airlock_serveractivities.kql
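// Airlock "ServerActivityMessage" events received as CEF over Syslog,
// reshaped into an ASIM AuditEvent-style row.
//
// CEF header layout this query relies on, after splitting SyslogMessage on "|":
//   [0] syslog prefix + "CEF:0"   [1] vendor        [2] product   [3] version
//   [4] event class id            [5] event name    [6] severity  [7] extension (key=value pairs)
// NOTE(review): split() does not honour CEF's "\|" escape, so an escaped pipe
// in any header field shifts every later index — confirm against the product's
// event format before relying on fields [4]-[7].
//
// Host filter pulled out as a constant so the query can be pointed at a
// differently named Airlock server without editing the pipeline.
let AirlockHost = "airlock_server";
Syslog
| where Computer == AirlockHost
// Split once and index into the array rather than re-splitting the message
// for every header field.
| extend CefParts = split(SyslogMessage, "|")
| extend DeviceVendor = tostring(CefParts[1])
    , DeviceProduct = tostring(CefParts[2])
    , DeviceVersion = tostring(CefParts[3])
    , DeviceEventClassID = tostring(CefParts[4])
    , DeviceEventName = tostring(CefParts[5])
    , DeviceSeverity = tostring(CefParts[6])
    , CefEvent = tostring(CefParts[7])
| where DeviceEventName == "ServerActivityMessage"
// parse-kv rejects "datetime" as an output column name (it is a type name),
// so the key is renamed before parsing. Anchoring on "datetime=" at a word
// boundary confines the rewrite to the key itself; a bare substring replace
// would also rewrite any "datetime" text inside user/description values.
| extend CefEvent = replace_regex(CefEvent, @"\bdatetime=", "eventstarttime=")
// greedy=true is presumably here so the trailing description, which may
// contain spaces, captures the rest of the extension — keep description as
// the last pair in the list (TODO confirm against the parse-kv docs).
| parse-kv CefEvent as (
      event:string
    , eventstarttime:datetime
    , task:string
    , user:string
    , description:string
    ) with (pair_delimiter=' ', kv_delimiter='=', greedy=true)
| extend EventSchema = "AuditEvent"
    , EventSchemaVersion = "0.1"
    // Map the Airlock task name onto a generic operation type; unmapped
    // tasks fall through to "Other". (A duplicate "Definition Generation"
    // branch was removed; case() takes the first match, so it was dead.)
    , EventType = case(
          task == "Repository Add", "Create"
        , task == "Definition Generation", "Create"
        , task == "Policy Modify", "Set"
        , task == "Definition Diff Generation", "Create"
        , "Other"
    )
| project-rename DvcHostname = Computer
    , EventProduct = DeviceProduct
    , EventVendor = DeviceVendor
    , DvcVersion = DeviceVersion
    , TargetUserName = user
    , Operation = task
    , EventMessage = description
    , EventStartTime = eventstarttime
| extend Dvc = DvcHostname
    , User = TargetUserName
// Drop raw/intermediate columns. Device* still matches DeviceEventClassID,
// DeviceEventName and DeviceSeverity (the vendor/product/version columns were
// renamed above). NOTE(review): DeviceSeverity is parsed and then discarded —
// TODO confirm whether it should be surfaced (e.g. as an EventSeverity column).
| project-away Device*
    , CefParts
    , CefEvent
    , SyslogMessage
    , Facility
    , HostName
    , HostIP
    , SeverityLevel
    , Process*
    , Type
    , event
    , TenantId
    , SourceSystem
    , EventTime
| project-reorder EventStartTime
    , Operation
    , TargetUserName
    , EventMessage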