Merge pull request #9522 from nlepagnez/Correct-Parser-paramteres

Correct Parser parameters in the Package.
Azure · Dec 4, 2023 · 6659244 · 6659244
2 parents ab6b698 + 1553ad2
commit 6659244
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 1 deletion.
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.2.zip
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
@@ -733,7 +733,7 @@
         "category": "Microsoft Sentinel Parser",
         "functionAlias": "ExchangeConfiguration",
         "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n    | where TimeGenerated > _targetDate\n    | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n    | where _target == 'All' or Source == _target\n    | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n    | where ScopedEnvironment in (_configurationEnv)\n    | extend EntryDate = todatetime(EntryDate_s)\n    | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n    | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n    | summarize count() by GenerationInstanceID_g,Env,EntryDate\n    | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n    | top-nested of Env by Ignore0=max(1), \n        top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n        top-nested of GenerationInstanceID_g by Ignore2=max(2) \n    | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n",
-        "functionParameters": "SpecificSectionList:string,SpecificConfigurationDate:string,SpecificConfigurationEnv:string,Target:string",
+        "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"",
         "version": 2,
         "tags": [
           {