diff --git a/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml b/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml index f5d59b0cff..4c2ddfd924 100644 --- a/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml +++ b/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml 
@@ -9,121 +9,123 @@ FunctionAlias: GCPCloudDNS FunctionQuery: | let GCPCloudDNS_view = view () { let DNSQuery_GcpDns_empty = datatable( - Query:string, - QueryTypeName:string, - ResponseName:string, - EventResultDetails:string, - NetworkProtocol:string, - SrcIpAddr:string, - EventOriginalUid:string, - EventSeverity:string, - EventCount:int, - EventProduct:string, - EventVendor:string, - EventSchemaVersion:string, - Dvc:string, - EventType:string, - EventResult:string, - EventSubType:string, - EventEndTime:datetime, - ResponseCodeName:string, - Domain:string, - IpAddr:string, - EventStartTime:datetime + Query_e:string, + QueryTypeName_e:string, + ResponseName_e:string, + EventResultDetails_e:string, + NetworkProtocol_e:string, + SrcIpAddr_e:string, + EventOriginalUid_e:string, + EventSeverity_e:string, + EventCount_e:int, + EventProduct_e:string, + EventVendor_e:string, + EventSchemaVersion_e:string, + Dvc_e:string, + EventType_e:string, + EventResult_e:string, + EventSubType_e:string, + EventEndTime_e:datetime, + ResponseCodeName_e:string, + Domain_e:string, + IpAddr_e:string, + EventStartTime_e:datetime )[]; let DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty | extend - Query=column_ifexists('payload_queryName_s', ''), - QueryTypeName=column_ifexists('payload_queryType_s', ''), - ResponseName=column_ifexists('payload_rdata_s', ''), - EventResultDetails=column_ifexists('payload_responseCode_s', ''), - NetworkProtocol=column_ifexists('payload_protocol_s', ''), - SrcIpAddr=column_ifexists('payload_sourceIP_s', ''), - EventOriginalUid=column_ifexists('insert_id_s', ''), - EventSeverity=column_ifexists('severity_s', ''), - EventCount=(1), - EventProduct="Cloud DNS", - EventVendor="GCP", - EventSchemaVersion="0.1.0", - Dvc="GCPDNS", - EventType = iif (column_ifexists('resource_type_s', '') == "dns_query", "lookup", column_ifexists('resource_type_s', '')), - EventResult=iff(EventResultDetails =~ 'NOERROR', 'Success', 'Failure'), - 
EventSubType='response', - EventEndTime=todatetime(column_ifexists('timestamp_t', '')) + Query_e=column_ifexists('payload_queryName_s', ''), + QueryTypeName_e=column_ifexists('payload_queryType_s', ''), + ResponseName_e=column_ifexists('payload_rdata_s', ''), + EventResultDetails_e=column_ifexists('payload_responseCode_s', ''), + NetworkProtocol_e=column_ifexists('payload_protocol_s', ''), + SrcIpAddr_e=column_ifexists('payload_sourceIP_s', ''), + EventOriginalUid_e=column_ifexists('insert_id_s', ''), + EventSeverity_e=column_ifexists('severity_s', ''), + EventCount_e=(1), + EventProduct_e="Cloud DNS", + EventVendor_e="GCP", + EventSchemaVersion_e="0.1.0", + Dvc_e="GCPDNS", + EventType_e=iif (column_ifexists('resource_type_s', '') == "dns_query", "lookup", column_ifexists('resource_type_s', '')), + EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), + EventSubType_e='response', + EventEndTime_e=todatetime(column_ifexists('timestamp_t', '')) + // ---Aliases | extend - ResponseCodeName=EventResultDetails, - Domain=Query, - IpAddr=SrcIpAddr, - EventStartTime = EventEndTime + ResponseCodeName_e=EventResultDetails_e, + Domain_e=Query_e, + IpAddr_e=SrcIpAddr_e, + EventStartTime_e=EventEndTime_e | project-rename - Query=Query, - QueryTypeName=QueryTypeName, - ResponseName=ResponseName, - EventResultDetails=EventResultDetails, - NetworkProtocol=NetworkProtocol, - SrcIpAddr=SrcIpAddr, - EventOriginalUid=EventOriginalUid, - EventSeverity=EventSeverity, - EventCount=EventCount, - EventProduct=EventProduct, - EventVendor=EventVendor, - EventSchemaVersion=EventSchemaVersion, - Dvc=Dvc, - EventType=EventType, - EventResult=EventResult, - EventSubType=EventSubType, - EventEndTime=EventEndTime, - ResponseCodeName=ResponseCodeName, - Domain=Domain, - IpAddr=IpAddr, - EventStartTime=EventStartTime; + Query=Query_e, + QueryTypeName=QueryTypeName_e, + ResponseName=ResponseName_e, + EventResultDetails=EventResultDetails_e, + NetworkProtocol=NetworkProtocol_e, + 
SrcIpAddr=SrcIpAddr_e, + EventOriginalUid=EventOriginalUid_e, + EventSeverity=EventSeverity_e, + EventCount=EventCount_e, + EventProduct=EventProduct_e, + EventVendor=EventVendor_e, + EventSchemaVersion=EventSchemaVersion_e, + Dvc=Dvc_e, + EventType=EventType_e, + EventResult=EventResult_e, + EventSubType=EventSubType_e, + EventEndTime=EventEndTime_e, + ResponseCodeName=ResponseCodeName_e, + Domain=Domain_e, + IpAddr=IpAddr_e, + EventStartTime=EventStartTime_e; let DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty | extend - Query=column_ifexists('payload_queryName', ''), - QueryTypeName=column_ifexists('payload_queryType', ''), - ResponseName=column_ifexists('payload_rdata', ''), - EventResultDetails=column_ifexists('payload_responseCode', ''), - NetworkProtocol=column_ifexists('payload_protocol', ''), - SrcIpAddr=column_ifexists('payload_sourceIP', ''), - EventOriginalUid=column_ifexists('insert_id', ''), - EventSeverity=column_ifexists('severity', ''), - EventCount=(1), - EventProduct="Cloud DNS", - EventVendor="GCP", - EventSchemaVersion="0.1.0", - Dvc="GCPDNS", - EventType = iif (column_ifexists('resource_type', '') == "dns_query", "lookup", column_ifexists('resource_type', '')), - EventResult=iff(EventResultDetails =~ 'NOERROR', 'Success', 'Failure'), - EventSubType='response', - EventEndTime=todatetime(column_ifexists('timestamp', '')) + Query_e=column_ifexists('payload_queryName', ''), + QueryTypeName_e=column_ifexists('payload_queryType', ''), + ResponseName_e=column_ifexists('payload_rdata', ''), + EventResultDetails_e=column_ifexists('payload_responseCode', ''), + NetworkProtocol_e=column_ifexists('payload_protocol', ''), + SrcIpAddr_e=column_ifexists('payload_sourceIP', ''), + EventOriginalUid_e=column_ifexists('insert_id', ''), + EventSeverity_e=column_ifexists('severity', ''), + EventCount_e=(1), + EventProduct_e="Cloud DNS", + EventVendor_e="GCP", + EventSchemaVersion_e="0.1.0", + Dvc_e="GCPDNS", + EventType_e=iif 
(column_ifexists('resource_type', '') == "dns_query", "lookup", column_ifexists('resource_type', '')), + EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), + EventSubType_e='response', + EventEndTime_e=todatetime(column_ifexists('timestamp', '')) + // ---Aliases | extend - ResponseCodeName=EventResultDetails, - Domain=Query, - IpAddr=SrcIpAddr, - EventStartTime = EventEndTime + ResponseCodeName_e=EventResultDetails_e, + Domain_e=Query_e, + IpAddr_e=SrcIpAddr_e, + EventStartTime_e=EventEndTime_e | project-rename - Query=Query, - QueryTypeName=QueryTypeName, - ResponseName=ResponseName, - EventResultDetails=EventResultDetails, - NetworkProtocol=NetworkProtocol, - SrcIpAddr=SrcIpAddr, - EventOriginalUid=EventOriginalUid, - EventSeverity=EventSeverity, - EventCount=EventCount, - EventProduct=EventProduct, - EventVendor=EventVendor, - EventSchemaVersion=EventSchemaVersion, - Dvc=Dvc, - EventType=EventType, - EventResult=EventResult, - EventSubType=EventSubType, - EventEndTime=EventEndTime, - ResponseCodeName=ResponseCodeName, - Domain=Domain, - IpAddr=IpAddr, - EventStartTime=EventStartTime; + Query=Query_e, + QueryTypeName=QueryTypeName_e, + ResponseName=ResponseName_e, + EventResultDetails=EventResultDetails_e, + NetworkProtocol=NetworkProtocol_e, + SrcIpAddr=SrcIpAddr_e, + EventOriginalUid=EventOriginalUid_e, + EventSeverity=EventSeverity_e, + EventCount=EventCount_e, + EventProduct=EventProduct_e, + EventVendor=EventVendor_e, + EventSchemaVersion=EventSchemaVersion_e, + Dvc=Dvc_e, + EventType=EventType_e, + EventResult=EventResult_e, + EventSubType=EventSubType_e, + EventEndTime=EventEndTime_e, + ResponseCodeName=ResponseCodeName_e, + Domain=Domain_e, + IpAddr=IpAddr_e, + EventStartTime=EventStartTime_e; union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2 - | project-reorder EventEndTime, IpAddr, Query, QueryTypeName, ResponseName, EventResult, EventSeverity, EventProduct, EventVendor, EventSchemaVersion, Dvc, EventType, EventSubType, 
ResponseCodeName, Domain, EventStartTime; + | project-reorder Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime; }; GCPCloudDNS_view \ No newline at end of file
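Review bot: In both `extend` blocks, `EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure')` classifies every record whose response code is absent as a failure, because `column_ifexists('payload_responseCode_s', '')` (and `column_ifexists('payload_responseCode', '')` in the `GCP_DNSV2_CL` branch) yields an empty string when the field is missing. Any detection keyed on `EventResult == 'Failure'` (excessive DNS failure or NXDOMAIN-style rules) will then count records that carry no response code at all, inflating failure counts with rows that were never answered with an error. Consider `EventResult_e=case(isempty(EventResultDetails_e), 'NA', EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),` in both branches; as far as I recall 'NA' is the ASIM value for an undetermined result, so please confirm against the DNS schema before adopting it. The same change applies to the second `extend` over `GCP_DNSV2_CL` later in this hunk.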