netskopev2",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject5').parserTemplateSpecName5]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AlertsMalware Data Parser with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject5').parserVersion5]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject5')._parserName5]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsMalware",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsMalware",
- "query": "let Alerts_Malware_View = view(){\n alertsmalwaredata_CL\n | extend\n 
Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppName = column_ifexists('app_name_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Company = column_ifexists('company_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CreatedDate = column_ifexists('created_date_d', ''),\n Department = column_ifexists('department_s', ''),\n DetectionEngine = column_ifexists('detection_engine_s', ''),\n DetectionType = column_ifexists('detection_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = 
column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n FastscanResults = column_ifexists('fastscan_results_s', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FileName1 = column_ifexists('file_name_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FileName2 = column_ifexists('filename_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LocalMd5 = column_ifexists('local_md5_s', ''),\n LocalSha256 = column_ifexists('local_sha256_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n MalwareProfile = column_ifexists('malware_profile_s', ''),\n MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n MlDetection = column_ifexists('ml_detection_s', ''),\n ModifiedDate = column_ifexists('modified_date_d', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = 
column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanTime = column_ifexists('scan_time_d', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n ScannerResult = column_ifexists('scanner_result_s', ''),\n SeverityId = column_ifexists('severity_id_d', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA1 = column_ifexists('sha1_s', ''),\n SharedType = column_ifexists('shared_type_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueFileType = column_ifexists('true_filetype_s', ''),\n TssLicense = column_ifexists('tss_license_s', ''),\n 
TssMode = column_ifexists('tss_mode_s', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n UsrDisplayName = column_ifexists('usr_display_name_s', ''),\n usrStatus = column_ifexists('usr_status_s', ''),\n usrTitle = column_ifexists('usr_title_s', ''),\n UsrUdfBusinessSegmentLevel1 = column_ifexists('usr_udf_businesssegmentlevel1_s', ''),\n UsrUdfBusinessSegmentLevel2 = column_ifexists('usr_udf_businesssegmentlevel2_s', ''),\n UsrUdfBusinessSegmentLevel3 = column_ifexists('usr_udf_businesssegmentlevel3_s', ''),\n UsrUdfBusinessSegmentLevel4 = column_ifexists('usr_udf_businesssegmentlevel4_s', ''),\n UsrUdfCompanyName = column_ifexists('usr_udf_companyname_s', ''),\n UsrUdfEmployeeId = column_ifexists('usr_udf_employeeid_s', ''),\n UsrUdfPrimaryDomain = column_ifexists('usr_udf_primarydomain_s', ''),\n UsrUdfSupervisorId = column_ifexists('usr_udf_supervisorid_s', ''),\n UsrUdfSupervisorName = column_ifexists('usr_udf_supervisorname_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AppName,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCIString,\n CCL,\n Company,\n ConnectionId,\n Count,\n CreatedDate,\n Department,\n DetectionEngine,\n DetectionType,\n DeviceClassification,\n Device,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n 
DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n FastscanResults,\n FileCategory,\n FileId,\n FileName1,\n FilePath,\n FileSize,\n FileType,\n FileName2,\n FromUser,\n HostName,\n IncidentId,\n InstanceId,\n Instance,\n LocalMd5,\n LocalSha256,\n MalwareId,\n MalwareName,\n MalwareProfile,\n MalwareSeverity,\n MalwareType,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MimeType,\n MlDetection,\n ModifiedDate,\n Nsdeviceuid,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestId,\n SanctionedInstance,\n ScanTime,\n ScanType,\n ScannerResult,\n SeverityId,\n Severity,\n SHA1,\n SharedType,\n SharedWith,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n Timestamp,\n Title,\n TrafficType,\n TransactionId,\n TrueFileType,\n TssLicense,\n TssMode,\n TssScan,\n PolicyType,\n UrNormalized,\n Url,\n UserCountry,\n UserPrincipalName,\n UserId,\n User,\n UserIp,\n UsrDisplayName,\n usrStatus,\n usrTitle,\n UsrUdfBusinessSegmentLevel1,\n UsrUdfBusinessSegmentLevel2,\n UsrUdfBusinessSegmentLevel3,\n UsrUdfBusinessSegmentLevel4,\n UsrUdfCompanyName,\n UsrUdfEmployeeId,\n UsrUdfPrimaryDomain,\n UsrUdfSupervisorId,\n UsrUdfSupervisorName \n};\nAlerts_Malware_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 
'AlertsMalware')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject5').parserContentId5]", - "contentKind": "Parser", - "displayName": "Parser for AlertsMalware", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", - "version": "[variables('parserObject5').parserVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject5')._parserName5]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsMalware", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsMalware", - "query": "let Alerts_Malware_View = view(){\n alertsmalwaredata_CL\n | extend\n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n 
TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppName = column_ifexists('app_name_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Company = column_ifexists('company_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CreatedDate = column_ifexists('created_date_d', ''),\n Department = column_ifexists('department_s', ''),\n DetectionEngine = column_ifexists('detection_engine_s', ''),\n DetectionType = column_ifexists('detection_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = 
column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n FastscanResults = column_ifexists('fastscan_results_s', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FileName1 = column_ifexists('file_name_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FileName2 = column_ifexists('filename_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LocalMd5 = column_ifexists('local_md5_s', ''),\n LocalSha256 = column_ifexists('local_sha256_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n MalwareProfile = column_ifexists('malware_profile_s', ''),\n MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n MlDetection = column_ifexists('ml_detection_s', ''),\n ModifiedDate = column_ifexists('modified_date_d', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n 
ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanTime = column_ifexists('scan_time_d', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n ScannerResult = column_ifexists('scanner_result_s', ''),\n SeverityId = column_ifexists('severity_id_d', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA1 = column_ifexists('sha1_s', ''),\n SharedType = column_ifexists('shared_type_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueFileType = column_ifexists('true_filetype_s', ''),\n TssLicense = column_ifexists('tss_license_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserPrincipalName = 
column_ifexists('userPrincipalName_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n UsrDisplayName = column_ifexists('usr_display_name_s', ''),\n usrStatus = column_ifexists('usr_status_s', ''),\n usrTitle = column_ifexists('usr_title_s', ''),\n UsrUdfBusinessSegmentLevel1 = column_ifexists('usr_udf_businesssegmentlevel1_s', ''),\n UsrUdfBusinessSegmentLevel2 = column_ifexists('usr_udf_businesssegmentlevel2_s', ''),\n UsrUdfBusinessSegmentLevel3 = column_ifexists('usr_udf_businesssegmentlevel3_s', ''),\n UsrUdfBusinessSegmentLevel4 = column_ifexists('usr_udf_businesssegmentlevel4_s', ''),\n UsrUdfCompanyName = column_ifexists('usr_udf_companyname_s', ''),\n UsrUdfEmployeeId = column_ifexists('usr_udf_employeeid_s', ''),\n UsrUdfPrimaryDomain = column_ifexists('usr_udf_primarydomain_s', ''),\n UsrUdfSupervisorId = column_ifexists('usr_udf_supervisorid_s', ''),\n UsrUdfSupervisorName = column_ifexists('usr_udf_supervisorname_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AppName,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCIString,\n CCL,\n Company,\n ConnectionId,\n Count,\n CreatedDate,\n Department,\n DetectionEngine,\n DetectionType,\n DeviceClassification,\n Device,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n FastscanResults,\n FileCategory,\n FileId,\n FileName1,\n FilePath,\n FileSize,\n FileType,\n FileName2,\n FromUser,\n HostName,\n IncidentId,\n InstanceId,\n Instance,\n LocalMd5,\n LocalSha256,\n MalwareId,\n MalwareName,\n MalwareProfile,\n 
MalwareSeverity,\n MalwareType,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MimeType,\n MlDetection,\n ModifiedDate,\n Nsdeviceuid,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n RequestId,\n SanctionedInstance,\n ScanTime,\n ScanType,\n ScannerResult,\n SeverityId,\n Severity,\n SHA1,\n SharedType,\n SharedWith,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n Timestamp,\n Title,\n TrafficType,\n TransactionId,\n TrueFileType,\n TssLicense,\n TssMode,\n TssScan,\n PolicyType,\n UrNormalized,\n Url,\n UserCountry,\n UserPrincipalName,\n UserId,\n User,\n UserIp,\n UsrDisplayName,\n usrStatus,\n usrTitle,\n UsrUdfBusinessSegmentLevel1,\n UsrUdfBusinessSegmentLevel2,\n UsrUdfBusinessSegmentLevel3,\n UsrUdfBusinessSegmentLevel4,\n UsrUdfCompanyName,\n UsrUdfEmployeeId,\n UsrUdfPrimaryDomain,\n UsrUdfSupervisorId,\n UsrUdfSupervisorName \n};\nAlerts_Malware_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsMalware')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": 
"[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject6').parserTemplateSpecName6]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AlertsPolicy Data Parser with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject6').parserVersion6]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject6')._parserName6]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsPolicy",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsPolicy",
- "query": "let Alerts_Policy_View = view () {\n alertspolicydata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n 
Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n ActivityStatus = column_ifexists('activity_status_s', ''),\n ActivityType = column_ifexists('activity_type_s', ''),\n AggregatedUser = column_ifexists('aggregated_user_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n App = column_ifexists('app_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n AppScopes = column_ifexists('app_scopes_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n BCC = column_ifexists('bcc_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CC = column_ifexists('cc_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ClientPackets = column_ifexists('client_packets_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CustomConnector = column_ifexists('custom_connector_s', ''),\n DataType = column_ifexists('data_type_s', ''),\n Device = column_ifexists('device_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n DlpFailReason = column_ifexists('dlp_fail_reason_s', ''),\n DlpProfile = 
column_ifexists('dlp_profile_s', ''),\n DlpScanFailed = column_ifexists('dlp_scan_failed_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n DynamicClassification = column_ifexists('dynamic_classification_s', ''),\n EncryptFailure = column_ifexists('encrypt_failure_s', ''),\n EndTime = column_ifexists('end_time_s', ''),\n EventType = column_ifexists('event_type_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n ForwardToProxyXau = column_ifexists('forward_to_proxy_xau_s', ''),\n FromObject = column_ifexists('from_object_s', ''),\n FromStorage = column_ifexists('from_storage_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Gateway = column_ifexists('gateway_s', ''),\n Group = column_ifexists('group_s', ''),\n Hostname = column_ifexists('hostname_s', ''),\n HttpStatus = column_ifexists('http_status_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n Instance = column_ifexists('instance_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n InternalCollaboratorCount = 
column_ifexists('internal_collaborator_count_d', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n JustificationReason = column_ifexists('justification_reason_s', ''),\n JustificationType = column_ifexists('justification_type_s', ''),\n LastName = column_ifexists('last_name_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n Mail = column_ifexists('mail_s', ''),\n Malicious = column_ifexists('malicious_s', ''),\n MalsiteCategory = column_ifexists('malsite_category_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MemberOf = column_ifexists('memberOf_s', ''),\n MessageId = column_ifexists('message_id_s', ''),\n MessageSize = column_ifexists('message_size_d', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n Network = column_ifexists('network_s', ''),\n NetworkSessionId = column_ifexists('network_session_id_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n NumSessions = column_ifexists('num_sessions_d', ''),\n NumBytes = column_ifexists('numbytes_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectCount = column_ifexists('object_count_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = 
column_ifexists('other_categories_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n ProfileEmails = column_ifexists('profile_emails_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n ProtocolPort = column_ifexists('protocol_port_s', ''),\n PublisherCn = column_ifexists('publisher_cn_s', ''),\n PublisherName = column_ifexists('publisher_name_s', ''),\n QAdmin = column_ifexists('q_admin_s', ''),\n QApp = column_ifexists('q_app_s', ''),\n QInstance = column_ifexists('q_instance_s', ''),\n QOriginalFilename = column_ifexists('q_original_filename_s', ''),\n QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),\n QOriginalShared = column_ifexists('q_original_shared_s', ''),\n QOriginalVersion = column_ifexists('q_original_version_s', ''),\n QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),\n QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),\n QuarantineProfile = column_ifexists('quarantine_profile_s', ''),\n QuarantineProfileId = column_ifexists('quarantine_profile_id_s', ''),\n RedirectUrl = column_ifexists('redirect_url_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RemediationProfile = column_ifexists('remediation_profile_s', ''),\n ReqCnt = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RespCnt = column_ifexists('resp_cnt_d', ''),\n RiskLevel = column_ifexists('risk_level_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SAMAccountType = column_ifexists('sAMAccountType_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n Sender = column_ifexists('sender_s', ''),\n Serial = 
column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n ServerPackets = column_ifexists('server_packets_d', ''),\n SessionDuration = column_ifexists('session_duration_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Sfwder = column_ifexists('sfwder_s', ''),\n SharedDomains = column_ifexists('shared_domains_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpStatus = column_ifexists('smtp_status_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n StartTime = column_ifexists('start_time_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n ThreatMatchField = column_ifexists('threat_match_field_s', ''),\n ThreatMatchValue = column_ifexists('threat_match_value_s', ''),\n ThreatSourceId = column_ifexists('threat_source_id_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('Title_s', ''),\n ToObject = column_ifexists('to_object_s', ''),\n ToStorage = column_ifexists('to_storage_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = 
column_ifexists('total_collaborator_count_d', ''),\n TotalPackets = column_ifexists('total_packets_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrustComputerChecked = column_ifexists('trust_computer_checked_s', ''),\n TssFailReason = column_ifexists('tss_fail_reason_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n TssScanFailed = column_ifexists('tss_scan_failed_s', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n TunnelType = column_ifexists('tunnel_type_s', ''),\n TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),\n TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserTmp = column_ifexists('user_tmp_s', ''),\n UserAgent = column_ifexists('useragent_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserIp = column_ifexists('userip_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n ActivityStatus,\n ActivityType,\n AggregatedUser,\n Alert,\n AlertName,\n AlertType,\n AllPolicyMatches,\n App,\n AppActivity,\n AppScopes,\n AppSessionId,\n AppCategory,\n AppSuite,\n BCC,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CC,\n CCI,\n CCIString,\n CCL,\n ClientBytes,\n ClientPackets,\n ConnDuration,\n ConnectionId,\n Count,\n CustomConnector,\n DataType,\n Device,\n DeviceClassification,\n DisplayName,\n DistinguishedName,\n Division,\n DlpFailReason,\n DlpProfile,\n DlpScanFailed,\n DestinationCountry,\n DestinationGeoIpSource,\n DestinationLatitude,\n DestinationLocation,\n 
DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n DynamicClassification,\n EncryptFailure,\n EndTime,\n EventType,\n Exposure,\n ExternalCollaboratorCount,\n FileCategory,\n FileId,\n FilePath,\n FileSize,\n FileType,\n ForwardToProxyXau,\n FromObject,\n FromStorage,\n FromUser,\n Gateway,\n Group,\n Hostname,\n HttpStatus,\n IncidentId,\n Instance,\n InstanceId,\n InternalCollaboratorCount,\n IpProtocol,\n JustificationReason,\n JustificationType,\n LastName,\n LogFileName,\n Mail,\n Malicious,\n MalsiteCategory,\n MalwareId,\n MalwareName,\n MalwareSeverity,\n MalwareType,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MemberOf,\n MessageId,\n MessageSize,\n MimeType,\n Modified,\n Network,\n NetworkSessionId,\n NotifyTemplate,\n Nsdeviceuid,\n NumSessions,\n NumBytes,\n Object,\n ObjectCount,\n ObjectId,\n ObjectType,\n Org,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OtherCategories,\n Owner,\n Page,\n PageSite,\n ParentId,\n Policy,\n PolicyId,\n PolicyType,\n ProfileEmails,\n Protocol,\n ProtocolPort,\n PublisherCn,\n PublisherName,\n QAdmin,\n QApp,\n QInstance,\n QOriginalFilename,\n QOriginalFilepath,\n QOriginalShared,\n QOriginalVersion,\n QuarantineFileId,\n QuarantineFileName,\n QuarantineProfile,\n QuarantineProfileId,\n RedirectUrl,\n Referer,\n RemediationProfile,\n ReqCnt,\n RequestId,\n RespCnt,\n RiskLevel,\n SAMAccountName,\n SAMAccountType,\n SanctionedInstance,\n ScanType,\n Sender,\n Serial,\n ServerBytes,\n ServerPackets,\n SessionDuration,\n SessionId,\n Severity,\n Sfwder,\n SharedDomains,\n SharedWith,\n Site,\n SmtpStatus,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSource,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SourcePort,\n StartTime,\n SuppressionEndTime,\n SuppressionKey,\n SuppressionStartTime,\n TelemetryApp,\n ThreatMatchField,\n 
ThreatMatchValue,\n ThreatSourceId,\n Timestamp,\n Title,\n ToObject,\n ToStorage,\n ToUser,\n TotalCollaboratorCount,\n TotalPackets,\n TrafficType,\n TransactionId,\n TrustComputerChecked,\n TssFailReason,\n TssMode,\n TssScanFailed,\n TssScan,\n TunnelId,\n TunnelType,\n TunnelUpTime,\n TwoFactorAuth,\n UniversalConnector,\n UrNormalized,\n Url,\n User,\n UserId,\n UserTmp,\n UserAgent,\n UserCountry,\n UserIp\n};\nAlerts_Policy_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsPolicy')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject6').parserContentId6]", - "contentKind": "Parser", - "displayName": "Parser for AlertsPolicy", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', 
uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "version": "[variables('parserObject6').parserVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject6')._parserName6]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsPolicy", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsPolicy", - "query": "let Alerts_Policy_View = view () {\n alertspolicydata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n ActivityStatus = column_ifexists('activity_status_s', ''),\n ActivityType = column_ifexists('activity_type_s', ''),\n AggregatedUser = column_ifexists('aggregated_user_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n App = 
column_ifexists('app_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n AppScopes = column_ifexists('app_scopes_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n BCC = column_ifexists('bcc_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CC = column_ifexists('cc_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ClientPackets = column_ifexists('client_packets_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CustomConnector = column_ifexists('custom_connector_s', ''),\n DataType = column_ifexists('data_type_s', ''),\n Device = column_ifexists('device_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n DlpFailReason = column_ifexists('dlp_fail_reason_s', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DlpScanFailed = column_ifexists('dlp_scan_failed_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', 
''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n DynamicClassification = column_ifexists('dynamic_classification_s', ''),\n EncryptFailure = column_ifexists('encrypt_failure_s', ''),\n EndTime = column_ifexists('end_time_s', ''),\n EventType = column_ifexists('event_type_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n ExternalCollaboratorCount = column_ifexists('external_collaborator_count_d', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n ForwardToProxyXau = column_ifexists('forward_to_proxy_xau_s', ''),\n FromObject = column_ifexists('from_object_s', ''),\n FromStorage = column_ifexists('from_storage_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Gateway = column_ifexists('gateway_s', ''),\n Group = column_ifexists('group_s', ''),\n Hostname = column_ifexists('hostname_s', ''),\n HttpStatus = column_ifexists('http_status_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n Instance = column_ifexists('instance_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n InternalCollaboratorCount = column_ifexists('internal_collaborator_count_d', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n JustificationReason = column_ifexists('justification_reason_s', ''),\n JustificationType = column_ifexists('justification_type_s', ''),\n LastName = column_ifexists('last_name_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n Mail = column_ifexists('mail_s', ''),\n Malicious = column_ifexists('malicious_s', ''),\n MalsiteCategory = column_ifexists('malsite_category_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n 
MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MemberOf = column_ifexists('memberOf_s', ''),\n MessageId = column_ifexists('message_id_s', ''),\n MessageSize = column_ifexists('message_size_d', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n Network = column_ifexists('network_s', ''),\n NetworkSessionId = column_ifexists('network_session_id_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n NumSessions = column_ifexists('num_sessions_d', ''),\n NumBytes = column_ifexists('numbytes_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectCount = column_ifexists('object_count_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n ProfileEmails = column_ifexists('profile_emails_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n ProtocolPort = column_ifexists('protocol_port_s', ''),\n PublisherCn = column_ifexists('publisher_cn_s', ''),\n PublisherName = column_ifexists('publisher_name_s', 
''),\n QAdmin = column_ifexists('q_admin_s', ''),\n QApp = column_ifexists('q_app_s', ''),\n QInstance = column_ifexists('q_instance_s', ''),\n QOriginalFilename = column_ifexists('q_original_filename_s', ''),\n QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),\n QOriginalShared = column_ifexists('q_original_shared_s', ''),\n QOriginalVersion = column_ifexists('q_original_version_s', ''),\n QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),\n QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),\n QuarantineProfile = column_ifexists('quarantine_profile_s', ''),\n QuarantineProfileId = column_ifexists('quarantine_profile_id_s', ''),\n RedirectUrl = column_ifexists('redirect_url_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RemediationProfile = column_ifexists('remediation_profile_s', ''),\n ReqCnt = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RespCnt = column_ifexists('resp_cnt_d', ''),\n RiskLevel = column_ifexists('risk_level_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SAMAccountType = column_ifexists('sAMAccountType_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n Sender = column_ifexists('sender_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n ServerPackets = column_ifexists('server_packets_d', ''),\n SessionDuration = column_ifexists('session_duration_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Sfwder = column_ifexists('sfwder_s', ''),\n SharedDomains = column_ifexists('shared_domains_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpStatus = column_ifexists('smtp_status_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n 
SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n StartTime = column_ifexists('start_time_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n ThreatMatchField = column_ifexists('threat_match_field_s', ''),\n ThreatMatchValue = column_ifexists('threat_match_value_s', ''),\n ThreatSourceId = column_ifexists('threat_source_id_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('Title_s', ''),\n ToObject = column_ifexists('to_object_s', ''),\n ToStorage = column_ifexists('to_storage_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),\n TotalPackets = column_ifexists('total_packets_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrustComputerChecked = column_ifexists('trust_computer_checked_s', ''),\n TssFailReason = column_ifexists('tss_fail_reason_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n TssScanFailed = column_ifexists('tss_scan_failed_s', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n TunnelType = column_ifexists('tunnel_type_s', ''),\n TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),\n 
TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserTmp = column_ifexists('user_tmp_s', ''),\n UserAgent = column_ifexists('useragent_s', ''),\n UserCountry = column_ifexists('userCountry_s', ''),\n UserIp = column_ifexists('userip_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n ActivityStatus,\n ActivityType,\n AggregatedUser,\n Alert,\n AlertName,\n AlertType,\n AllPolicyMatches,\n App,\n AppActivity,\n AppScopes,\n AppSessionId,\n AppCategory,\n AppSuite,\n BCC,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CC,\n CCI,\n CCIString,\n CCL,\n ClientBytes,\n ClientPackets,\n ConnDuration,\n ConnectionId,\n Count,\n CustomConnector,\n DataType,\n Device,\n DeviceClassification,\n DisplayName,\n DistinguishedName,\n Division,\n DlpFailReason,\n DlpProfile,\n DlpScanFailed,\n DestinationCountry,\n DestinationGeoIpSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n DynamicClassification,\n EncryptFailure,\n EndTime,\n EventType,\n Exposure,\n ExternalCollaboratorCount,\n FileCategory,\n FileId,\n FilePath,\n FileSize,\n FileType,\n ForwardToProxyXau,\n FromObject,\n FromStorage,\n FromUser,\n Gateway,\n Group,\n Hostname,\n HttpStatus,\n IncidentId,\n Instance,\n InstanceId,\n InternalCollaboratorCount,\n IpProtocol,\n JustificationReason,\n JustificationType,\n LastName,\n LogFileName,\n Mail,\n Malicious,\n MalsiteCategory,\n MalwareId,\n MalwareName,\n MalwareSeverity,\n MalwareType,\n 
ManagedApp,\n ManagementId,\n Manager,\n Md5,\n MemberOf,\n MessageId,\n MessageSize,\n MimeType,\n Modified,\n Network,\n NetworkSessionId,\n NotifyTemplate,\n Nsdeviceuid,\n NumSessions,\n NumBytes,\n Object,\n ObjectCount,\n ObjectId,\n ObjectType,\n Org,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OtherCategories,\n Owner,\n Page,\n PageSite,\n ParentId,\n Policy,\n PolicyId,\n PolicyType,\n ProfileEmails,\n Protocol,\n ProtocolPort,\n PublisherCn,\n PublisherName,\n QAdmin,\n QApp,\n QInstance,\n QOriginalFilename,\n QOriginalFilepath,\n QOriginalShared,\n QOriginalVersion,\n QuarantineFileId,\n QuarantineFileName,\n QuarantineProfile,\n QuarantineProfileId,\n RedirectUrl,\n Referer,\n RemediationProfile,\n ReqCnt,\n RequestId,\n RespCnt,\n RiskLevel,\n SAMAccountName,\n SAMAccountType,\n SanctionedInstance,\n ScanType,\n Sender,\n Serial,\n ServerBytes,\n ServerPackets,\n SessionDuration,\n SessionId,\n Severity,\n Sfwder,\n SharedDomains,\n SharedWith,\n Site,\n SmtpStatus,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSource,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SourcePort,\n StartTime,\n SuppressionEndTime,\n SuppressionKey,\n SuppressionStartTime,\n TelemetryApp,\n ThreatMatchField,\n ThreatMatchValue,\n ThreatSourceId,\n Timestamp,\n Title,\n ToObject,\n ToStorage,\n ToUser,\n TotalCollaboratorCount,\n TotalPackets,\n TrafficType,\n TransactionId,\n TrustComputerChecked,\n TssFailReason,\n TssMode,\n TssScanFailed,\n TssScan,\n TunnelId,\n TunnelType,\n TunnelUpTime,\n TwoFactorAuth,\n UniversalConnector,\n UrNormalized,\n Url,\n User,\n UserId,\n UserTmp,\n UserAgent,\n UserCountry,\n UserIp\n};\nAlerts_Policy_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - 
"location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsPolicy')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject7').parserTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AlertsQuarantine Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject7').parserVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject7')._parserName7]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsQuarantine", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsQuarantine", - "query": "let 
ALert_Quarantine_View = view (){\n alertsquarantinedata_CL\n | extend TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n Category = column_ifexists('Category', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', ''),\n Type = column_ifexists('Type', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n Browser = column_ifexists('browser_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DepartmentNumber = column_ifexists('departmentNumber_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectId = column_ifexists('object_id_s', 
''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OriginalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n Owner = column_ifexists('owner_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileEmails = column_ifexists('profile_emails_s', ''),\n QAdmin = column_ifexists('q_admin_s', ''),\n QApp = column_ifexists('q_app_s', ''),\n QInstance = column_ifexists('q_instance_s', ''),\n QOriginalFilename = column_ifexists('q_original_filename_s', ''),\n QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),\n QOriginalShared = column_ifexists('q_original_shared_s', ''),\n QOriginalVersion = column_ifexists('q_original_version_s', ''),\n QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),\n QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),\n QuarantineProfile = column_ifexists('quarantine_profile_s', ''),\n QuarantineProfileId = column_ifexists('quarantine_profile_id_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n Url = column_ifexists('url_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserKey = column_ifexists('userkey_s', '')\n | project TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n Category,\n _ResourceId,\n TimeGenerated,\n Computer,\n RawData,\n Type,\n Id,\n AccessMethod,\n Acked,\n Action,\n Alert,\n AlertName,\n AlertType,\n App,\n AppCategory,\n Browser,\n CCI,\n CCIString,\n CCL,\n Count,\n Department,\n 
DepartmentNumber,\n Device,\n DlpProfile,\n Exposure,\n FileId,\n FilePath,\n FileSize,\n FileType,\n FromUser,\n InstanceId,\n Manager,\n Md5,\n MimeType,\n Modified,\n Object,\n ObjectId,\n ObjectType,\n OrganizationUnit,\n OriginalFilePath,\n OS,\n Owner,\n OtherCategories,\n Policy,\n ProfileEmails,\n QAdmin,\n QApp,\n QInstance,\n QOriginalFilename,\n QOriginalFilepath,\n QOriginalShared,\n QOriginalVersion,\n QuarantineFileId,\n QuarantineFileName,\n QuarantineProfile,\n QuarantineProfileId,\n ScanType,\n SharedWith,\n Site,\n SuppressionKey,\n Timestamp,\n TrafficType,\n PolicyType,\n Url,\n UrNormalized,\n User,\n UserId,\n UserKey\n};\nALert_Quarantine_View\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject7')._parserId7,'/'))))]",
- "dependsOn": [
- "[variables('parserObject7')._parserId7]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsQuarantine')]",
- "contentId": "[variables('parserObject7').parserContentId7]",
- "kind": "Parser",
- "version": "[variables('parserObject7').parserVersion7]",
- "source": {
- "name": "Netskopev2",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject7').parserContentId7]",
- "contentKind": 
"Parser", - "displayName": "Parser for AlertsQuarantine", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.0.0')))]", - "version": "[variables('parserObject7').parserVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject7')._parserName7]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsQuarantine", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsQuarantine", - "query": "let ALert_Quarantine_View = view (){\n alertsquarantinedata_CL\n | extend TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n Category = column_ifexists('Category', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', ''),\n Type = column_ifexists('Type', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n Browser = column_ifexists('browser_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', 
''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Department = column_ifexists('department_s', ''),\n DepartmentNumber = column_ifexists('departmentNumber_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileId = column_ifexists('file_id_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n Object = column_ifexists('object_s', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OriginalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n Owner = column_ifexists('owner_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileEmails = column_ifexists('profile_emails_s', ''),\n QAdmin = column_ifexists('q_admin_s', ''),\n QApp = column_ifexists('q_app_s', ''),\n QInstance = column_ifexists('q_instance_s', ''),\n QOriginalFilename = column_ifexists('q_original_filename_s', ''),\n QOriginalFilepath = column_ifexists('q_original_filepath_s', ''),\n QOriginalShared = column_ifexists('q_original_shared_s', ''),\n QOriginalVersion = column_ifexists('q_original_version_s', ''),\n QuarantineFileId = column_ifexists('quarantine_file_id_s', ''),\n QuarantineFileName = column_ifexists('quarantine_file_name_s', ''),\n QuarantineProfile = column_ifexists('quarantine_profile_s', ''),\n QuarantineProfileId = 
column_ifexists('quarantine_profile_id_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n Url = column_ifexists('url_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserKey = column_ifexists('userkey_s', '')\n | project TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n Category,\n _ResourceId,\n TimeGenerated,\n Computer,\n RawData,\n Type,\n Id,\n AccessMethod,\n Acked,\n Action,\n Alert,\n AlertName,\n AlertType,\n App,\n AppCategory,\n Browser,\n CCI,\n CCIString,\n CCL,\n Count,\n Department,\n DepartmentNumber,\n Device,\n DlpProfile,\n Exposure,\n FileId,\n FilePath,\n FileSize,\n FileType,\n FromUser,\n InstanceId,\n Manager,\n Md5,\n MimeType,\n Modified,\n Object,\n ObjectId,\n ObjectType,\n OrganizationUnit,\n OriginalFilePath,\n OS,\n Owner,\n OtherCategories,\n Policy,\n ProfileEmails,\n QAdmin,\n QApp,\n QInstance,\n QOriginalFilename,\n QOriginalFilepath,\n QOriginalShared,\n QOriginalVersion,\n QuarantineFileId,\n QuarantineFileName,\n QuarantineProfile,\n QuarantineProfileId,\n ScanType,\n SharedWith,\n Site,\n SuppressionKey,\n Timestamp,\n TrafficType,\n PolicyType,\n Url,\n UrNormalized,\n User,\n UserId,\n UserKey\n};\nALert_Quarantine_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', 
last(split(variables('parserObject7')._parserId7,'/'))))]",
- "dependsOn": [
- "[variables('parserObject7')._parserId7]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsQuarantine')]",
- "contentId": "[variables('parserObject7').parserContentId7]",
- "kind": "Parser",
- "version": "[variables('parserObject7').parserVersion7]",
- "source": {
- "kind": "Solution",
- "name": "Netskopev2",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject8').parserTemplateSpecName8]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AlertsRemediation Data Parser with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject8').parserVersion8]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject8')._parserName8]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsRemediation",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsRemediation",
- "query": "let Alerts_Remediation_View = view (){\n alertsremediationdata_CL\n | extend Category = column_ifexists('Category', ''),\n Computer = 
column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n ActionsTaken = column_ifexists('actions_taken_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n 
DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n EdrApp = column_ifexists('edr_app_s', ''),\n EndpointCount = column_ifexists('endpoint_count_d', ''),\n Endpoints = column_ifexists('endpoints_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileHits = column_ifexists('profile_hits_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n RemediationProfile = column_ifexists('remediation_profile_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = 
column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n Userip = column_ifexists('userip_s', '')\n |project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n ActionsTaken,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AllPolicyMatches,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n CCI,\n CCIString,\n CCL,\n ConnectionId,\n Count,\n DeviceClassification,\n Device,\n DlpProfile,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n EdrApp,\n EndpointCount,\n Endpoints,\n FileSize,\n FileType,\n FromUser,\n HostName,\n IncidentId,\n InstanceId,\n MalwareId,\n MalwareName,\n MalwareSeverity,\n MalwareType,\n ManagedApp,\n ManagementId,\n Md5,\n NotifyTemplate,\n Nsdeviceuid,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n PolicyId,\n Policy,\n ProfileHits,\n Protocol,\n RemediationProfile,\n RequestId,\n SanctionedInstance,\n 
Severity,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n Timestamp,\n TrafficType,\n TransactionId,\n TssMode,\n PolicyType,\n UrNormalized,\n Url,\n User,\n Userip\n};\nAlerts_Remediation_View\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]",
- "dependsOn": [
- "[variables('parserObject8')._parserId8]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsRemediation')]",
- "contentId": "[variables('parserObject8').parserContentId8]",
- "kind": "Parser",
- "version": "[variables('parserObject8').parserVersion8]",
- "source": {
- "name": "Netskopev2",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('parserObject8').parserContentId8]",
- "contentKind": "Parser",
- "displayName": "Parser for AlertsRemediation",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', 
uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.0.0')))]", - "version": "[variables('parserObject8').parserVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject8')._parserName8]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsRemediation", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsRemediation", - "query": "let Alerts_Remediation_View = view (){\n alertsremediationdata_CL\n | extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n ActionsTaken = column_ifexists('actions_taken_s', ''),\n Activity = column_ifexists('activity_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = 
column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n EdrApp = column_ifexists('edr_app_s', ''),\n EndpointCount = column_ifexists('endpoint_count_d', ''),\n Endpoints = column_ifexists('endpoints_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n MalwareId = column_ifexists('malware_id_s', ''),\n MalwareName = column_ifexists('malware_name_s', ''),\n MalwareSeverity = column_ifexists('malware_severity_s', ''),\n MalwareType = column_ifexists('malware_type_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = 
column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileHits = column_ifexists('profile_hits_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n RemediationProfile = column_ifexists('remediation_profile_s', ''),\n RequestId = column_ifexists('request_id_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n Userip = column_ifexists('userip_s', '')\n |project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Acked,\n Action,\n ActionsTaken,\n Activity,\n AlertName,\n Alert,\n AlertType,\n AllPolicyMatches,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n Browser,\n BrowserSessionId,\n CCI,\n CCIString,\n 
CCL,\n ConnectionId,\n Count,\n DeviceClassification,\n Device,\n DlpProfile,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n EdrApp,\n EndpointCount,\n Endpoints,\n FileSize,\n FileType,\n FromUser,\n HostName,\n IncidentId,\n InstanceId,\n MalwareId,\n MalwareName,\n MalwareSeverity,\n MalwareType,\n ManagedApp,\n ManagementId,\n Md5,\n NotifyTemplate,\n Nsdeviceuid,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n PolicyId,\n Policy,\n ProfileHits,\n Protocol,\n RemediationProfile,\n RequestId,\n SanctionedInstance,\n Severity,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n Timestamp,\n TrafficType,\n TransactionId,\n TssMode,\n PolicyType,\n UrNormalized,\n Url,\n User,\n Userip\n};\nAlerts_Remediation_View\n",
- "functionParameters": "",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": ""
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]",
- "dependsOn": [
- "[variables('parserObject8')._parserId8]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsRemediation')]",
- "contentId": "[variables('parserObject8').parserContentId8]",
- "kind": "Parser",
- "version": "[variables('parserObject8').parserVersion8]",
- "source": {
- "kind": "Solution",
- "name": "Netskopev2",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Netskope"
- },
- "support": {
- "name": "Netskope",
- "tier": "Partner",
- "link": "https://www.netskope.com/services#support"
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('parserObject9').parserTemplateSpecName9]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "AlertsSecurityAssessment Data Parser with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserObject9').parserVersion9]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('parserObject9')._parserName9]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Parser for AlertsSecurityAssessment",
- "category": "Microsoft Sentinel Parser",
- "functionAlias": "AlertsSecurityAssessment",
- "query": "let Alerts_Security_Assessment_View = view ( ) { \n alertssecurityassessmentdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n AccountId = 
column_ifexists('account_id_s', ''),\n AccountName = column_ifexists('account_name_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AssetId = column_ifexists('asset_id_s', ''),\n AssetObjectId = column_ifexists('asset_object_id_s', ''),\n Browser = column_ifexists('browser_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ComplianceStandards = column_ifexists('compliance_standards_s', ''),\n Count = column_ifexists('count_d', ''),\n Device = column_ifexists('device_s', ''),\n IaasAssetTags = column_ifexists('iaas_asset_tags_s', ''),\n IaasRemediated = column_ifexists('iaas_remediated_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyId = column_ifexists('policy_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n RegionId = column_ifexists('region_id_s', ''),\n RegionName = column_ifexists('region_name_s', ''),\n ResourceCategory = column_ifexists('resource_category_s', ''),\n ResourceGroup = column_ifexists('resource_group_s', ''),\n SaProfileId = column_ifexists('sa_profile_id_d', ''),\n SaProfileName = column_ifexists('sa_profile_name_s', ''),\n SaRuleId = column_ifexists('sa_rule_id_s', ''),\n SaRuleName = column_ifexists('sa_rule_name_s', ''),\n SaRuleSeverity = column_ifexists('sa_rule_severity_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Site = 
column_ifexists('site_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserKey = column_ifexists('userkey_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n AccountId,\n AccountName,\n Acked,\n Action,\n Activity,\n Alert,\n AlertName,\n AlertType,\n App,\n AppCategory,\n AssetId,\n AssetObjectId,\n Browser,\n CCI,\n CCIString,\n CCL,\n ComplianceStandards,\n Count,\n Device,\n IaasAssetTags,\n IaasRemediated,\n InstanceId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n Policy,\n PolicyId,\n PolicyType,\n RegionId,\n RegionName,\n ResourceCategory,\n ResourceGroup,\n SaProfileId,\n SaProfileName,\n SaRuleId,\n SaRuleName,\n SaRuleSeverity,\n SAMAccountName,\n Site,\n Timestamp,\n TrafficType,\n UrNormalized,\n User,\n UserKey\n};\nAlerts_Security_Assessment_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", - "dependsOn": [ - "[variables('parserObject9')._parserId9]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsSecurityAssessment')]", - "contentId": "[variables('parserObject9').parserContentId9]", - "kind": "Parser", - "version": "[variables('parserObject9').parserVersion9]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": 
"Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject9').parserContentId9]", - "contentKind": "Parser", - "displayName": "Parser for AlertsSecurityAssessment", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.0.0')))]", - "version": "[variables('parserObject9').parserVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject9')._parserName9]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsSecurityAssessment", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsSecurityAssessment", - "query": "let Alerts_Security_Assessment_View = view ( ) { \n alertssecurityassessmentdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', 
''),\n AccountId = column_ifexists('account_id_s', ''),\n AccountName = column_ifexists('account_name_s', ''),\n Acked = column_ifexists('acked_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AssetId = column_ifexists('asset_id_s', ''),\n AssetObjectId = column_ifexists('asset_object_id_s', ''),\n Browser = column_ifexists('browser_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ComplianceStandards = column_ifexists('compliance_standards_s', ''),\n Count = column_ifexists('count_d', ''),\n Device = column_ifexists('device_s', ''),\n IaasAssetTags = column_ifexists('iaas_asset_tags_s', ''),\n IaasRemediated = column_ifexists('iaas_remediated_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyId = column_ifexists('policy_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n RegionId = column_ifexists('region_id_s', ''),\n RegionName = column_ifexists('region_name_s', ''),\n ResourceCategory = column_ifexists('resource_category_s', ''),\n ResourceGroup = column_ifexists('resource_group_s', ''),\n SaProfileId = column_ifexists('sa_profile_id_d', ''),\n SaProfileName = column_ifexists('sa_profile_name_s', ''),\n SaRuleId = column_ifexists('sa_rule_id_s', ''),\n SaRuleName = column_ifexists('sa_rule_name_s', ''),\n SaRuleSeverity = column_ifexists('sa_rule_severity_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Site = 
column_ifexists('site_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n UserKey = column_ifexists('userkey_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n AccountId,\n AccountName,\n Acked,\n Action,\n Activity,\n Alert,\n AlertName,\n AlertType,\n App,\n AppCategory,\n AssetId,\n AssetObjectId,\n Browser,\n CCI,\n CCIString,\n CCL,\n ComplianceStandards,\n Count,\n Device,\n IaasAssetTags,\n IaasRemediated,\n InstanceId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n Policy,\n PolicyId,\n PolicyType,\n RegionId,\n RegionName,\n ResourceCategory,\n ResourceGroup,\n SaProfileId,\n SaProfileName,\n SaRuleId,\n SaRuleName,\n SaRuleSeverity,\n SAMAccountName,\n Site,\n Timestamp,\n TrafficType,\n UrNormalized,\n User,\n UserKey\n};\nAlerts_Security_Assessment_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", - "dependsOn": [ - "[variables('parserObject9')._parserId9]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsSecurityAssessment')]", - "contentId": "[variables('parserObject9').parserContentId9]", - "kind": "Parser", - "version": "[variables('parserObject9').parserVersion9]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - 
"name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject10').parserTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "AlertsUba Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject10').parserVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject10')._parserName10]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for AlertsUba", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsUba", - "query": "let Alerts_Uda_view = view (){\n alertsubadata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n AccountType = column_ifexists('AccountType_s', ''),\n UserSPACEId = column_ifexists('User_SPACE_Id_s', ''),\n 
UserSPACEName = column_ifexists('User_SPACE_Name_s', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n ActivityStatus = column_ifexists('activity_status_s', ''),\n AlertId = column_ifexists('alert_id_g', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n AnomalyType = column_ifexists('anomaly_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n AppCategory_ = column_ifexists('app_category_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n AuditCategory = column_ifexists('audit_category_s', ''),\n AuditType = column_ifexists('audit_type_s', ''),\n BinTimestamp = column_ifexists('bin_timestamp_d', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CreatedTime = column_ifexists('createdTime_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n DownloadApp = column_ifexists('download_app_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n 
DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n EmployeeType = column_ifexists('employeeType_s', ''),\n EventType = column_ifexists('event_type_s', ''),\n EventSourceChannel = column_ifexists('evt_src_chnl_s', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUserCategory = column_ifexists('from_user_category_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Group = column_ifexists('group_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n LastApp = column_ifexists('last_app_s', ''),\n LastCountry = column_ifexists('last_country_s', ''),\n LastDevice = column_ifexists('last_device_s', ''),\n LastLocation = column_ifexists('last_location_s', ''),\n LastRegion = column_ifexists('last_region_s', ''),\n LastTimestamp = column_ifexists('last_timestamp_d', ''),\n LoginType = column_ifexists('logintype_s', ''),\n LoginUrl = column_ifexists('loginurl_s', ''),\n Mail = column_ifexists('mail_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n NetskopeActivity = column_ifexists('netskope_activity_s', ''),\n ObjectCount = column_ifexists('object_count_d', ''),\n ObjectId = column_ifexists('object_id_g', ''),\n Object = column_ifexists('object_s', ''),\n 
ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyActions = column_ifexists('policy_actions_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n PolicyName = column_ifexists('policy_name_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileId = column_ifexists('profile_id_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_d', ''),\n RiskLevelId = column_ifexists('risk_level_id_d', ''),\n RiskLevel = column_ifexists('risk_level_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n Scopes = column_ifexists('scopes_s', ''),\n Score = column_ifexists('score_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SharedCredentialUser = column_ifexists('shared_credential_user_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Surhn = column_ifexists('surhn_s', ''),\n TelemetryApp = 
column_ifexists('telemetry_app_s', ''),\n Threshold = column_ifexists('threshold_d', ''),\n ThresholdTime = column_ifexists('threshold_time_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n ToObject = column_ifexists('to_object_s', ''),\n ToUserCategory = column_ifexists('to_user_category_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TssFailReason = column_ifexists('tss_fail_reason_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n TssScanFailed = column_ifexists('tss_scan_failed_s', ''),\n TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UbaAp1 = column_ifexists('uba_ap1_s', ''),\n UbaAp2 = column_ifexists('uba_ap2_s', ''),\n UbaInst1 = column_ifexists('uba_inst1_s', ''),\n UbaInst2 = column_ifexists('uba_inst2_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserCountry = column_ifexists('user_category_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserName = column_ifexists('user_name_s', ''),\n UserRole = column_ifexists('user_role_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),\n WindowId = column_ifexists('windowId_d', '') \n | project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n TssScan,\n AccountType,\n UserSPACEId,\n UserSPACEName,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n ActivityStatus,\n AlertId,\n AlertName,\n Alert,\n AlertType,\n AllPolicyMatches,\n AnomalyType,\n AppActivity,\n AppCategory_,\n App,\n 
AppSessionId,\n AppCategory,\n AppSuite,\n AuditCategory,\n AuditType,\n BinTimestamp,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCL,\n ConnectionId,\n Count,\n CreatedTime,\n DeviceClassification,\n Device,\n DisplayName,\n DistinguishedName,\n Division,\n DownloadApp,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n EmployeeType,\n EventType,\n EventSourceChannel,\n FileCategory,\n FileSize,\n FileType,\n FromUserCategory,\n FromUser,\n Group,\n HostName,\n IncidentId,\n InstanceId,\n LastApp,\n LastCountry,\n LastDevice,\n LastLocation,\n LastRegion,\n LastTimestamp,\n LoginType,\n LoginUrl,\n Mail,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n NetskopeActivity,\n ObjectCount,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n ParentId,\n PolicyActions,\n PolicyId,\n PolicyName,\n Policy,\n ProfileId,\n Protocol,\n Referer,\n RequestId,\n RiskLevelId,\n RiskLevel,\n SAMAccountName,\n SanctionedInstance,\n Scopes,\n Score,\n Severity,\n SharedCredentialUser,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionStartTime,\n Surhn,\n TelemetryApp,\n Threshold,\n ThresholdTime,\n Timestamp,\n ToObject,\n ToUserCategory,\n ToUser,\n TrafficType,\n TransactionId,\n TssFailReason,\n TssMode,\n TssScanFailed,\n TwoFactorAuth,\n PolicyType,\n UbaAp1,\n UbaAp2,\n UbaInst1,\n UbaInst2,\n UrNormalized,\n Url,\n UserPrincipalName,\n UserCountry,\n UserId,\n UserName,\n UserRole,\n User,\n Useragent,\n UserIp,\n Userkey,\n WebUniversalConnector,\n WindowId\n};\nAlerts_Uda_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - 
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", - "dependsOn": [ - "[variables('parserObject10')._parserId10]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsUba')]", - "contentId": "[variables('parserObject10').parserContentId10]", - "kind": "Parser", - "version": "[variables('parserObject10').parserVersion10]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject10').parserContentId10]", - "contentKind": "Parser", - "displayName": "Parser for AlertsUba", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.0.0')))]", - "version": "[variables('parserObject10').parserVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject10')._parserName10]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for 
AlertsUba", - "category": "Microsoft Sentinel Parser", - "functionAlias": "AlertsUba", - "query": "let Alerts_Uda_view = view (){\n alertsubadata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TssScan = column_ifexists('TSS_scan_s', ''),\n AccountType = column_ifexists('AccountType_s', ''),\n UserSPACEId = column_ifexists('User_SPACE_Id_s', ''),\n UserSPACEName = column_ifexists('User_SPACE_Name_s', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Acked = column_ifexists('acked_s', ''),\n ActUser = column_ifexists('act_user_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n ActivityStatus = column_ifexists('activity_status_s', ''),\n AlertId = column_ifexists('alert_id_g', ''),\n AlertName = column_ifexists('alert_name_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AllPolicyMatches = column_ifexists('all_policy_matches_s', ''),\n AnomalyType = column_ifexists('anomaly_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n AppCategory_ = column_ifexists('app_category_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n AuditCategory = column_ifexists('audit_category_s', ''),\n AuditType = column_ifexists('audit_type_s', ''),\n BinTimestamp = column_ifexists('bin_timestamp_d', ''),\n Browser = 
column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CreatedTime = column_ifexists('createdTime_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DisplayName = column_ifexists('displayName_s', ''),\n DistinguishedName = column_ifexists('distinguishedName_s', ''),\n Division = column_ifexists('division_s', ''),\n DownloadApp = column_ifexists('download_app_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n EmployeeType = column_ifexists('employeeType_s', ''),\n EventType = column_ifexists('event_type_s', ''),\n EventSourceChannel = column_ifexists('evt_src_chnl_s', ''),\n FileCategory = column_ifexists('file_category_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUserCategory = column_ifexists('from_user_category_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Group = column_ifexists('group_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n LastApp = column_ifexists('last_app_s', ''),\n LastCountry = 
column_ifexists('last_country_s', ''),\n LastDevice = column_ifexists('last_device_s', ''),\n LastLocation = column_ifexists('last_location_s', ''),\n LastRegion = column_ifexists('last_region_s', ''),\n LastTimestamp = column_ifexists('last_timestamp_d', ''),\n LoginType = column_ifexists('logintype_s', ''),\n LoginUrl = column_ifexists('loginurl_s', ''),\n Mail = column_ifexists('mail_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Manager = column_ifexists('manager_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n NetskopeActivity = column_ifexists('netskope_activity_s', ''),\n ObjectCount = column_ifexists('object_count_d', ''),\n ObjectId = column_ifexists('object_id_g', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyActions = column_ifexists('policy_actions_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n PolicyName = column_ifexists('policy_name_s', ''),\n Policy = column_ifexists('policy_s', ''),\n ProfileId = column_ifexists('profile_id_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n RequestId = column_ifexists('request_id_d', ''),\n RiskLevelId = column_ifexists('risk_level_id_d', ''),\n RiskLevel = column_ifexists('risk_level_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SanctionedInstance = column_ifexists('sanctioned_instance_s', ''),\n Scopes = column_ifexists('scopes_s', ''),\n Score = column_ifexists('score_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SharedCredentialUser = column_ifexists('shared_credential_user_s', ''),\n Site 
= column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Surhn = column_ifexists('surhn_s', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n Threshold = column_ifexists('threshold_d', ''),\n ThresholdTime = column_ifexists('threshold_time_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n ToObject = column_ifexists('to_object_s', ''),\n ToUserCategory = column_ifexists('to_user_category_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TssFailReason = column_ifexists('tss_fail_reason_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n TssScanFailed = column_ifexists('tss_scan_failed_s', ''),\n TwoFactorAuth = column_ifexists('two_factor_auth_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UbaAp1 = column_ifexists('uba_ap1_s', ''),\n UbaAp2 = column_ifexists('uba_ap2_s', ''),\n UbaInst1 = column_ifexists('uba_inst1_s', ''),\n UbaInst2 = column_ifexists('uba_inst2_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserCountry = column_ifexists('user_category_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n UserName = 
column_ifexists('user_name_s', ''),\n UserRole = column_ifexists('user_role_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),\n WindowId = column_ifexists('windowId_d', '') \n | project Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n TssScan,\n AccountType,\n UserSPACEId,\n UserSPACEName,\n Id,\n AccessMethod,\n Acked,\n ActUser,\n Action,\n Activity,\n ActivityStatus,\n AlertId,\n AlertName,\n Alert,\n AlertType,\n AllPolicyMatches,\n AnomalyType,\n AppActivity,\n AppCategory_,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n AuditCategory,\n AuditType,\n BinTimestamp,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCL,\n ConnectionId,\n Count,\n CreatedTime,\n DeviceClassification,\n Device,\n DisplayName,\n DistinguishedName,\n Division,\n DownloadApp,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n EmployeeType,\n EventType,\n EventSourceChannel,\n FileCategory,\n FileSize,\n FileType,\n FromUserCategory,\n FromUser,\n Group,\n HostName,\n IncidentId,\n InstanceId,\n LastApp,\n LastCountry,\n LastDevice,\n LastLocation,\n LastRegion,\n LastTimestamp,\n LoginType,\n LoginUrl,\n Mail,\n ManagedApp,\n ManagementId,\n Manager,\n Md5,\n NetskopeActivity,\n ObjectCount,\n ObjectId,\n Object,\n ObjectType,\n OrganizationUnit,\n OS,\n OsVersion,\n Page,\n PageSite,\n ParentId,\n PolicyActions,\n PolicyId,\n PolicyName,\n Policy,\n ProfileId,\n Protocol,\n Referer,\n RequestId,\n RiskLevelId,\n RiskLevel,\n SAMAccountName,\n SanctionedInstance,\n Scopes,\n Score,\n Severity,\n SharedCredentialUser,\n Site,\n 
SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionStartTime,\n Surhn,\n TelemetryApp,\n Threshold,\n ThresholdTime,\n Timestamp,\n ToObject,\n ToUserCategory,\n ToUser,\n TrafficType,\n TransactionId,\n TssFailReason,\n TssMode,\n TssScanFailed,\n TwoFactorAuth,\n PolicyType,\n UbaAp1,\n UbaAp2,\n UbaInst1,\n UbaInst2,\n UrNormalized,\n Url,\n UserPrincipalName,\n UserCountry,\n UserId,\n UserName,\n UserRole,\n User,\n Useragent,\n UserIp,\n Userkey,\n WebUniversalConnector,\n WindowId\n};\nAlerts_Uda_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", - "dependsOn": [ - "[variables('parserObject10')._parserId10]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AlertsUba')]", - "contentId": "[variables('parserObject10').parserContentId10]", - "kind": "Parser", - "version": "[variables('parserObject10').parserVersion10]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject11').parserTemplateSpecName11]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventIncident Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject11').parserVersion11]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject11')._parserName11]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventIncident", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventIncident", - "query": "let Event_Incidents_View = view (){\n eventsincidentdata_CL\n | extend \n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n ActingUser = column_ifexists('acting_user_s', ''),\n Activity = column_ifexists('activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n Assignee = column_ifexists('assignee_s', ''),\n BCC = column_ifexists('bcc_s', ''),\n CC = column_ifexists('cc_s', ''),\n Channel = column_ifexists('channel_s', ''),\n Classification = column_ifexists('classification_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n 
DestinationApp = column_ifexists('destination_app_s', ''),\n DestinationInstanceId = column_ifexists('destination_instance_id_s', ''),\n DestinationSite = column_ifexists('destination_site_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpMatchInfo = column_ifexists('dlp_match_info_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n InlineDlpMatchInfo = column_ifexists('inline_dlp_match_info_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LatestIncidentId = column_ifexists('latest_incident_id_d', ''),\n Md5 = column_ifexists('md5_g', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OriginalFileSnapshotId = column_ifexists('original_file_snapshot_id_s', ''),\n OwnerPdl = column_ifexists('owner_pdl_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Referer = column_ifexists('referer_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SrcLocation = column_ifexists('src_location_s', ''),\n Status = column_ifexists('status_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TrueObjCategory = column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n Url = column_ifexists('url_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n ZipFileId = 
column_ifexists('zip_file_id_s', '')\n | project Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n ActingUser,\n Activity,\n App,\n AppSessionId,\n Assignee,\n BCC,\n CC,\n Channel,\n Classification,\n ConnectionId,\n DestinationApp,\n DestinationInstanceId,\n DestinationSite,\n DlpFile,\n DlpIncidentId,\n DlpMatchInfo,\n DlpParentId,\n DestinationLocation,\n Exposure,\n FileLang,\n FilePath,\n FileSize,\n FileType,\n FromUser,\n InlineDlpMatchInfo,\n InstanceId,\n Instance,\n LatestIncidentId,\n Md5,\n ObjectId,\n Object,\n ObjectType,\n OriginalFileSnapshotId,\n OwnerPdl,\n Owner,\n Referer,\n Severity,\n Site,\n SrcLocation,\n Status,\n Timestamp,\n Title,\n ToUser,\n TrueObjCategory,\n TrueObjType,\n Url,\n UserId,\n User,\n ZipFileId\n};\nEvent_Incidents_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", - "dependsOn": [ - "[variables('parserObject11')._parserId11]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventIncident')]", - "contentId": "[variables('parserObject11').parserContentId11]", - "kind": "Parser", - "version": "[variables('parserObject11').parserVersion11]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - 
"packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject11').parserContentId11]", - "contentKind": "Parser", - "displayName": "Parser for EventIncident", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.0.0')))]", - "version": "[variables('parserObject11').parserVersion11]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject11')._parserName11]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventIncident", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventIncident", - "query": "let Event_Incidents_View = view (){\n eventsincidentdata_CL\n | extend \n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n ActingUser = column_ifexists('acting_user_s', ''),\n Activity = column_ifexists('activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n Assignee = column_ifexists('assignee_s', ''),\n BCC = 
column_ifexists('bcc_s', ''),\n CC = column_ifexists('cc_s', ''),\n Channel = column_ifexists('channel_s', ''),\n Classification = column_ifexists('classification_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n DestinationApp = column_ifexists('destination_app_s', ''),\n DestinationInstanceId = column_ifexists('destination_instance_id_s', ''),\n DestinationSite = column_ifexists('destination_site_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpMatchInfo = column_ifexists('dlp_match_info_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n InlineDlpMatchInfo = column_ifexists('inline_dlp_match_info_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n LatestIncidentId = column_ifexists('latest_incident_id_d', ''),\n Md5 = column_ifexists('md5_g', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n OriginalFileSnapshotId = column_ifexists('original_file_snapshot_id_s', ''),\n OwnerPdl = column_ifexists('owner_pdl_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Referer = column_ifexists('referer_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SrcLocation = column_ifexists('src_location_s', ''),\n Status = column_ifexists('status_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TrueObjCategory = 
column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n Url = column_ifexists('url_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n ZipFileId = column_ifexists('zip_file_id_s', '')\n | project Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n ActingUser,\n Activity,\n App,\n AppSessionId,\n Assignee,\n BCC,\n CC,\n Channel,\n Classification,\n ConnectionId,\n DestinationApp,\n DestinationInstanceId,\n DestinationSite,\n DlpFile,\n DlpIncidentId,\n DlpMatchInfo,\n DlpParentId,\n DestinationLocation,\n Exposure,\n FileLang,\n FilePath,\n FileSize,\n FileType,\n FromUser,\n InlineDlpMatchInfo,\n InstanceId,\n Instance,\n LatestIncidentId,\n Md5,\n ObjectId,\n Object,\n ObjectType,\n OriginalFileSnapshotId,\n OwnerPdl,\n Owner,\n Referer,\n Severity,\n Site,\n SrcLocation,\n Status,\n Timestamp,\n Title,\n ToUser,\n TrueObjCategory,\n TrueObjType,\n Url,\n UserId,\n User,\n ZipFileId\n};\nEvent_Incidents_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", - "dependsOn": [ - "[variables('parserObject11')._parserId11]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventIncident')]", - "contentId": "[variables('parserObject11').parserContentId11]", - "kind": "Parser", - "version": "[variables('parserObject11').parserVersion11]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": 
"[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject12').parserTemplateSpecName12]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventsApplication Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject12').parserVersion12]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject12')._parserName12]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsApplication", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsApplication", - "query": "let Event_Application_View = view (){\n eventsapplicationdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = 
column_ifexists('access_method_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n audit_category = column_ifexists('audit_category_s', ''),\n audit_type = column_ifexists('audit_type_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ChannelId = column_ifexists('channel_id_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CononicalName = column_ifexists('CononicalName_s', ''),\n Custom_Connector = column_ifexists('custom_connector_s', ''),\n DataCenter = column_ifexists('data_center_s', ''),\n DataType = column_ifexists('data_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),\n DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DlpRule = column_ifexists('dlp_rule_s', ''),\n DlpRuleCount = column_ifexists('dlp_rule_count_d', ''),\n DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', 
''),\n DlpUniquwCount = column_ifexists('dlp_unique_count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUserCategory = column_ifexists('from_user_category_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n InternalCollaboratorCount = column_ifexists('internal_collaborator_count_d', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n LoginType = column_ifexists('logintype_s', ''),\n LoginUrl = column_ifexists('loginurl_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n NetskopeActivity = column_ifexists('netskope_activity_s', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', 
''),\n Numbytes = column_ifexists('numbytes_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n ReqCnt = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RespCnt = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n sanctioned_instance = column_ifexists('sanctioned_instance_s', ''),\n ScanType = column_ifexists('scan_type_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA256 = column_ifexists('sha256_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = 
column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueObjCategory = column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n UserCategory = column_ifexists('user_category_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),\n WorkspaceId = column_ifexists('workspace_id_s', ''),\n Workspace = column_ifexists('workspace_s', '')\n |project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Action,\n Activity,\n Alert,\n AlertType,\n AppActivity,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n audit_category,\n audit_type,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n 
CCI,\n CCIString,\n CCL,\n ChannelId,\n ClientBytes,\n ConnDuration,\n ConnectionId,\n Count,\n CononicalName,\n Custom_Connector,\n DataCenter,\n DataType,\n DeviceClassification,\n Device,\n DlpFile,\n DlpIncidentId,\n DlpIsUniqueCount,\n DlpMailParentId,\n DlpParentId,\n DlpProfile,\n DlpRule,\n DlpRuleCount,\n DlpRuleSeverity,\n DlpUniquwCount,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n Exposure,\n FileLang,\n FilePath,\n FileSize,\n FileType,\n FromUserCategory,\n FromUser,\n Fromlogs,\n HostName,\n InstanceId,\n Instance,\n InternalCollaboratorCount,\n LogFileName,\n LoginType,\n LoginUrl,\n ManagedApp,\n ManagementId,\n Md5,\n MimeType,\n Modified,\n NetskopeActivity,\n NetskopePop,\n NotifyTemplate,\n Nsdeviceuid,\n Numbytes,\n ObjectId,\n Object,\n ObjectType,\n Org,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OtherCategories,\n Owner,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n Protocol,\n Referer,\n ReqCnt,\n RequestId,\n RespCnt,\n SAMAccountName,\n sanctioned_instance,\n ScanType,\n Serial,\n ServerBytes,\n SessionId,\n Severity,\n SHA256,\n SharedWith,\n Site,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionKey,\n SuppressionStartTime,\n TelemetryApp,\n Timestamp,\n Title,\n ToUser,\n TotalCollaboratorCount,\n TrafficType,\n TransactionId,\n TrueObjCategory,\n TrueObjType,\n TssMode,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n UserPrincipalName,\n UserCategory,\n UserId,\n User,\n Useragent,\n UserIp,\n Userkey,\n WebUniversalConnector,\n WorkspaceId,\n Workspace\n};\nEvent_Application_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - 
{ - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject12')._parserId12,'/'))))]", - "dependsOn": [ - "[variables('parserObject12')._parserId12]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsApplication')]", - "contentId": "[variables('parserObject12').parserContentId12]", - "kind": "Parser", - "version": "[variables('parserObject12').parserVersion12]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject12').parserContentId12]", - "contentKind": "Parser", - "displayName": "Parser for EventsApplication", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject12').parserContentId12,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject12').parserContentId12,'-', '1.0.0')))]", - "version": "[variables('parserObject12').parserVersion12]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject12')._parserName12]", - "location": 
"[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsApplication", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsApplication", - "query": "let Event_Application_View = view (){\n eventsapplicationdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Action = column_ifexists('action_s', ''),\n Activity = column_ifexists('activity_s', ''),\n Alert = column_ifexists('alert_s', ''),\n AlertType = column_ifexists('alert_type_s', ''),\n AppActivity = column_ifexists('app_activity_s', ''),\n App = column_ifexists('app_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSuite = column_ifexists('appsuite_s', ''),\n audit_category = column_ifexists('audit_category_s', ''),\n audit_type = column_ifexists('audit_type_s', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ChannelId = column_ifexists('channel_id_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n CononicalName = 
column_ifexists('CononicalName_s', ''),\n Custom_Connector = column_ifexists('custom_connector_s', ''),\n DataCenter = column_ifexists('data_center_s', ''),\n DataType = column_ifexists('data_type_s', ''),\n DeviceClassification = column_ifexists('device_classification_s', ''),\n Device = column_ifexists('device_s', ''),\n DlpFile = column_ifexists('dlp_file_s', ''),\n DlpIncidentId = column_ifexists('dlp_incident_id_d', ''),\n DlpIsUniqueCount = column_ifexists('dlp_is_unique_count_s', ''),\n DlpMailParentId = column_ifexists('dlp_mail_parent_id_s', ''),\n DlpParentId = column_ifexists('dlp_parent_id_d', ''),\n DlpProfile = column_ifexists('dlp_profile_s', ''),\n DlpRule = column_ifexists('dlp_rule_s', ''),\n DlpRuleCount = column_ifexists('dlp_rule_count_d', ''),\n DlpRuleSeverity = column_ifexists('dlp_rule_severity_s', ''),\n DlpUniquwCount = column_ifexists('dlp_unique_count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n Exposure = column_ifexists('exposure_s', ''),\n FileLang = column_ifexists('file_lang_s', ''),\n FilePath = column_ifexists('file_path_s', ''),\n FileSize = column_ifexists('file_size_d', ''),\n FileType = column_ifexists('file_type_s', ''),\n FromUserCategory = column_ifexists('from_user_category_s', ''),\n FromUser = column_ifexists('from_user_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', ''),\n HostName = 
column_ifexists('hostname_s', ''),\n InstanceId = column_ifexists('instance_id_s', ''),\n Instance = column_ifexists('instance_s', ''),\n InternalCollaboratorCount = column_ifexists('internal_collaborator_count_d', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n LoginType = column_ifexists('logintype_s', ''),\n LoginUrl = column_ifexists('loginurl_s', ''),\n ManagedApp = column_ifexists('managed_app_s', ''),\n ManagementId = column_ifexists('managementID_s', ''),\n Md5 = column_ifexists('md5_g', ''),\n MimeType = column_ifexists('mime_type_s', ''),\n Modified = column_ifexists('modified_d', ''),\n NetskopeActivity = column_ifexists('netskope_activity_s', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n NotifyTemplate = column_ifexists('notify_template_s', ''),\n Nsdeviceuid = column_ifexists('nsdeviceuid_s', ''),\n Numbytes = column_ifexists('numbytes_d', ''),\n ObjectId = column_ifexists('object_id_s', ''),\n Object = column_ifexists('object_s', ''),\n ObjectType = column_ifexists('object_type_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OrignalFilePath = column_ifexists('orignal_file_path_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Owner = column_ifexists('owner_s', ''),\n Page = column_ifexists('page_s', ''),\n PageSite = column_ifexists('page_site_s', ''),\n ParentId = column_ifexists('parent_id_s', ''),\n PolicyId = column_ifexists('policy_id_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n Referer = column_ifexists('referer_s', ''),\n ReqCnt = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_s', ''),\n RespCnt = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n sanctioned_instance = column_ifexists('sanctioned_instance_s', 
''),\n ScanType = column_ifexists('scan_type_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n SHA256 = column_ifexists('sha256_s', ''),\n SharedWith = column_ifexists('shared_with_s', ''),\n Site = column_ifexists('site_s', ''),\n SmtpTo = column_ifexists('smtp_to_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionKey = column_ifexists('suppression_key_s', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n TelemetryApp = column_ifexists('telemetry_app_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n Title = column_ifexists('title_s', ''),\n ToUser = column_ifexists('to_user_s', ''),\n TotalCollaboratorCount = column_ifexists('total_collaborator_count_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n TrueObjCategory = column_ifexists('true_obj_category_s', ''),\n TrueObjType = column_ifexists('true_obj_type_s', ''),\n TssMode = column_ifexists('tss_mode_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n UniversalConnector = column_ifexists('universal_connector_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n UserPrincipalName = 
column_ifexists('userPrincipalName_s', ''),\n UserCategory = column_ifexists('user_category_s', ''),\n UserId = column_ifexists('user_id_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n WebUniversalConnector = column_ifexists('web_universal_connector_s', ''),\n WorkspaceId = column_ifexists('workspace_id_s', ''),\n Workspace = column_ifexists('workspace_s', '')\n |project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Action,\n Activity,\n Alert,\n AlertType,\n AppActivity,\n App,\n AppSessionId,\n AppCategory,\n AppSuite,\n audit_category,\n audit_type,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n CCI,\n CCIString,\n CCL,\n ChannelId,\n ClientBytes,\n ConnDuration,\n ConnectionId,\n Count,\n CononicalName,\n Custom_Connector,\n DataCenter,\n DataType,\n DeviceClassification,\n Device,\n DlpFile,\n DlpIncidentId,\n DlpIsUniqueCount,\n DlpMailParentId,\n DlpParentId,\n DlpProfile,\n DlpRule,\n DlpRuleCount,\n DlpRuleSeverity,\n DlpUniquwCount,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n Exposure,\n FileLang,\n FilePath,\n FileSize,\n FileType,\n FromUserCategory,\n FromUser,\n Fromlogs,\n HostName,\n InstanceId,\n Instance,\n InternalCollaboratorCount,\n LogFileName,\n LoginType,\n LoginUrl,\n ManagedApp,\n ManagementId,\n Md5,\n MimeType,\n Modified,\n NetskopeActivity,\n NetskopePop,\n NotifyTemplate,\n Nsdeviceuid,\n Numbytes,\n ObjectId,\n Object,\n ObjectType,\n Org,\n OrganizationUnit,\n OrignalFilePath,\n OS,\n OsVersion,\n OtherCategories,\n Owner,\n Page,\n PageSite,\n ParentId,\n PolicyId,\n Policy,\n 
Protocol,\n Referer,\n ReqCnt,\n RequestId,\n RespCnt,\n SAMAccountName,\n sanctioned_instance,\n ScanType,\n Serial,\n ServerBytes,\n SessionId,\n Severity,\n SHA256,\n SharedWith,\n Site,\n SmtpTo,\n SourceCountry,\n SourceGeoIpSrc,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SuppressionEndTime,\n SuppressionKey,\n SuppressionStartTime,\n TelemetryApp,\n Timestamp,\n Title,\n ToUser,\n TotalCollaboratorCount,\n TrafficType,\n TransactionId,\n TrueObjCategory,\n TrueObjType,\n TssMode,\n PolicyType,\n UniversalConnector,\n UrNormalized,\n Url,\n UserPrincipalName,\n UserCategory,\n UserId,\n User,\n Useragent,\n UserIp,\n Userkey,\n WebUniversalConnector,\n WorkspaceId,\n Workspace\n};\nEvent_Application_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject12')._parserId12,'/'))))]", - "dependsOn": [ - "[variables('parserObject12')._parserId12]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsApplication')]", - "contentId": "[variables('parserObject12').parserContentId12]", - "kind": "Parser", - "version": "[variables('parserObject12').parserVersion12]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": 
"2023-04-01-preview", - "name": "[variables('parserObject13').parserTemplateSpecName13]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventsAudit Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject13').parserVersion13]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject13')._parserName13]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsAudit", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsAudit", - "query": "let Event_Audit_View = view (){\n eventsauditdata_CL\n | extend \n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AuditLogEvent = column_ifexists('audit_log_event_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Details = column_ifexists('details_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SeverityLevel = column_ifexists('severity_level_d', ''),\n SupportingData_DataType = 
column_ifexists('supporting_data_data_type_s', ''),\n SupportingData_DataValues = column_ifexists('supporting_data_data_values_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n User = column_ifexists('user_s', '')\n | project \n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AuditLogEvent,\n CCL,\n Count,\n Details,\n OrganizationUnit,\n SAMAccountName,\n SeverityLevel,\n SupportingData_DataType,\n SupportingData_DataValues,\n Timestamp,\n PolicyType,\n UrNormalized,\n UserPrincipalName,\n User\n};\nEvent_Audit_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject13')._parserId13,'/'))))]", - "dependsOn": [ - "[variables('parserObject13')._parserId13]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsAudit')]", - "contentId": "[variables('parserObject13').parserContentId13]", - "kind": "Parser", - "version": "[variables('parserObject13').parserVersion13]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - 
"contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject13').parserContentId13]", - "contentKind": "Parser", - "displayName": "Parser for EventsAudit", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject13').parserContentId13,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject13').parserContentId13,'-', '1.0.0')))]", - "version": "[variables('parserObject13').parserVersion13]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject13')._parserName13]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsAudit", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsAudit", - "query": "let Event_Audit_View = view (){\n eventsauditdata_CL\n | extend \n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AuditLogEvent = column_ifexists('audit_log_event_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n Count = column_ifexists('count_d', ''),\n Details = column_ifexists('details_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n SeverityLevel = column_ifexists('severity_level_d', ''),\n SupportingData_DataType = column_ifexists('supporting_data_data_type_s', 
''),\n SupportingData_DataValues = column_ifexists('supporting_data_data_values_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', ''),\n User = column_ifexists('user_s', '')\n | project \n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AuditLogEvent,\n CCL,\n Count,\n Details,\n OrganizationUnit,\n SAMAccountName,\n SeverityLevel,\n SupportingData_DataType,\n SupportingData_DataValues,\n Timestamp,\n PolicyType,\n UrNormalized,\n UserPrincipalName,\n User\n};\nEvent_Audit_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject13')._parserId13,'/'))))]", - "dependsOn": [ - "[variables('parserObject13')._parserId13]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsAudit')]", - "contentId": "[variables('parserObject13').parserContentId13]", - "kind": "Parser", - "version": "[variables('parserObject13').parserVersion13]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": 
"[variables('parserObject14').parserTemplateSpecName14]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventsConnection Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject14').parserVersion14]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject14')._parserName14]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsConnection", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsConnection", - "query": "let Events_Connection_view = view(){\neventsconnectiondata_CL\n| extend Category = column_ifexists('Category', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n BypassReason = column_ifexists('bypass_reason_s', ''),\n BypassTraffic = 
column_ifexists('bypass_traffic_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n Domain = column_ifexists('domain_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n RequestId = column_ifexists('request_id_d', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SslDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url 
= column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n UserGenerated = column_ifexists('user_generated_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', '')\n |project Category,\n Type,\n _ResourceId,\n TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n TimeGenerated,\n Computer,\n RawData,\n SuppressionEndTime,\n SuppressionStartTime,\n Id,\n AccessMethod,\n App,\n AppCategory,\n BypassReason,\n BypassTraffic,\n CCI,\n CCL,\n ConnectionId,\n Count,\n Domain,\n DestinationCountry,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n DestinationPort,\n IncidentId,\n NetskopePop,\n OrganizationUnit,\n OtherCategories,\n Page,\n RequestId,\n Site,\n SourceCountry,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SslDecryptPolicy,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n UrNormalized,\n Url,\n User,\n UserGenerated,\n UserIp,\n Userkey\n};\nEvents_Connection_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject14')._parserId14,'/'))))]", - "dependsOn": [ - "[variables('parserObject14')._parserId14]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsConnection')]", - "contentId": "[variables('parserObject14').parserContentId14]", - "kind": "Parser", - "version": "[variables('parserObject14').parserVersion14]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": 
"[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject14').parserContentId14]", - "contentKind": "Parser", - "displayName": "Parser for EventsConnection", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject14').parserContentId14,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject14').parserContentId14,'-', '1.0.0')))]", - "version": "[variables('parserObject14').parserVersion14]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject14')._parserName14]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsConnection", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsConnection", - "query": "let Events_Connection_view = view(){\neventsconnectiondata_CL\n| extend Category = column_ifexists('Category', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n TenantId = column_ifexists('TenantId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n TimeGenerated = column_ifexists('TimeGenerated [UTC]', ''),\n Computer = column_ifexists('Computer', ''),\n RawData = column_ifexists('RawData', ''),\n SuppressionEndTime = 
column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n BypassReason = column_ifexists('bypass_reason_s', ''),\n BypassTraffic = column_ifexists('bypass_traffic_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n Count = column_ifexists('count_d', ''),\n Domain = column_ifexists('domain_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n IncidentId = column_ifexists('incident_id_d', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n RequestId = column_ifexists('request_id_d', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n 
SourceIp = column_ifexists('srcip_s', ''),\n SslDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n Url = column_ifexists('url_s', ''),\n User = column_ifexists('user_s', ''),\n UserGenerated = column_ifexists('user_generated_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', '')\n |project Category,\n Type,\n _ResourceId,\n TenantId,\n SourceSystem,\n MG,\n ManagementGroupName,\n TimeGenerated,\n Computer,\n RawData,\n SuppressionEndTime,\n SuppressionStartTime,\n Id,\n AccessMethod,\n App,\n AppCategory,\n BypassReason,\n BypassTraffic,\n CCI,\n CCL,\n ConnectionId,\n Count,\n Domain,\n DestinationCountry,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n DestinationIp,\n DestinationPort,\n IncidentId,\n NetskopePop,\n OrganizationUnit,\n OtherCategories,\n Page,\n RequestId,\n Site,\n SourceCountry,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SourceIp,\n SslDecryptPolicy,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n UrNormalized,\n Url,\n User,\n UserGenerated,\n UserIp,\n Userkey\n};\nEvents_Connection_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject14')._parserId14,'/'))))]", - "dependsOn": [ - 
"[variables('parserObject14')._parserId14]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsConnection')]", - "contentId": "[variables('parserObject14').parserContentId14]", - "kind": "Parser", - "version": "[variables('parserObject14').parserVersion14]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject15').parserTemplateSpecName15]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventsNetwork Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject15').parserVersion15]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject15')._parserName15]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsNetwork", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsNetwork", - "query": "let Events_Network_View = view () { \n eventsnetworkdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = 
column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Action = column_ifexists('action_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ClientPackets = column_ifexists('client_packets_d', ''),\n Count = column_ifexists('count_d', ''),\n Device = column_ifexists('device_s', ''),\n Domain = column_ifexists('domain_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n EndTime = column_ifexists('end_time_s', ''),\n FlowStatus = column_ifexists('flow_status_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n NetworkSessionId = column_ifexists('network_session_id_s', ''),\n NumSessions = column_ifexists('num_sessions_d', ''),\n NumBytes = column_ifexists('numbytes_d', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n 
OsVersion = column_ifexists('os_version_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n ProtocolPort = column_ifexists('protocol_port_s', ''),\n PublisherCn = column_ifexists('publisher_cn_s', ''),\n PublisherName = column_ifexists('publisher_name_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n ServerPackets = column_ifexists('server_packets_d', ''),\n SessionDuration = column_ifexists('session_duration_d', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n StartTime = column_ifexists('start_time_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TotalPackets = column_ifexists('total_packets_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n TunnelType = column_ifexists('tunnel_type_s', ''),\n TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n Userip = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Action,\n App,\n AppCategory,\n CCI,\n CCIString,\n CCL,\n 
ClientBytes,\n ClientPackets,\n Count,\n Device,\n Domain,\n DestinationCountry,\n DestinationGeoIpSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n EndTime,\n FlowStatus,\n HostName,\n IpProtocol,\n NetworkSessionId,\n NumSessions,\n NumBytes,\n OrganizationUnit,\n OS,\n OsVersion,\n Policy,\n PolicyType,\n Protocol,\n ProtocolPort,\n PublisherCn,\n PublisherName,\n SAMAccountName,\n ServerBytes,\n ServerPackets,\n SessionDuration,\n Site,\n SourceCountry,\n SourceGeoIpSource,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceZipcode,\n SourceIp,\n SourcePort,\n StartTime,\n Timestamp,\n TotalPackets,\n TrafficType,\n TunnelId,\n TunnelType,\n TunnelUpTime,\n UrNormalized,\n User,\n Userip,\n Userkey,\n UserPrincipalName\n};\nEvents_Network_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject15')._parserId15,'/'))))]", - "dependsOn": [ - "[variables('parserObject15')._parserId15]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsNetwork')]", - "contentId": "[variables('parserObject15').parserContentId15]", - "kind": "Parser", - "version": "[variables('parserObject15').parserVersion15]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": 
"[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject15').parserContentId15]", - "contentKind": "Parser", - "displayName": "Parser for EventsNetwork", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject15').parserContentId15,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject15').parserContentId15,'-', '1.0.0')))]", - "version": "[variables('parserObject15').parserVersion15]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject15')._parserName15]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsNetwork", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsNetwork", - "query": "let Events_Network_View = view () { \n eventsnetworkdata_CL\n | extend \n Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n Id = column_ifexists('_id_s', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n Action = column_ifexists('action_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCIString = 
column_ifexists('cci_s', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ClientPackets = column_ifexists('client_packets_d', ''),\n Count = column_ifexists('count_d', ''),\n Device = column_ifexists('device_s', ''),\n Domain = column_ifexists('domain_s', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoIpSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n EndTime = column_ifexists('end_time_s', ''),\n FlowStatus = column_ifexists('flow_status_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n IpProtocol = column_ifexists('ip_protocol_s', ''),\n NetworkSessionId = column_ifexists('network_session_id_s', ''),\n NumSessions = column_ifexists('num_sessions_d', ''),\n NumBytes = column_ifexists('numbytes_d', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OS = column_ifexists('os_s', ''),\n OsVersion = column_ifexists('os_version_s', ''),\n Policy = column_ifexists('policy_s', ''),\n PolicyType = column_ifexists('type_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n ProtocolPort = column_ifexists('protocol_port_s', ''),\n PublisherCn = column_ifexists('publisher_cn_s', ''),\n PublisherName = column_ifexists('publisher_name_s', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n ServerPackets = column_ifexists('server_packets_d', ''),\n SessionDuration = column_ifexists('session_duration_d', ''),\n Site = 
column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSource = column_ifexists('src_geoip_src_d', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourcePort = column_ifexists('srcport_d', ''),\n StartTime = column_ifexists('start_time_s', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TotalPackets = column_ifexists('total_packets_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TunnelId = column_ifexists('tunnel_id_s', ''),\n TunnelType = column_ifexists('tunnel_type_s', ''),\n TunnelUpTime = column_ifexists('tunnel_up_time_d', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n Userip = column_ifexists('userip_s', ''),\n Userkey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project \n Category,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n Id,\n AccessMethod,\n Action,\n App,\n AppCategory,\n CCI,\n CCIString,\n CCL,\n ClientBytes,\n ClientPackets,\n Count,\n Device,\n Domain,\n DestinationCountry,\n DestinationGeoIpSource,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationRegion,\n DestinationZipcode,\n DestinationHost,\n DestinationIp,\n DestinationPort,\n EndTime,\n FlowStatus,\n HostName,\n IpProtocol,\n NetworkSessionId,\n NumSessions,\n NumBytes,\n OrganizationUnit,\n OS,\n OsVersion,\n Policy,\n PolicyType,\n Protocol,\n ProtocolPort,\n PublisherCn,\n PublisherName,\n SAMAccountName,\n ServerBytes,\n ServerPackets,\n SessionDuration,\n Site,\n SourceCountry,\n SourceGeoIpSource,\n 
SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceZipcode,\n SourceIp,\n SourcePort,\n StartTime,\n Timestamp,\n TotalPackets,\n TrafficType,\n TunnelId,\n TunnelType,\n TunnelUpTime,\n UrNormalized,\n User,\n Userip,\n Userkey,\n UserPrincipalName\n};\nEvents_Network_View\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject15')._parserId15,'/'))))]", - "dependsOn": [ - "[variables('parserObject15')._parserId15]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsNetwork')]", - "contentId": "[variables('parserObject15').parserContentId15]", - "kind": "Parser", - "version": "[variables('parserObject15').parserVersion15]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject16').parserTemplateSpecName16]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "EventsPage Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject16').parserVersion16]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject16')._parserName16]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsPage", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsPage", - "query": "let Events_page_view = view() {\neventspagedata_CL\n| extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n Type = column_ifexists('Type', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n MG = column_ifexists('MG', ''),\n RawData = column_ifexists('RawData', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n BypassReason = column_ifexists('bypass_reason_s', ''),\n BypassTraffic = column_ifexists('bypass_traffic_s', ''),\n CanonicalName = column_ifexists('CononicalName_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionEndTime = column_ifexists('conn_endtime_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n 
ConnectionStartTime = column_ifexists('conn_starttime_d', ''),\n Count = column_ifexists('count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n Device = column_ifexists('device_s', ''),\n Domain = column_ifexists('domain_s', ''),\n DynamicClassification = column_ifexists('dynamic_classification_s', ''),\n ForwardToProxyProfile = column_ifexists('forward_to_proxy_profile_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', ''),\n HostName = column_ifexists('hostname_s', ''),\n HTTPTransactionCount = column_ifexists('http_transaction_count_d', ''),\n Id = column_ifexists('_id_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n Network = column_ifexists('network_s', ''),\n Numbytes = column_ifexists('numbytes_d', ''),\n OS = column_ifexists('os_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OSVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n RequestCount = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_d', ''),\n ResponseContentLength = column_ifexists('resp_content_len_d', ''),\n ResponseContentType = 
column_ifexists('resp_content_type_s', ''),\n ResponseCount = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SSLDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),\n SuppressionEndTime = column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n Url = column_ifexists('url_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserGenerated = column_ifexists('user_generated_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n UserKey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project Category,\n Computer,\n Type,\n ManagementGroupName,\n MG,\n RawData,\n _ResourceId,\n SourceSystem,\n TenantId,\n TimeGenerated,\n AccessMethod,\n App,\n AppCategory,\n AppSessionId,\n Browser,\n BrowserSessionId,\n 
BrowserVersion,\n BypassReason,\n BypassTraffic,\n CanonicalName,\n CCI,\n CCL,\n ClientBytes,\n ConnDuration,\n ConnectionEndTime,\n ConnectionId,\n ConnectionStartTime,\n Count,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationHost,\n DestinationIp,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationPort,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n Device,\n Domain,\n DynamicClassification,\n ForwardToProxyProfile,\n Fromlogs,\n HostName,\n HTTPTransactionCount,\n Id,\n LogFileName,\n NetskopePop,\n Network,\n Numbytes,\n OS,\n Org,\n OrganizationUnit,\n OSVersion,\n OtherCategories,\n Page,\n Policy,\n Protocol,\n RequestCount,\n RequestId,\n ResponseContentLength,\n ResponseContentType,\n ResponseCount,\n SAMAccountName,\n Serial,\n ServerBytes,\n SessionId,\n Severity,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceIp,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n SSLDecryptPolicy,\n SuppressionEndTime,\n SuppressionStartTime,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n Url,\n UrNormalized,\n User,\n Useragent,\n UserGenerated,\n UserIp,\n UserKey,\n UserPrincipalName\n};\nEvents_page_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject16')._parserId16,'/'))))]", - "dependsOn": [ - "[variables('parserObject16')._parserId16]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsPage')]", - "contentId": "[variables('parserObject16').parserContentId16]", - "kind": "Parser", - "version": 
"[variables('parserObject16').parserVersion16]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject16').parserContentId16]", - "contentKind": "Parser", - "displayName": "Parser for EventsPage", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.0.0')))]", - "version": "[variables('parserObject16').parserVersion16]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject16')._parserName16]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for EventsPage", - "category": "Microsoft Sentinel Parser", - "functionAlias": "EventsPage", - "query": "let Events_page_view = view() {\neventspagedata_CL\n| extend Category = column_ifexists('Category', ''),\n Computer = column_ifexists('Computer', ''),\n Type = column_ifexists('Type', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n MG = column_ifexists('MG', ''),\n RawData = column_ifexists('RawData', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = 
column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n AccessMethod = column_ifexists('access_method_s', ''),\n App = column_ifexists('app_s', ''),\n AppCategory = column_ifexists('appcategory_s', ''),\n AppSessionId = column_ifexists('app_session_id_d', ''),\n Browser = column_ifexists('browser_s', ''),\n BrowserSessionId = column_ifexists('browser_session_id_d', ''),\n BrowserVersion = column_ifexists('browser_version_s', ''),\n BypassReason = column_ifexists('bypass_reason_s', ''),\n BypassTraffic = column_ifexists('bypass_traffic_s', ''),\n CanonicalName = column_ifexists('CononicalName_s', ''),\n CCI = column_ifexists('cci_d', ''),\n CCL = column_ifexists('ccl_s', ''),\n ClientBytes = column_ifexists('client_bytes_d', ''),\n ConnDuration = column_ifexists('conn_duration_d', ''),\n ConnectionEndTime = column_ifexists('conn_endtime_d', ''),\n ConnectionId = column_ifexists('connection_id_d', ''),\n ConnectionStartTime = column_ifexists('conn_starttime_d', ''),\n Count = column_ifexists('count_d', ''),\n DestinationCountry = column_ifexists('dst_country_s', ''),\n DestinationGeoipSource = column_ifexists('dst_geoip_src_d', ''),\n DestinationHost = column_ifexists('dsthost_s', ''),\n DestinationIp = column_ifexists('dstip_s', ''),\n DestinationLatitude = column_ifexists('dst_latitude_d', ''),\n DestinationLocation = column_ifexists('dst_location_s', ''),\n DestinationLongitude = column_ifexists('dst_longitude_d', ''),\n DestinationPort = column_ifexists('dstport_d', ''),\n DestinationRegion = column_ifexists('dst_region_s', ''),\n DestinationTimezone = column_ifexists('dst_timezone_s', ''),\n DestinationZipcode = column_ifexists('dst_zipcode_s', ''),\n Device = column_ifexists('device_s', ''),\n Domain = column_ifexists('domain_s', ''),\n DynamicClassification = column_ifexists('dynamic_classification_s', ''),\n ForwardToProxyProfile = column_ifexists('forward_to_proxy_profile_s', ''),\n Fromlogs = column_ifexists('fromlogs_s', 
''),\n HostName = column_ifexists('hostname_s', ''),\n HTTPTransactionCount = column_ifexists('http_transaction_count_d', ''),\n Id = column_ifexists('_id_s', ''),\n LogFileName = column_ifexists('log_file_name_s', ''),\n NetskopePop = column_ifexists('netskope_pop_s', ''),\n Network = column_ifexists('network_s', ''),\n Numbytes = column_ifexists('numbytes_d', ''),\n OS = column_ifexists('os_s', ''),\n Org = column_ifexists('org_s', ''),\n OrganizationUnit = column_ifexists('organization_unit_s', ''),\n OSVersion = column_ifexists('os_version_s', ''),\n OtherCategories = column_ifexists('other_categories_s', ''),\n Page = column_ifexists('page_s', ''),\n Policy = column_ifexists('policy_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n RequestCount = column_ifexists('req_cnt_d', ''),\n RequestId = column_ifexists('request_id_d', ''),\n ResponseContentLength = column_ifexists('resp_content_len_d', ''),\n ResponseContentType = column_ifexists('resp_content_type_s', ''),\n ResponseCount = column_ifexists('resp_cnt_d', ''),\n SAMAccountName = column_ifexists('sAMAccountName_s', ''),\n Serial = column_ifexists('serial_s', ''),\n ServerBytes = column_ifexists('server_bytes_d', ''),\n SessionId = column_ifexists('sessionid_s', ''),\n Severity = column_ifexists('severity_s', ''),\n Site = column_ifexists('site_s', ''),\n SourceCountry = column_ifexists('src_country_s', ''),\n SourceGeoIpSrc = column_ifexists('src_geoip_src_d', ''),\n SourceIp = column_ifexists('srcip_s', ''),\n SourceLatitude = column_ifexists('src_latitude_d', ''),\n SourceLocation = column_ifexists('src_location_s', ''),\n SourceLongitude = column_ifexists('src_longitude_d', ''),\n SourceRegion = column_ifexists('src_region_s', ''),\n SourceTime = column_ifexists('src_time_s', ''),\n SourceTimezone = column_ifexists('src_timezone_s', ''),\n SourceZipcode = column_ifexists('src_zipcode_s', ''),\n SSLDecryptPolicy = column_ifexists('ssl_decrypt_policy_s', ''),\n SuppressionEndTime = 
column_ifexists('suppression_end_time_d', ''),\n SuppressionStartTime = column_ifexists('suppression_start_time_d', ''),\n Timestamp = column_ifexists('timestamp_d', ''),\n TrafficType = column_ifexists('traffic_type_s', ''),\n TransactionId = column_ifexists('transaction_id_d', ''),\n PolicyType = column_ifexists('type_s', ''),\n Url = column_ifexists('url_s', ''),\n UrNormalized = column_ifexists('ur_normalized_s', ''),\n User = column_ifexists('user_s', ''),\n Useragent = column_ifexists('useragent_s', ''),\n UserGenerated = column_ifexists('user_generated_s', ''),\n UserIp = column_ifexists('userip_s', ''),\n UserKey = column_ifexists('userkey_s', ''),\n UserPrincipalName = column_ifexists('userPrincipalName_s', '')\n | project Category,\n Computer,\n Type,\n ManagementGroupName,\n MG,\n RawData,\n _ResourceId,\n SourceSystem,\n TenantId,\n TimeGenerated,\n AccessMethod,\n App,\n AppCategory,\n AppSessionId,\n Browser,\n BrowserSessionId,\n BrowserVersion,\n BypassReason,\n BypassTraffic,\n CanonicalName,\n CCI,\n CCL,\n ClientBytes,\n ConnDuration,\n ConnectionEndTime,\n ConnectionId,\n ConnectionStartTime,\n Count,\n DestinationCountry,\n DestinationGeoipSource,\n DestinationHost,\n DestinationIp,\n DestinationLatitude,\n DestinationLocation,\n DestinationLongitude,\n DestinationPort,\n DestinationRegion,\n DestinationTimezone,\n DestinationZipcode,\n Device,\n Domain,\n DynamicClassification,\n ForwardToProxyProfile,\n Fromlogs,\n HostName,\n HTTPTransactionCount,\n Id,\n LogFileName,\n NetskopePop,\n Network,\n Numbytes,\n OS,\n Org,\n OrganizationUnit,\n OSVersion,\n OtherCategories,\n Page,\n Policy,\n Protocol,\n RequestCount,\n RequestId,\n ResponseContentLength,\n ResponseContentType,\n ResponseCount,\n SAMAccountName,\n Serial,\n ServerBytes,\n SessionId,\n Severity,\n Site,\n SourceCountry,\n SourceGeoIpSrc,\n SourceIp,\n SourceLatitude,\n SourceLocation,\n SourceLongitude,\n SourceRegion,\n SourceTime,\n SourceTimezone,\n SourceZipcode,\n 
SSLDecryptPolicy,\n SuppressionEndTime,\n SuppressionStartTime,\n Timestamp,\n TrafficType,\n TransactionId,\n PolicyType,\n Url,\n UrNormalized,\n User,\n Useragent,\n UserGenerated,\n UserIp,\n UserKey,\n UserPrincipalName\n};\nEvents_page_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject16')._parserId16,'/'))))]", - "dependsOn": [ - "[variables('parserObject16')._parserId16]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'EventsPage')]", - "contentId": "[variables('parserObject16').parserContentId16]", - "kind": "Parser", - "version": "[variables('parserObject16').parserVersion16]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject17').parserTemplateSpecName17]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "NetskopeWebTransactions Data Parser with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - 
"contentVersion": "[variables('parserObject17').parserVersion17]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject17')._parserName17]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for NetskopeWebTransactions", - "category": "Microsoft Sentinel Parser", - "functionAlias": "NetskopeWebTransactions", - "query": "let NetskopeWebTransactions_view = view() {\n NetskopeWebtxData_CL\n | extend\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n LogMessageType = column_ifexists('x_type_s', ''),\n TransactionId = column_ifexists('x_transaction_id_s', ''),\n SSLPolicySourceIp = column_ifexists('x_ssl_policy_src_ip_s', ''),\n SSLPolicyName = column_ifexists('x_ssl_policy_name_s', ''),\n SSLPolicyDestinationIp = column_ifexists('x_ssl_policy_dst_ip_s', ''),\n SSLPolicyDestinationHost = column_ifexists('x_ssl_policy_dst_host_source_s', ''),\n SSLPolicyDestinationHostSource = column_ifexists('x_ssl_policy_dst_host_s', ''),\n SSLPolicyCategories = column_ifexists('x_ssl_policy_categories_s', ''),\n SSLPolicyAction = column_ifexists('x_ssl_policy_action_s', ''),\n SSLBypass = column_ifexists('x_ssl_bypass_s', ''),\n SSLBypassReason = column_ifexists('x_ssl_bypass_reason_s', ''),\n ServerSSLVersion = column_ifexists('x_sr_ssl_version_s', ''),\n MalformedSSLFound = column_ifexists('x_sr_ssl_malformed_ssl_s', ''),\n ServerFingerPrints = column_ifexists('x_sr_ssl_ja3s_s', ''),\n 
ServerSSLHandShakeError = column_ifexists('x_sr_ssl_handshake_error_s', ''),\n ServerSSLEngineAction = column_ifexists('x_sr_ssl_engine_action_s', ''),\n ServerSSLEngineActionReason = column_ifexists('x_sr_ssl_engine_action_reason_s', ''),\n ServerSSLClientCertificateErr = column_ifexists('x_sr_ssl_client_certificate_error_s', ''),\n ServerSSLCipher = column_ifexists('x_sr_ssl_cipher_s', ''),\n RemoteServerSourcePort = column_ifexists('x_sr_src_port_s', ''),\n RemoteServerSourceIp = column_ifexists('x_sr_src_ip_s', ''),\n CustomHeadersValue = column_ifexists('x_sr_headers_value_s', ''),\n CustomHeadersName = column_ifexists('x_sr_headers_name_s', ''),\n RemoteServerDestinationPort = column_ifexists('x_sr_dst_port_s', ''),\n RemoteServerDestinationIp = column_ifexists('x_sr_dst_ip_s', ''),\n ServerSSLError = column_ifexists('x_server_ssl_err_s', ''),\n Notification = column_ifexists('x_sc_notification_name_s', ''),\n DestinationZipCode = column_ifexists('x_s_zipcode_s', ''),\n DestinationRegion = column_ifexists('x_s_region_s', ''),\n ServerLongitude = column_ifexists('x_s_longitude_s', ''),\n DestinationLocation = column_ifexists('x_s_location_s', ''),\n DestinationLatitude = column_ifexists('x_s_latitude_s', ''),\n RequestProcessingDataPlane = column_ifexists('x_s_dp_name_s', ''),\n CustomSigningCAError = column_ifexists('x_s_custom_signing_ca_error_s', ''),\n DestinationCountry = column_ifexists('x_s_country_s', ''),\n RemoteServerFileType = column_ifexists('x_rs_file_type_s', ''),\n RemoteServerFileSize = column_ifexists('x_rs_file_size_s', ''),\n RemoteServerFileSha256 = column_ifexists('x_rs_file_sha256_s', ''),\n RemoteServerFileMd5 = column_ifexists('x_rs_file_md5_s', ''),\n RemoteServerFileMd5GUID = column_ifexists('x_rs_file_md5_g', ''),\n RemoteServerFileLanguage = column_ifexists('x_rs_file_language_s', ''),\n RemoteServerFileCategory = column_ifexists('x_rs_file_category_s', ''),\n RequestId = column_ifexists('x_request_id_s', ''),\n CertValid = 
column_ifexists('x_r_cert_valid_s', ''),\n CertUntrustedRoot = column_ifexists('x_r_cert_untrusted_root_s', ''),\n CertSubjectCN = column_ifexists('x_r_cert_subject_cn_s', ''),\n CertStartdate = column_ifexists('x_r_cert_startdate_s', ''),\n CertificateSelfSigned = column_ifexists('x_r_cert_self_signed_s', ''),\n CertRevoked = column_ifexists('x_r_cert_revoked_s', ''),\n CertRevocationCheck = column_ifexists('x_r_cert_revocation_check_s', ''),\n CertMisMatch = column_ifexists('x_r_cert_mismatch_s', ''),\n CertIssuerCN = column_ifexists('x_r_cert_issuer_cn_s', ''),\n CertIncompleteChain = column_ifexists('x_r_cert_incomplete_chain_s', ''),\n CertExpired = column_ifexists('x_r_cert_expired_s', ''),\n CertEnddate = column_ifexists('x_r_cert_enddate_s', ''),\n PolicySourceIp = column_ifexists('x_policy_src_ip_s', ''),\n PolicyName = column_ifexists('x_policy_name_s', ''),\n PolicyJustificationType = column_ifexists('x_policy_justification_type_s', ''),\n PolicyJustificationReason = column_ifexists('x_policy_justification_reason_s', ''),\n PolicyDestinationIp = column_ifexists('x_policy_dst_ip_s', ''),\n PolicyDestinationHostSource = column_ifexists('x_policy_dst_host_source_s', ''),\n PolicyHostName = column_ifexists('x_policy_dst_host_s', ''),\n PolicyAction = column_ifexists('x_policy_action_s', ''),\n OtherCategory = column_ifexists('x_other_category_s', ''),\n OtherCategoryId = column_ifexists('x_other_category_id_s', ''),\n TransactionError = column_ifexists('x_error_s', ''),\n SourceIp = column_ifexists('x_cs_userip_s', ''),\n FullRequestURL = column_ifexists('x_cs_url_s', ''),\n ClientUriPath = column_ifexists('x_cs_uri_path_s', ''),\n ClientTunnelId = column_ifexists('x_cs_tunnel_id_s', ''),\n ClientTrafficType = column_ifexists('x_cs_traffic_type_s', ''),\n ClientTimestamp = column_ifexists('x_cs_timestamp_s', ''),\n ClientSSLVersion = column_ifexists('x_cs_ssl_version_s', ''),\n ClientSSLJa3 = column_ifexists('x_cs_ssl_ja3_s', ''),\n ClientSSLJa3GUID = 
column_ifexists('x_cs_ssl_ja3_g', ''),\n ClientSSLHandshakeError = column_ifexists('x_cs_ssl_handshake_error_s', ''),\n ClientSSLFrontingError = column_ifexists('x_cs_ssl_fronting_error_s', ''),\n ClientSSLEngineAction = column_ifexists('x_cs_ssl_engine_action_s', ''),\n ClientSSLEngineActionReason = column_ifexists('x_cs_ssl_engine_action_reason_s', ''),\n ClientSSLCipher = column_ifexists('x_cs_ssl_cipher_s', ''),\n ClientSourcePort= column_ifexists('x_cs_src_port_s', ''),\n ClientSourceIp = column_ifexists('x_cs_src_ip_s', ''),\n ClientSourceIpEgress = column_ifexists('x_cs_src_ip_egress_s', ''),\n ClientSNI = column_ifexists('x_cs_sni_s', ''),\n Site = column_ifexists('x_cs_site_s', ''),\n SessionId = column_ifexists('x_cs_session_id_s', ''),\n ClientPageId = column_ifexists('x_cs_page_id_s', ''),\n XFFGetRequest = column_ifexists('x_cs_ip_xff_s', ''),\n XFFConnectRequest = column_ifexists('x_cs_ip_connect_xff_s', ''),\n ClientHTTPVersion = column_ifexists('x_cs_http_version_s', ''),\n ClientDestinationPort = column_ifexists('x_cs_dst_port_s', ''),\n ClientDestinationIp = column_ifexists('x_cs_dst_ip_s', ''),\n DomainFrontedSNI= column_ifexists('x_cs_domain_fronted_sni_s', ''),\n ClientConnectUserAgent = column_ifexists('x_cs_connect_user_agent_s', ''),\n ClientConnectPort = column_ifexists('x_cs_connect_port_s', ''),\n ClientConnectHost = column_ifexists('x_cs_connect_host_s', ''),\n CloudAppRecipientsList = column_ifexists('x_cs_app_to_user_s', ''),\n CloudAppTags = column_ifexists('x_cs_app_tags_s', ''),\n CloudAppSuite = column_ifexists('x_cs_app_suite_s', ''),\n ClientCloudApp = column_ifexists('x_cs_app_s', ''),\n CloudAppSharedObjectType = column_ifexists('x_cs_app_object_type_s', ''),\n CloudAppSharedObjectName = column_ifexists('x_cs_app_object_name_s', ''),\n CloudAppSharedObjectId = column_ifexists('x_cs_app_object_id_s', ''),\n CloudAppInstanceTag = column_ifexists('x_cs_app_instance_tag_s', ''),\n CloudAppInstanceName = 
column_ifexists('x_cs_app_instance_name_s', ''),\n CloudAppInstanceId = column_ifexists('x_cs_app_instance_id_s', ''),\n CloudAppUserIdentity = column_ifexists('x_cs_app_from_user_s', ''),\n CCLevel = column_ifexists('x_cs_app_ccl_s', ''),\n CCI= column_ifexists('x_cs_app_cci_s', ''),\n CloudAppCategory = column_ifexists('x_cs_app_category_s', ''),\n CloudAppActivity = column_ifexists('x_cs_app_activity_s', ''),\n AccessMethod = column_ifexists('x_cs_access_method_s', ''),\n ClientSSLError = column_ifexists('x_client_ssl_err_s', ''),\n CategoryName = column_ifexists('x_category_s', ''),\n CategoryId = column_ifexists('x_category_id_s', ''),\n ClientZipCode = column_ifexists('x_c_zipcode_s', ''),\n ClientRegion = column_ifexists('x_c_region_s', ''),\n ClientOs = column_ifexists('x_c_os_s', ''),\n ClientLongitude = column_ifexists('x_c_longitude_s', ''),\n ClientLocation = column_ifexists('x_c_location_s', ''),\n LocalTime = column_ifexists('x_c_local_time_s', ''),\n ClientLatitude = column_ifexists('x_c_latitude_s', ''),\n ClientDeviceType = column_ifexists('x_c_device_s', ''),\n ClientCountry = column_ifexists('x_c_country_s', ''),\n ClientBrowserVersion = column_ifexists('x_c_browser_version_s', ''),\n ClientBrowser = column_ifexists('x_c_browser_s', ''),\n TimeTaken = column_ifexists('time_taken_s', ''),\n Time = column_ifexists('time_s', ''),\n ServerStatusCode = column_ifexists('sc_status_s', ''),\n ServerContentType = column_ifexists('sc_content_type_s', ''),\n ServerBytes = column_ifexists('sc_bytes_s', ''),\n ServerIp = column_ifexists('s_ip_s', ''),\n RemoteServerStatusCode = column_ifexists('rs_status_s', ''),\n NetskopeTenant= column_ifexists('netskope_api_host_name_s', ''),\n Date = column_ifexists('date_s', ''),\n ClientUsername = column_ifexists('cs_username_s', ''),\n ClientUserAgent = column_ifexists('cs_user_agent_s', ''),\n ClientUriScheme = column_ifexists('cs_uri_scheme_s', ''),\n ClientUri = column_ifexists('cs_uri_s', ''),\n ClientUriQuery = 
column_ifexists('cs_uri_query_s', ''),\n ClientUriQueryGUID = column_ifexists('cs_uri_query_g', ''),\n ClientUriPort = column_ifexists('cs_uri_port_s', ''),\n HTTPReferer = column_ifexists('cs_referer_s', ''),\n ClientMethod = column_ifexists('cs_method_s', ''),\n ClientHost = column_ifexists('cs_host_s', ''),\n DestinationDomain = column_ifexists('cs_dns_s', ''),\n ClientContentType = column_ifexists('cs_content_type_s', ''),\n ClientBytes = column_ifexists('cs_bytes_s', ''),\n DeviceIp = column_ifexists('c_ip_s', ''),\n TotalBytes = column_ifexists('bytes_s', '')\n | project \n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n LogMessageType,\n TransactionId,\n SSLPolicySourceIp,\n SSLPolicyName,\n SSLPolicyDestinationIp,\n SSLPolicyDestinationHost,\n SSLPolicyDestinationHostSource,\n SSLPolicyCategories,\n SSLPolicyAction,\n SSLBypass,\n SSLBypassReason,\n ServerSSLVersion,\n MalformedSSLFound,\n ServerFingerPrints,\n ServerSSLHandShakeError,\n ServerSSLEngineAction,\n ServerSSLEngineActionReason,\n ServerSSLClientCertificateErr,\n ServerSSLCipher,\n RemoteServerSourcePort,\n RemoteServerSourceIp,\n CustomHeadersValue,\n CustomHeadersName,\n RemoteServerDestinationPort,\n RemoteServerDestinationIp,\n ServerSSLError,\n Notification,\n DestinationZipCode,\n DestinationRegion,\n ServerLongitude,\n DestinationLocation,\n DestinationLatitude,\n RequestProcessingDataPlane,\n CustomSigningCAError,\n DestinationCountry,\n RemoteServerFileType,\n RemoteServerFileSize,\n RemoteServerFileSha256,\n RemoteServerFileMd5,\n RemoteServerFileMd5GUID,\n RemoteServerFileLanguage,\n RemoteServerFileCategory,\n RequestId,\n CertValid,\n CertUntrustedRoot,\n CertSubjectCN,\n CertStartdate,\n CertificateSelfSigned,\n CertRevoked,\n CertRevocationCheck,\n CertMisMatch,\n CertIssuerCN,\n CertIncompleteChain,\n CertExpired,\n CertEnddate,\n PolicySourceIp,\n PolicyName,\n PolicyJustificationType,\n 
PolicyJustificationReason,\n PolicyDestinationIp,\n PolicyDestinationHostSource,\n PolicyHostName,\n PolicyAction,\n OtherCategory,\n OtherCategoryId,\n TransactionError,\n SourceIp,\n FullRequestURL,\n ClientUriPath,\n ClientTunnelId,\n ClientTrafficType,\n ClientTimestamp,\n ClientSSLVersion,\n ClientSSLJa3,\n ClientSSLJa3GUID,\n ClientSSLHandshakeError,\n ClientSSLFrontingError,\n ClientSSLEngineAction,\n ClientSSLEngineActionReason,\n ClientSSLCipher,\n ClientSourcePort,\n ClientSourceIp,\n ClientSourceIpEgress,\n ClientSNI,\n Site,\n SessionId,\n ClientPageId,\n XFFGetRequest,\n XFFConnectRequest,\n ClientHTTPVersion,\n ClientDestinationPort,\n ClientDestinationIp,\n DomainFrontedSNI,\n ClientConnectUserAgent,\n ClientConnectPort,\n ClientConnectHost,\n CloudAppRecipientsList,\n CloudAppTags,\n CloudAppSuite,\n ClientCloudApp,\n CloudAppSharedObjectType,\n CloudAppSharedObjectName,\n CloudAppSharedObjectId,\n CloudAppInstanceTag,\n CloudAppInstanceName,\n CloudAppInstanceId,\n CloudAppUserIdentity,\n CCLevel,\n CCI,\n CloudAppCategory,\n CloudAppActivity,\n AccessMethod,\n ClientSSLError,\n CategoryName,\n CategoryId,\n ClientZipCode,\n ClientRegion,\n ClientOs,\n ClientLongitude,\n ClientLocation,\n LocalTime,\n ClientLatitude,\n ClientDeviceType,\n ClientCountry,\n ClientBrowserVersion,\n ClientBrowser,\n TimeTaken,\n Time,\n ServerStatusCode,\n ServerContentType,\n ServerBytes,\n ServerIp,\n RemoteServerStatusCode,\n NetskopeTenant,\n Date,\n ClientUsername,\n ClientUserAgent,\n ClientUriScheme,\n ClientUri,\n ClientUriQuery,\n ClientUriQueryGUID,\n ClientUriPort,\n HTTPReferer,\n ClientMethod,\n ClientHost,\n DestinationDomain,\n ClientContentType,\n ClientBytes,\n DeviceIp,\n TotalBytes\n};\nNetskopeWebTransactions_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject17')._parserId17,'/'))))]", - "dependsOn": [ - "[variables('parserObject17')._parserId17]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NetskopeWebTransactions')]", - "contentId": "[variables('parserObject17').parserContentId17]", - "kind": "Parser", - "version": "[variables('parserObject17').parserVersion17]", - "source": { - "name": "Netskopev2", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject17').parserContentId17]", - "contentKind": "Parser", - "displayName": "Parser for NetskopeWebTransactions", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject17').parserContentId17,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject17').parserContentId17,'-', '1.0.0')))]", - "version": "[variables('parserObject17').parserVersion17]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject17')._parserName17]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for NetskopeWebTransactions", - "category": "Microsoft Sentinel Parser", - "functionAlias": 
"NetskopeWebTransactions", - "query": "let NetskopeWebTransactions_view = view() {\n NetskopeWebtxData_CL\n | extend\n Computer = column_ifexists('Computer', ''),\n MG = column_ifexists('MG', ''),\n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', ''),\n SourceSystem = column_ifexists('SourceSystem', ''),\n TenantId = column_ifexists('TenantId', ''),\n TimeGenerated = column_ifexists('TimeGenerated', ''),\n Type = column_ifexists('Type', ''),\n _ResourceId = column_ifexists('_ResourceId', ''),\n LogMessageType = column_ifexists('x_type_s', ''),\n TransactionId = column_ifexists('x_transaction_id_s', ''),\n SSLPolicySourceIp = column_ifexists('x_ssl_policy_src_ip_s', ''),\n SSLPolicyName = column_ifexists('x_ssl_policy_name_s', ''),\n SSLPolicyDestinationIp = column_ifexists('x_ssl_policy_dst_ip_s', ''),\n SSLPolicyDestinationHost = column_ifexists('x_ssl_policy_dst_host_source_s', ''),\n SSLPolicyDestinationHostSource = column_ifexists('x_ssl_policy_dst_host_s', ''),\n SSLPolicyCategories = column_ifexists('x_ssl_policy_categories_s', ''),\n SSLPolicyAction = column_ifexists('x_ssl_policy_action_s', ''),\n SSLBypass = column_ifexists('x_ssl_bypass_s', ''),\n SSLBypassReason = column_ifexists('x_ssl_bypass_reason_s', ''),\n ServerSSLVersion = column_ifexists('x_sr_ssl_version_s', ''),\n MalformedSSLFound = column_ifexists('x_sr_ssl_malformed_ssl_s', ''),\n ServerFingerPrints = column_ifexists('x_sr_ssl_ja3s_s', ''),\n ServerSSLHandShakeError = column_ifexists('x_sr_ssl_handshake_error_s', ''),\n ServerSSLEngineAction = column_ifexists('x_sr_ssl_engine_action_s', ''),\n ServerSSLEngineActionReason = column_ifexists('x_sr_ssl_engine_action_reason_s', ''),\n ServerSSLClientCertificateErr = column_ifexists('x_sr_ssl_client_certificate_error_s', ''),\n ServerSSLCipher = column_ifexists('x_sr_ssl_cipher_s', ''),\n RemoteServerSourcePort = column_ifexists('x_sr_src_port_s', ''),\n RemoteServerSourceIp = 
column_ifexists('x_sr_src_ip_s', ''),\n CustomHeadersValue = column_ifexists('x_sr_headers_value_s', ''),\n CustomHeadersName = column_ifexists('x_sr_headers_name_s', ''),\n RemoteServerDestinationPort = column_ifexists('x_sr_dst_port_s', ''),\n RemoteServerDestinationIp = column_ifexists('x_sr_dst_ip_s', ''),\n ServerSSLError = column_ifexists('x_server_ssl_err_s', ''),\n Notification = column_ifexists('x_sc_notification_name_s', ''),\n DestinationZipCode = column_ifexists('x_s_zipcode_s', ''),\n DestinationRegion = column_ifexists('x_s_region_s', ''),\n ServerLongitude = column_ifexists('x_s_longitude_s', ''),\n DestinationLocation = column_ifexists('x_s_location_s', ''),\n DestinationLatitude = column_ifexists('x_s_latitude_s', ''),\n RequestProcessingDataPlane = column_ifexists('x_s_dp_name_s', ''),\n CustomSigningCAError = column_ifexists('x_s_custom_signing_ca_error_s', ''),\n DestinationCountry = column_ifexists('x_s_country_s', ''),\n RemoteServerFileType = column_ifexists('x_rs_file_type_s', ''),\n RemoteServerFileSize = column_ifexists('x_rs_file_size_s', ''),\n RemoteServerFileSha256 = column_ifexists('x_rs_file_sha256_s', ''),\n RemoteServerFileMd5 = column_ifexists('x_rs_file_md5_s', ''),\n RemoteServerFileMd5GUID = column_ifexists('x_rs_file_md5_g', ''),\n RemoteServerFileLanguage = column_ifexists('x_rs_file_language_s', ''),\n RemoteServerFileCategory = column_ifexists('x_rs_file_category_s', ''),\n RequestId = column_ifexists('x_request_id_s', ''),\n CertValid = column_ifexists('x_r_cert_valid_s', ''),\n CertUntrustedRoot = column_ifexists('x_r_cert_untrusted_root_s', ''),\n CertSubjectCN = column_ifexists('x_r_cert_subject_cn_s', ''),\n CertStartdate = column_ifexists('x_r_cert_startdate_s', ''),\n CertificateSelfSigned = column_ifexists('x_r_cert_self_signed_s', ''),\n CertRevoked = column_ifexists('x_r_cert_revoked_s', ''),\n CertRevocationCheck = column_ifexists('x_r_cert_revocation_check_s', ''),\n CertMisMatch = 
column_ifexists('x_r_cert_mismatch_s', ''),\n CertIssuerCN = column_ifexists('x_r_cert_issuer_cn_s', ''),\n CertIncompleteChain = column_ifexists('x_r_cert_incomplete_chain_s', ''),\n CertExpired = column_ifexists('x_r_cert_expired_s', ''),\n CertEnddate = column_ifexists('x_r_cert_enddate_s', ''),\n PolicySourceIp = column_ifexists('x_policy_src_ip_s', ''),\n PolicyName = column_ifexists('x_policy_name_s', ''),\n PolicyJustificationType = column_ifexists('x_policy_justification_type_s', ''),\n PolicyJustificationReason = column_ifexists('x_policy_justification_reason_s', ''),\n PolicyDestinationIp = column_ifexists('x_policy_dst_ip_s', ''),\n PolicyDestinationHostSource = column_ifexists('x_policy_dst_host_source_s', ''),\n PolicyHostName = column_ifexists('x_policy_dst_host_s', ''),\n PolicyAction = column_ifexists('x_policy_action_s', ''),\n OtherCategory = column_ifexists('x_other_category_s', ''),\n OtherCategoryId = column_ifexists('x_other_category_id_s', ''),\n TransactionError = column_ifexists('x_error_s', ''),\n SourceIp = column_ifexists('x_cs_userip_s', ''),\n FullRequestURL = column_ifexists('x_cs_url_s', ''),\n ClientUriPath = column_ifexists('x_cs_uri_path_s', ''),\n ClientTunnelId = column_ifexists('x_cs_tunnel_id_s', ''),\n ClientTrafficType = column_ifexists('x_cs_traffic_type_s', ''),\n ClientTimestamp = column_ifexists('x_cs_timestamp_s', ''),\n ClientSSLVersion = column_ifexists('x_cs_ssl_version_s', ''),\n ClientSSLJa3 = column_ifexists('x_cs_ssl_ja3_s', ''),\n ClientSSLJa3GUID = column_ifexists('x_cs_ssl_ja3_g', ''),\n ClientSSLHandshakeError = column_ifexists('x_cs_ssl_handshake_error_s', ''),\n ClientSSLFrontingError = column_ifexists('x_cs_ssl_fronting_error_s', ''),\n ClientSSLEngineAction = column_ifexists('x_cs_ssl_engine_action_s', ''),\n ClientSSLEngineActionReason = column_ifexists('x_cs_ssl_engine_action_reason_s', ''),\n ClientSSLCipher = column_ifexists('x_cs_ssl_cipher_s', ''),\n ClientSourcePort= 
column_ifexists('x_cs_src_port_s', ''),\n ClientSourceIp = column_ifexists('x_cs_src_ip_s', ''),\n ClientSourceIpEgress = column_ifexists('x_cs_src_ip_egress_s', ''),\n ClientSNI = column_ifexists('x_cs_sni_s', ''),\n Site = column_ifexists('x_cs_site_s', ''),\n SessionId = column_ifexists('x_cs_session_id_s', ''),\n ClientPageId = column_ifexists('x_cs_page_id_s', ''),\n XFFGetRequest = column_ifexists('x_cs_ip_xff_s', ''),\n XFFConnectRequest = column_ifexists('x_cs_ip_connect_xff_s', ''),\n ClientHTTPVersion = column_ifexists('x_cs_http_version_s', ''),\n ClientDestinationPort = column_ifexists('x_cs_dst_port_s', ''),\n ClientDestinationIp = column_ifexists('x_cs_dst_ip_s', ''),\n DomainFrontedSNI= column_ifexists('x_cs_domain_fronted_sni_s', ''),\n ClientConnectUserAgent = column_ifexists('x_cs_connect_user_agent_s', ''),\n ClientConnectPort = column_ifexists('x_cs_connect_port_s', ''),\n ClientConnectHost = column_ifexists('x_cs_connect_host_s', ''),\n CloudAppRecipientsList = column_ifexists('x_cs_app_to_user_s', ''),\n CloudAppTags = column_ifexists('x_cs_app_tags_s', ''),\n CloudAppSuite = column_ifexists('x_cs_app_suite_s', ''),\n ClientCloudApp = column_ifexists('x_cs_app_s', ''),\n CloudAppSharedObjectType = column_ifexists('x_cs_app_object_type_s', ''),\n CloudAppSharedObjectName = column_ifexists('x_cs_app_object_name_s', ''),\n CloudAppSharedObjectId = column_ifexists('x_cs_app_object_id_s', ''),\n CloudAppInstanceTag = column_ifexists('x_cs_app_instance_tag_s', ''),\n CloudAppInstanceName = column_ifexists('x_cs_app_instance_name_s', ''),\n CloudAppInstanceId = column_ifexists('x_cs_app_instance_id_s', ''),\n CloudAppUserIdentity = column_ifexists('x_cs_app_from_user_s', ''),\n CCLevel = column_ifexists('x_cs_app_ccl_s', ''),\n CCI= column_ifexists('x_cs_app_cci_s', ''),\n CloudAppCategory = column_ifexists('x_cs_app_category_s', ''),\n CloudAppActivity = column_ifexists('x_cs_app_activity_s', ''),\n AccessMethod = 
column_ifexists('x_cs_access_method_s', ''),\n ClientSSLError = column_ifexists('x_client_ssl_err_s', ''),\n CategoryName = column_ifexists('x_category_s', ''),\n CategoryId = column_ifexists('x_category_id_s', ''),\n ClientZipCode = column_ifexists('x_c_zipcode_s', ''),\n ClientRegion = column_ifexists('x_c_region_s', ''),\n ClientOs = column_ifexists('x_c_os_s', ''),\n ClientLongitude = column_ifexists('x_c_longitude_s', ''),\n ClientLocation = column_ifexists('x_c_location_s', ''),\n LocalTime = column_ifexists('x_c_local_time_s', ''),\n ClientLatitude = column_ifexists('x_c_latitude_s', ''),\n ClientDeviceType = column_ifexists('x_c_device_s', ''),\n ClientCountry = column_ifexists('x_c_country_s', ''),\n ClientBrowserVersion = column_ifexists('x_c_browser_version_s', ''),\n ClientBrowser = column_ifexists('x_c_browser_s', ''),\n TimeTaken = column_ifexists('time_taken_s', ''),\n Time = column_ifexists('time_s', ''),\n ServerStatusCode = column_ifexists('sc_status_s', ''),\n ServerContentType = column_ifexists('sc_content_type_s', ''),\n ServerBytes = column_ifexists('sc_bytes_s', ''),\n ServerIp = column_ifexists('s_ip_s', ''),\n RemoteServerStatusCode = column_ifexists('rs_status_s', ''),\n NetskopeTenant= column_ifexists('netskope_api_host_name_s', ''),\n Date = column_ifexists('date_s', ''),\n ClientUsername = column_ifexists('cs_username_s', ''),\n ClientUserAgent = column_ifexists('cs_user_agent_s', ''),\n ClientUriScheme = column_ifexists('cs_uri_scheme_s', ''),\n ClientUri = column_ifexists('cs_uri_s', ''),\n ClientUriQuery = column_ifexists('cs_uri_query_s', ''),\n ClientUriQueryGUID = column_ifexists('cs_uri_query_g', ''),\n ClientUriPort = column_ifexists('cs_uri_port_s', ''),\n HTTPReferer = column_ifexists('cs_referer_s', ''),\n ClientMethod = column_ifexists('cs_method_s', ''),\n ClientHost = column_ifexists('cs_host_s', ''),\n DestinationDomain = column_ifexists('cs_dns_s', ''),\n ClientContentType = column_ifexists('cs_content_type_s', ''),\n 
ClientBytes = column_ifexists('cs_bytes_s', ''),\n DeviceIp = column_ifexists('c_ip_s', ''),\n TotalBytes = column_ifexists('bytes_s', '')\n | project \n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n TimeGenerated,\n Type,\n _ResourceId,\n LogMessageType,\n TransactionId,\n SSLPolicySourceIp,\n SSLPolicyName,\n SSLPolicyDestinationIp,\n SSLPolicyDestinationHost,\n SSLPolicyDestinationHostSource,\n SSLPolicyCategories,\n SSLPolicyAction,\n SSLBypass,\n SSLBypassReason,\n ServerSSLVersion,\n MalformedSSLFound,\n ServerFingerPrints,\n ServerSSLHandShakeError,\n ServerSSLEngineAction,\n ServerSSLEngineActionReason,\n ServerSSLClientCertificateErr,\n ServerSSLCipher,\n RemoteServerSourcePort,\n RemoteServerSourceIp,\n CustomHeadersValue,\n CustomHeadersName,\n RemoteServerDestinationPort,\n RemoteServerDestinationIp,\n ServerSSLError,\n Notification,\n DestinationZipCode,\n DestinationRegion,\n ServerLongitude,\n DestinationLocation,\n DestinationLatitude,\n RequestProcessingDataPlane,\n CustomSigningCAError,\n DestinationCountry,\n RemoteServerFileType,\n RemoteServerFileSize,\n RemoteServerFileSha256,\n RemoteServerFileMd5,\n RemoteServerFileMd5GUID,\n RemoteServerFileLanguage,\n RemoteServerFileCategory,\n RequestId,\n CertValid,\n CertUntrustedRoot,\n CertSubjectCN,\n CertStartdate,\n CertificateSelfSigned,\n CertRevoked,\n CertRevocationCheck,\n CertMisMatch,\n CertIssuerCN,\n CertIncompleteChain,\n CertExpired,\n CertEnddate,\n PolicySourceIp,\n PolicyName,\n PolicyJustificationType,\n PolicyJustificationReason,\n PolicyDestinationIp,\n PolicyDestinationHostSource,\n PolicyHostName,\n PolicyAction,\n OtherCategory,\n OtherCategoryId,\n TransactionError,\n SourceIp,\n FullRequestURL,\n ClientUriPath,\n ClientTunnelId,\n ClientTrafficType,\n ClientTimestamp,\n ClientSSLVersion,\n ClientSSLJa3,\n ClientSSLJa3GUID,\n ClientSSLHandshakeError,\n ClientSSLFrontingError,\n ClientSSLEngineAction,\n ClientSSLEngineActionReason,\n 
ClientSSLCipher,\n ClientSourcePort,\n ClientSourceIp,\n ClientSourceIpEgress,\n ClientSNI,\n Site,\n SessionId,\n ClientPageId,\n XFFGetRequest,\n XFFConnectRequest,\n ClientHTTPVersion,\n ClientDestinationPort,\n ClientDestinationIp,\n DomainFrontedSNI,\n ClientConnectUserAgent,\n ClientConnectPort,\n ClientConnectHost,\n CloudAppRecipientsList,\n CloudAppTags,\n CloudAppSuite,\n ClientCloudApp,\n CloudAppSharedObjectType,\n CloudAppSharedObjectName,\n CloudAppSharedObjectId,\n CloudAppInstanceTag,\n CloudAppInstanceName,\n CloudAppInstanceId,\n CloudAppUserIdentity,\n CCLevel,\n CCI,\n CloudAppCategory,\n CloudAppActivity,\n AccessMethod,\n ClientSSLError,\n CategoryName,\n CategoryId,\n ClientZipCode,\n ClientRegion,\n ClientOs,\n ClientLongitude,\n ClientLocation,\n LocalTime,\n ClientLatitude,\n ClientDeviceType,\n ClientCountry,\n ClientBrowserVersion,\n ClientBrowser,\n TimeTaken,\n Time,\n ServerStatusCode,\n ServerContentType,\n ServerBytes,\n ServerIp,\n RemoteServerStatusCode,\n NetskopeTenant,\n Date,\n ClientUsername,\n ClientUserAgent,\n ClientUriScheme,\n ClientUri,\n ClientUriQuery,\n ClientUriQueryGUID,\n ClientUriPort,\n HTTPReferer,\n ClientMethod,\n ClientHost,\n DestinationDomain,\n ClientContentType,\n ClientBytes,\n DeviceIp,\n TotalBytes\n};\nNetskopeWebTransactions_view\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject17')._parserId17,'/'))))]", - "dependsOn": [ - "[variables('parserObject17')._parserId17]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'NetskopeWebTransactions')]", - "contentId": 
"[variables('parserObject17').parserContentId17]", - "kind": "Parser", - "version": "[variables('parserObject17').parserVersion17]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Netskopev2 data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Netskope Data Connector (using Azure Functions)", - "publisher": "Netskope", - "descriptionMarkdown": "The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities: \n 1. NetskopeToAzureStorage : \n >* Get the Netskope Alerts and Events data from Netskope and post to Azure storage. \n 2. 
StorageToSentinel : \n >* Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace. \n 3. WebTxMetrics : \n >* Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.\n\n\n For more details of REST APIs refer to the below documentations: \n 1. Netskope API documentation: \n> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ \n 2. Azure storage documentation: \n> https://learn.microsoft.com/azure/storage/common/storage-introduction \n 3. Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview", - "graphQueries": [ - { - "metricName": "Compromised Credential data received", - "legend": "alertscompromisedcredentialdata_CL", - "baseQuery": "alertscompromisedcredentialdata_CL" - }, - { - "metricName": "CTEP data received", - "legend": "alertsctepdata_CL", - "baseQuery": "alertsctepdata_CL" - }, - { - "metricName": "DLP data received", - "legend": "alertsdlpdata_CL", - "baseQuery": "alertsdlpdata_CL" - }, - { - "metricName": "Malsite data received", - "legend": "alertsmalsitedata_CL", - "baseQuery": "alertsmalsitedata_CL" - }, - { - "metricName": "Malware data received", - "legend": "alertsmalwaredata_CL", - "baseQuery": "alertsmalwaredata_CL" - }, - { - "metricName": "Policy data received", - "legend": "alertspolicydata_CL", - "baseQuery": "alertspolicydata_CL" - }, - { - "metricName": "Quarantine data received", - "legend": "alertsquarantinedata_CL", - "baseQuery": "alertsquarantinedata_CL" - }, - { - "metricName": "Remediation data received", - "legend": "alertsremediationdata_CL", - "baseQuery": "alertsremediationdata_CL" - }, - { - "metricName": "SecurityAssessment data received", - "legend": "alertssecurityassessmentdata_CL", - "baseQuery": "alertssecurityassessmentdata_CL" - }, - { - "metricName": "UBA data received", - "legend": "alertsubadata_CL", - 
"baseQuery": "alertsubadata_CL" - }, - { - "metricName": "Application data received", - "legend": "eventsapplicationdata_CL", - "baseQuery": "eventsapplicationdata_CL" - }, - { - "metricName": "Audit data received", - "legend": "eventsauditdata_CL", - "baseQuery": "eventsauditdata_CL" - }, - { - "metricName": "Connection data received", - "legend": "eventsconnectiondata_CL", - "baseQuery": "eventsconnectiondata_CL" - }, - { - "metricName": "Incident data received", - "legend": "eventsincidentdata_CL", - "baseQuery": "eventsincidentdata_CL" - }, - { - "metricName": "Network data received", - "legend": "eventsnetworkdata_CL", - "baseQuery": "eventsnetworkdata_CL" - }, - { - "metricName": "Page data received", - "legend": "eventspagedata_CL", - "baseQuery": "eventspagedata_CL" - }, - { - "metricName": "WebTxMetrics data received", - "legend": "Netskope_WebTx_metrics_CL", - "baseQuery": "Netskope_WebTx_metrics_CL" - } - ], - "sampleQueries": [ - { - "description": "Netskope CompromisedCredential Alerts Data", - "query": "alertscompromisedcredentialdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope CTEP Alerts Data", - "query": "alertsctepdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope DLP Alerts Data", - "query": "alertsdlpdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Malsite Alerts Data", - "query": "alertsmalsitedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Malware Alerts Data", - "query": "alertsmalwaredata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Policy Alerts Data", - "query": "alertspolicydata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Quarantine Alerts Data", - "query": "alertsquarantinedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Remediation Alerts Data", - "query": "alertsremediationdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope 
SecurityAssessment Alerts Data", - "query": "alertssecurityassessmentdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Uba Alerts Data", - "query": "alertsubadata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Application Events Data.", - "query": "eventsapplicationdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Audit Events Data", - "query": "eventsauditdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Connection Events Data", - "query": "eventsconnectiondata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Incident Events Data", - "query": "eventsincidentdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Network Events Data", - "query": "eventsnetworkdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Page Events Data", - "query": "eventspagedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope WebTransactions Metrics Data", - "query": "Netskope_WebTx_metrics_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "alertscompromisedcredentialdata_CL", - "lastDataReceivedQuery": "alertscompromisedcredentialdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsctepdata_CL", - "lastDataReceivedQuery": "alertsctepdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsdlpdata_CL", - "lastDataReceivedQuery": "alertsdlpdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsmalsitedata_CL", - "lastDataReceivedQuery": "alertsmalsitedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsmalwaredata_CL", - "lastDataReceivedQuery": "alertsmalwaredata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertspolicydata_CL", - 
"lastDataReceivedQuery": "alertspolicydata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsquarantinedata_CL", - "lastDataReceivedQuery": "alertsquarantinedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsremediationdata_CL", - "lastDataReceivedQuery": "alertsremediationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertssecurityassessmentdata_CL", - "lastDataReceivedQuery": "alertssecurityassessmentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsubadata_CL", - "lastDataReceivedQuery": "alertsubadata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsapplicationdata_CL", - "lastDataReceivedQuery": "eventsapplicationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsauditdata_CL", - "lastDataReceivedQuery": "eventsauditdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsconnectiondata_CL", - "lastDataReceivedQuery": "eventsconnectiondata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsincidentdata_CL", - "lastDataReceivedQuery": "eventsincidentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsnetworkdata_CL", - "lastDataReceivedQuery": "eventsnetworkdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventspagedata_CL", - "lastDataReceivedQuery": "eventspagedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Netskope_WebTx_metrics_CL", - "lastDataReceivedQuery": "Netskope_WebTx_metrics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - 
"value": [ - "alertscompromisedcredentialdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsctepdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsdlpdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsmalsitedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsmalwaredata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertspolicydata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsquarantinedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsremediationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertssecurityassessmentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsubadata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsapplicationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = 
LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsauditdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsconnectiondata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsincidentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsnetworkdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventspagedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "Netskope_WebTx_metrics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Azure Subscription", - "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." - }, - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. 
Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" - }, - { - "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" - }, - { - "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" - }, - { - "description": "**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." 
- }, - { - "description": "**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy." 
- } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "Netskope Data Connector (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Netskope Data Connector (using Azure Functions)", - "publisher": "Netskope", - "descriptionMarkdown": "The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities: \n 1. NetskopeToAzureStorage : \n >* Get the Netskope Alerts and Events data from Netskope and post to Azure storage. \n 2. StorageToSentinel : \n >* Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace. \n 3. WebTxMetrics : \n >* Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.\n\n\n For more details of REST APIs refer to the below documentations: \n 1. Netskope API documentation: \n> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ \n 2. Azure storage documentation: \n> https://learn.microsoft.com/azure/storage/common/storage-introduction \n 3. 
Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview", - "graphQueries": [ - { - "metricName": "Compromised Credential data received", - "legend": "alertscompromisedcredentialdata_CL", - "baseQuery": "alertscompromisedcredentialdata_CL" - }, - { - "metricName": "CTEP data received", - "legend": "alertsctepdata_CL", - "baseQuery": "alertsctepdata_CL" - }, - { - "metricName": "DLP data received", - "legend": "alertsdlpdata_CL", - "baseQuery": "alertsdlpdata_CL" - }, - { - "metricName": "Malsite data received", - "legend": "alertsmalsitedata_CL", - "baseQuery": "alertsmalsitedata_CL" - }, - { - "metricName": "Malware data received", - "legend": "alertsmalwaredata_CL", - "baseQuery": "alertsmalwaredata_CL" - }, - { - "metricName": "Policy data received", - "legend": "alertspolicydata_CL", - "baseQuery": "alertspolicydata_CL" - }, - { - "metricName": "Quarantine data received", - "legend": "alertsquarantinedata_CL", - "baseQuery": "alertsquarantinedata_CL" - }, - { - "metricName": "Remediation data received", - "legend": "alertsremediationdata_CL", - "baseQuery": "alertsremediationdata_CL" - }, - { - "metricName": "SecurityAssessment data received", - "legend": "alertssecurityassessmentdata_CL", - "baseQuery": "alertssecurityassessmentdata_CL" - }, - { - "metricName": "UBA data received", - "legend": "alertsubadata_CL", - "baseQuery": "alertsubadata_CL" - }, - { - "metricName": "Application data received", - "legend": "eventsapplicationdata_CL", - "baseQuery": "eventsapplicationdata_CL" - }, - { - "metricName": "Audit data received", - "legend": "eventsauditdata_CL", - "baseQuery": "eventsauditdata_CL" - }, - { - "metricName": "Connection data received", - "legend": "eventsconnectiondata_CL", - "baseQuery": "eventsconnectiondata_CL" - }, - { - "metricName": "Incident data received", - "legend": "eventsincidentdata_CL", - "baseQuery": "eventsincidentdata_CL" - }, - { - "metricName": "Network data received", 
- "legend": "eventsnetworkdata_CL", - "baseQuery": "eventsnetworkdata_CL" - }, - { - "metricName": "Page data received", - "legend": "eventspagedata_CL", - "baseQuery": "eventspagedata_CL" - }, - { - "metricName": "WebTxMetrics data received", - "legend": "Netskope_WebTx_metrics_CL", - "baseQuery": "Netskope_WebTx_metrics_CL" - } - ], - "dataTypes": [ - { - "name": "alertscompromisedcredentialdata_CL", - "lastDataReceivedQuery": "alertscompromisedcredentialdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsctepdata_CL", - "lastDataReceivedQuery": "alertsctepdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsdlpdata_CL", - "lastDataReceivedQuery": "alertsdlpdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsmalsitedata_CL", - "lastDataReceivedQuery": "alertsmalsitedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsmalwaredata_CL", - "lastDataReceivedQuery": "alertsmalwaredata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertspolicydata_CL", - "lastDataReceivedQuery": "alertspolicydata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsquarantinedata_CL", - "lastDataReceivedQuery": "alertsquarantinedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsremediationdata_CL", - "lastDataReceivedQuery": "alertsremediationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertssecurityassessmentdata_CL", - "lastDataReceivedQuery": "alertssecurityassessmentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "alertsubadata_CL", - "lastDataReceivedQuery": "alertsubadata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - 
"name": "eventsapplicationdata_CL", - "lastDataReceivedQuery": "eventsapplicationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsauditdata_CL", - "lastDataReceivedQuery": "eventsauditdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsconnectiondata_CL", - "lastDataReceivedQuery": "eventsconnectiondata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsincidentdata_CL", - "lastDataReceivedQuery": "eventsincidentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventsnetworkdata_CL", - "lastDataReceivedQuery": "eventsnetworkdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "eventspagedata_CL", - "lastDataReceivedQuery": "eventspagedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "Netskope_WebTx_metrics_CL", - "lastDataReceivedQuery": "Netskope_WebTx_metrics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "alertscompromisedcredentialdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsctepdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsdlpdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsmalsitedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsmalwaredata_CL\n | summarize 
LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertspolicydata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsquarantinedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsremediationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertssecurityassessmentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "alertsubadata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsapplicationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsauditdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsconnectiondata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsincidentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "eventsnetworkdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": 
"IsConnectedQuery", - "value": [ - "eventspagedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "Netskope_WebTx_metrics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Netskope CompromisedCredential Alerts Data", - "query": "alertscompromisedcredentialdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope CTEP Alerts Data", - "query": "alertsctepdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope DLP Alerts Data", - "query": "alertsdlpdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Malsite Alerts Data", - "query": "alertsmalsitedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Malware Alerts Data", - "query": "alertsmalwaredata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Policy Alerts Data", - "query": "alertspolicydata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Quarantine Alerts Data", - "query": "alertsquarantinedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Remediation Alerts Data", - "query": "alertsremediationdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope SecurityAssessment Alerts Data", - "query": "alertssecurityassessmentdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Uba Alerts Data", - "query": "alertsubadata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Application Events Data.", - "query": "eventsapplicationdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Audit Events Data", - "query": "eventsauditdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Connection Events Data", - "query": "eventsconnectiondata_CL\n | 
sort by TimeGenerated desc" - }, - { - "description": "Netskope Incident Events Data", - "query": "eventsincidentdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Network Events Data", - "query": "eventsnetworkdata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Page Events Data", - "query": "eventspagedata_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope WebTransactions Metrics Data", - "query": "Netskope_WebTx_metrics_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Azure Subscription", - "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." - }, - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
- }, - { - "name": "REST API Credentials/permissions", - "description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" - }, - { - "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" - }, - { - "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" - }, - { - "description": "**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." - }, - { - "description": "**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy." - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Netskopev2 data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "Netskope Web Transactions Data Connector (using Azure Functions)", - "publisher": "Netskope", - "descriptionMarkdown": "The [Netskope Web Transactions](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/) data connector provides the functionality of a docker image to pull the Netskope Web Transactions data from google pubsublite, process the data and ingest the processed data to Log 
Analytics. As part of this data connector two tables will be formed in Log Analytics, one for Web Transactions data and other for errors encountered during execution.\n\n\n For more details related to Web Transactions refer to the below documentation: \n 1. Netskope Web Transactions documentation: \n> https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ \n", - "graphQueries": [ - { - "metricName": "Web Transactions data received", - "legend": "NetskopeWebtxData_CL", - "baseQuery": "NetskopeWebtxData_CL" - }, - { - "metricName": "Web Transactions Data Connector Errors", - "legend": "NetskopeWebtxErrors_CL", - "baseQuery": "NetskopeWebtxErrors_CL" - } - ], - "sampleQueries": [ - { - "description": "Netskope Web Transactions Data", - "query": "NetskopeWebtxData_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Web Transactions Data Connector Errors", - "query": "NetskopeWebtxErrors_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "NetskopeWebtxData_CL", - "lastDataReceivedQuery": "NetskopeWebtxData_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "NetskopeWebtxErrors_CL", - "lastDataReceivedQuery": "NetskopeWebtxErrors_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NetskopeWebtxData_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "NetskopeWebtxErrors_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace 
are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Azure Subscription", - "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." - }, - { - "name": "Microsoft.Compute permissions", - "description": "Read and write permissions to Azure VMs is required. [See the documentation to learn more about Azure VMs](https://learn.microsoft.com/azure/virtual-machines/overview)." - }, - { - "name": "TransactionEvents Credentials and Permissions", - "description": "**Netskope Tenant** and **Netskope API Token** is required. [See the documentation to learn more about Transaction Events.](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/)" - }, - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector provides the functionality of ingesting Netskope Web Transactions data using a docker image to be deployed on a virtual machine (Either Azure VM/On Premise VM). 
Check the [Azure VM pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." - }, - { - "description": "**STEP 2 - Choose one from the following two deployment options to deploy the docker based data connector to ingest Netskope Web Transactions data **\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available, as well as the Netskope API Authorization Key(s) [Make sure the token has permissions for transaction events].", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Using the ARM template deploy an Azure VM, install the prerequisites and start execution.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[](https://aka.ms/sentinel-NetskopeV2WebTransactions-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tDocker Image Name (mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions)\n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution) \n\t\tVM Name \n\t\tAuthentication Type \n\t\tAdmin Password or Key \n\t\tDNS Label Prefix \n\t\tUbuntu OS Version \n\t\tLocation \n\t\tVM Size \n\t\tSubnet Name \n\t\tNetwork Security Group Name \n\t\tSecurity Type \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", - "title": "Option 1 - Using Azure Resource Manager (ARM) Template to deploy VM [Recommended]" - }, - { - "description": "Use the following step-by-step instructions to deploy the docker based data connector manually on a previously created virtual machine.", - "title": "Option 2 - Manual Deployment on previously created virtual machine" - }, - { - "description": "**1. Install docker and pull docker Image**\n\n>**NOTE:** Make sure that the VM is linux based (preferably Ubuntu).\n\n1. Firstly you will need to [SSH into the virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux-vm-connect?tabs=Linux).\n2. Now install [docker engine](https://docs.docker.com/engine/install/).\n3. Now pull the docker image from docker hub using the command: 'sudo docker pull mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'.\n4. 
Now to run the docker image use the command: 'sudo docker run -it -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'. You can replace mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions with the image id. Here docker_persistent_volume is the name of the folder that would be created on the vm in which the files will get stored." - }, - { - "description": "**2. Configure the Parameters**\n\n1. Once the docker image is running it will ask for the required parameters.\n2. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution)\n3. Now the execution has started but is in interactive mode, so that shell cannot be stopped. To run it as a background process, stop the current execution by pressing Ctrl+C and then use the command: 'sudo docker run -d -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'." - }, - { - "description": "**3. Stop the docker container**\n\n1. Use the command 'sudo docker container ps' to list the running docker containers. Note down your container id.\n2. Now stop the container using the command: 'sudo docker stop *<*container-id*>*'." 
- } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "Netskope Web Transactions Data Connector (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Netskopev2", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Netskope" - }, - "support": { - "name": "Netskope", - "tier": "Partner", - "link": "https://www.netskope.com/services#support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Netskope Web Transactions Data Connector (using Azure Functions)", - "publisher": "Netskope", - "descriptionMarkdown": "The [Netskope Web Transactions](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/) data connector provides the functionality of a docker image to pull the Netskope Web Transactions data from google pubsublite, process the data and ingest the processed data to Log Analytics. As part of this data connector two tables will be formed in Log Analytics, one for Web Transactions data and other for errors encountered during execution.\n\n\n For more details related to Web Transactions refer to the below documentation: \n 1. 
Netskope Web Transactions documentation: \n> https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ \n", - "graphQueries": [ - { - "metricName": "Web Transactions data received", - "legend": "NetskopeWebtxData_CL", - "baseQuery": "NetskopeWebtxData_CL" - }, - { - "metricName": "Web Transactions Data Connector Errors", - "legend": "NetskopeWebtxErrors_CL", - "baseQuery": "NetskopeWebtxErrors_CL" - } - ], - "dataTypes": [ - { - "name": "NetskopeWebtxData_CL", - "lastDataReceivedQuery": "NetskopeWebtxData_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "NetskopeWebtxErrors_CL", - "lastDataReceivedQuery": "NetskopeWebtxErrors_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "NetskopeWebtxData_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - }, - { - "type": "IsConnectedQuery", - "value": [ - "NetskopeWebtxErrors_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Netskope Web Transactions Data", - "query": "NetskopeWebtxData_CL\n | sort by TimeGenerated desc" - }, - { - "description": "Netskope Web Transactions Data Connector Errors", - "query": "NetskopeWebtxErrors_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Azure Subscription", - "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." - }, - { - "name": "Microsoft.Compute permissions", - "description": "Read and write permissions to Azure VMs is required. [See the documentation to learn more about Azure VMs](https://learn.microsoft.com/azure/virtual-machines/overview)." - }, - { - "name": "TransactionEvents Credentials and Permissions", - "description": "**Netskope Tenant** and **Netskope API Token** is required. [See the documentation to learn more about Transaction Events.](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/)" - }, - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector provides the functionality of ingesting Netskope Web Transactions data using a docker image to be deployed on a virtual machine (Either Azure VM/On Premise VM). Check the [Azure VM pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "**STEP 1 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." - }, - { - "description": "**STEP 2 - Choose one from the following two deployment options to deploy the docker based data connector to ingest Netskope Web Transactions data **\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available, as well as the Netskope API Authorization Key(s) [Make sure the token has permissions for transaction events].", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Using the ARM template deploy an Azure VM, install the prerequisites and start execution.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2WebTransactions-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tDocker Image Name (mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions)\n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution) \n\t\tVM Name \n\t\tAuthentication Type \n\t\tAdmin Password or Key \n\t\tDNS Label Prefix \n\t\tUbuntu OS Version \n\t\tLocation \n\t\tVM Size \n\t\tSubnet Name \n\t\tNetwork Security Group Name \n\t\tSecurity Type \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", - "title": "Option 1 - Using Azure Resource Manager (ARM) Template to deploy VM [Recommended]" - }, - { - "description": "Use the following step-by-step instructions to deploy the docker based data connector manually on a previously created virtual machine.", - "title": "Option 2 - Manual Deployment on previously created virtual machine" - }, - { - "description": "**1. Install docker and pull docker Image**\n\n>**NOTE:** Make sure that the VM is linux based (preferably Ubuntu).\n\n1. Firstly you will need to [SSH into the virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux-vm-connect?tabs=Linux).\n2. Now install [docker engine](https://docs.docker.com/engine/install/).\n3. Now pull the docker image from docker hub using the command: 'sudo docker pull mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'.\n4. Now to run the docker image use the command: 'sudo docker run -it -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'. 
You can replace mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions with the image id. Here docker_persistent_volume is the name of the folder that would be created on the vm in which the files will get stored." - }, - { - "description": "**2. Configure the Parameters**\n\n1. Once the docker image is running it will ask for the required parameters.\n2. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution)\n3. Now the execution has started but is in interactive mode, so that shell cannot be stopped. To run it as a background process, stop the current execution by pressing Ctrl+C and then use the command: 'sudo docker run -d -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'." - }, - { - "description": "**3. Stop the docker container**\n\n1. Use the command 'sudo docker container ps' to list the running docker containers. Note down your container id.\n2. Now stop the container using the command: 'sudo docker stop *<*container-id*>*'." 
- } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.0.2", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Netskopev2", - "publisherDisplayName": "Netskope", - "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nNetskope solution for Microsoft Sentinel enables you to ingest Netskope alerts and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.
\nData Connectors: 2, Parsers: 17, Workbooks: 1, Analytic Rules: 1, Playbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "@{items('For_each_alert')?['properties']?['alertDisplayName']} @{items('For_each_alert')?['properties']?['description']}
", + "Importance": "High", + "Subject": "Netskope Webtx Error Encountered", + "To": "[[parameters('ReceiverEmailId')]" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['outlook']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "outlook": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]", + "connectionName": "[[variables('OutlookConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Outlook')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "NetskopeWebTxErrorEmail", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('OutlookConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('OutlookConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('OutlookConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Netskopev2", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + } + ], + "metadata": { + "title": "NetskopeWebTxErrorEmail", + "description": "This playbook sends email when Netskope Web Transaction data connector error is detected.", + "postDeployment": [ + "**Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Click the MicrosoftSentinelConnection resource", + "2. Click edit API connections", + "3. Click Authorize", + "4. Provide Required Parameters", + "5. Click Save", + "6. Repeat same steps for OutlookConnection", + "**In Microsoft Sentinel, analytics rules should be configured to trigger an incident.**", + "1. Select the **Netskope - WebTx Error Detection** analytic rule you have deployed.", + "2. 
Click on **Edit**", + "3. Go to **Automated response** tab", + "4. Click on **Add new**", + "5. Provide name for your rule, In Actions dropdown select **Run playbook**", + "6. In second dropdown select your deployed playbook", + "7. Click on **Apply**", + "8. Save the Analytic rule." + ], + "tags": [ + "Netskope", + "Email", + "WebTransaction" + ], + "lastUpdateTime": "2025-02-05T18:06:18.848Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "NetskopeWebTxErrorEmail", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Netskopev2 data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Netskope Data Connector (using Azure Functions)", + "publisher": "Netskope", + "descriptionMarkdown": "The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities: \n 1. NetskopeToAzureStorage : \n >* Get the Netskope Alerts and Events data from Netskope and post to Azure storage. \n 2. StorageToSentinel : \n >* Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace. \n 3. WebTxMetrics : \n >* Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.\n\n\n For more details of REST APIs refer to the below documentations: \n 1. Netskope API documentation: \n> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ \n 2. Azure storage documentation: \n> https://learn.microsoft.com/azure/storage/common/storage-introduction \n 3. 
Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview", + "graphQueries": [ + { + "metricName": "Compromised Credential data received", + "legend": "alertscompromisedcredentialdata_CL", + "baseQuery": "alertscompromisedcredentialdata_CL" + }, + { + "metricName": "CTEP data received", + "legend": "alertsctepdata_CL", + "baseQuery": "alertsctepdata_CL" + }, + { + "metricName": "DLP data received", + "legend": "alertsdlpdata_CL", + "baseQuery": "alertsdlpdata_CL" + }, + { + "metricName": "Malsite data received", + "legend": "alertsmalsitedata_CL", + "baseQuery": "alertsmalsitedata_CL" + }, + { + "metricName": "Malware data received", + "legend": "alertsmalwaredata_CL", + "baseQuery": "alertsmalwaredata_CL" + }, + { + "metricName": "Policy data received", + "legend": "alertspolicydata_CL", + "baseQuery": "alertspolicydata_CL" + }, + { + "metricName": "Quarantine data received", + "legend": "alertsquarantinedata_CL", + "baseQuery": "alertsquarantinedata_CL" + }, + { + "metricName": "Remediation data received", + "legend": "alertsremediationdata_CL", + "baseQuery": "alertsremediationdata_CL" + }, + { + "metricName": "SecurityAssessment data received", + "legend": "alertssecurityassessmentdata_CL", + "baseQuery": "alertssecurityassessmentdata_CL" + }, + { + "metricName": "UBA data received", + "legend": "alertsubadata_CL", + "baseQuery": "alertsubadata_CL" + }, + { + "metricName": "Application data received", + "legend": "eventsapplicationdata_CL", + "baseQuery": "eventsapplicationdata_CL" + }, + { + "metricName": "Audit data received", + "legend": "eventsauditdata_CL", + "baseQuery": "eventsauditdata_CL" + }, + { + "metricName": "Connection data received", + "legend": "eventsconnectiondata_CL", + "baseQuery": "eventsconnectiondata_CL" + }, + { + "metricName": "Incident data received", + "legend": "eventsincidentdata_CL", + "baseQuery": "eventsincidentdata_CL" + }, + { + "metricName": "Network data received", 
+ "legend": "eventsnetworkdata_CL", + "baseQuery": "eventsnetworkdata_CL" + }, + { + "metricName": "Page data received", + "legend": "eventspagedata_CL", + "baseQuery": "eventspagedata_CL" + }, + { + "metricName": "WebTxMetrics data received", + "legend": "Netskope_WebTx_metrics_CL", + "baseQuery": "Netskope_WebTx_metrics_CL" + } + ], + "sampleQueries": [ + { + "description": "Netskope CompromisedCredential Alerts Data", + "query": "alertscompromisedcredentialdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope CTEP Alerts Data", + "query": "alertsctepdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope DLP Alerts Data", + "query": "alertsdlpdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Malsite Alerts Data", + "query": "alertsmalsitedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Malware Alerts Data", + "query": "alertsmalwaredata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Policy Alerts Data", + "query": "alertspolicydata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Quarantine Alerts Data", + "query": "alertsquarantinedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Remediation Alerts Data", + "query": "alertsremediationdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope SecurityAssessment Alerts Data", + "query": "alertssecurityassessmentdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Uba Alerts Data", + "query": "alertsubadata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Application Events Data.", + "query": "eventsapplicationdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Audit Events Data", + "query": "eventsauditdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Connection Events Data", + "query": "eventsconnectiondata_CL\n | sort by TimeGenerated 
desc" + }, + { + "description": "Netskope Incident Events Data", + "query": "eventsincidentdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Network Events Data", + "query": "eventsnetworkdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Page Events Data", + "query": "eventspagedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope WebTransactions Metrics Data", + "query": "Netskope_WebTx_metrics_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "alertscompromisedcredentialdata_CL", + "lastDataReceivedQuery": "alertscompromisedcredentialdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsctepdata_CL", + "lastDataReceivedQuery": "alertsctepdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsdlpdata_CL", + "lastDataReceivedQuery": "alertsdlpdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsmalsitedata_CL", + "lastDataReceivedQuery": "alertsmalsitedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsmalwaredata_CL", + "lastDataReceivedQuery": "alertsmalwaredata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertspolicydata_CL", + "lastDataReceivedQuery": "alertspolicydata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsquarantinedata_CL", + "lastDataReceivedQuery": "alertsquarantinedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsremediationdata_CL", + "lastDataReceivedQuery": "alertsremediationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertssecurityassessmentdata_CL", + "lastDataReceivedQuery": "alertssecurityassessmentdata_CL\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" + }, + { + "name": "alertsubadata_CL", + "lastDataReceivedQuery": "alertsubadata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsapplicationdata_CL", + "lastDataReceivedQuery": "eventsapplicationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsauditdata_CL", + "lastDataReceivedQuery": "eventsauditdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsconnectiondata_CL", + "lastDataReceivedQuery": "eventsconnectiondata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsincidentdata_CL", + "lastDataReceivedQuery": "eventsincidentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsnetworkdata_CL", + "lastDataReceivedQuery": "eventsnetworkdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventspagedata_CL", + "lastDataReceivedQuery": "eventspagedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Netskope_WebTx_metrics_CL", + "lastDataReceivedQuery": "Netskope_WebTx_metrics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "alertscompromisedcredentialdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsctepdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsdlpdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsmalsitedata_CL\n | summarize 
LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsmalwaredata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertspolicydata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsquarantinedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsremediationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertssecurityassessmentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsubadata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsapplicationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsauditdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsconnectiondata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsincidentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": 
"IsConnectedQuery", + "value": [ + "eventsnetworkdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventspagedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Netskope_WebTx_metrics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "REST API Credentials/permissions", + "description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." + }, + { + "description": "**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy." + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Netskopev2", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Netskope Data Connector (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Netskopev2", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Netskope Data Connector (using Azure Functions)", + "publisher": "Netskope", + "descriptionMarkdown": "The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities: \n 1. NetskopeToAzureStorage : \n >* Get the Netskope Alerts and Events data from Netskope and post to Azure storage. \n 2. StorageToSentinel : \n >* Get the Netskope Alerts and Events data from Azure storage and post to custom log table in log analytics workspace. \n 3. WebTxMetrics : \n >* Get the WebTxMetrics data from Netskope and post to custom log table in log analytics workspace.\n\n\n For more details of REST APIs refer to the below documentations: \n 1. 
Netskope API documentation: \n> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/ \n 2. Azure storage documentation: \n> https://learn.microsoft.com/azure/storage/common/storage-introduction \n 3. Microsoft log analytic documentation: \n> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview", + "graphQueries": [ + { + "metricName": "Compromised Credential data received", + "legend": "alertscompromisedcredentialdata_CL", + "baseQuery": "alertscompromisedcredentialdata_CL" + }, + { + "metricName": "CTEP data received", + "legend": "alertsctepdata_CL", + "baseQuery": "alertsctepdata_CL" + }, + { + "metricName": "DLP data received", + "legend": "alertsdlpdata_CL", + "baseQuery": "alertsdlpdata_CL" + }, + { + "metricName": "Malsite data received", + "legend": "alertsmalsitedata_CL", + "baseQuery": "alertsmalsitedata_CL" + }, + { + "metricName": "Malware data received", + "legend": "alertsmalwaredata_CL", + "baseQuery": "alertsmalwaredata_CL" + }, + { + "metricName": "Policy data received", + "legend": "alertspolicydata_CL", + "baseQuery": "alertspolicydata_CL" + }, + { + "metricName": "Quarantine data received", + "legend": "alertsquarantinedata_CL", + "baseQuery": "alertsquarantinedata_CL" + }, + { + "metricName": "Remediation data received", + "legend": "alertsremediationdata_CL", + "baseQuery": "alertsremediationdata_CL" + }, + { + "metricName": "SecurityAssessment data received", + "legend": "alertssecurityassessmentdata_CL", + "baseQuery": "alertssecurityassessmentdata_CL" + }, + { + "metricName": "UBA data received", + "legend": "alertsubadata_CL", + "baseQuery": "alertsubadata_CL" + }, + { + "metricName": "Application data received", + "legend": "eventsapplicationdata_CL", + "baseQuery": "eventsapplicationdata_CL" + }, + { + "metricName": "Audit data received", + "legend": "eventsauditdata_CL", + "baseQuery": "eventsauditdata_CL" + }, + { + "metricName": "Connection data received", + "legend": 
"eventsconnectiondata_CL", + "baseQuery": "eventsconnectiondata_CL" + }, + { + "metricName": "Incident data received", + "legend": "eventsincidentdata_CL", + "baseQuery": "eventsincidentdata_CL" + }, + { + "metricName": "Network data received", + "legend": "eventsnetworkdata_CL", + "baseQuery": "eventsnetworkdata_CL" + }, + { + "metricName": "Page data received", + "legend": "eventspagedata_CL", + "baseQuery": "eventspagedata_CL" + }, + { + "metricName": "WebTxMetrics data received", + "legend": "Netskope_WebTx_metrics_CL", + "baseQuery": "Netskope_WebTx_metrics_CL" + } + ], + "dataTypes": [ + { + "name": "alertscompromisedcredentialdata_CL", + "lastDataReceivedQuery": "alertscompromisedcredentialdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsctepdata_CL", + "lastDataReceivedQuery": "alertsctepdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsdlpdata_CL", + "lastDataReceivedQuery": "alertsdlpdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsmalsitedata_CL", + "lastDataReceivedQuery": "alertsmalsitedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsmalwaredata_CL", + "lastDataReceivedQuery": "alertsmalwaredata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertspolicydata_CL", + "lastDataReceivedQuery": "alertspolicydata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsquarantinedata_CL", + "lastDataReceivedQuery": "alertsquarantinedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsremediationdata_CL", + "lastDataReceivedQuery": "alertsremediationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertssecurityassessmentdata_CL", + "lastDataReceivedQuery": 
"alertssecurityassessmentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "alertsubadata_CL", + "lastDataReceivedQuery": "alertsubadata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsapplicationdata_CL", + "lastDataReceivedQuery": "eventsapplicationdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsauditdata_CL", + "lastDataReceivedQuery": "eventsauditdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsconnectiondata_CL", + "lastDataReceivedQuery": "eventsconnectiondata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsincidentdata_CL", + "lastDataReceivedQuery": "eventsincidentdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventsnetworkdata_CL", + "lastDataReceivedQuery": "eventsnetworkdata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "eventspagedata_CL", + "lastDataReceivedQuery": "eventspagedata_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Netskope_WebTx_metrics_CL", + "lastDataReceivedQuery": "Netskope_WebTx_metrics_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "alertscompromisedcredentialdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsctepdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsdlpdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + 
"type": "IsConnectedQuery", + "value": [ + "alertsmalsitedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsmalwaredata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertspolicydata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsquarantinedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsremediationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertssecurityassessmentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "alertsubadata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsapplicationdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsauditdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsconnectiondata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsincidentdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project 
IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventsnetworkdata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "eventspagedata_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Netskope_WebTx_metrics_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Netskope CompromisedCredential Alerts Data", + "query": "alertscompromisedcredentialdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope CTEP Alerts Data", + "query": "alertsctepdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope DLP Alerts Data", + "query": "alertsdlpdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Malsite Alerts Data", + "query": "alertsmalsitedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Malware Alerts Data", + "query": "alertsmalwaredata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Policy Alerts Data", + "query": "alertspolicydata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Quarantine Alerts Data", + "query": "alertsquarantinedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Remediation Alerts Data", + "query": "alertsremediationdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope SecurityAssessment Alerts Data", + "query": "alertssecurityassessmentdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Uba Alerts Data", + "query": "alertsubadata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Application Events Data.", + "query": "eventsapplicationdata_CL\n 
| sort by TimeGenerated desc" + }, + { + "description": "Netskope Audit Events Data", + "query": "eventsauditdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Connection Events Data", + "query": "eventsconnectiondata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Incident Events Data", + "query": "eventsincidentdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Network Events Data", + "query": "eventsnetworkdata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Page Events Data", + "query": "eventspagedata_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope WebTransactions Metrics Data", + "query": "Netskope_WebTx_metrics_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group." 
+ }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Netskope Tenant** and **Netskope API Token** is required. See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. 
The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. 
Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." + }, + { + "description": "**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s).", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy." + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Netskopev2 data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "Netskope Web Transactions Data Connector (using Azure Functions)", + "publisher": "Netskope", + "descriptionMarkdown": "The [Netskope Web Transactions](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/) data connector provides the functionality of a docker image to pull the Netskope Web Transactions data from google pubsublite, process the data and ingest the processed data to Log 
Analytics. As part of this data connector two tables will be formed in Log Analytics, one for Web Transactions data and other for errors encountered during execution.\n\n\n For more details related to Web Transactions refer to the below documentation: \n 1. Netskope Web Transactions documentation: \n> https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ \n", + "graphQueries": [ + { + "metricName": "Web Transactions data received", + "legend": "NetskopeWebtxData_CL", + "baseQuery": "NetskopeWebtxData_CL" + }, + { + "metricName": "Web Transactions Data Connector Errors", + "legend": "NetskopeWebtxErrors_CL", + "baseQuery": "NetskopeWebtxErrors_CL" + } + ], + "sampleQueries": [ + { + "description": "Netskope Web Transactions Data", + "query": "NetskopeWebtxData_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Web Transactions Data Connector Errors", + "query": "NetskopeWebtxErrors_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "NetskopeWebtxData_CL", + "lastDataReceivedQuery": "NetskopeWebtxData_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeWebtxErrors_CL", + "lastDataReceivedQuery": "NetskopeWebtxErrors_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "NetskopeWebtxData_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "NetskopeWebtxErrors_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace 
are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Compute permissions", + "description": "Read and write permissions to Azure VMs is required. [See the documentation to learn more about Azure VMs](https://learn.microsoft.com/azure/virtual-machines/overview)." + }, + { + "name": "TransactionEvents Credentials and Permissions", + "description": "**Netskope Tenant** and **Netskope API Token** is required. [See the documentation to learn more about Transaction Events.](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/)" + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector provides the functionality of ingesting Netskope Web Transactions data using a docker image to be deployed on a virtual machine (Either Azure VM/On Premise VM). 
Check the [Azure VM pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." + }, + { + "description": "**STEP 2 - Choose one from the following two deployment options to deploy the docker based data connector to ingest Netskope Web Transactions data **\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available, as well as the Netskope API Authorization Key(s) [Make sure the token has permissions for transaction events].", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Using the ARM template deploy an Azure VM, install the prerequisites and start execution.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[](https://aka.ms/sentinel-NetskopeV2WebTransactions-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tDocker Image Name (mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions)\n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution) \n\t\tVM Name \n\t\tAuthentication Type \n\t\tAdmin Password or Key \n\t\tDNS Label Prefix \n\t\tUbuntu OS Version \n\t\tLocation \n\t\tVM Size \n\t\tSubnet Name \n\t\tNetwork Security Group Name \n\t\tSecurity Type \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", + "title": "Option 1 - Using Azure Resource Manager (ARM) Template to deploy VM [Recommended]" + }, + { + "description": "Use the following step-by-step instructions to deploy the docker based data connector manually on a previously created virtual machine.", + "title": "Option 2 - Manual Deployment on previously created virtual machine" + }, + { + "description": "**1. Install docker and pull docker Image**\n\n>**NOTE:** Make sure that the VM is linux based (preferably Ubuntu).\n\n1. Firstly you will need to [SSH into the virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux-vm-connect?tabs=Linux).\n2. Now install [docker engine](https://docs.docker.com/engine/install/).\n3. Now pull the docker image from docker hub using the command: 'sudo docker pull mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'.\n4. 
Now to run the docker image use the command: 'sudo docker run -it -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'. You can replace mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions with the image id. Here docker_persistent_volume is the name of the folder that would be created on the vm in which the files will get stored." + }, + { + "description": "**2. Configure the Parameters**\n\n1. Once the docker image is running it will ask for the required parameters.\n2. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution)\n3. Now the execution has started but is in interactive mode, so that shell cannot be stopped. To run it as a background process, stop the current execution by pressing Ctrl+C and then use the command: 'sudo docker run -d -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'." + }, + { + "description": "**3. Stop the docker container**\n\n1. Use the command 'sudo docker container ps' to list the running docker containers. Note down your container id.\n2. Now stop the container using the command: 'sudo docker stop *<*container-id*>*'." 
+ } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Netskopev2", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "Netskope Web Transactions Data Connector (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Netskopev2", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Netskope Web Transactions Data Connector (using Azure Functions)", + "publisher": "Netskope", + "descriptionMarkdown": "The [Netskope Web Transactions](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/) data connector provides the functionality of a docker image to pull the Netskope Web Transactions data from google pubsublite, process the data and ingest the processed data to Log Analytics. As part of this data connector two tables will be formed in Log Analytics, one for Web Transactions data and other for errors encountered during execution.\n\n\n For more details related to Web Transactions refer to the below documentation: \n 1. 
Netskope Web Transactions documentation: \n> https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/ \n", + "graphQueries": [ + { + "metricName": "Web Transactions data received", + "legend": "NetskopeWebtxData_CL", + "baseQuery": "NetskopeWebtxData_CL" + }, + { + "metricName": "Web Transactions Data Connector Errors", + "legend": "NetskopeWebtxErrors_CL", + "baseQuery": "NetskopeWebtxErrors_CL" + } + ], + "dataTypes": [ + { + "name": "NetskopeWebtxData_CL", + "lastDataReceivedQuery": "NetskopeWebtxData_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeWebtxErrors_CL", + "lastDataReceivedQuery": "NetskopeWebtxErrors_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "NetskopeWebtxData_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "NetskopeWebtxErrors_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Netskope Web Transactions Data", + "query": "NetskopeWebtxData_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Netskope Web Transactions Data Connector Errors", + "query": "NetskopeWebtxErrors_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Compute permissions", + "description": "Read and write permissions to Azure VMs is required. [See the documentation to learn more about Azure VMs](https://learn.microsoft.com/azure/virtual-machines/overview)." + }, + { + "name": "TransactionEvents Credentials and Permissions", + "description": "**Netskope Tenant** and **Netskope API Token** is required. [See the documentation to learn more about Transaction Events.](https://docs.netskope.com/en/netskope-help/data-security/transaction-events/netskope-transaction-events/)" + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector provides the functionality of ingesting Netskope Web Transactions data using a docker image to be deployed on a virtual machine (Either Azure VM/On Premise VM). Check the [Azure VM pricing page](https://azure.microsoft.com/pricing/details/virtual-machines/linux) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage." + }, + { + "description": "**STEP 2 - Choose one from the following two deployment options to deploy the docker based data connector to ingest Netskope Web Transactions data **\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available, as well as the Netskope API Authorization Key(s) [Make sure the token has permissions for transaction events].", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Using the ARM template deploy an Azure VM, install the prerequisites and start execution.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinel-NetskopeV2WebTransactions-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tDocker Image Name (mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions)\n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution) \n\t\tVM Name \n\t\tAuthentication Type \n\t\tAdmin Password or Key \n\t\tDNS Label Prefix \n\t\tUbuntu OS Version \n\t\tLocation \n\t\tVM Size \n\t\tSubnet Name \n\t\tNetwork Security Group Name \n\t\tSecurity Type \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.", + "title": "Option 1 - Using Azure Resource Manager (ARM) Template to deploy VM [Recommended]" + }, + { + "description": "Use the following step-by-step instructions to deploy the docker based data connector manually on a previously created virtual machine.", + "title": "Option 2 - Manual Deployment on previously created virtual machine" + }, + { + "description": "**1. Install docker and pull docker Image**\n\n>**NOTE:** Make sure that the VM is linux based (preferably Ubuntu).\n\n1. Firstly you will need to [SSH into the virtual machine](https://learn.microsoft.com/azure/virtual-machines/linux-vm-connect?tabs=Linux).\n2. Now install [docker engine](https://docs.docker.com/engine/install/).\n3. Now pull the docker image from docker hub using the command: 'sudo docker pull mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'.\n4. Now to run the docker image use the command: 'sudo docker run -it -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'. 
You can replace mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions with the image id. Here docker_persistent_volume is the name of the folder that would be created on the vm in which the files will get stored." + }, + { + "description": "**2. Configure the Parameters**\n\n1. Once the docker image is running it will ask for the required parameters.\n2. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSeek Timestamp (The epoch timestamp that you want to seek the pubsublite pointer, can be left empty) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBackoff Retry Count (The retry count for token related errors before restarting the execution.) \n\t\tBackoff Sleep Time (Number of seconds to sleep before retrying) \n\t\tIdle Timeout (Number of seconds to wait for Web Transactions Data before restarting execution)\n3. Now the execution has started but is in interactive mode, so that shell cannot be stopped. To run it as a background process, stop the current execution by pressing Ctrl+C and then use the command: 'sudo docker run -d -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions'." + }, + { + "description": "**3. Stop the docker container**\n\n1. Use the command 'sudo docker container ps' to list the running docker containers. Note down your container id.\n2. Now stop the container using the command: 'sudo docker stop *<*container-id*>*'." 
+ } + ], + "id": "[variables('_uiConfigId2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition3'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", + "displayName": "Netskope Alerts and Events", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "NetskopeCCP", + "title": "Netskope Alerts and Events", + "publisher": "Netskope", + "descriptionMarkdown": "Netskope Security Alerts and Events", + "graphQueriesTableName": "NetskopeAlerts_CL", + "graphQueries": [ + { + "metricName": "Total Netskope Alerts received", + "legend": "Netskope Alerts", + "baseQuery": "NetskopeAlerts_CL" + }, + { + "metricName": "Total Netskope Application Events", + "legend": "Netskope Application Events", + "baseQuery": "NetskopeEventsApplication_CL" + }, + { + "metricName": "Total Netskope Audit Events", + "legend": "Netskope Audit Events", + 
"baseQuery": "NetskopeEventsAudit_CL" + }, + { + "metricName": "Total Netskope Connection Events", + "legend": "Netskope Connection Events", + "baseQuery": "NetskopeEventsConnection_CL" + }, + { + "metricName": "Total Netskope DLP Events", + "legend": "Netskope DLP Events", + "baseQuery": "NetskopeEventsDLP_CL" + }, + { + "metricName": "Total Netskope Endpoint Events", + "legend": "Netskope Endpoint Events", + "baseQuery": "NetskopeEventsEndpoint_CL" + }, + { + "metricName": "Total Netskope Infrastructure Events", + "legend": "Netskope Infrastructure Events", + "baseQuery": "NetskopeEventsInfrastructure_CL" + }, + { + "metricName": "Total Netskope Network Events", + "legend": "Netskope Network Events", + "baseQuery": "NetskopeEventsNetwork_CL" + }, + { + "metricName": "Total Netskope Page Events", + "legend": "Netskope Page Events", + "baseQuery": "NetskopeEventsPage_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Netskope events", + "query": "NetskopeAlerts_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "NetskopeAlerts_CL", + "lastDataReceivedQuery": "NetskopeAlerts_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsApplication_CL", + "lastDataReceivedQuery": "NetskopeEventsApplication_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsAudit_CL", + "lastDataReceivedQuery": "NetskopeEventsAudit_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsConnection_CL", + "lastDataReceivedQuery": "NetskopeEventsConnection_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsDLP_CL", + "lastDataReceivedQuery": "NetskopeEventsDLP_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n 
| where isnotempty(Time)" + }, + { + "name": "NetskopeEventsEndpoint_CL", + "lastDataReceivedQuery": "NetskopeEventsEndpoint_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsInfrastructure_CL", + "lastDataReceivedQuery": "NetskopeEventsInfrastructure_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsNetwork_CL", + "lastDataReceivedQuery": "NetskopeEventsNetwork_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsPage_CL", + "lastDataReceivedQuery": "NetskopeEventsPage_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Netskope organisation url", + "description": "The Netskope data connector requires you to provide your organisation url. You can find your organisation url by signing into the Netskope portal." + }, + { + "name": "Netskope API key", + "description": "The Netskope data connector requires you to provide a valid API key. You can create one by following the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/)." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a Netskope API key.", + "description": "Follow the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/) for guidance on this step." 
+ }, + { + "title": "STEP 2 - Enter your Netskope product Details", + "description": "Enter your Netskope organisation url & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Organisation URL", + "placeholder": "Enter your organisation url", + "type": "text", + "name": "OrganisationURL" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Key", + "placeholder": "Enter your API Key", + "type": "password", + "name": "apikey" + } + }, + { + "type": "InstructionStepsGroup", + "parameters": { + "instructionSteps": [ + { + "title": "OPTIONAL: Specify the Index the API uses.", + "description": "**Configuring the index is optional and only required in advanced scenario's.** \n Netskope uses an [index](https://docs.netskope.com/en/using-the-rest-api-v2-dataexport-iterator-endpoints/#how-do-iterator-endpoints-function) to retrieve events. In some advanced cases (consuming the event in multiple Sentinel workspaces, or pre-fatiguing the index to only retrieve recent data), a customer might want to have direct controll over the index.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Index", + "placeholder": "NetskopeCCP", + "type": "text", + "name": "Index" + } + } + ] + } + ] + } + } + ] + }, + { + "title": "STEP 3 - Click Connect", + "description": "Verify all fields above were filled in correctly. 
Press the Connect to connect Netskope to Sentinel.", + "instructions": [ + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections3')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "Netskope_DCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId3')]", + "streamDeclarations": { + "Custom-NetskopeAlerts": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "account_id", + "type": "string" + }, + { + "name": "account_name", + "type": "string" + }, + { + "name": "acked", + 
"type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "activity", + "type": "string" + }, + { + "name": "alert", + "type": "string" + }, + { + "name": "alert_id", + "type": "string" + }, + { + "name": "alert_name", + "type": "string" + }, + { + "name": "alert_type", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "app_activity", + "type": "string" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "appsuite", + "type": "string" + }, + { + "name": "asset_id", + "type": "string" + }, + { + "name": "asset_object_id", + "type": "string" + }, + { + "name": "breach_date", + "type": "int" + }, + { + "name": "breach_description", + "type": "string" + }, + { + "name": "breach_id", + "type": "string" + }, + { + "name": "breach_media_references", + "type": "string" + }, + { + "name": "breach_score", + "type": "string" + }, + { + "name": "breach_target_references", + "type": "string" + }, + { + "name": "browser", + "type": "string" + }, + { + "name": "browser_session_id", + "type": "int" + }, + { + "name": "browser_version", + "type": "string" + }, + { + "name": "bypass_traffic", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "compliance_standards", + "type": "dynamic" + }, + { + "name": "conn_duration", + "type": "int" + }, + { + "name": "conn_endtime", + "type": "int" + }, + { + "name": "conn_starttime", + "type": "int" + }, + { + "name": "connection_id", + "type": "int" + }, + { + "name": "CononicalName", + "type": "string" + }, + { + "name": "count", + "type": "int" + }, + { + "name": "data_type", + "type": "string" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "device_classification", + "type": "string" + }, + { + "name": "dlp_file", + 
"type": "string" + }, + { + "name": "dlp_incident_id", + "type": "int" + }, + { + "name": "dlp_is_unique_count", + "type": "string" + }, + { + "name": "dlp_mail_parent_id", + "type": "string" + }, + { + "name": "dlp_parent_id", + "type": "int" + }, + { + "name": "dlp_profile", + "type": "string" + }, + { + "name": "dlp_rule", + "type": "string" + }, + { + "name": "dlp_rule_count", + "type": "int" + }, + { + "name": "dlp_rule_severity", + "type": "string" + }, + { + "name": "dlp_unique_count", + "type": "int" + }, + { + "name": "domain", + "type": "string" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_timezone", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "email_source", + "type": "string" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "evt_src_chnl", + "type": "string" + }, + { + "name": "exposure", + "type": "string" + }, + { + "name": "external_collaborator_count", + "type": "int" + }, + { + "name": "external_email", + "type": "int" + }, + { + "name": "file_cls_encrypted", + "type": "boolean" + }, + { + "name": "file_lang", + "type": "string" + }, + { + "name": "file_path", + "type": "string" + }, + { + "name": "file_size", + "type": "int" + }, + { + "name": "file_type", + "type": "string" + }, + { + "name": "from_user", + "type": "string" + }, + { + "name": "fromlogs", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "http_transaction_count", + "type": "int" + }, + { + "name": "iaas_asset_tags", + "type": "dynamic" + }, + { + 
"name": "iaas_remediated", + "type": "string" + }, + { + "name": "instance", + "type": "string" + }, + { + "name": "instance_id", + "type": "string" + }, + { + "name": "internal_collaborator_count", + "type": "int" + }, + { + "name": "justification_reason", + "type": "string" + }, + { + "name": "justification_type", + "type": "string" + }, + { + "name": "last_app", + "type": "string" + }, + { + "name": "last_country", + "type": "string" + }, + { + "name": "last_device", + "type": "string" + }, + { + "name": "last_location", + "type": "string" + }, + { + "name": "last_region", + "type": "string" + }, + { + "name": "last_timestamp", + "type": "int" + }, + { + "name": "log_file_name", + "type": "string" + }, + { + "name": "malicious", + "type": "string" + }, + { + "name": "malsite_category", + "type": "dynamic" + }, + { + "name": "malsite_country", + "type": "string" + }, + { + "name": "malsite_id", + "type": "string" + }, + { + "name": "malsite_ip_host", + "type": "string" + }, + { + "name": "malsite_latitude", + "type": "int" + }, + { + "name": "malsite_longitude", + "type": "int" + }, + { + "name": "malsite_region", + "type": "string" + }, + { + "name": "managed_app", + "type": "string" + }, + { + "name": "managementID", + "type": "string" + }, + { + "name": "matched_username", + "type": "string" + }, + { + "name": "md5", + "type": "string" + }, + { + "name": "mime_type", + "type": "string" + }, + { + "name": "modified", + "type": "int" + }, + { + "name": "netskope_activity", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "notify_template", + "type": "string" + }, + { + "name": "nsdeviceuid", + "type": "string" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "object", + "type": "string" + }, + { + "name": "object_id", + "type": "string" + }, + { + "name": "object_type", + "type": "string" + }, + { + "name": "org", + "type": "string" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + 
"name": "orig_ty", + "type": "string" + }, + { + "name": "orignal_file_path", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "other_categories", + "type": "dynamic" + }, + { + "name": "outer_doc_type", + "type": "int" + }, + { + "name": "owner", + "type": "string" + }, + { + "name": "page", + "type": "string" + }, + { + "name": "page_site", + "type": "string" + }, + { + "name": "parent_id", + "type": "string" + }, + { + "name": "password_type", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { + "name": "policy_actions", + "type": "dynamic" + }, + { + "name": "policy_id", + "type": "string" + }, + { + "name": "profile_id", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "referer", + "type": "string" + }, + { + "name": "region_id", + "type": "string" + }, + { + "name": "region_name", + "type": "string" + }, + { + "name": "req_cnt", + "type": "int" + }, + { + "name": "request_id", + "type": "int" + }, + { + "name": "resource_category", + "type": "string" + }, + { + "name": "resource_group", + "type": "string" + }, + { + "name": "resp_cnt", + "type": "int" + }, + { + "name": "sa_profile_id", + "type": "int" + }, + { + "name": "sa_profile_name", + "type": "string" + }, + { + "name": "sa_rule_id", + "type": "string" + }, + { + "name": "sa_rule_name", + "type": "string" + }, + { + "name": "sa_rule_severity", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "sanctioned_instance", + "type": "string" + }, + { + "name": "scan_type", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "sessionid", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "severity_level", + "type": "string" + }, + { + "name": "severity_level_id", + "type": "int" + }, + { + "name": 
"sfwder", + "type": "string" + }, + { + "name": "sha256", + "type": "string" + }, + { + "name": "shared_domains", + "type": "string" + }, + { + "name": "shared_with", + "type": "string" + }, + { + "name": "site", + "type": "string" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_time", + "type": "string" + }, + { + "name": "src_timezone", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "suppression_end_time", + "type": "int" + }, + { + "name": "suppression_key", + "type": "string" + }, + { + "name": "suppression_start_time", + "type": "int" + }, + { + "name": "telemetry_app", + "type": "string" + }, + { + "name": "threat_match_field", + "type": "string" + }, + { + "name": "threat_match_value", + "type": "string" + }, + { + "name": "threat_source_id", + "type": "int" + }, + { + "name": "threshold", + "type": "int" + }, + { + "name": "threshold_time", + "type": "int" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "title", + "type": "string" + }, + { + "name": "to_object", + "type": "string" + }, + { + "name": "total_collaborator_count", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "transaction_id", + "type": "int" + }, + { + "name": "true_obj_category", + "type": "string" + }, + { + "name": "true_obj_type", + "type": "string" + }, + { + "name": "tss_mode", + "type": "string" + }, + { + "name": "two_factor_auth", + "type": "string" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "universal_connector", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "url", + "type": 
"string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "user_generated", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "useragent", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + }, + { + "name": "web_universal_connector", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsApplication": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "activity", + "type": "string" + }, + { + "name": "alert", + "type": "string" + }, + { + "name": "alert_type", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "app_activity", + "type": "string" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "appsuite", + "type": "string" + }, + { + "name": "audit_category", + "type": "string" + }, + { + "name": "audit_type", + "type": "string" + }, + { + "name": "browser", + "type": "string" + }, + { + "name": "browser_session_id", + "type": "int" + }, + { + "name": "browser_version", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "channel_id", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "conn_duration", + "type": "int" + }, + { + "name": "connection_id", + "type": "int" + }, + { + "name": "CononicalName", + "type": "string" + }, + { + "name": "count", + "type": "int" + }, + { + "name": "custom_connector", + "type": "string" + }, + { + "name": "data_center", + "type": "string" + }, + { + "name": "data_type", + "type": "string" + }, + { + "name": "device", + "type": "string" + }, + { + "name": 
"device_classification", + "type": "string" + }, + { + "name": "dlp_file", + "type": "string" + }, + { + "name": "dlp_incident_id", + "type": "int" + }, + { + "name": "dlp_is_unique_count", + "type": "string" + }, + { + "name": "dlp_mail_parent_id", + "type": "string" + }, + { + "name": "dlp_parent_id", + "type": "int" + }, + { + "name": "dlp_profile", + "type": "string" + }, + { + "name": "dlp_rule", + "type": "string" + }, + { + "name": "dlp_rule_count", + "type": "int" + }, + { + "name": "dlp_rule_severity", + "type": "string" + }, + { + "name": "dlp_unique_count", + "type": "int" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_timezone", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "exposure", + "type": "string" + }, + { + "name": "file_lang", + "type": "string" + }, + { + "name": "file_path", + "type": "string" + }, + { + "name": "file_size", + "type": "int" + }, + { + "name": "file_type", + "type": "string" + }, + { + "name": "from_user", + "type": "string" + }, + { + "name": "from_user_category", + "type": "string" + }, + { + "name": "fromlogs", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "instance", + "type": "string" + }, + { + "name": "instance_id", + "type": "string" + }, + { + "name": "internal_collaborator_count", + "type": "int" + }, + { + "name": "log_file_name", + "type": "string" + }, + { + "name": "logintype", + "type": "string" + }, + { + "name": "loginurl", + "type": "string" + }, + { + "name": "managed_app", + "type": "string" + }, 
+ { + "name": "managementID", + "type": "string" + }, + { + "name": "md5", + "type": "string" + }, + { + "name": "mime_type", + "type": "string" + }, + { + "name": "modified", + "type": "int" + }, + { + "name": "netskope_activity", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "notify_template", + "type": "string" + }, + { + "name": "nsdeviceuid", + "type": "string" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "object", + "type": "string" + }, + { + "name": "object_id", + "type": "string" + }, + { + "name": "object_type", + "type": "string" + }, + { + "name": "org", + "type": "string" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "orignal_file_path", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "other_categories", + "type": "dynamic" + }, + { + "name": "outer_doc_type", + "type": "int" + }, + { + "name": "owner", + "type": "string" + }, + { + "name": "page", + "type": "string" + }, + { + "name": "page_site", + "type": "string" + }, + { + "name": "parent_id", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { + "name": "policy_id", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "referer", + "type": "string" + }, + { + "name": "req_cnt", + "type": "int" + }, + { + "name": "request_id", + "type": "int" + }, + { + "name": "resp_cnt", + "type": "int" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "sanctioned_instance", + "type": "string" + }, + { + "name": "scan_type", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "sessionid", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "sfwder", + "type": "string" + }, + { + "name": "sha256", + "type": "string" + }, + { + 
"name": "shared_with", + "type": "string" + }, + { + "name": "site", + "type": "string" + }, + { + "name": "smtp_to", + "type": "dynamic" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_time", + "type": "string" + }, + { + "name": "src_timezone", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "suppression_end_time", + "type": "int" + }, + { + "name": "suppression_key", + "type": "string" + }, + { + "name": "suppression_start_time", + "type": "int" + }, + { + "name": "telemetry_app", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "title", + "type": "string" + }, + { + "name": "to_user", + "type": "string" + }, + { + "name": "total_collaborator_count", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "transaction_id", + "type": "int" + }, + { + "name": "true_obj_category", + "type": "string" + }, + { + "name": "true_obj_type", + "type": "string" + }, + { + "name": "tss_mode", + "type": "string" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "universal_connector", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "user_category", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "useragent", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + }, + { + "name": "web_universal_connector", + "type": "string" + }, 
+ { + "name": "workspace", + "type": "string" + }, + { + "name": "workspace_id", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsAudit": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "audit_log_event", + "type": "string" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "count", + "type": "int" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "severity_level", + "type": "int" + }, + { + "name": "supporting_data", + "type": "dynamic" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsConnection": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "browser", + "type": "string" + }, + { + "name": "browser_session_id", + "type": "int" + }, + { + "name": "browser_version", + "type": "string" + }, + { + "name": "bypass_reason", + "type": "string" + }, + { + "name": "bypass_traffic", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "conn_duration", + "type": "int" + }, + { + "name": "conn_endtime", + "type": "int" + }, + { + "name": "conn_starttime", + "type": "int" + }, + { + "name": "connection_id", + "type": "int" + }, + { + "name": "CononicalName", + "type": "string" + }, + { + "name": "count", + "type": "int" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "domain", + "type": 
"string" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_timezone", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "dynamic_classification", + "type": "string" + }, + { + "name": "forward_to_proxy_profile", + "type": "string" + }, + { + "name": "fromlogs", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "http_transaction_count", + "type": "int" + }, + { + "name": "log_file_name", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "network", + "type": "string" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "org", + "type": "string" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "page", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "req_cnt", + "type": "int" + }, + { + "name": "request_id", + "type": "int" + }, + { + "name": "resp_cnt", + "type": "int" + }, + { + "name": "resp_content_len", + "type": "int" + }, + { + "name": "resp_content_type", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "sessionid", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "sfwder", + "type": "string" + }, + { + "name": "site", 
+ "type": "string" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_time", + "type": "string" + }, + { + "name": "src_timezone", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "ssl_decrypt_policy", + "type": "string" + }, + { + "name": "suppression_end_time", + "type": "int" + }, + { + "name": "suppression_start_time", + "type": "int" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "transaction_id", + "type": "int" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "user_generated", + "type": "string" + }, + { + "name": "useragent", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsDLP": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "title", + "type": "string" + }, + { + "name": "object", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "site", + "type": "string" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "assignee", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "instance_id", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "exposure", + "type": "string" + }, + { + "name": "acting_user", + "type": "string" + }, + { + "name": "user", + 
"type": "string" + }, + { + "name": "file_path", + "type": "string" + }, + { + "name": "file_size", + "type": "int" + }, + { + "name": "file_type", + "type": "string" + }, + { + "name": "dlp_match_info", + "type": "dynamic" + }, + { + "name": "inline_dlp_match_info", + "type": "dynamic" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "activity", + "type": "string" + }, + { + "name": "instance", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "object_type", + "type": "string" + }, + { + "name": "owner", + "type": "string" + }, + { + "name": "owner_pdl", + "type": "string" + }, + { + "name": "file_lang", + "type": "string" + }, + { + "name": "true_obj_category", + "type": "string" + }, + { + "name": "true_obj_type", + "type": "string" + }, + { + "name": "dlp_incident_id", + "type": "int" + }, + { + "name": "latest_incident_id", + "type": "int" + }, + { + "name": "dlp_parent_id", + "type": "int" + }, + { + "name": "from_user", + "type": "string" + }, + { + "name": "md5", + "type": "string" + }, + { + "name": "connection_id", + "type": "int" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "referer", + "type": "string" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "channel", + "type": "string" + }, + { + "name": "to_user", + "type": "string" + }, + { + "name": "cc", + "type": "string" + }, + { + "name": "bcc", + "type": "string" + }, + { + "name": "classification", + "type": "string" + }, + { + "name": "user_id", + "type": "string" + }, + { + "name": "destination_app", + "type": "string" + }, + { + "name": "destination_instance_id", + "type": "string" + }, + { + "name": "zip_file_id", + "type": "string" + }, + { + "name": "original_file_snapshot_id", + "type": "string" + }, + { + "name": "dlp_file", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsEndpoint": { + "columns": [ + { + "name": "_id", + 
"type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "activity", + "type": "string" + }, + { + "name": "activity_type", + "type": "string" + }, + { + "name": "alert", + "type": "string" + }, + { + "name": "alert_generated", + "type": "boolean" + }, + { + "name": "alert_name", + "type": "string" + }, + { + "name": "alert_type", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "computer_name", + "type": "string" + }, + { + "name": "connection_type", + "type": "string" + }, + { + "name": "destination_file_directory", + "type": "string" + }, + { + "name": "destination_file_name", + "type": "string" + }, + { + "name": "destination_file_path", + "type": "string" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "device_id", + "type": "string" + }, + { + "name": "device_name", + "type": "string" + }, + { + "name": "device_sn", + "type": "string" + }, + { + "name": "device_type", + "type": "string" + }, + { + "name": "dlp_incident_id", + "type": "int" + }, + { + "name": "dlp_profile", + "type": "string" + }, + { + "name": "dlp_profile_name", + "type": "string" + }, + { + "name": "dlp_rule", + "type": "string" + }, + { + "name": "driver", + "type": "string" + }, + { + "name": "event_recovered", + "type": "boolean" + }, + { + "name": "executable_hash", + "type": "string" + }, + { + "name": "executable_signed", + "type": "boolean" + }, + { + "name": "file_origin", + "type": "string" + }, + { + "name": "file_size", + "type": "int" + }, + { + "name": "file_type", + "type": "string" + }, + { + "name": "incident_id", + "type": "int" + }, + { + "name": "justification", + "type": "string" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "md5", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_details", + "type": "string" + }, + { + "name": "os_user_name", + "type": "string" + }, + { + "name": 
"pid", + "type": "string" + }, + { + "name": "policy_action", + "type": "string" + }, + { + "name": "policy_action_enforced", + "type": "string" + }, + { + "name": "policy_name", + "type": "string" + }, + { + "name": "policy_name_enforced", + "type": "string" + }, + { + "name": "policy_version", + "type": "string" + }, + { + "name": "port", + "type": "string" + }, + { + "name": "printer_identifier", + "type": "string" + }, + { + "name": "process_cert_subject", + "type": "string" + }, + { + "name": "process_name", + "type": "string" + }, + { + "name": "process_path", + "type": "string" + }, + { + "name": "product_id", + "type": "string" + }, + { + "name": "sha256", + "type": "string" + }, + { + "name": "source_file_directory", + "type": "string" + }, + { + "name": "source_file_name", + "type": "string" + }, + { + "name": "sub_type", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "unc_path", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "vendor_id", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsInfrastructure": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "boolean_metric_value", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "metric_name", + "type": "string" + }, + { + "name": "metric_true_count", + "type": "string" + }, + { + "name": "metric_type", + "type": "string" + }, + { + "name": "metric_value", + "type": "string" + }, + { + "name": "package_version", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + } + ] + }, + "Custom-NetskopeEventsNetwork": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "appcategory", + "type": 
"string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "client_packets", + "type": "int" + }, + { + "name": "count", + "type": "int" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "domain", + "type": "string" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "end_time", + "type": "string" + }, + { + "name": "flow_status", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "ip_protocol", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "network_session_id", + "type": "string" + }, + { + "name": "num_sessions", + "type": "int" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { + "name": "pop_id", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "protocol_port", + "type": "string" + }, + { + "name": "publisher_cn", + "type": "string" + }, + { + "name": "publisher_name", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "server_packets", + "type": "int" + }, + { + "name": "session_duration", + "type": "int" + 
}, + { + "name": "site", + "type": "string" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "srcport", + "type": "int" + }, + { + "name": "start_time", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "total_packets", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "tunnel_id", + "type": "string" + }, + { + "name": "tunnel_type", + "type": "string" + }, + { + "name": "tunnel_up_time", + "type": "int" + }, + { + "name": "type", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + } + ] + }, + "Custom-NetskopeEventsPage": { + "columns": [ + { + "name": "_id", + "type": "string" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "browser", + "type": "string" + }, + { + "name": "browser_session_id", + "type": "int" + }, + { + "name": "browser_version", + "type": "string" + }, + { + "name": "bypass_reason", + "type": "string" + }, + { + "name": "bypass_traffic", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "conn_duration", + "type": "int" + }, + { 
+ "name": "conn_endtime",
+ "type": "int"
+ },
+ {
+ "name": "conn_starttime",
+ "type": "int"
+ },
+ {
+ "name": "connection_id",
+ "type": "int"
+ },
+ {
+ "name": "CononicalName",
+ "type": "string"
+ },
+ {
+ "name": "count",
+ "type": "int"
+ },
+ {
+ "name": "device",
+ "type": "string"
+ },
+ {
+ "name": "domain",
+ "type": "string"
+ },
+ {
+ "name": "dst_country",
+ "type": "string"
+ },
+ {
+ "name": "dst_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "dst_latitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_location",
+ "type": "string"
+ },
+ {
+ "name": "dst_longitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_region",
+ "type": "string"
+ },
+ {
+ "name": "dst_timezone",
+ "type": "string"
+ },
+ {
+ "name": "dst_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "dsthost",
+ "type": "string"
+ },
+ {
+ "name": "dstip",
+ "type": "string"
+ },
+ {
+ "name": "dstport",
+ "type": "int"
+ },
+ {
+ "name": "dynamic_classification",
+ "type": "string"
+ },
+ {
+ "name": "forward_to_proxy_profile",
+ "type": "string"
+ },
+ {
+ "name": "fromlogs",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "http_transaction_count",
+ "type": "int"
+ },
+ {
+ "name": "log_file_name",
+ "type": "string"
+ },
+ {
+ "name": "netskope_pop",
+ "type": "string"
+ },
+ {
+ "name": "network",
+ "type": "string"
+ },
+ {
+ "name": "numbytes",
+ "type": "int"
+ },
+ {
+ "name": "org",
+ "type": "string"
+ },
+ {
+ "name": "organization_unit",
+ "type": "string"
+ },
+ {
+ "name": "os",
+ "type": "string"
+ },
+ {
+ "name": "os_version",
+ "type": "string"
+ },
+ {
+ "name": "page",
+ "type": "string"
+ },
+ {
+ "name": "policy",
+ "type": "string"
+ },
+ {
+ "name": "protocol",
+ "type": "string"
+ },
+ {
+ "name": "req_cnt",
+ "type": "int"
+ },
+ {
+ "name": "request_id",
+ "type": "int"
+ },
+ {
+ "name": "resp_cnt",
+ "type": "int"
+ },
+ {
+ "name": "resp_content_len",
+ "type": "int"
+ },
+ {
+ "name": "resp_content_type",
+ "type":
"string"
+ },
+ {
+ "name": "sAMAccountName",
+ "type": "string"
+ },
+ {
+ "name": "serial",
+ "type": "string"
+ },
+ {
+ "name": "server_bytes",
+ "type": "int"
+ },
+ {
+ "name": "sessionid",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "sfwder",
+ "type": "string"
+ },
+ {
+ "name": "site",
+ "type": "string"
+ },
+ {
+ "name": "src_country",
+ "type": "string"
+ },
+ {
+ "name": "src_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "src_latitude",
+ "type": "int"
+ },
+ {
+ "name": "src_location",
+ "type": "string"
+ },
+ {
+ "name": "src_longitude",
+ "type": "int"
+ },
+ {
+ "name": "src_region",
+ "type": "string"
+ },
+ {
+ "name": "src_time",
+ "type": "string"
+ },
+ {
+ "name": "src_timezone",
+ "type": "string"
+ },
+ {
+ "name": "src_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "srcip",
+ "type": "string"
+ },
+ {
+ "name": "ssl_decrypt_policy",
+ "type": "string"
+ },
+ {
+ "name": "suppression_end_time",
+ "type": "int"
+ },
+ {
+ "name": "suppression_start_time",
+ "type": "int"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "traffic_type",
+ "type": "string"
+ },
+ {
+ "name": "transaction_id",
+ "type": "int"
+ },
+ {
+ "name": "type",
+ "type": "string"
+ },
+ {
+ "name": "ur_normalized",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "user_generated",
+ "type": "string"
+ },
+ {
+ "name": "useragent",
+ "type": "string"
+ },
+ {
+ "name": "userip",
+ "type": "string"
+ },
+ {
+ "name": "userkey",
+ "type": "string"
+ },
+ {
+ "name": "userPrincipalName",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-NetskopeAlerts"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01)
+ timestamp * 1sec | project-rename count_i = ['count'], title_s = ['title'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeAlerts_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsApplication"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename count_i = ['count'], title_s = ['title'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsApplication_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsAudit"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename count_i = ['count'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsAudit_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsConnection"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename count_i = ['count'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsConnection_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsDLP"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename title_s = ['title'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsDLP_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsEndpoint"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsEndpoint_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsInfrastructure"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-away _id ",
+ "outputStream":
"Custom-NetskopeEventsInfrastructure_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsNetwork"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename count_i = ['count'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsNetwork_CL"
+ },
+ {
+ "streams": [
+ "Custom-NetskopeEventsPage"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + timestamp * 1sec | project-rename count_i = ['count'], type_s = ['type'] | project-away _id ",
+ "outputStream": "Custom-NetskopeEventsPage_CL"
+ }
+ ]
+ }
+ },
+ {
+ "name": "NetskopeAlerts_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+ "name": "NetskopeAlerts_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "access_method",
+ "type": "string"
+ },
+ {
+ "name": "account_id",
+ "type": "string"
+ },
+ {
+ "name": "account_name",
+ "type": "string"
+ },
+ {
+ "name": "acked",
+ "type": "string"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "activity",
+ "type": "string"
+ },
+ {
+ "name": "alert",
+ "type": "string"
+ },
+ {
+ "name": "alert_id",
+ "type": "string"
+ },
+ {
+ "name": "alert_name",
+ "type": "string"
+ },
+ {
+ "name": "alert_type",
+ "type": "string"
+ },
+ {
+ "name": "app",
+ "type": "string"
+ },
+ {
+ "name": "app_activity",
+ "type": "string"
+ },
+ {
+ "name": "app_session_id",
+ "type": "int"
+ },
+ {
+ "name": "appcategory",
+ "type": "string"
+ },
+ {
+ "name": "appsuite",
+ "type": "string"
+ },
+ {
+ "name": "asset_id",
+ "type": "string"
+ },
+ {
+ "name": "asset_object_id",
+ "type": "string"
+ },
+ {
+ "name": "breach_date",
+ "type": "int"
+ },
+ {
+ "name": "breach_description",
+ "type": "string"
+ },
+ {
+ "name": "breach_id",
+ "type": "string"
+ },
+ {
+ "name":
"breach_media_references",
+ "type": "string"
+ },
+ {
+ "name": "breach_score",
+ "type": "string"
+ },
+ {
+ "name": "breach_target_references",
+ "type": "string"
+ },
+ {
+ "name": "browser",
+ "type": "string"
+ },
+ {
+ "name": "browser_session_id",
+ "type": "int"
+ },
+ {
+ "name": "browser_version",
+ "type": "string"
+ },
+ {
+ "name": "bypass_traffic",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cci",
+ "type": "int"
+ },
+ {
+ "name": "ccl",
+ "type": "string"
+ },
+ {
+ "name": "client_bytes",
+ "type": "int"
+ },
+ {
+ "name": "compliance_standards",
+ "type": "dynamic"
+ },
+ {
+ "name": "conn_duration",
+ "type": "int"
+ },
+ {
+ "name": "conn_endtime",
+ "type": "int"
+ },
+ {
+ "name": "conn_starttime",
+ "type": "int"
+ },
+ {
+ "name": "connection_id",
+ "type": "int"
+ },
+ {
+ "name": "CononicalName",
+ "type": "string"
+ },
+ {
+ "name": "count_i",
+ "type": "int"
+ },
+ {
+ "name": "data_type",
+ "type": "string"
+ },
+ {
+ "name": "device",
+ "type": "string"
+ },
+ {
+ "name": "device_classification",
+ "type": "string"
+ },
+ {
+ "name": "dlp_file",
+ "type": "string"
+ },
+ {
+ "name": "dlp_incident_id",
+ "type": "int"
+ },
+ {
+ "name": "dlp_is_unique_count",
+ "type": "string"
+ },
+ {
+ "name": "dlp_mail_parent_id",
+ "type": "string"
+ },
+ {
+ "name": "dlp_parent_id",
+ "type": "int"
+ },
+ {
+ "name": "dlp_profile",
+ "type": "string"
+ },
+ {
+ "name": "dlp_rule",
+ "type": "string"
+ },
+ {
+ "name": "dlp_rule_count",
+ "type": "int"
+ },
+ {
+ "name": "dlp_rule_severity",
+ "type": "string"
+ },
+ {
+ "name": "dlp_unique_count",
+ "type": "int"
+ },
+ {
+ "name": "domain",
+ "type": "string"
+ },
+ {
+ "name": "dst_country",
+ "type": "string"
+ },
+ {
+ "name": "dst_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "dst_latitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_location",
+ "type": "string"
+ },
+ {
+ "name": "dst_longitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_region",
+
"type": "string"
+ },
+ {
+ "name": "dst_timezone",
+ "type": "string"
+ },
+ {
+ "name": "dst_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "dstip",
+ "type": "string"
+ },
+ {
+ "name": "dsthost",
+ "type": "string"
+ },
+ {
+ "name": "dstport",
+ "type": "int"
+ },
+ {
+ "name": "email_source",
+ "type": "string"
+ },
+ {
+ "name": "event_type",
+ "type": "string"
+ },
+ {
+ "name": "evt_src_chnl",
+ "type": "string"
+ },
+ {
+ "name": "exposure",
+ "type": "string"
+ },
+ {
+ "name": "external_collaborator_count",
+ "type": "int"
+ },
+ {
+ "name": "external_email",
+ "type": "int"
+ },
+ {
+ "name": "file_cls_encrypted",
+ "type": "boolean"
+ },
+ {
+ "name": "file_lang",
+ "type": "string"
+ },
+ {
+ "name": "file_path",
+ "type": "string"
+ },
+ {
+ "name": "file_size",
+ "type": "int"
+ },
+ {
+ "name": "file_type",
+ "type": "string"
+ },
+ {
+ "name": "from_user",
+ "type": "string"
+ },
+ {
+ "name": "fromlogs",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "http_transaction_count",
+ "type": "int"
+ },
+ {
+ "name": "iaas_asset_tags",
+ "type": "dynamic"
+ },
+ {
+ "name": "iaas_remediated",
+ "type": "string"
+ },
+ {
+ "name": "instance",
+ "type": "string"
+ },
+ {
+ "name": "instance_id",
+ "type": "string"
+ },
+ {
+ "name": "internal_collaborator_count",
+ "type": "int"
+ },
+ {
+ "name": "justification_reason",
+ "type": "string"
+ },
+ {
+ "name": "justification_type",
+ "type": "string"
+ },
+ {
+ "name": "last_app",
+ "type": "string"
+ },
+ {
+ "name": "last_country",
+ "type": "string"
+ },
+ {
+ "name": "last_device",
+ "type": "string"
+ },
+ {
+ "name": "last_location",
+ "type": "string"
+ },
+ {
+ "name": "last_region",
+ "type": "string"
+ },
+ {
+ "name": "last_timestamp",
+ "type": "int"
+ },
+ {
+ "name": "log_file_name",
+ "type": "string"
+ },
+ {
+ "name": "malicious",
+ "type": "string"
+ },
+ {
+ "name": "malsite_category",
+ "type": "dynamic"
+ },
+ {
+ "name": "malsite_country",
+
"type": "string"
+ },
+ {
+ "name": "malsite_id",
+ "type": "string"
+ },
+ {
+ "name": "malsite_ip_host",
+ "type": "string"
+ },
+ {
+ "name": "malsite_latitude",
+ "type": "int"
+ },
+ {
+ "name": "malsite_longitude",
+ "type": "int"
+ },
+ {
+ "name": "malsite_region",
+ "type": "string"
+ },
+ {
+ "name": "managed_app",
+ "type": "string"
+ },
+ {
+ "name": "managementID",
+ "type": "string"
+ },
+ {
+ "name": "matched_username",
+ "type": "string"
+ },
+ {
+ "name": "md5",
+ "type": "string"
+ },
+ {
+ "name": "mime_type",
+ "type": "string"
+ },
+ {
+ "name": "modified",
+ "type": "int"
+ },
+ {
+ "name": "netskope_activity",
+ "type": "string"
+ },
+ {
+ "name": "netskope_pop",
+ "type": "string"
+ },
+ {
+ "name": "notify_template",
+ "type": "string"
+ },
+ {
+ "name": "nsdeviceuid",
+ "type": "string"
+ },
+ {
+ "name": "numbytes",
+ "type": "int"
+ },
+ {
+ "name": "object",
+ "type": "string"
+ },
+ {
+ "name": "object_id",
+ "type": "string"
+ },
+ {
+ "name": "object_type",
+ "type": "string"
+ },
+ {
+ "name": "org",
+ "type": "string"
+ },
+ {
+ "name": "organization_unit",
+ "type": "string"
+ },
+ {
+ "name": "orig_ty",
+ "type": "string"
+ },
+ {
+ "name": "orignal_file_path",
+ "type": "string"
+ },
+ {
+ "name": "os",
+ "type": "string"
+ },
+ {
+ "name": "os_version",
+ "type": "string"
+ },
+ {
+ "name": "other_categories",
+ "type": "dynamic"
+ },
+ {
+ "name": "outer_doc_type",
+ "type": "int"
+ },
+ {
+ "name": "owner",
+ "type": "string"
+ },
+ {
+ "name": "page",
+ "type": "string"
+ },
+ {
+ "name": "page_site",
+ "type": "string"
+ },
+ {
+ "name": "parent_id",
+ "type": "string"
+ },
+ {
+ "name": "password_type",
+ "type": "string"
+ },
+ {
+ "name": "policy",
+ "type": "string"
+ },
+ {
+ "name": "policy_actions",
+ "type": "dynamic"
+ },
+ {
+ "name": "policy_id",
+ "type": "string"
+ },
+ {
+ "name": "profile_id",
+ "type": "string"
+ },
+ {
+ "name": "protocol",
+ "type": "string"
+ },
+ {
+ "name": "referer",
+ "type": "string"
+ },
+ {
+ "name": "region_id",
+ "type": "string"
+ },
+ {
+ "name": "region_name",
+ "type": "string"
+ },
+ {
+ "name": "req_cnt",
+ "type": "int"
+ },
+ {
+ "name": "request_id",
+ "type": "int"
+ },
+ {
+ "name": "resource_category",
+ "type": "string"
+ },
+ {
+ "name": "resource_group",
+ "type": "string"
+ },
+ {
+ "name": "resp_cnt",
+ "type": "int"
+ },
+ {
+ "name": "sa_profile_id",
+ "type": "int"
+ },
+ {
+ "name": "sa_profile_name",
+ "type": "string"
+ },
+ {
+ "name": "sa_rule_id",
+ "type": "string"
+ },
+ {
+ "name": "sa_rule_name",
+ "type": "string"
+ },
+ {
+ "name": "sa_rule_severity",
+ "type": "string"
+ },
+ {
+ "name": "sAMAccountName",
+ "type": "string"
+ },
+ {
+ "name": "sanctioned_instance",
+ "type": "string"
+ },
+ {
+ "name": "scan_type",
+ "type": "string"
+ },
+ {
+ "name": "serial",
+ "type": "string"
+ },
+ {
+ "name": "server_bytes",
+ "type": "int"
+ },
+ {
+ "name": "sessionid",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "severity_level",
+ "type": "string"
+ },
+ {
+ "name": "severity_level_id",
+ "type": "int"
+ },
+ {
+ "name": "sfwder",
+ "type": "string"
+ },
+ {
+ "name": "sha256",
+ "type": "string"
+ },
+ {
+ "name": "shared_domains",
+ "type": "string"
+ },
+ {
+ "name": "shared_with",
+ "type": "string"
+ },
+ {
+ "name": "site",
+ "type": "string"
+ },
+ {
+ "name": "src_country",
+ "type": "string"
+ },
+ {
+ "name": "src_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "src_latitude",
+ "type": "int"
+ },
+ {
+ "name": "src_location",
+ "type": "string"
+ },
+ {
+ "name": "src_longitude",
+ "type": "int"
+ },
+ {
+ "name": "src_region",
+ "type": "string"
+ },
+ {
+ "name": "src_time",
+ "type": "string"
+ },
+ {
+ "name": "src_timezone",
+ "type": "string"
+ },
+ {
+ "name": "src_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "srcip",
+ "type": "string"
+ },
+ {
+ "name": "suppression_end_time",
+ "type": "int"
+ },
+ {
+ "name": "suppression_key",
+ "type": "string"
+ },
+ {
+ "name": "suppression_start_time",
+ "type": "int"
+ },
+ {
+ "name": "telemetry_app",
+ "type": "string"
+ },
+ {
+ "name": "threat_match_field",
+ "type": "string"
+ },
+ {
+ "name": "threat_match_value",
+ "type": "string"
+ },
+ {
+ "name": "threat_source_id",
+ "type": "int"
+ },
+ {
+ "name": "threshold",
+ "type": "int"
+ },
+ {
+ "name": "threshold_time",
+ "type": "int"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "title_s",
+ "type": "string"
+ },
+ {
+ "name": "to_object",
+ "type": "string"
+ },
+ {
+ "name": "total_collaborator_count",
+ "type": "int"
+ },
+ {
+ "name": "traffic_type",
+ "type": "string"
+ },
+ {
+ "name": "transaction_id",
+ "type": "int"
+ },
+ {
+ "name": "true_obj_category",
+ "type": "string"
+ },
+ {
+ "name": "true_obj_type",
+ "type": "string"
+ },
+ {
+ "name": "tss_mode",
+ "type": "string"
+ },
+ {
+ "name": "two_factor_auth",
+ "type": "string"
+ },
+ {
+ "name": "type_s",
+ "type": "string"
+ },
+ {
+ "name": "universal_connector",
+ "type": "string"
+ },
+ {
+ "name": "ur_normalized",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "user_generated",
+ "type": "string"
+ },
+ {
+ "name": "user_id",
+ "type": "string"
+ },
+ {
+ "name": "useragent",
+ "type": "string"
+ },
+ {
+ "name": "userip",
+ "type": "string"
+ },
+ {
+ "name": "userkey",
+ "type": "string"
+ },
+ {
+ "name": "userPrincipalName",
+ "type": "string"
+ },
+ {
+ "name": "web_universal_connector",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "NetskopeEventsApplication_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+ "name": "NetskopeEventsApplication_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "access_method",
+ "type": "string"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "activity",
+
"type": "string"
+ },
+ {
+ "name": "alert",
+ "type": "string"
+ },
+ {
+ "name": "alert_type",
+ "type": "string"
+ },
+ {
+ "name": "app",
+ "type": "string"
+ },
+ {
+ "name": "app_activity",
+ "type": "string"
+ },
+ {
+ "name": "app_session_id",
+ "type": "int"
+ },
+ {
+ "name": "appcategory",
+ "type": "string"
+ },
+ {
+ "name": "appsuite",
+ "type": "string"
+ },
+ {
+ "name": "audit_category",
+ "type": "string"
+ },
+ {
+ "name": "audit_type",
+ "type": "string"
+ },
+ {
+ "name": "browser",
+ "type": "string"
+ },
+ {
+ "name": "browser_session_id",
+ "type": "int"
+ },
+ {
+ "name": "browser_version",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cci",
+ "type": "int"
+ },
+ {
+ "name": "ccl",
+ "type": "string"
+ },
+ {
+ "name": "channel_id",
+ "type": "string"
+ },
+ {
+ "name": "client_bytes",
+ "type": "int"
+ },
+ {
+ "name": "conn_duration",
+ "type": "int"
+ },
+ {
+ "name": "connection_id",
+ "type": "int"
+ },
+ {
+ "name": "CononicalName",
+ "type": "string"
+ },
+ {
+ "name": "count_i",
+ "type": "int"
+ },
+ {
+ "name": "custom_connector",
+ "type": "string"
+ },
+ {
+ "name": "data_center",
+ "type": "string"
+ },
+ {
+ "name": "data_type",
+ "type": "string"
+ },
+ {
+ "name": "device",
+ "type": "string"
+ },
+ {
+ "name": "device_classification",
+ "type": "string"
+ },
+ {
+ "name": "dlp_file",
+ "type": "string"
+ },
+ {
+ "name": "dlp_incident_id",
+ "type": "int"
+ },
+ {
+ "name": "dlp_is_unique_count",
+ "type": "string"
+ },
+ {
+ "name": "dlp_mail_parent_id",
+ "type": "string"
+ },
+ {
+ "name": "dlp_parent_id",
+ "type": "int"
+ },
+ {
+ "name": "dlp_profile",
+ "type": "string"
+ },
+ {
+ "name": "dlp_rule",
+ "type": "string"
+ },
+ {
+ "name": "dlp_rule_count",
+ "type": "int"
+ },
+ {
+ "name": "dlp_rule_severity",
+ "type": "string"
+ },
+ {
+ "name": "dlp_unique_count",
+ "type": "int"
+ },
+ {
+ "name": "dst_country",
+ "type": "string"
+ },
+ {
+ "name": "dst_geoip_src",
+
"type": "int"
+ },
+ {
+ "name": "dst_latitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_location",
+ "type": "string"
+ },
+ {
+ "name": "dst_longitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_region",
+ "type": "string"
+ },
+ {
+ "name": "dst_timezone",
+ "type": "string"
+ },
+ {
+ "name": "dst_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "dsthost",
+ "type": "string"
+ },
+ {
+ "name": "dstip",
+ "type": "string"
+ },
+ {
+ "name": "dstport",
+ "type": "int"
+ },
+ {
+ "name": "exposure",
+ "type": "string"
+ },
+ {
+ "name": "file_lang",
+ "type": "string"
+ },
+ {
+ "name": "file_path",
+ "type": "string"
+ },
+ {
+ "name": "file_size",
+ "type": "int"
+ },
+ {
+ "name": "file_type",
+ "type": "string"
+ },
+ {
+ "name": "from_user",
+ "type": "string"
+ },
+ {
+ "name": "from_user_category",
+ "type": "string"
+ },
+ {
+ "name": "fromlogs",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "instance",
+ "type": "string"
+ },
+ {
+ "name": "instance_id",
+ "type": "string"
+ },
+ {
+ "name": "internal_collaborator_count",
+ "type": "int"
+ },
+ {
+ "name": "log_file_name",
+ "type": "string"
+ },
+ {
+ "name": "logintype",
+ "type": "string"
+ },
+ {
+ "name": "loginurl",
+ "type": "string"
+ },
+ {
+ "name": "managed_app",
+ "type": "string"
+ },
+ {
+ "name": "managementID",
+ "type": "string"
+ },
+ {
+ "name": "md5",
+ "type": "string"
+ },
+ {
+ "name": "mime_type",
+ "type": "string"
+ },
+ {
+ "name": "modified",
+ "type": "int"
+ },
+ {
+ "name": "netskope_activity",
+ "type": "string"
+ },
+ {
+ "name": "netskope_pop",
+ "type": "string"
+ },
+ {
+ "name": "notify_template",
+ "type": "string"
+ },
+ {
+ "name": "nsdeviceuid",
+ "type": "string"
+ },
+ {
+ "name": "numbytes",
+ "type": "int"
+ },
+ {
+ "name": "object",
+ "type": "string"
+ },
+ {
+ "name": "object_id",
+ "type": "string"
+ },
+ {
+ "name": "object_type",
+ "type": "string"
+ },
+ {
+ "name": "org",
+ "type": "string"
+ },
+ {
+ "name":
"organization_unit",
+ "type": "string"
+ },
+ {
+ "name": "orignal_file_path",
+ "type": "string"
+ },
+ {
+ "name": "os",
+ "type": "string"
+ },
+ {
+ "name": "os_version",
+ "type": "string"
+ },
+ {
+ "name": "other_categories",
+ "type": "dynamic"
+ },
+ {
+ "name": "outer_doc_type",
+ "type": "int"
+ },
+ {
+ "name": "owner",
+ "type": "string"
+ },
+ {
+ "name": "page",
+ "type": "string"
+ },
+ {
+ "name": "page_site",
+ "type": "string"
+ },
+ {
+ "name": "parent_id",
+ "type": "string"
+ },
+ {
+ "name": "policy",
+ "type": "string"
+ },
+ {
+ "name": "policy_id",
+ "type": "string"
+ },
+ {
+ "name": "protocol",
+ "type": "string"
+ },
+ {
+ "name": "referer",
+ "type": "string"
+ },
+ {
+ "name": "req_cnt",
+ "type": "int"
+ },
+ {
+ "name": "request_id",
+ "type": "int"
+ },
+ {
+ "name": "resp_cnt",
+ "type": "int"
+ },
+ {
+ "name": "sAMAccountName",
+ "type": "string"
+ },
+ {
+ "name": "sanctioned_instance",
+ "type": "string"
+ },
+ {
+ "name": "scan_type",
+ "type": "string"
+ },
+ {
+ "name": "serial",
+ "type": "string"
+ },
+ {
+ "name": "server_bytes",
+ "type": "int"
+ },
+ {
+ "name": "sessionid",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "sfwder",
+ "type": "string"
+ },
+ {
+ "name": "sha256",
+ "type": "string"
+ },
+ {
+ "name": "shared_with",
+ "type": "string"
+ },
+ {
+ "name": "site",
+ "type": "string"
+ },
+ {
+ "name": "smtp_to",
+ "type": "dynamic"
+ },
+ {
+ "name": "src_country",
+ "type": "string"
+ },
+ {
+ "name": "src_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "src_latitude",
+ "type": "int"
+ },
+ {
+ "name": "src_location",
+ "type": "string"
+ },
+ {
+ "name": "src_longitude",
+ "type": "int"
+ },
+ {
+ "name": "src_region",
+ "type": "string"
+ },
+ {
+ "name": "src_time",
+ "type": "string"
+ },
+ {
+ "name": "src_timezone",
+ "type": "string"
+ },
+ {
+ "name": "src_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "srcip",
+ "type": "string"
+ },
+ {
+ "name":
"suppression_end_time",
+ "type": "int"
+ },
+ {
+ "name": "suppression_key",
+ "type": "string"
+ },
+ {
+ "name": "suppression_start_time",
+ "type": "int"
+ },
+ {
+ "name": "telemetry_app",
+ "type": "string"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "title_s",
+ "type": "string"
+ },
+ {
+ "name": "to_user",
+ "type": "string"
+ },
+ {
+ "name": "total_collaborator_count",
+ "type": "int"
+ },
+ {
+ "name": "traffic_type",
+ "type": "string"
+ },
+ {
+ "name": "transaction_id",
+ "type": "int"
+ },
+ {
+ "name": "true_obj_category",
+ "type": "string"
+ },
+ {
+ "name": "true_obj_type",
+ "type": "string"
+ },
+ {
+ "name": "tss_mode",
+ "type": "string"
+ },
+ {
+ "name": "type_s",
+ "type": "string"
+ },
+ {
+ "name": "universal_connector",
+ "type": "string"
+ },
+ {
+ "name": "ur_normalized",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "user_category",
+ "type": "string"
+ },
+ {
+ "name": "user_id",
+ "type": "string"
+ },
+ {
+ "name": "useragent",
+ "type": "string"
+ },
+ {
+ "name": "userip",
+ "type": "string"
+ },
+ {
+ "name": "userkey",
+ "type": "string"
+ },
+ {
+ "name": "userPrincipalName",
+ "type": "string"
+ },
+ {
+ "name": "web_universal_connector",
+ "type": "string"
+ },
+ {
+ "name": "workspace",
+ "type": "string"
+ },
+ {
+ "name": "workspace_id",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "NetskopeEventsAudit_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+ "name": "NetskopeEventsAudit_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "audit_log_event",
+ "type": "string"
+ },
+ {
+ "name": "ccl",
+ "type": "string"
+ },
+ {
+ "name": "count_i",
+ "type": "int"
+ },
+ {
+ "name": "organization_unit",
+ "type": "string"
+ },
+ {
+ "name": "sAMAccountName",
+ "type": "string"
+ },
+ {
+ "name":
"severity_level",
+ "type": "int"
+ },
+ {
+ "name": "supporting_data",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "type_s",
+ "type": "string"
+ },
+ {
+ "name": "ur_normalized",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "userPrincipalName",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "NetskopeEventsConnection_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+ "name": "NetskopeEventsConnection_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "access_method",
+ "type": "string"
+ },
+ {
+ "name": "app",
+ "type": "string"
+ },
+ {
+ "name": "app_session_id",
+ "type": "int"
+ },
+ {
+ "name": "appcategory",
+ "type": "string"
+ },
+ {
+ "name": "browser",
+ "type": "string"
+ },
+ {
+ "name": "browser_session_id",
+ "type": "int"
+ },
+ {
+ "name": "browser_version",
+ "type": "string"
+ },
+ {
+ "name": "bypass_reason",
+ "type": "string"
+ },
+ {
+ "name": "bypass_traffic",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cci",
+ "type": "int"
+ },
+ {
+ "name": "ccl",
+ "type": "string"
+ },
+ {
+ "name": "client_bytes",
+ "type": "int"
+ },
+ {
+ "name": "conn_duration",
+ "type": "int"
+ },
+ {
+ "name": "conn_endtime",
+ "type": "int"
+ },
+ {
+ "name": "conn_starttime",
+ "type": "int"
+ },
+ {
+ "name": "connection_id",
+ "type": "int"
+ },
+ {
+ "name": "CononicalName",
+ "type": "string"
+ },
+ {
+ "name": "count_i",
+ "type": "int"
+ },
+ {
+ "name": "device",
+ "type": "string"
+ },
+ {
+ "name": "domain",
+ "type": "string"
+ },
+ {
+ "name": "dst_country",
+ "type": "string"
+ },
+ {
+ "name": "dst_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "dst_latitude",
+ "type": "int"
+ },
+ {
+ "name": "dst_location",
+ "type": "string"
+ },
+ {
+ "name": "dst_longitude",
+ "type": "int"
+ },
+ {
+ "name":
"dst_region",
+ "type": "string"
+ },
+ {
+ "name": "dst_timezone",
+ "type": "string"
+ },
+ {
+ "name": "dst_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "dsthost",
+ "type": "string"
+ },
+ {
+ "name": "dstip",
+ "type": "string"
+ },
+ {
+ "name": "dstport",
+ "type": "int"
+ },
+ {
+ "name": "dynamic_classification",
+ "type": "string"
+ },
+ {
+ "name": "forward_to_proxy_profile",
+ "type": "string"
+ },
+ {
+ "name": "fromlogs",
+ "type": "string"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "http_transaction_count",
+ "type": "int"
+ },
+ {
+ "name": "log_file_name",
+ "type": "string"
+ },
+ {
+ "name": "netskope_pop",
+ "type": "string"
+ },
+ {
+ "name": "network",
+ "type": "string"
+ },
+ {
+ "name": "numbytes",
+ "type": "int"
+ },
+ {
+ "name": "org",
+ "type": "string"
+ },
+ {
+ "name": "organization_unit",
+ "type": "string"
+ },
+ {
+ "name": "os",
+ "type": "string"
+ },
+ {
+ "name": "os_version",
+ "type": "string"
+ },
+ {
+ "name": "page",
+ "type": "string"
+ },
+ {
+ "name": "policy",
+ "type": "string"
+ },
+ {
+ "name": "protocol",
+ "type": "string"
+ },
+ {
+ "name": "req_cnt",
+ "type": "int"
+ },
+ {
+ "name": "request_id",
+ "type": "int"
+ },
+ {
+ "name": "resp_cnt",
+ "type": "int"
+ },
+ {
+ "name": "resp_content_len",
+ "type": "int"
+ },
+ {
+ "name": "resp_content_type",
+ "type": "string"
+ },
+ {
+ "name": "sAMAccountName",
+ "type": "string"
+ },
+ {
+ "name": "serial",
+ "type": "string"
+ },
+ {
+ "name": "server_bytes",
+ "type": "int"
+ },
+ {
+ "name": "sessionid",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "sfwder",
+ "type": "string"
+ },
+ {
+ "name": "site",
+ "type": "string"
+ },
+ {
+ "name": "src_country",
+ "type": "string"
+ },
+ {
+ "name": "src_geoip_src",
+ "type": "int"
+ },
+ {
+ "name": "src_latitude",
+ "type": "int"
+ },
+ {
+ "name": "src_location",
+ "type": "string"
+ },
+ {
+ "name": "src_longitude",
+ "type": "int"
+ },
+ {
+ "name": "src_region",
+ "type": "string"
+ },
+ {
+ "name": "src_time",
+ "type": "string"
+ },
+ {
+ "name": "src_timezone",
+ "type": "string"
+ },
+ {
+ "name": "src_zipcode",
+ "type": "string"
+ },
+ {
+ "name": "srcip",
+ "type": "string"
+ },
+ {
+ "name": "ssl_decrypt_policy",
+ "type": "string"
+ },
+ {
+ "name": "suppression_end_time",
+ "type": "int"
+ },
+ {
+ "name": "suppression_start_time",
+ "type": "int"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "traffic_type",
+ "type": "string"
+ },
+ {
+ "name": "transaction_id",
+ "type": "int"
+ },
+ {
+ "name": "type_s",
+ "type": "string"
+ },
+ {
+ "name": "ur_normalized",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "user_generated",
+ "type": "string"
+ },
+ {
+ "name": "useragent",
+ "type": "string"
+ },
+ {
+ "name": "userip",
+ "type": "string"
+ },
+ {
+ "name": "userkey",
+ "type": "string"
+ },
+ {
+ "name": "userPrincipalName",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "NetskopeEventsDLP_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+ "name": "NetskopeEventsDLP_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "title_s",
+ "type": "string"
+ },
+ {
+ "name": "object",
+ "type": "string"
+ },
+ {
+ "name": "app",
+ "type": "string"
+ },
+ {
+ "name": "site",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "assignee",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "instance_id",
+ "type": "string"
+ },
+ {
+ "name": "timestamp",
+ "type": "int"
+ },
+ {
+ "name": "exposure",
+ "type": "string"
+ },
+ {
+ "name": "acting_user",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "string"
+ },
+ {
+ "name": "file_path",
+ "type": "string"
+ },
+ {
+ "name": "file_size",
+
"type": "int"
+ },
+ {
+ "name": "file_type",
+ "type": "string"
+ },
+ {
+ "name": "dlp_match_info",
+ "type": "dynamic"
+ },
+ {
+ "name": "inline_dlp_match_info",
+ "type": "dynamic"
+ },
+ {
+ "name": "access_method",
+ "type": "string"
+ },
+ {
+ "name": "activity",
+ "type": "string"
+ },
+ {
+ "name": "instance",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "object_type",
+ "type": "string"
+ },
+ {
+ "name": "owner",
+ "type": "string"
+ },
+ {
+ "name": "owner_pdl",
+ "type": "string"
+ },
+ {
+ "name": "file_lang",
+ "type": "string"
+ },
+ {
+ "name": "true_obj_category",
+ "type": "string"
+ },
+ {
+ "name": "true_obj_type",
+ "type": "string"
+ },
+ {
+ "name": "dlp_incident_id",
+ "type": "int"
+ },
+ {
+ "name": "latest_incident_id",
+ "type": "int"
+ },
+ {
+ "name": "dlp_parent_id",
+ "type": "int"
+ },
+ {
+ "name": "from_user",
+ "type": "string"
+ },
+ {
+ "name": "md5",
+ "type": "string"
+ },
+ {
+ "name": "connection_id",
+ "type": "int"
+ },
+ {
+ "name": "app_session_id",
+ "type": "int"
+ },
+ {
+ "name": "referer",
+ "type": "string"
+ },
+ {
+ "name": "dst_location",
+ "type": "string"
+ },
+ {
+ "name": "src_location",
+ "type": "string"
+ },
+ {
+ "name": "channel",
+ "type": "string"
+ },
+ {
+ "name": "to_user",
+ "type": "string"
+ },
+ {
+ "name": "cc",
+ "type": "string"
+ },
+ {
+ "name": "bcc",
+ "type": "string"
+ },
+ {
+ "name": "classification",
+ "type": "string"
+ },
+ {
+ "name": "user_id",
+ "type": "string"
+ },
+ {
+ "name": "destination_app",
+ "type": "string"
+ },
+ {
+ "name": "destination_instance_id",
+ "type": "string"
+ },
+ {
+ "name": "zip_file_id",
+ "type": "string"
+ },
+ {
+ "name": "original_file_snapshot_id",
+ "type": "string"
+ },
+ {
+ "name": "dlp_file",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "NetskopeEventsEndpoint_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "properties": {
+ "schema": {
+
"name": "NetskopeEventsEndpoint_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "activity", + "type": "string" + }, + { + "name": "activity_type", + "type": "string" + }, + { + "name": "alert", + "type": "string" + }, + { + "name": "alert_generated", + "type": "boolean" + }, + { + "name": "alert_name", + "type": "string" + }, + { + "name": "alert_type", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "computer_name", + "type": "string" + }, + { + "name": "connection_type", + "type": "string" + }, + { + "name": "destination_file_directory", + "type": "string" + }, + { + "name": "destination_file_name", + "type": "string" + }, + { + "name": "destination_file_path", + "type": "string" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "device_id", + "type": "string" + }, + { + "name": "device_name", + "type": "string" + }, + { + "name": "device_sn", + "type": "string" + }, + { + "name": "device_type", + "type": "string" + }, + { + "name": "dlp_incident_id", + "type": "int" + }, + { + "name": "dlp_profile", + "type": "string" + }, + { + "name": "dlp_profile_name", + "type": "string" + }, + { + "name": "dlp_rule", + "type": "string" + }, + { + "name": "driver", + "type": "string" + }, + { + "name": "event_recovered", + "type": "boolean" + }, + { + "name": "executable_hash", + "type": "string" + }, + { + "name": "executable_signed", + "type": "boolean" + }, + { + "name": "file_origin", + "type": "string" + }, + { + "name": "file_size", + "type": "int" + }, + { + "name": "file_type", + "type": "string" + }, + { + "name": "incident_id", + "type": "int" + }, + { + "name": "justification", + "type": "string" + }, + { + "name": "location", + "type": "string" + }, + { + "name": "md5", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_details", + 
"type": "string" + }, + { + "name": "os_user_name", + "type": "string" + }, + { + "name": "pid", + "type": "string" + }, + { + "name": "policy_action", + "type": "string" + }, + { + "name": "policy_action_enforced", + "type": "string" + }, + { + "name": "policy_name", + "type": "string" + }, + { + "name": "policy_name_enforced", + "type": "string" + }, + { + "name": "policy_version", + "type": "string" + }, + { + "name": "port", + "type": "string" + }, + { + "name": "printer_identifier", + "type": "string" + }, + { + "name": "process_cert_subject", + "type": "string" + }, + { + "name": "process_name", + "type": "string" + }, + { + "name": "process_path", + "type": "string" + }, + { + "name": "product_id", + "type": "string" + }, + { + "name": "sha256", + "type": "string" + }, + { + "name": "source_file_directory", + "type": "string" + }, + { + "name": "source_file_name", + "type": "string" + }, + { + "name": "sub_type", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "type_s", + "type": "string" + }, + { + "name": "unc_path", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "vendor_id", + "type": "string" + } + ] + } + } + }, + { + "name": "NetskopeEventsInfrastructure_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "properties": { + "schema": { + "name": "NetskopeEventsInfrastructure_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "boolean_metric_value", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "metric_name", + "type": "string" + }, + { + "name": "metric_true_count", + "type": "string" + }, + { + "name": "metric_type", + "type": "string" + }, + { + "name": "metric_value", + "type": "string" + }, + { + "name": "package_version", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + } + ] + } + 
} + }, + { + "name": "NetskopeEventsNetwork_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "properties": { + "schema": { + "name": "NetskopeEventsNetwork_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "access_method", + "type": "string" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "app", + "type": "string" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "client_packets", + "type": "int" + }, + { + "name": "count_i", + "type": "int" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "domain", + "type": "string" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "end_time", + "type": "string" + }, + { + "name": "flow_status", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "ip_protocol", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "network_session_id", + "type": "string" + }, + { + "name": "num_sessions", + "type": "int" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { 
+ "name": "pop_id", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "protocol_port", + "type": "string" + }, + { + "name": "publisher_cn", + "type": "string" + }, + { + "name": "publisher_name", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "server_packets", + "type": "int" + }, + { + "name": "session_duration", + "type": "int" + }, + { + "name": "site", + "type": "string" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "srcport", + "type": "int" + }, + { + "name": "start_time", + "type": "string" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "total_packets", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "tunnel_id", + "type": "string" + }, + { + "name": "tunnel_type", + "type": "string" + }, + { + "name": "tunnel_up_time", + "type": "int" + }, + { + "name": "type_s", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + } + ] + } + } + }, + { + "name": "NetskopeEventsPage_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "properties": { + "schema": { + "name": "NetskopeEventsPage_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "access_method", + "type": "string" + }, + { + 
"name": "app", + "type": "string" + }, + { + "name": "app_session_id", + "type": "int" + }, + { + "name": "appcategory", + "type": "string" + }, + { + "name": "browser", + "type": "string" + }, + { + "name": "browser_session_id", + "type": "int" + }, + { + "name": "browser_version", + "type": "string" + }, + { + "name": "bypass_reason", + "type": "string" + }, + { + "name": "bypass_traffic", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cci", + "type": "int" + }, + { + "name": "ccl", + "type": "string" + }, + { + "name": "client_bytes", + "type": "int" + }, + { + "name": "conn_duration", + "type": "int" + }, + { + "name": "conn_endtime", + "type": "int" + }, + { + "name": "conn_starttime", + "type": "int" + }, + { + "name": "connection_id", + "type": "int" + }, + { + "name": "CononicalName", + "type": "string" + }, + { + "name": "count_i", + "type": "int" + }, + { + "name": "device", + "type": "string" + }, + { + "name": "domain", + "type": "string" + }, + { + "name": "dst_country", + "type": "string" + }, + { + "name": "dst_geoip_src", + "type": "int" + }, + { + "name": "dst_latitude", + "type": "int" + }, + { + "name": "dst_location", + "type": "string" + }, + { + "name": "dst_longitude", + "type": "int" + }, + { + "name": "dst_region", + "type": "string" + }, + { + "name": "dst_timezone", + "type": "string" + }, + { + "name": "dst_zipcode", + "type": "string" + }, + { + "name": "dsthost", + "type": "string" + }, + { + "name": "dstip", + "type": "string" + }, + { + "name": "dstport", + "type": "int" + }, + { + "name": "dynamic_classification", + "type": "string" + }, + { + "name": "forward_to_proxy_profile", + "type": "string" + }, + { + "name": "fromlogs", + "type": "string" + }, + { + "name": "hostname", + "type": "string" + }, + { + "name": "http_transaction_count", + "type": "int" + }, + { + "name": "log_file_name", + "type": "string" + }, + { + "name": "netskope_pop", + "type": "string" + }, + { + "name": "network", 
+ "type": "string" + }, + { + "name": "numbytes", + "type": "int" + }, + { + "name": "org", + "type": "string" + }, + { + "name": "organization_unit", + "type": "string" + }, + { + "name": "os", + "type": "string" + }, + { + "name": "os_version", + "type": "string" + }, + { + "name": "page", + "type": "string" + }, + { + "name": "policy", + "type": "string" + }, + { + "name": "protocol", + "type": "string" + }, + { + "name": "req_cnt", + "type": "int" + }, + { + "name": "request_id", + "type": "int" + }, + { + "name": "resp_cnt", + "type": "int" + }, + { + "name": "resp_content_len", + "type": "int" + }, + { + "name": "resp_content_type", + "type": "string" + }, + { + "name": "sAMAccountName", + "type": "string" + }, + { + "name": "serial", + "type": "string" + }, + { + "name": "server_bytes", + "type": "int" + }, + { + "name": "sessionid", + "type": "string" + }, + { + "name": "severity", + "type": "string" + }, + { + "name": "sfwder", + "type": "string" + }, + { + "name": "site", + "type": "string" + }, + { + "name": "src_country", + "type": "string" + }, + { + "name": "src_geoip_src", + "type": "int" + }, + { + "name": "src_latitude", + "type": "int" + }, + { + "name": "src_location", + "type": "string" + }, + { + "name": "src_longitude", + "type": "int" + }, + { + "name": "src_region", + "type": "string" + }, + { + "name": "src_time", + "type": "string" + }, + { + "name": "src_timezone", + "type": "string" + }, + { + "name": "src_zipcode", + "type": "string" + }, + { + "name": "srcip", + "type": "string" + }, + { + "name": "ssl_decrypt_policy", + "type": "string" + }, + { + "name": "suppression_end_time", + "type": "int" + }, + { + "name": "suppression_start_time", + "type": "int" + }, + { + "name": "timestamp", + "type": "int" + }, + { + "name": "traffic_type", + "type": "string" + }, + { + "name": "transaction_id", + "type": "int" + }, + { + "name": "type_s", + "type": "string" + }, + { + "name": "ur_normalized", + "type": "string" + }, + { + "name": "url", + 
"type": "string" + }, + { + "name": "user", + "type": "string" + }, + { + "name": "user_generated", + "type": "string" + }, + { + "name": "useragent", + "type": "string" + }, + { + "name": "userip", + "type": "string" + }, + { + "name": "userkey", + "type": "string" + }, + { + "name": "userPrincipalName", + "type": "string" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition3'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition3'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "NetskopeCCP", + "title": "Netskope Alerts and Events", + "publisher": "Netskope", + "descriptionMarkdown": "Netskope Security Alerts and Events", + "graphQueriesTableName": "NetskopeAlerts_CL", + "graphQueries": [ + { + "metricName": "Total Netskope Alerts received", + "legend": "Netskope Alerts", + "baseQuery": "NetskopeAlerts_CL" + }, + { + "metricName": "Total Netskope Application Events", + "legend": "Netskope Application Events", + "baseQuery": "NetskopeEventsApplication_CL" + }, + { + "metricName": "Total Netskope Audit Events", + "legend": "Netskope Audit Events", + "baseQuery": "NetskopeEventsAudit_CL" + }, + { + "metricName": "Total Netskope Connection Events", + "legend": "Netskope Connection 
Events", + "baseQuery": "NetskopeEventsConnection_CL" + }, + { + "metricName": "Total Netskope DLP Events", + "legend": "Netskope DLP Events", + "baseQuery": "NetskopeEventsDLP_CL" + }, + { + "metricName": "Total Netskope Endpoint Events", + "legend": "Netskope Endpoint Events", + "baseQuery": "NetskopeEventsEndpoint_CL" + }, + { + "metricName": "Total Netskope Infrastructure Events", + "legend": "Netskope Infrastructure Events", + "baseQuery": "NetskopeEventsInfrastructure_CL" + }, + { + "metricName": "Total Netskope Network Events", + "legend": "Netskope Network Events", + "baseQuery": "NetskopeEventsNetwork_CL" + }, + { + "metricName": "Total Netskope Page Events", + "legend": "Netskope Page Events", + "baseQuery": "NetskopeEventsPage_CL" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of Netskope events", + "query": "NetskopeAlerts_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "NetskopeAlerts_CL", + "lastDataReceivedQuery": "NetskopeAlerts_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsApplication_CL", + "lastDataReceivedQuery": "NetskopeEventsApplication_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsAudit_CL", + "lastDataReceivedQuery": "NetskopeEventsAudit_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsConnection_CL", + "lastDataReceivedQuery": "NetskopeEventsConnection_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsDLP_CL", + "lastDataReceivedQuery": "NetskopeEventsDLP_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsEndpoint_CL", + "lastDataReceivedQuery": "NetskopeEventsEndpoint_CL \n | 
where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsInfrastructure_CL", + "lastDataReceivedQuery": "NetskopeEventsInfrastructure_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsNetwork_CL", + "lastDataReceivedQuery": "NetskopeEventsNetwork_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "NetskopeEventsPage_CL", + "lastDataReceivedQuery": "NetskopeEventsPage_CL \n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Netskope organisation url", + "description": "The Netskope data connector requires you to provide your organisation url. You can find your organisation url by signing into the Netskope portal." + }, + { + "name": "Netskope API key", + "description": "The Netskope data connector requires you to provide a valid API key. You can create one by following the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/)." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a Netskope API key.", + "description": "Follow the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/) for guidance on this step." 
+ }, + { + "title": "STEP 2 - Enter your Netskope product Details", + "description": "Enter your Netskope organisation url & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Organisation URL", + "placeholder": "Enter your organisation url", + "type": "text", + "name": "OrganisationURL" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Key", + "placeholder": "Enter your API Key", + "type": "password", + "name": "apikey" + } + }, + { + "type": "InstructionStepsGroup", + "parameters": { + "instructionSteps": [ + { + "title": "OPTIONAL: Specify the Index the API uses.", + "description": "**Configuring the index is optional and only required in advanced scenario's.** \n Netskope uses an [index](https://docs.netskope.com/en/using-the-rest-api-v2-dataexport-iterator-endpoints/#how-do-iterator-endpoints-function) to retrieve events. In some advanced cases (consuming the event in multiple Sentinel workspaces, or pre-fatiguing the index to only retrieve recent data), a customer might want to have direct controll over the index.", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Index", + "placeholder": "NetskopeCCP", + "type": "text", + "name": "Index" + } + } + ] + } + ] + } + } + ] + }, + { + "title": "STEP 3 - Click Connect", + "description": "Verify all fields above were filled in correctly. 
Press the Connect to connect Netskope to Sentinel.", + "instructions": [ + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition3')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition3'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Netskope" + }, + "support": { + "name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections3')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections3'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": 
"[variables('_dataConnectorContentIdConnections3')]", + "displayName": "Netskope Alerts and Events", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "Netskope Alerts and Events", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "OrganisationURL": { + "defaultValue": "OrganisationURL", + "type": "string", + "minLength": 1 + }, + "apikey": { + "defaultValue": "apikey", + "type": "string", + "minLength": 1 + }, + "Index": { + "defaultValue": "NetskopeCCP", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections3": "[variables('_dataConnectorContentIdConnections3')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections3')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections3'))]", + "contentId": "[variables('_dataConnectorContentIdConnections3')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Netskope" + }, + "support": { + 
"name": "Netskope", + "tier": "Partner", + "link": "https://www.netskope.com/services#support" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsRemediation')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/remediation?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsUba')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + 
"ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/uba?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsSecurityAssessment')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/securityassessment?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsQuarantine')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/quarantine?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsPolicy')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/policy?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, 
+ "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsMalware')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/malware?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsMalsite')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": 
"[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/malsite?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsDlp')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/dlp?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsCtep')]", + "apiVersion": "2023-02-01-preview", + "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/ctep?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsWatchlist')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/watchlist?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + 
"queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsCompromisedCredentials')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/compromisedcredential?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsContent')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/content?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeAlertsDevice')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeAlerts_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeAlerts", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/alerts/device?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 
'NetskopeEventsApplication')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsApplication_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsApplication", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/application?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsAudit')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsAudit_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsAudit", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), 
'/api/v2/events/dataexport/events/audit?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsConnection')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsConnection_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsConnection", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/connection?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsDLP')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsDLP_CL", + 
"dcrConfig": { + "streamName": "Custom-NetskopeEventsDLP", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/incident?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsEndpoint')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsEndpoint_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsEndpoint", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/endpoint?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + 
"$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsInfrastructure')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsInfrastructure_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsInfrastructure", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/infrastructure?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsNetwork')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsNetwork_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsNetwork", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + 
"ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/network?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'NetskopeEventsPage')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "NetskopeCCP", + "dataType": "NetskopeEventsPage_CL", + "dcrConfig": { + "streamName": "Custom-NetskopeEventsPage", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKeyName": "Netskope-Api-Token", + "ApiKey": "[[parameters('apikey')]" + }, + "request": { + "apiEndpoint": "[[concat('https://', parameters('OrganisationURL'), '/api/v2/events/dataexport/events/page?operation=next&index=', parameters('Index'))]", + "httpMethod": "GET", + "queryWindowInMin": 5, + "queryTimeFormat": "UnixTimestamp", + "rateLimitQps": 10, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Accept": "application/json" + } + }, + "response": { + "eventsJsonPaths": [ + "$.result" + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', 
uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections3'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Netskopev2", + "publisherDisplayName": "Netskope", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nNetskope solution for Microsoft Sentinel enables you to ingest Netskope alerts and events into Microsoft Sentinel. The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.
\nData Connectors: 3, Workbooks: 1, Playbooks: 2
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "