From 1f4196903797a069741a149999488f8840307a2e Mon Sep 17 00:00:00 2001
From: SecurityJedi
Date: Tue, 8 Oct 2024 18:31:30 -0400
Subject: [PATCH 1/2] ZeroNetworks: update parsers with new auditTypes
---
 .../ZeroNetworks/Parsers/ZNSegmentAudit.txt | 157 ++++++++++++++---
 .../ZeroNetworks/Parsers/ZNSegmentAudit.yaml | 159 +++++++++++++++---
 2 files changed, 263 insertions(+), 53 deletions(-)
diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
index 15a16325a56..e5cea5d4a6f 100644
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
+++ b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
@@ -4,30 +4,30 @@
 // Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
 let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
 0, "Unspecified",
- 1, "Asset is being added to protection",
- 2, "Asset added to protection",
- 3, "Asset failed adding to protection",
- 4, "Asset is being removed from protection",
- 5, "Removed asset from protection",
- 6, "Failed removing asset from protection",
- 7, "Asset added to learning",
- 8, "Asset removed from learning",
- 9, "Access rule created",
- 10, "Access rule deleted",
- 11, "Access rule expired",
- 12, "Access rule edited",
- 17, "MFA access policy created",
- 18, "MFA access policy deleted",
- 19, "MFA access policy edited",
- 20, "JIT rule created",
- 21, "JIT rule deleted",
- 22, "JIT rule expired",
- 23, "JIT rule revived",
- 24, "JIT rule edited",
+ 1, "Asset is being segmented (network)",
+ 2, "Asset segmented (network)",
+ 3, "Asset failed being segmented (network)",
+ 4, "Asset is being unsegmented (network)",
+ 5, "Asset unsegmented (network)",
+ 6, "Asset failed being unsegmented (network)",
+ 7, "Asset added to learning (network)",
+ 8, "Asset removed from learning (network)",
+ 9, "Inbound allow rule created",
+ 10, "Inbound allow rule deleted",
+ 11, "Inbound allow rule expired",
+ 12, "Inbound allow rule edited",
+ 17, "Inbound MFA policy created",
+ 18, "Inbound MFA policy edited",
+ 19, "Inbound MFA policy deleted",
+ 20, "Inbound JIT rule created",
+ 21, "Inbound JIT rule deleted",
+ 22, "Inbound JIT rule expired",
+ 23, "Inbound JIT rule revived",
+ 24, "Inbound JIT rule edited",
 25, "API Token created",
 26, "API Token deleted",
 27, "API Token regenerated",
- 28, "Asset learning is extended",
+ 28, "Asset segmentation date postponed (network)",
 29, "Outbound block rule created",
 30, "Outbound block rule deleted",
 31, "Outbound block rule expired",
@@ -36,8 +36,107 @@ let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
 34, "Inbound block rule deleted",
 35, "Inbound block rule expired",
 36, "Inbound block rule edited",
- 37, "Inbound rule pseudo edited",
- 38, "Outbound rule pseudo edited"
+ 39, "Asset unsegmented (network) (overriding policy)",
+ 40, "Asset is being unsegmented (network) (overriding policy)",
+ 41, "Asset removed from learning (network) (overriding policy)",
+ 42, "Asset is being segmented (network) (policy)",
+ 43, "Asset segmented (network) (policy)",
+ 44, "Asset added to learning (network) (policy)",
+ 45, "Segmentation policy created",
+ 46, "Segmentation policy deleted",
+ 47, "Segmentation policy edited",
+ 48, "Inbound JIT access rejected",
+ 49, "Inbound JIT fallback rule created",
+ 50, "Inbound JIT fallback rule deleted",
+ 51, "Inbound JIT fallback rule expired",
+ 53, "Outbound allow rule created",
+ 54, "Outbound allow rule deleted",
+ 55, "Outbound allow rule expired",
+ 56, "Outbound allow rule edited",
+ 58, "Admin portal role changed to admin",
+ 59, "Admin portal role changed to viewer",
+ 60, "Admin portal role revoked",
+ 61, "Outbound JIT rule created",
+ 62, "Outbound JIT rule deleted",
+ 63, "Outbound JIT rule expired",
+ 64, "Outbound MFA policy created",
+ 65, "Outbound MFA policy deleted",
+ 66, "Outbound MFA policy edited",
+ 67, "Outbound JIT access rejected",
+ 68, "Asset learning is done (network)",
+ 69, "Asset learning (policy) is done (network)",
+ 70, "Manual Linux asset created",
+ 71, "Manual OT/IoT asset created",
+ 72, "Asset learning extended (network)",
+ 73, "Admin portal logon",
+ 74, "Asset manager added",
+ 75, "Asset manager removed",
+ 76, "Asset is monitored by Cloud connector",
+ 77, "Asset is no longer monitored by Cloud connector",
+ 78, "Asset is monitored by Segment server",
+ 79, "Asset is back to learning (network)",
+ 80, "Manual OT/IoT asset edited",
+ 81, "Admin portal role changed to operator",
+ 82, "Segment server deployed",
+ 83, "AI inbound allow rule rejected",
+ 84, "AI inbound block rule rejected",
+ 85, "AI outbound allow rule rejected",
+ 86, "AI outbound block rule rejected",
+ 87, "AI inbound allow rule approved",
+ 88, "AI inbound block rule approved",
+ 89, "AI outbound allow rule approved",
+ 90, "AI outbound block rule approved",
+ 91, "AI inbound allow rule approved with changes",
+ 92, "AI inbound block rule approved with changes",
+ 93, "AI outbound allow rule approved with changes",
+ 94, "AI outbound block rule approved with changes",
+ 95, "Connect region created",
+ 96, "Connect session created",
+ 97, "Connect session expired",
+ 98, "Connect session revoked",
+ 99, "Connect session logged out",
+ 100, "User access configuration created",
+ 101, "User access configuration edited",
+ 102, "User access configuration deleted",
+ 103, "Connect server deployed",
+ 104, "Connect asset created",
+ 105, "Asset segmentation postponed (network) (pending review rules)",
+ 106, "Connect region edited",
+ 107, "Connect server edited",
+ 108, "Asset is being segmented (identity)",
+ 109, "Asset segmented (identity)",
+ 110, "Asset is being unsegmented (identity)",
+ 111, "Asset unsegmented (identity)",
+ 112, "Identity rule created",
+ 113, "Identity rule deleted",
+ 114, "Identity rule expired",
+ 115, "Identity rule edited",
+ 116, "User segmented (identity)",
+ 117, "User unsegmented (identity)",
+ 118, "User added to learning (identity)",
+ 119, "User removed from learning (identity)",
+ 120, "Asset added to RPC monitoring",
+ 121, "Asset removed from RPC monitoring",
+ 122, "User classification changed",
+ 123, "Connect session extended",
+ 124, "Asset marked as inactive by repository (deleted)",
+ 125, "Asset marked as active by repository",
+ 126, "Asset marked as inactive by user",
+ 127, "Asset marked as active by user",
+ 128, "Break glass configuration activated",
+ 129, "Break glass configuration deactivated",
+ 130, "Asset marked as inactive by repository (disable)",
+ 131, "Asset marked as active by repository (enable)",
+ 132, "Break glass configuration activated (asset)",
+ 133, "Break glass configuration deactivated (asset)",
+ 134, "Asset is being segmented (RPC)",
+ 135, "Asset segmented (RPC)",
+ 136, "Asset is being unsegmented (RPC)",
+ 137, "Asset unsegmented (RPC)",
+ 138, "Rules RPC rule created",
+ 139, "Rules RPC rule deleted",
+ 140, "Rules RPC rule expired",
+ 141, "Rules RPC rule edited"
 ];
 let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
 1, "Reactive Policy",
@@ -45,7 +144,8 @@ let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, Enforce
 3, "Access Portal",
 4, "Admin Portal",
 5, "AI",
- 6, "API"
+ 6, "API",
+ 7, "Setup"
 ];
 let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
 1, "Admin",
@@ -53,7 +153,12 @@ let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
 3, "Regular",
 4, "API - Full Access",
 5, "API - Read Only",
- 6, "Self Service"
+ 6, "Self Service",
+ 7, "CloudConnectorProvisioning",
+ 8, "JAMF Asset",
+ 9, "Asset Manager",
+ 10, "Operator",
+ 11, "Service Now Token"
 ];
 union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
 | project-away TimeGenerated
@@ -95,4 +200,4 @@ union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
 UserRoleId,
 UserRole,
 Rule,
- ReactivePolicy
+ ReactivePolicy
\ No newline at end of file
diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
index be2f94cb775..0315e2fff68 100644
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
+++ b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
@@ -1,38 +1,38 @@
 id: 4677df99-9bff-4b87-a7b9-575091361d82
 Function:
 Title: Parser for ZNSegmentAudit
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.0.1'
+ LastUpdated: '2024-10-08'
 Category: Microsoft Sentinel Parser
 FunctionName: ZNSegmentAudit
 FunctionAlias: ZNSegmentAudit
 FunctionQuery: |
 let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
 0, "Unspecified",
- 1, "Asset is being added to protection",
- 2, "Asset added to protection",
- 3, "Asset failed adding to protection",
- 4, "Asset is being removed from protection",
- 5, "Removed asset from protection",
- 6, "Failed removing asset from protection",
- 7, "Asset added to learning",
- 8, "Asset removed from learning",
- 9, "Access rule created",
- 10, "Access rule deleted",
- 11, "Access rule expired",
- 12, "Access rule edited",
- 17, "MFA access policy created",
- 18, "MFA access policy deleted",
- 19, "MFA access policy edited",
- 20, "JIT rule created",
- 21, "JIT rule deleted",
- 22, "JIT rule expired",
- 23, "JIT rule revived",
- 24, "JIT rule edited",
+ 1, "Asset is being segmented (network)",
+ 2, "Asset segmented (network)",
+ 3, "Asset failed being segmented (network)",
+ 4, "Asset is being unsegmented (network)",
+ 5, "Asset unsegmented (network)",
+ 6, "Asset failed being unsegmented (network)",
+ 7, "Asset added to learning (network)",
+ 8, "Asset removed from learning (network)",
+ 9, "Inbound allow rule created",
+ 10, "Inbound allow rule deleted",
+ 11, "Inbound allow rule expired",
+ 12, "Inbound allow rule edited",
+ 17, "Inbound MFA policy created",
+ 18, "Inbound MFA policy edited",
+ 19, "Inbound MFA policy deleted",
+ 20, "Inbound JIT rule created",
+ 21, "Inbound JIT rule deleted",
+ 22, "Inbound JIT rule expired",
+ 23, "Inbound JIT rule revived",
+ 24, "Inbound JIT rule edited",
 25, "API Token created",
 26, "API Token deleted",
 27, "API Token regenerated",
- 28, "Asset learning is extended",
+ 28, "Asset segmentation date postponed (network)",
 29, "Outbound block rule created",
 30, "Outbound block rule deleted",
 31, "Outbound block rule expired",
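Review bot: Ids 18 and 19 swap meaning in this hunk — the old rows were `18, "MFA access policy deleted"` / `19, "MFA access policy edited"` and the new rows are `18, "Inbound MFA policy edited"` / `19, "Inbound MFA policy deleted"` — and nothing in the commit says which ordering matches the vendor's auditType enum, so if the swap is accidental any rule watching for MFA policy deletions will now be attributing them to edits. If it is a deliberate correction, say so in the commit message and in a comment above the datatable. More generally every label in this table is renamed (e.g. "Access rule created" becomes "Inbound allow rule created"), which breaks any analytic rule, workbook or hunting query that filters on `AuditType == "..."`; that is a breaking change for consumers of the parser, so a bump to `Version: '2.0.0'` with a note about the renamed labels would be more honest than the patch-level `'1.0.1'` the hunk sets. The FunctionQuery block continues past the end of this hunk.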
@@ -41,8 +41,107 @@ FunctionQuery: |
 34, "Inbound block rule deleted",
 35, "Inbound block rule expired",
 36, "Inbound block rule edited",
- 37, "Inbound rule pseudo edited",
- 38, "Outbound rule pseudo edited"
+ 39, "Asset unsegmented (network) (overriding policy)",
+ 40, "Asset is being unsegmented (network) (overriding policy)",
+ 41, "Asset removed from learning (network) (overriding policy)",
+ 42, "Asset is being segmented (network) (policy)",
+ 43, "Asset segmented (network) (policy)",
+ 44, "Asset added to learning (network) (policy)",
+ 45, "Segmentation policy created",
+ 46, "Segmentation policy deleted",
+ 47, "Segmentation policy edited",
+ 48, "Inbound JIT access rejected",
+ 49, "Inbound JIT fallback rule created",
+ 50, "Inbound JIT fallback rule deleted",
+ 51, "Inbound JIT fallback rule expired",
+ 53, "Outbound allow rule created",
+ 54, "Outbound allow rule deleted",
+ 55, "Outbound allow rule expired",
+ 56, "Outbound allow rule edited",
+ 58, "Admin portal role changed to admin",
+ 59, "Admin portal role changed to viewer",
+ 60, "Admin portal role revoked",
+ 61, "Outbound JIT rule created",
+ 62, "Outbound JIT rule deleted",
+ 63, "Outbound JIT rule expired",
+ 64, "Outbound MFA policy created",
+ 65, "Outbound MFA policy deleted",
+ 66, "Outbound MFA policy edited",
+ 67, "Outbound JIT access rejected",
+ 68, "Asset learning is done (network)",
+ 69, "Asset learning (policy) is done (network)",
+ 70, "Manual Linux asset created",
+ 71, "Manual OT/IoT asset created",
+ 72, "Asset learning extended (network)",
+ 73, "Admin portal logon",
+ 74, "Asset manager added",
+ 75, "Asset manager removed",
+ 76, "Asset is monitored by Cloud connector",
+ 77, "Asset is no longer monitored by Cloud connector",
+ 78, "Asset is monitored by Segment server",
+ 79, "Asset is back to learning (network)",
+ 80, "Manual OT/IoT asset edited",
+ 81, "Admin portal role changed to operator",
+ 82, "Segment server deployed",
+ 83, "AI inbound allow rule rejected",
+ 84, "AI inbound block rule rejected",
+ 85, "AI outbound allow rule rejected",
+ 86, "AI outbound block rule rejected",
+ 87, "AI inbound allow rule approved",
+ 88, "AI inbound block rule approved",
+ 89, "AI outbound allow rule approved",
+ 90, "AI outbound block rule approved",
+ 91, "AI inbound allow rule approved with changes",
+ 92, "AI inbound block rule approved with changes",
+ 93, "AI outbound allow rule approved with changes",
+ 94, "AI outbound block rule approved with changes",
+ 95, "Connect region created",
+ 96, "Connect session created",
+ 97, "Connect session expired",
+ 98, "Connect session revoked",
+ 99, "Connect session logged out",
+ 100, "User access configuration created",
+ 101, "User access configuration edited",
+ 102, "User access configuration deleted",
+ 103, "Connect server deployed",
+ 104, "Connect asset created",
+ 105, "Asset segmentation postponed (network) (pending review rules)",
+ 106, "Connect region edited",
+ 107, "Connect server edited",
+ 108, "Asset is being segmented (identity)",
+ 109, "Asset segmented (identity)",
+ 110, "Asset is being unsegmented (identity)",
+ 111, "Asset unsegmented (identity)",
+ 112, "Identity rule created",
+ 113, "Identity rule deleted",
+ 114, "Identity rule expired",
+ 115, "Identity rule edited",
+ 116, "User segmented (identity)",
+ 117, "User unsegmented (identity)",
+ 118, "User added to learning (identity)",
+ 119, "User removed from learning (identity)",
+ 120, "Asset added to RPC monitoring",
+ 121, "Asset removed from RPC monitoring",
+ 122, "User classification changed",
+ 123, "Connect session extended",
+ 124, "Asset marked as inactive by repository (deleted)",
+ 125, "Asset marked as active by repository",
+ 126, "Asset marked as inactive by user",
+ 127, "Asset marked as active by user",
+ 128, "Break glass configuration activated",
+ 129, "Break glass configuration deactivated",
+ 130, "Asset marked as inactive by repository (disable)",
+ 131, "Asset marked as active by repository (enable)",
+ 132, "Break glass configuration activated (asset)",
+ 133, "Break glass configuration deactivated (asset)",
+ 134, "Asset is being segmented (RPC)",
+ 135, "Asset segmented (RPC)",
+ 136, "Asset is being unsegmented (RPC)",
+ 137, "Asset unsegmented (RPC)",
+ 138, "Rules RPC rule created",
+ 139, "Rules RPC rule deleted",
+ 140, "Rules RPC rule expired",
+ 141, "Rules RPC rule edited"
 ];
 let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
 1, "Reactive Policy",
@@ -50,7 +149,8 @@ FunctionQuery: |
 3, "Access Portal",
 4, "Admin Portal",
 5, "AI",
- 6, "API"
+ 6, "API",
+ 7, "Setup"
 ];
 let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
 1, "Admin",
@@ -58,7 +158,12 @@ FunctionQuery: |
 3, "Regular",
 4, "API - Full Access",
 5, "API - Read Only",
- 6, "Self Service"
+ 6, "Self Service",
+ 7, "CloudConnectorProvisioning",
+ 8, "JAMF Asset",
+ 9, "Asset Manager",
+ 10, "Operator",
+ 11, "Service Now Token"
 ];
 union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
 | project-away TimeGenerated
From 781f6f40cc1e7f26117293577618a5d72fb6efde Mon Sep 17 00:00:00 2001
From: Vijay-Sodadasi
Date: Thu, 10 Oct 2024 11:59:44 +0530
Subject: [PATCH 2/2] Delete ZNSegmentAudit.txt
---
 .../ZeroNetworks/Parsers/ZNSegmentAudit.txt | 203 ------------------
 1 file changed, 203 deletions(-)
 delete mode 100644 Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
deleted file mode 100644
index e5cea5d4a6f..00000000000
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
+++ /dev/null
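Review bot: Ids 37 and 38 are removed from the table in this hunk, 52 and 57 are skipped in the new rows, and 13–16 were never present, yet the parser joins with `| lookup kind=leftouter AuditTypesTable on auditType_d` (visible in the copy of the query deleted by PATCH 2/2, outside this hunk), so any event carrying one of those ids — including historical rows that previously resolved to "Inbound/Outbound rule pseudo edited" — now surfaces with an empty AuditType and silently drops out of every rule that filters on the label. A fallback after the lookup keeps those events visible and makes new vendor types show up as gaps instead of blanks, e.g. `| extend AuditType = iff(isempty(AuditType), strcat("Unknown audit type ", tostring(auditType_d)), AuditType)`. A one-line comment above the datatable stating that the missing ids are intentionally unmapped (or deprecated by the vendor) would tell the next maintainer the gaps are not typos. The hunk ends inside FunctionQuery, before the lookup it feeds.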
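Review bot: Roles 7, 8 and 11 (`CloudConnectorProvisioning`, `JAMF Asset`, `Service Now Token`) look like non-interactive service or token principals rather than people, but they sit in the same list as `Admin`, `Viewer` and `Operator` with nothing marking the distinction, which matters because an "Admin portal logon" or role change performed under one of these roles is exactly the kind of event a detection author would want to single out. A short comment above the datatable, such as `// ids 4, 5, 7, 8, 11 are API/service identities; 1-3, 6, 9, 10 are interactive user roles`, would capture that — hedged as an assumption until confirmed against the vendor's role enum. As with the audit types, the `kind=leftouter` lookup leaves UserRole empty for any role id not in this list, so a fallback or an "Unknown" row is worth considering here too.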
@@ -1,203 +0,0 @@
-// Usage Instruction :
-// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ZNSegmentAudit.
-// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ZNSegmentAudit | take 10).
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
- 0, "Unspecified",
- 1, "Asset is being segmented (network)",
- 2, "Asset segmented (network)",
- 3, "Asset failed being segmented (network)",
- 4, "Asset is being unsegmented (network)",
- 5, "Asset unsegmented (network)",
- 6, "Asset failed being unsegmented (network)",
- 7, "Asset added to learning (network)",
- 8, "Asset removed from learning (network)",
- 9, "Inbound allow rule created",
- 10, "Inbound allow rule deleted",
- 11, "Inbound allow rule expired",
- 12, "Inbound allow rule edited",
- 17, "Inbound MFA policy created",
- 18, "Inbound MFA policy edited",
- 19, "Inbound MFA policy deleted",
- 20, "Inbound JIT rule created",
- 21, "Inbound JIT rule deleted",
- 22, "Inbound JIT rule expired",
- 23, "Inbound JIT rule revived",
- 24, "Inbound JIT rule edited",
- 25, "API Token created",
- 26, "API Token deleted",
- 27, "API Token regenerated",
- 28, "Asset segmentation date postponed (network)",
- 29, "Outbound block rule created",
- 30, "Outbound block rule deleted",
- 31, "Outbound block rule expired",
- 32, "Outbound block rule edited",
- 33, "Inbound block rule created",
- 34, "Inbound block rule deleted",
- 35, "Inbound block rule expired",
- 36, "Inbound block rule edited",
- 39, "Asset unsegmented (network) (overriding policy)",
- 40, "Asset is being unsegmented (network) (overriding policy)",
- 41, "Asset removed from learning (network) (overriding policy)",
- 42, "Asset is being segmented (network) (policy)",
- 43, "Asset segmented (network) (policy)",
- 44, "Asset added to learning (network) (policy)",
- 45, "Segmentation policy created",
- 46, "Segmentation policy deleted",
- 47, "Segmentation policy edited",
- 48, "Inbound JIT access rejected",
- 49, "Inbound JIT fallback rule created",
- 50, "Inbound JIT fallback rule deleted",
- 51, "Inbound JIT fallback rule expired",
- 53, "Outbound allow rule created",
- 54, "Outbound allow rule deleted",
- 55, "Outbound allow rule expired",
- 56, "Outbound allow rule edited",
- 58, "Admin portal role changed to admin",
- 59, "Admin portal role changed to viewer",
- 60, "Admin portal role revoked",
- 61, "Outbound JIT rule created",
- 62, "Outbound JIT rule deleted",
- 63, "Outbound JIT rule expired",
- 64, "Outbound MFA policy created",
- 65, "Outbound MFA policy deleted",
- 66, "Outbound MFA policy edited",
- 67, "Outbound JIT access rejected",
- 68, "Asset learning is done (network)",
- 69, "Asset learning (policy) is done (network)",
- 70, "Manual Linux asset created",
- 71, "Manual OT/IoT asset created",
- 72, "Asset learning extended (network)",
- 73, "Admin portal logon",
- 74, "Asset manager added",
- 75, "Asset manager removed",
- 76, "Asset is monitored by Cloud connector",
- 77, "Asset is no longer monitored by Cloud connector",
- 78, "Asset is monitored by Segment server",
- 79, "Asset is back to learning (network)",
- 80, "Manual OT/IoT asset edited",
- 81, "Admin portal role changed to operator",
- 82, "Segment server deployed",
- 83, "AI inbound allow rule rejected",
- 84, "AI inbound block rule rejected",
- 85, "AI outbound allow rule rejected",
- 86, "AI outbound block rule rejected",
- 87, "AI inbound allow rule approved",
- 88, "AI inbound block rule approved",
- 89, "AI outbound allow rule approved",
- 90, "AI outbound block rule approved",
- 91, "AI inbound allow rule approved with changes",
- 92, "AI inbound block rule approved with changes",
- 93, "AI outbound allow rule approved with changes",
- 94, "AI outbound block rule approved with changes",
- 95, "Connect region created",
- 96, "Connect session created",
- 97, "Connect session expired",
- 98, "Connect session revoked",
- 99, "Connect session logged out",
- 100, "User access configuration created",
- 101, "User access configuration edited",
- 102, "User access configuration deleted",
- 103, "Connect server deployed",
- 104, "Connect asset created",
- 105, "Asset segmentation postponed (network) (pending review rules)",
- 106, "Connect region edited",
- 107, "Connect server edited",
- 108, "Asset is being segmented (identity)",
- 109, "Asset segmented (identity)",
- 110, "Asset is being unsegmented (identity)",
- 111, "Asset unsegmented (identity)",
- 112, "Identity rule created",
- 113, "Identity rule deleted",
- 114, "Identity rule expired",
- 115, "Identity rule edited",
- 116, "User segmented (identity)",
- 117, "User unsegmented (identity)",
- 118, "User added to learning (identity)",
- 119, "User removed from learning (identity)",
- 120, "Asset added to RPC monitoring",
- 121, "Asset removed from RPC monitoring",
- 122, "User classification changed",
- 123, "Connect session extended",
- 124, "Asset marked as inactive by repository (deleted)",
- 125, "Asset marked as active by repository",
- 126, "Asset marked as inactive by user",
- 127, "Asset marked as active by user",
- 128, "Break glass configuration activated",
- 129, "Break glass configuration deactivated",
- 130, "Asset marked as inactive by repository (disable)",
- 131, "Asset marked as active by repository (enable)",
- 132, "Break glass configuration activated (asset)",
- 133, "Break glass configuration deactivated (asset)",
- 134, "Asset is being segmented (RPC)",
- 135, "Asset segmented (RPC)",
- 136, "Asset is being unsegmented (RPC)",
- 137, "Asset unsegmented (RPC)",
- 138, "Rules RPC rule created",
- 139, "Rules RPC rule deleted",
- 140, "Rules RPC rule expired",
- 141, "Rules RPC rule edited"
-];
-let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
- 1, "Reactive Policy",
- 2, "Automated",
- 3, "Access Portal",
- 4, "Admin Portal",
- 5, "AI",
- 6, "API",
- 7, "Setup"
-];
-let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
- 1, "Admin",
- 2, "Viewer",
- 3, "Regular",
- 4, "API - Full Access",
- 5, "API - Read Only",
- 6, "Self Service",
- 7, "CloudConnectorProvisioning",
- 8, "JAMF Asset",
- 9, "Asset Manager",
- 10, "Operator",
- 11, "Service Now Token"
-];
-union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
-| project-away TimeGenerated
-| lookup kind=leftouter AuditTypesTable on auditType_d
-| lookup kind=leftouter EnforcementSourceTypeTable on enforcementSource_d
-| lookup kind=leftouter UserRoleTypeTable on userRole_d
-| extend entity=parse_json(destinationEntitiesList_s)
-| extend EventVendor="Zero Networks",
- EventProduct="Segment Audit",
- AuditTypeId=column_ifexists('auditType_d', ''),
- TimeGenerated=unixtime_milliseconds_todatetime(timestamp_d),
- EnforcementSourceId=column_ifexists('enforcementSource_d', ''),
- UserRoleId=column_ifexists('userRole_d', ''),
- DestinationEntityName = ['entity'][0].name,
- DestinationEntityId = ['entity'][0].id,
- Details=column_ifexists('details_s', ''),
- PerformedById=column_ifexists('performedBy_id_s', ''),
- PerformedByName=column_ifexists('performedBy_name_s', ''),
- PerformedByGuid=column_ifexists('performedBy_id_g', ''),
- ReportedObjectGuid=column_ifexists('reportedObjectId_g', ''),
- ReportedObjectId=column_ifexists('reportedObjectId_s', '')
-| extend Rule=parse_json(Details).rule,
- ReactivePolicy=parse_json(Details).rp
-| project
- TimeGenerated,
- EventVendor,
- EventProduct,
- AuditTypeId,
- AuditType,
- DestinationEntityId,
- DestinationEntityName,
- EnforcementSourceId,
- EnforcementSource,
- PerformedByGuid,
- PerformedById,
- PerformedByName,
- ReportedObjectGuid,
- ReportedObjectId,
- UserRoleId,
- UserRole,
- Rule,
- ReactivePolicy
\ No newline at end of file