diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json
index d743a9ebc22..eb86223227b 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/azuredeploy_FortinetFortiNdrCloud_API_FunctionApp.json
@@ -60,14 +60,6 @@
 "type": "string",
 "defaultValue": ""
 },
- "IncludePdns": {
- "type": "bool",
- "defaultValue": false
- },
- "IncludeDhcp": {
- "type": "bool",
- "defaultValue": false
- },
 "IncludeEvents": {
 "type": "bool",
 "defaultValue": false
@@ -237,7 +229,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.10"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
@@ -269,8 +261,6 @@
 "FncApiToken": "[parameters('FncApiToken')]",
 "FncAccountUuid": "[parameters('FncAccountUuid')]",
 "FncApiDomain": "[parameters('FncApiDomain')]",
- "IncludePdns": "[parameters('IncludePdns')]",
- "IncludeDhcp": "[parameters('IncludeDhcp')]",
 "IncludeEvents": "[parameters('IncludeEvents')]",
 "IncludeDescription": "[parameters('IncludeDescription')]",
 "IncludeSignature": "[parameters('IncludeSignature')]",
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn.zip b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn.zip
index bea16868b71..09bb07381d2 100644
Binary files a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn.zip and b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn.zip differ
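Review bot: Dropping the `IncludePdns` and `IncludeDhcp` parameters in the first hunk is a breaking change for existing deployments: ARM fails template validation when a parameter file or pipeline supplies a parameter the template no longer declares, so anyone who saved those values will see the deployment rejected rather than the options silently ignored. Consider keeping both as deprecated no-op parameters for one release, e.g. `"IncludePdns": { "type": "bool", "defaultValue": false, "metadata": { "description": "Deprecated; ignored" } }`, or call the removal out explicitly in the release notes. The `linuxFxVersion` bump to `python|3.11` in the second hunk looks fine on its own; presumably the packaged function code was rebuilt against the same runtime, but that cannot be confirmed from this diff.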
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetections/__init__.py b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetections/__init__.py
index a2ee0fb0115..99bde0febe1 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetections/__init__.py
+++ b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetections/__init__.py
@@ -2,6 +2,7 @@
 import logging
 import os
+import FncRestClient
 from fnc.api.api_client import ApiContext
 from fnc.fnc_client import FncClient
 from globalVariables import INTEGRATION_NAME
@@ -9,8 +10,6 @@
 API_TOKEN = os.environ.get("FncApiToken")
 ACCOUNT_UUID = os.environ.get("FncAccountUuid")
-INCLUDE_PDNS = os.environ.get("FncAccountUuid")
-INCLUDE_DHCP = os.environ.get("IncludeDhcp")
 INCLUDE_EVENTS = os.environ.get("IncludeEvents")
 POLLING_DELAY = int(os.environ.get("PollingDelay") or 10)
 DOMAIN = os.environ.get("FncApiDomain")
@@ -80,8 +79,9 @@ def add_events_to_detections(detections, detection_events):
 def fetch_and_send_detections(
 ctx: ApiContext, event_type: str, start_date: str
 ):
+ rest_client = FncRestClient.FncSentinelRestClient()
 client = FncClient.get_api_client(
- name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
+ name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
 )
 loggerLever = logging.getLevelName(LOGGER_LEVEL.upper())
 client.get_logger().set_level(level=loggerLever)
@@ -94,8 +94,6 @@ def fetch_and_send_detections(
 "pull_muted_devices": PULL_MUTED,
 "include_description": INCLUDE_DESCRIPTION,
 "include_signature": INCLUDE_SIGNATURE,
- "include_pdns": INCLUDE_PDNS,
- "include_dhcp": INCLUDE_DHCP,
 "include_events": INCLUDE_EVENTS,
 "filter_training_detections": True,
 "start_date": start_date,
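Review bot: The new `import FncRestClient` in the first hunk is placed between the stdlib imports and the `fnc.*` third-party imports although it is a local module of the function app; it belongs in the local group next to `from globalVariables import INTEGRATION_NAME`. The module also carries the same name as the `fnc.api.FncRestClient` base class it subclasses, so `FncRestClient.FncSentinelRestClient()` in the third hunk reads like a class attribute rather than a module lookup; a snake_case module name or `from FncRestClient import FncSentinelRestClient` would remove the ambiguity. The same placement applies to the matching hunks in FetchAndSendDetectionsHistory/__init__.py and OrchestratorWatchdog/__init__.py. `fetch_and_send_detections` continues past the end of the hunk.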
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetectionsHistory/__init__.py b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetectionsHistory/__init__.py
index 6d4532031ce..92dac24c7e0 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetectionsHistory/__init__.py
+++ b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FetchAndSendDetectionsHistory/__init__.py
@@ -3,6 +3,7 @@
 import os
 from datetime import datetime, timezone
+import FncRestClient
 from fnc.api.api_client import ApiContext
 from fnc.fnc_client import FncClient
 from globalVariables import INTEGRATION_NAME
@@ -10,8 +11,6 @@
 API_TOKEN = os.environ.get("FncApiToken")
 ACCOUNT_UUID = os.environ.get("FncAccountUuid")
-INCLUDE_PDNS = os.environ.get("FncAccountUuid")
-INCLUDE_DHCP = os.environ.get("IncludeDhcp")
 INCLUDE_EVENTS = os.environ.get("IncludeEvents")
 POLLING_DELAY = int(os.environ.get("PollingDelay") or 10)
 DOMAIN = os.environ.get("FncApiDomain")
@@ -96,8 +95,9 @@ def add_events_to_detections(detections, detection_events):
 def fetch_and_send_detections(ctx: ApiContext, event_type: str, start_date: str):
+ rest_client = FncRestClient.FncSentinelRestClient()
 client = FncClient.get_api_client(
- name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
+ name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
 )
 loggerLever = logging.getLevelName(LOGGER_LEVEL.upper())
 client.get_logger().set_level(level=loggerLever)
@@ -110,8 +110,6 @@ def fetch_and_send_detections(ctx: ApiContext, event_type: str, start_date: str)
 "pull_muted_devices": PULL_MUTED,
 "include_description": INCLUDE_DESCRIPTION,
 "include_signature": INCLUDE_SIGNATURE,
- "include_pdns": INCLUDE_PDNS,
- "include_dhcp": INCLUDE_DHCP,
 "include_events": INCLUDE_EVENTS,
 "filter_training_detections": True,
 "limit": 100,
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FncRestClient.py b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FncRestClient.py
new file mode 100644
index 00000000000..8ed4f8449a4
--- /dev/null
+++ b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/FncRestClient.py
@@ -0,0 +1,30 @@
+from fnc.api import FncRestClient
+from fnc.errors import ErrorMessages, ErrorType, FncClientError
+import requests
+
+class FncSentinelRestClient(FncRestClient):
+ def validate_request(self, req_args: dict):
+ if not req_args or 'url' not in req_args:
+ raise FncClientError(
+ error_type=ErrorType.REQUEST_VALIDATION_ERROR,
+ error_message=ErrorMessages.REQUEST_URL_NOT_PROVIDED
+ )
+
+ if 'method' not in req_args:
+ raise FncClientError(
+ error_type=ErrorType.REQUEST_VALIDATION_ERROR,
+ error_message=ErrorMessages.REQUEST_METHOD_NOT_PROVIDED
+ )
+
+ def send_request(self, req_args: dict = None):
+ url = req_args['url']
+ method = req_args['method']
+ headers = req_args.get('headers', {})
+ timeout = req_args.get('timeout', 70)
+ verify = req_args.get('verify', True)
+ parameters = req_args.get('params', {})
+ json = req_args.get('json', None)
+ data = req_args.get('data', None)
+ payload = json or data
+ response = requests.request(method, url, headers=headers, timeout=timeout, params=parameters, json=payload, verify=verify)
+ return response
\ No newline at end of file
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py
index e71d56a9849..63196de571b 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py
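Review bot: `payload = json or data` followed by `json=payload` in `send_request` pushes a `data` body through the JSON encoder, so a form-encoded or raw-string body arrives JSON-encoded with the wrong Content-Type, and a falsy-but-valid JSON body such as `{}` or `[]` is silently dropped; pass both through unchanged, `response = requests.request(method, url, headers=headers, timeout=timeout, params=parameters, json=json, data=data, verify=verify)`. `send_request` also indexes `req_args['url']` and `req_args['method']` without ever calling `validate_request`, and its `req_args: dict = None` default turns a `None` call into a `TypeError` rather than the `FncClientError` that `validate_request` exists to raise; unless the `fnc.api.FncRestClient` base class is known to call `validate_request` first (not visible here), add `self.validate_request(req_args)` as the first statement. `verify` is taken straight from `req_args`, so any caller can switch off TLS certificate verification for requests that presumably carry the API token in `headers`; if the SDK never needs that, pin `verify=True` in this client, otherwise at least log when it is disabled. Minor: the local `json` shadows the stdlib module name, and the `70` in `req_args.get('timeout', 70)` would read better as a named class constant.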
+++ b/Solutions/Fortinet FortiNDR Cloud/Data Connectors/fortinetFortiNdrCloudDataConn/OrchestratorWatchdog/__init__.py
@@ -4,6 +4,7 @@
 import azure.durable_functions as df
 import azure.functions as func
+import FncRestClient
 from azure.durable_functions.models import DurableOrchestrationStatus
 from errors import InputError
 from fnc.fnc_client import FncClient
@@ -124,8 +125,9 @@ def get_detection_args():
 # Create detection client to get context for history
 # and real time detections
+ rest_client = FncRestClient.FncSentinelRestClient()
 detection_client = FncClient.get_api_client(
- name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN
+ name=INTEGRATION_NAME, api_token=API_TOKEN, domain=DOMAIN, rest_client=rest_client
 )
 h_context, context = detection_client.get_splitted_context(
 args=detection_args)
diff --git a/Solutions/Fortinet FortiNDR Cloud/Data/Solution_FortiNdrCloud.json b/Solutions/Fortinet FortiNDR Cloud/Data/Solution_FortiNdrCloud.json
index 5b8edd44cb4..e4263f12c96 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Data/Solution_FortiNdrCloud.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Data/Solution_FortiNdrCloud.json
@@ -13,7 +13,7 @@
 "Workbooks/FortinetFortiNdrCloudWorkbook.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Fortinet FortiNDR Cloud",
- "Version": "3.0.1",
+ "Version": "3.0.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/3.0.2.zip b/Solutions/Fortinet FortiNDR Cloud/Package/3.0.2.zip
new file mode 100644
index 00000000000..99e4cebfb2d
Binary files /dev/null and b/Solutions/Fortinet FortiNDR Cloud/Package/3.0.2.zip differ
diff --git a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
index e454593c2dd..8c259a69f31 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "cs@fortinet.com",
 "_email": "[variables('email')]",
 "_solutionName": "Fortinet FortiNDR Cloud",
- "_solutionVersion": "3.0.1",
+ "_solutionVersion": "3.0.2",
 "solutionId": "fortinet.fortindrcloud-sentinel",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "FortinetFortiNdrCloudDataConnector",
@@ -79,7 +79,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Fortinet FortiNDR Cloud data connector with template version 3.0.1",
+ "description": "Fortinet FortiNDR Cloud data connector with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -512,7 +512,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Fortinet_FortiNDR_Cloud Data Parser with template version 3.0.1",
+ "description": "Fortinet_FortiNDR_Cloud Data Parser with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -529,7 +529,7 @@ "displayName": "Parser for Fortinet_FortiNDR_Cloud", "category": "Microsoft Sentinel Parser", "functionAlias": "Fortinet_FortiNDR_Cloud", - "query": "let FortiNDR_Cloud_suricata_view = view () {\n FncEventsSuricata_CL\n | extend\n su_timestamp=column_ifexists('timestamp_t',''),\n su_uuid=column_ifexists('uuid_g',''),\n su_event_type=column_ifexists('event_type_s',''),\n su_customer_id=column_ifexists('customer_id_s',''),\n su_sensor_id=column_ifexists('sensor_id_s',''),\n su_source=column_ifexists('source_s',''),\n su_src_ip=column_ifexists('src_ip_s',''),\n su_src_port=column_ifexists('src_port_d',''),\n su_dst_ip=column_ifexists('dest_ip_s',''),\n su_dst_port=column_ifexists('dest_port_d',''),\n su_proto=column_ifexists('proto_s',''),\n su_sig_id=column_ifexists('alert_signature_id_d',''),\n su_sig_rev=column_ifexists('alert_rev_d',''),\n su_sig_name=column_ifexists('alert_signature_s',''),\n su_sig_category=column_ifexists('alert_category_s',''),\n su_sig_severity=column_ifexists('alert_severity_d',''),\n su_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n 
su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n su_geo_distance=column_ifexists('geo_distance_d',''),\n su_http_status=column_ifexists('http_status_d',''),\n su_http_protocol=column_ifexists('http_protocol_s',''),\n su_http_url=column_ifexists('http_url_s',''),\n su_http_hostname=column_ifexists('http_hostname_s',''),\n 
su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b',''),\n su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d',''),\n su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d',''),\n su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),\n su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),\n su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d',''),\n su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),\n su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),\n su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),\n su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),\n su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),\n su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),\n su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),\n su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),\n su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),\n su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),\n su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d',''),\n su_http_length=column_ifexists('http_length_d',''),\n su_http_method=column_ifexists('http_http_method_s',''),\n 
su_http_content_type=column_ifexists('http_http_content_type_s',''),\n su_http_refer=column_ifexists('http_http_refer_s',''),\n su_http_user_agent=column_ifexists('http_http_user_agent_s',''),\n su_http_redirect=column_ifexists('http_redirect_s',''),\n su_http_xtf=column_ifexists('http_xtf_s',''),\n su_payload=column_ifexists('payload_s',''),\n su_intel=column_ifexists('intel_s','')\n | project\n su_timestamp,\n su_event_type,\n su_src_ip,\n su_src_port,\n su_dst_ip,\n su_dst_port,\n su_intel,\n su_sig_name,\n su_sig_id,\n su_sig_rev,\n su_sig_category,\n su_sig_severity,\n su_payload,\n su_source,\n su_proto,\n su_sensor_id,\n su_src_internal,\n su_src_geo_lat,\n su_src_geo_lon,\n su_src_geo_country,\n su_src_geo_subdivision,\n su_src_geo_city,\n su_src_asn_asn,\n su_src_asn_org,\n su_src_asn_isp,\n su_src_asn_asn_org,\n su_src_annotations_applications,\n su_src_annotations_environments,\n su_src_annotations_locations,\n su_src_annotations_owners,\n su_src_annotations_roles,\n su_src_annotations_tags,\n su_dst_internal,\n su_dst_geo_lat,\n su_dst_geo_lon,\n su_dst_geo_country,\n su_dst_geo_subdivision,\n su_dst_geo_city,\n su_dst_asn_asn,\n su_dst_asn_org,\n su_dst_asn_isp,\n su_dst_asn_asn_org,\n su_dst_annotations_applications,\n su_dst_annotations_environments,\n su_dst_annotations_locations,\n su_dst_annotations_owners,\n su_dst_annotations_roles,\n su_dst_annotations_tags,\n su_geo_distance,\n su_http_status,\n su_http_protocol,\n su_http_url,\n su_http_hostname,\n su_http_host_internal,\n su_http_host_geo_lat,\n su_http_host_geo_lon,\n su_http_host_geo_country,\n su_http_host_geo_subdivision,\n su_http_host_geo_city,\n su_http_host_asn_asn,\n su_http_host_asn_org,\n su_http_host_asn_isp,\n su_http_host_asn_asn_org,\n su_http_host_annotations_applications,\n su_http_host_annotations_environments,\n su_http_host_annotations_locations,\n su_http_host_annotations_owners,\n su_http_host_annotations_roles,\n su_http_host_annotations_tags,\n 
su_http_host_domain_entropy,\n su_http_length,\n su_http_method,\n su_http_content_type,\n su_http_refer,\n su_http_user_agent,\n su_http_redirect,\n su_http_xtf,\n su_uuid,\n su_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_observation_view = view () {\n FncEventsObservation_CL\n | extend\n ob_timestamp=column_ifexists('timestamp_t',''),\n ob_uuid=column_ifexists('uuid_g',''),\n ob_event_type=column_ifexists('event_type_s',''),\n ob_customer_id=column_ifexists('customer_id_s',''),\n ob_sensor_id=column_ifexists('sensor_id_s',''),\n ob_source=column_ifexists('source_s',''),\n ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t',''),\n ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t',''),\n ob_observation_uuid=column_ifexists('observation_uuid_g',''),\n ob_observation_title=column_ifexists('title_s',''),\n ob_confidence=column_ifexists('confidence_s',''),\n ob_src_ip=column_ifexists('src_ip_s',''),\n ob_dst_ip=column_ifexists('dst_ip_s',''),\n ob_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n 
ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n ob_geo_distance=column_ifexists('geo_distance_d',''),\n ob_sensor_ids=column_ifexists('sensor_ids_s',''),\n ob_evidence_iql=column_ifexists('evidence_iql_s',''),\n ob_description=column_ifexists('description_s',''),\n ob_context=column_ifexists('context_s',''),\n ob_class=column_ifexists('class_s',''),\n 
ob_intel=column_ifexists('intel_s', ''),\n ob_category=column_ifexists('Category', '')\n | project\n ob_timestamp,\n ob_observation_title,\n ob_confidence,\n ob_category,\n ob_class,\n ob_context,\n ob_evidence_iql,\n ob_evidence_end_timestamp,\n ob_evidence_start_timestamp,\n ob_description,\n ob_observation_uuid,\n ob_sensor_ids,\n ob_event_type,\n ob_src_ip,\n ob_dst_ip,\n ob_intel,\n ob_source,\n ob_sensor_id,\n ob_src_internal,\n ob_src_geo_lat,\n ob_src_geo_lon,\n ob_src_geo_country,\n ob_src_geo_subdivision,\n ob_src_geo_city,\n ob_src_asn_asn,\n ob_src_asn_org,\n ob_src_asn_isp,\n ob_src_asn_asn_org,\n ob_src_annotations_applications,\n ob_src_annotations_environments,\n ob_src_annotations_locations,\n ob_src_annotations_owners,\n ob_src_annotations_roles,\n ob_src_annotations_tags,\n ob_dst_internal,\n ob_dst_geo_lat,\n ob_dst_geo_lon,\n ob_dst_geo_country,\n ob_dst_geo_subdivision,\n ob_dst_geo_city,\n ob_dst_asn_asn,\n ob_dst_asn_org,\n ob_dst_asn_isp,\n ob_dst_asn_asn_org,\n ob_dst_annotations_applications,\n ob_dst_annotations_environments,\n ob_dst_annotations_locations,\n ob_dst_annotations_owners,\n ob_dst_annotations_roles,\n ob_dst_annotations_tags,\n ob_geo_distance,\n ob_uuid,\n ob_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_detections_view = view () {\n FncEventsDetections_CL\n | extend\n de_account_id=column_ifexists('account_uuid_g', ''),\n de_device_ip=column_ifexists('device_ip_s',''),\n de_rule_name=column_ifexists('rule_name_s',''),\n de_severity=column_ifexists('rule_severity_s',''),\n de_confidence=column_ifexists('rule_confidence_s',''),\n de_sensor_id=column_ifexists('sensor_id_s',''),\n de_muted=column_ifexists('muted_b',''),\n de_rule_muted=column_ifexists('muted_rule_b',''),\n de_rule_uuid=column_ifexists('rule_uuid_g',''),\n de_mute_comment=column_ifexists('muted_comment_s',''),\n de_muted_by=column_ifexists('muted_user_uuid_g', ''),\n de_date_muted=column_ifexists('muted_timestamp_t', ''),\n 
de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),\n de_date_resolved=column_ifexists('resolution_timestamp_t', ''),\n de_resolution=column_ifexists('resolution_s', ''),\n de_resolution_comment=column_ifexists('resolution_comment_s', ''),\n de_first_seen=column_ifexists('first_seen_t',''),\n de_last_seen=column_ifexists('last_seen_t',''),\n de_created=column_ifexists('created_t',''),\n de_updated=column_ifexists('updated_t',''),\n de_uuid=column_ifexists('uuid_g',''),\n de_status=column_ifexists('status_s',''),\n de_indicators=column_ifexists('indicators_s',''),\n de_username=column_ifexists('username_s', ''),\n de_hostname=column_ifexists('hostname_s', ''),\n de_category=column_ifexists('rule_category_s', ''),\n de_dhcp=column_ifexists('dhcp_s', ''),\n de_pdns=column_ifexists('PDNS_s', ''),\n de_event_count=column_ifexists('event_count_d', ''),\n de_events=column_ifexists('events_s', '')\n | project\n de_device_ip,\n de_event_count,\n de_events,\n de_indicators,\n de_last_seen,\n de_status,\n de_rule_name,\n de_severity,\n de_confidence,\n de_resolved_by,\n de_resolution,\n de_resolution_comment,\n de_date_resolved,\n de_rule_uuid,\n de_category,\n de_created,\n de_updated,\n de_first_seen,\n de_muted,\n de_rule_muted,\n de_mute_comment,\n de_muted_by,\n de_date_muted,\n de_sensor_id,\n de_account_id,\n de_uuid,\n de_username,\n de_hostname,\n de_dhcp,\n de_pdns,\n Type\n}; \n\nunion isfuzzy=true\n FortiNDR_Cloud_suricata_view,\n FortiNDR_Cloud_observation_view,\n FortiNDR_Cloud_detections_view\n", + "query": "let FortiNDR_Cloud_suricata_view = view () {\n FncEventsSuricata_CL\n | extend\n su_timestamp=column_ifexists('timestamp_t',''),\n su_uuid=column_ifexists('uuid_g',''),\n su_event_type=column_ifexists('event_type_s',''),\n su_customer_id=column_ifexists('customer_id_s',''),\n su_sensor_id=column_ifexists('sensor_id_s',''),\n su_source=column_ifexists('source_s',''),\n su_src_ip=column_ifexists('src_ip_s',''),\n 
su_src_port=column_ifexists('src_port_d',''),\n su_dst_ip=column_ifexists('dest_ip_s',''),\n su_dst_port=column_ifexists('dest_port_d',''),\n su_proto=column_ifexists('proto_s',''),\n su_sig_id=column_ifexists('alert_signature_id_d',''),\n su_sig_rev=column_ifexists('alert_rev_d',''),\n su_sig_name=column_ifexists('alert_signature_s',''),\n su_sig_category=column_ifexists('alert_category_s',''),\n su_sig_severity=column_ifexists('alert_severity_d',''),\n su_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n 
su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n su_geo_distance=column_ifexists('geo_distance_d',''),\n su_http_status=column_ifexists('http_status_d',''),\n su_http_protocol=column_ifexists('http_protocol_s',''),\n su_http_url=column_ifexists('http_url_s',''),\n su_http_hostname=column_ifexists('http_hostname_s',''),\n su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b',''),\n su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d',''),\n su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d',''),\n su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),\n su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),\n su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d',''),\n 
su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),\n su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),\n su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),\n su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),\n su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),\n su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),\n su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),\n su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),\n su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),\n su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),\n su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d',''),\n su_http_length=column_ifexists('http_length_d',''),\n su_http_method=column_ifexists('http_http_method_s',''),\n su_http_content_type=column_ifexists('http_http_content_type_s',''),\n su_http_refer=column_ifexists('http_http_refer_s',''),\n su_http_user_agent=column_ifexists('http_http_user_agent_s',''),\n su_http_redirect=column_ifexists('http_redirect_s',''),\n su_http_xtf=column_ifexists('http_xtf_s',''),\n su_payload=column_ifexists('payload_s',''),\n su_intel=column_ifexists('intel_s','')\n | project\n su_timestamp,\n su_event_type,\n su_src_ip,\n su_src_port,\n su_dst_ip,\n su_dst_port,\n su_intel,\n su_sig_name,\n su_sig_id,\n su_sig_rev,\n su_sig_category,\n su_sig_severity,\n su_payload,\n su_source,\n su_proto,\n 
su_sensor_id,\n su_src_internal,\n su_src_geo_lat,\n su_src_geo_lon,\n su_src_geo_country,\n su_src_geo_subdivision,\n su_src_geo_city,\n su_src_asn_asn,\n su_src_asn_org,\n su_src_asn_isp,\n su_src_asn_asn_org,\n su_src_annotations_applications,\n su_src_annotations_environments,\n su_src_annotations_locations,\n su_src_annotations_owners,\n su_src_annotations_roles,\n su_src_annotations_tags,\n su_dst_internal,\n su_dst_geo_lat,\n su_dst_geo_lon,\n su_dst_geo_country,\n su_dst_geo_subdivision,\n su_dst_geo_city,\n su_dst_asn_asn,\n su_dst_asn_org,\n su_dst_asn_isp,\n su_dst_asn_asn_org,\n su_dst_annotations_applications,\n su_dst_annotations_environments,\n su_dst_annotations_locations,\n su_dst_annotations_owners,\n su_dst_annotations_roles,\n su_dst_annotations_tags,\n su_geo_distance,\n su_http_status,\n su_http_protocol,\n su_http_url,\n su_http_hostname,\n su_http_host_internal,\n su_http_host_geo_lat,\n su_http_host_geo_lon,\n su_http_host_geo_country,\n su_http_host_geo_subdivision,\n su_http_host_geo_city,\n su_http_host_asn_asn,\n su_http_host_asn_org,\n su_http_host_asn_isp,\n su_http_host_asn_asn_org,\n su_http_host_annotations_applications,\n su_http_host_annotations_environments,\n su_http_host_annotations_locations,\n su_http_host_annotations_owners,\n su_http_host_annotations_roles,\n su_http_host_annotations_tags,\n su_http_host_domain_entropy,\n su_http_length,\n su_http_method,\n su_http_content_type,\n su_http_refer,\n su_http_user_agent,\n su_http_redirect,\n su_http_xtf,\n su_uuid,\n su_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_observation_view = view () {\n FncEventsObservation_CL\n | extend\n ob_timestamp=column_ifexists('timestamp_t',''),\n ob_uuid=column_ifexists('uuid_g',''),\n ob_event_type=column_ifexists('event_type_s',''),\n ob_customer_id=column_ifexists('customer_id_s',''),\n ob_sensor_id=column_ifexists('sensor_id_s',''),\n ob_source=column_ifexists('source_s',''),\n 
ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t',''),\n ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t',''),\n ob_observation_uuid=column_ifexists('observation_uuid_g',''),\n ob_observation_title=column_ifexists('title_s',''),\n ob_confidence=column_ifexists('confidence_s',''),\n ob_src_ip=column_ifexists('src_ip_s',''),\n ob_dst_ip=column_ifexists('dst_ip_s',''),\n ob_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n 
ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n ob_geo_distance=column_ifexists('geo_distance_d',''),\n ob_sensor_ids=column_ifexists('sensor_ids_s',''),\n ob_evidence_iql=column_ifexists('evidence_iql_s',''),\n ob_description=column_ifexists('description_s',''),\n ob_context=column_ifexists('context_s',''),\n ob_class=column_ifexists('class_s',''),\n ob_intel=column_ifexists('intel_s', ''),\n ob_category=column_ifexists('Category', '')\n | project\n ob_timestamp,\n ob_observation_title,\n ob_confidence,\n ob_category,\n ob_class,\n ob_context,\n ob_evidence_iql,\n ob_evidence_end_timestamp,\n ob_evidence_start_timestamp,\n ob_description,\n ob_observation_uuid,\n ob_sensor_ids,\n ob_event_type,\n ob_src_ip,\n ob_dst_ip,\n ob_intel,\n ob_source,\n ob_sensor_id,\n ob_src_internal,\n ob_src_geo_lat,\n ob_src_geo_lon,\n ob_src_geo_country,\n ob_src_geo_subdivision,\n ob_src_geo_city,\n ob_src_asn_asn,\n ob_src_asn_org,\n ob_src_asn_isp,\n 
ob_src_asn_asn_org,\n ob_src_annotations_applications,\n ob_src_annotations_environments,\n ob_src_annotations_locations,\n ob_src_annotations_owners,\n ob_src_annotations_roles,\n ob_src_annotations_tags,\n ob_dst_internal,\n ob_dst_geo_lat,\n ob_dst_geo_lon,\n ob_dst_geo_country,\n ob_dst_geo_subdivision,\n ob_dst_geo_city,\n ob_dst_asn_asn,\n ob_dst_asn_org,\n ob_dst_asn_isp,\n ob_dst_asn_asn_org,\n ob_dst_annotations_applications,\n ob_dst_annotations_environments,\n ob_dst_annotations_locations,\n ob_dst_annotations_owners,\n ob_dst_annotations_roles,\n ob_dst_annotations_tags,\n ob_geo_distance,\n ob_uuid,\n ob_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_detections_view = view () {\n FncEventsDetections_CL\n | extend\n de_account_id=column_ifexists('account_uuid_g', ''),\n de_device_ip=column_ifexists('device_ip_s',''),\n de_rule_name=column_ifexists('rule_name_s',''),\n de_severity=column_ifexists('rule_severity_s',''),\n de_confidence=column_ifexists('rule_confidence_s',''),\n de_sensor_id=column_ifexists('sensor_id_s',''),\n de_muted=column_ifexists('muted_b',''),\n de_rule_muted=column_ifexists('muted_rule_b',''),\n de_rule_uuid=column_ifexists('rule_uuid_g',''),\n de_mute_comment=column_ifexists('muted_comment_s',''),\n de_muted_by=column_ifexists('muted_user_uuid_g', ''),\n de_date_muted=column_ifexists('muted_timestamp_t', ''),\n de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),\n de_date_resolved=column_ifexists('resolution_timestamp_t', ''),\n de_resolution=column_ifexists('resolution_s', ''),\n de_resolution_comment=column_ifexists('resolution_comment_s', ''),\n de_first_seen=column_ifexists('first_seen_t',''),\n de_last_seen=column_ifexists('last_seen_t',''),\n de_created=column_ifexists('created_t',''),\n de_updated=column_ifexists('updated_t',''),\n de_uuid=column_ifexists('uuid_g',''),\n de_status=column_ifexists('status_s',''),\n de_indicators=column_ifexists('indicators_s',''),\n de_username=column_ifexists('username_s', ''),\n 
de_hostname=column_ifexists('hostname_s', ''),\n de_category=column_ifexists('rule_category_s', ''),\n de_event_count=column_ifexists('event_count_d', ''),\n de_events=column_ifexists('events_s', ''),\n de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),\n de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),\n de_rule_url=column_ifexists('rule_url_s', '')\n | project\n de_device_ip,\n de_event_count,\n de_events,\n de_indicators,\n de_last_seen,\n de_status,\n de_rule_name,\n de_severity,\n de_confidence,\n de_resolved_by,\n de_resolution,\n de_resolution_comment,\n de_date_resolved,\n de_rule_uuid,\n de_category,\n de_created,\n de_updated,\n de_first_seen,\n de_muted,\n de_rule_muted,\n de_mute_comment,\n de_muted_by,\n de_date_muted,\n de_sensor_id,\n de_account_id,\n de_uuid,\n de_username,\n de_hostname,\n de_primary_attack_id,\n de_secondary_attack_id,\n de_rule_url,\n Type\n}; \n\nunion isfuzzy=true\n FortiNDR_Cloud_suricata_view,\n FortiNDR_Cloud_observation_view,\n FortiNDR_Cloud_detections_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -594,7 +594,7 @@
 "displayName": "Parser for Fortinet_FortiNDR_Cloud",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "Fortinet_FortiNDR_Cloud",
- "query": "let FortiNDR_Cloud_suricata_view = view () {\n FncEventsSuricata_CL\n | extend\n su_timestamp=column_ifexists('timestamp_t',''),\n su_uuid=column_ifexists('uuid_g',''),\n su_event_type=column_ifexists('event_type_s',''),\n su_customer_id=column_ifexists('customer_id_s',''),\n su_sensor_id=column_ifexists('sensor_id_s',''),\n su_source=column_ifexists('source_s',''),\n su_src_ip=column_ifexists('src_ip_s',''),\n su_src_port=column_ifexists('src_port_d',''),\n su_dst_ip=column_ifexists('dest_ip_s',''),\n su_dst_port=column_ifexists('dest_port_d',''),\n su_proto=column_ifexists('proto_s',''),\n su_sig_id=column_ifexists('alert_signature_id_d',''),\n su_sig_rev=column_ifexists('alert_rev_d',''),\n su_sig_name=column_ifexists('alert_signature_s',''),\n su_sig_category=column_ifexists('alert_category_s',''),\n su_sig_severity=column_ifexists('alert_severity_d',''),\n su_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n 
su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n su_geo_distance=column_ifexists('geo_distance_d',''),\n su_http_status=column_ifexists('http_status_d',''),\n su_http_protocol=column_ifexists('http_protocol_s',''),\n su_http_url=column_ifexists('http_url_s',''),\n su_http_hostname=column_ifexists('http_hostname_s',''),\n 
su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b',''),\n su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d',''),\n su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d',''),\n su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),\n su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),\n su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d',''),\n su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),\n su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),\n su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),\n su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),\n su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),\n su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),\n su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),\n su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),\n su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),\n su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),\n su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d',''),\n su_http_length=column_ifexists('http_length_d',''),\n su_http_method=column_ifexists('http_http_method_s',''),\n 
su_http_content_type=column_ifexists('http_http_content_type_s',''),\n su_http_refer=column_ifexists('http_http_refer_s',''),\n su_http_user_agent=column_ifexists('http_http_user_agent_s',''),\n su_http_redirect=column_ifexists('http_redirect_s',''),\n su_http_xtf=column_ifexists('http_xtf_s',''),\n su_payload=column_ifexists('payload_s',''),\n su_intel=column_ifexists('intel_s','')\n | project\n su_timestamp,\n su_event_type,\n su_src_ip,\n su_src_port,\n su_dst_ip,\n su_dst_port,\n su_intel,\n su_sig_name,\n su_sig_id,\n su_sig_rev,\n su_sig_category,\n su_sig_severity,\n su_payload,\n su_source,\n su_proto,\n su_sensor_id,\n su_src_internal,\n su_src_geo_lat,\n su_src_geo_lon,\n su_src_geo_country,\n su_src_geo_subdivision,\n su_src_geo_city,\n su_src_asn_asn,\n su_src_asn_org,\n su_src_asn_isp,\n su_src_asn_asn_org,\n su_src_annotations_applications,\n su_src_annotations_environments,\n su_src_annotations_locations,\n su_src_annotations_owners,\n su_src_annotations_roles,\n su_src_annotations_tags,\n su_dst_internal,\n su_dst_geo_lat,\n su_dst_geo_lon,\n su_dst_geo_country,\n su_dst_geo_subdivision,\n su_dst_geo_city,\n su_dst_asn_asn,\n su_dst_asn_org,\n su_dst_asn_isp,\n su_dst_asn_asn_org,\n su_dst_annotations_applications,\n su_dst_annotations_environments,\n su_dst_annotations_locations,\n su_dst_annotations_owners,\n su_dst_annotations_roles,\n su_dst_annotations_tags,\n su_geo_distance,\n su_http_status,\n su_http_protocol,\n su_http_url,\n su_http_hostname,\n su_http_host_internal,\n su_http_host_geo_lat,\n su_http_host_geo_lon,\n su_http_host_geo_country,\n su_http_host_geo_subdivision,\n su_http_host_geo_city,\n su_http_host_asn_asn,\n su_http_host_asn_org,\n su_http_host_asn_isp,\n su_http_host_asn_asn_org,\n su_http_host_annotations_applications,\n su_http_host_annotations_environments,\n su_http_host_annotations_locations,\n su_http_host_annotations_owners,\n su_http_host_annotations_roles,\n su_http_host_annotations_tags,\n 
su_http_host_domain_entropy,\n su_http_length,\n su_http_method,\n su_http_content_type,\n su_http_refer,\n su_http_user_agent,\n su_http_redirect,\n su_http_xtf,\n su_uuid,\n su_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_observation_view = view () {\n FncEventsObservation_CL\n | extend\n ob_timestamp=column_ifexists('timestamp_t',''),\n ob_uuid=column_ifexists('uuid_g',''),\n ob_event_type=column_ifexists('event_type_s',''),\n ob_customer_id=column_ifexists('customer_id_s',''),\n ob_sensor_id=column_ifexists('sensor_id_s',''),\n ob_source=column_ifexists('source_s',''),\n ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t',''),\n ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t',''),\n ob_observation_uuid=column_ifexists('observation_uuid_g',''),\n ob_observation_title=column_ifexists('title_s',''),\n ob_confidence=column_ifexists('confidence_s',''),\n ob_src_ip=column_ifexists('src_ip_s',''),\n ob_dst_ip=column_ifexists('dst_ip_s',''),\n ob_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n 
ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n ob_geo_distance=column_ifexists('geo_distance_d',''),\n ob_sensor_ids=column_ifexists('sensor_ids_s',''),\n ob_evidence_iql=column_ifexists('evidence_iql_s',''),\n ob_description=column_ifexists('description_s',''),\n ob_context=column_ifexists('context_s',''),\n ob_class=column_ifexists('class_s',''),\n 
ob_intel=column_ifexists('intel_s', ''),\n ob_category=column_ifexists('Category', '')\n | project\n ob_timestamp,\n ob_observation_title,\n ob_confidence,\n ob_category,\n ob_class,\n ob_context,\n ob_evidence_iql,\n ob_evidence_end_timestamp,\n ob_evidence_start_timestamp,\n ob_description,\n ob_observation_uuid,\n ob_sensor_ids,\n ob_event_type,\n ob_src_ip,\n ob_dst_ip,\n ob_intel,\n ob_source,\n ob_sensor_id,\n ob_src_internal,\n ob_src_geo_lat,\n ob_src_geo_lon,\n ob_src_geo_country,\n ob_src_geo_subdivision,\n ob_src_geo_city,\n ob_src_asn_asn,\n ob_src_asn_org,\n ob_src_asn_isp,\n ob_src_asn_asn_org,\n ob_src_annotations_applications,\n ob_src_annotations_environments,\n ob_src_annotations_locations,\n ob_src_annotations_owners,\n ob_src_annotations_roles,\n ob_src_annotations_tags,\n ob_dst_internal,\n ob_dst_geo_lat,\n ob_dst_geo_lon,\n ob_dst_geo_country,\n ob_dst_geo_subdivision,\n ob_dst_geo_city,\n ob_dst_asn_asn,\n ob_dst_asn_org,\n ob_dst_asn_isp,\n ob_dst_asn_asn_org,\n ob_dst_annotations_applications,\n ob_dst_annotations_environments,\n ob_dst_annotations_locations,\n ob_dst_annotations_owners,\n ob_dst_annotations_roles,\n ob_dst_annotations_tags,\n ob_geo_distance,\n ob_uuid,\n ob_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_detections_view = view () {\n FncEventsDetections_CL\n | extend\n de_account_id=column_ifexists('account_uuid_g', ''),\n de_device_ip=column_ifexists('device_ip_s',''),\n de_rule_name=column_ifexists('rule_name_s',''),\n de_severity=column_ifexists('rule_severity_s',''),\n de_confidence=column_ifexists('rule_confidence_s',''),\n de_sensor_id=column_ifexists('sensor_id_s',''),\n de_muted=column_ifexists('muted_b',''),\n de_rule_muted=column_ifexists('muted_rule_b',''),\n de_rule_uuid=column_ifexists('rule_uuid_g',''),\n de_mute_comment=column_ifexists('muted_comment_s',''),\n de_muted_by=column_ifexists('muted_user_uuid_g', ''),\n de_date_muted=column_ifexists('muted_timestamp_t', ''),\n 
de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),\n de_date_resolved=column_ifexists('resolution_timestamp_t', ''),\n de_resolution=column_ifexists('resolution_s', ''),\n de_resolution_comment=column_ifexists('resolution_comment_s', ''),\n de_first_seen=column_ifexists('first_seen_t',''),\n de_last_seen=column_ifexists('last_seen_t',''),\n de_created=column_ifexists('created_t',''),\n de_updated=column_ifexists('updated_t',''),\n de_uuid=column_ifexists('uuid_g',''),\n de_status=column_ifexists('status_s',''),\n de_indicators=column_ifexists('indicators_s',''),\n de_username=column_ifexists('username_s', ''),\n de_hostname=column_ifexists('hostname_s', ''),\n de_category=column_ifexists('rule_category_s', ''),\n de_dhcp=column_ifexists('dhcp_s', ''),\n de_pdns=column_ifexists('PDNS_s', ''),\n de_event_count=column_ifexists('event_count_d', ''),\n de_events=column_ifexists('events_s', '')\n | project\n de_device_ip,\n de_event_count,\n de_events,\n de_indicators,\n de_last_seen,\n de_status,\n de_rule_name,\n de_severity,\n de_confidence,\n de_resolved_by,\n de_resolution,\n de_resolution_comment,\n de_date_resolved,\n de_rule_uuid,\n de_category,\n de_created,\n de_updated,\n de_first_seen,\n de_muted,\n de_rule_muted,\n de_mute_comment,\n de_muted_by,\n de_date_muted,\n de_sensor_id,\n de_account_id,\n de_uuid,\n de_username,\n de_hostname,\n de_dhcp,\n de_pdns,\n Type\n}; \n\nunion isfuzzy=true\n FortiNDR_Cloud_suricata_view,\n FortiNDR_Cloud_observation_view,\n FortiNDR_Cloud_detections_view\n",
+ "query": "let FortiNDR_Cloud_suricata_view = view () {\n FncEventsSuricata_CL\n | extend\n su_timestamp=column_ifexists('timestamp_t',''),\n su_uuid=column_ifexists('uuid_g',''),\n su_event_type=column_ifexists('event_type_s',''),\n su_customer_id=column_ifexists('customer_id_s',''),\n su_sensor_id=column_ifexists('sensor_id_s',''),\n su_source=column_ifexists('source_s',''),\n su_src_ip=column_ifexists('src_ip_s',''),\n 
su_src_port=column_ifexists('src_port_d',''),\n su_dst_ip=column_ifexists('dest_ip_s',''),\n su_dst_port=column_ifexists('dest_port_d',''),\n su_proto=column_ifexists('proto_s',''),\n su_sig_id=column_ifexists('alert_signature_id_d',''),\n su_sig_rev=column_ifexists('alert_rev_d',''),\n su_sig_name=column_ifexists('alert_signature_s',''),\n su_sig_category=column_ifexists('alert_category_s',''),\n su_sig_severity=column_ifexists('alert_severity_d',''),\n su_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n su_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n su_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n su_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n su_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n su_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n su_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n su_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n su_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n su_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n su_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n su_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n su_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n su_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n su_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n su_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n su_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n su_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n su_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n 
su_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n su_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n su_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n su_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n su_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n su_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n su_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n su_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n su_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n su_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n su_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n su_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n su_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n su_geo_distance=column_ifexists('geo_distance_d',''),\n su_http_status=column_ifexists('http_status_d',''),\n su_http_protocol=column_ifexists('http_protocol_s',''),\n su_http_url=column_ifexists('http_url_s',''),\n su_http_hostname=column_ifexists('http_hostname_s',''),\n su_http_host_internal=column_ifexists('http_hostname_enrichments_ip_enrichments_internal_b',''),\n su_http_host_geo_lat=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lat_d',''),\n su_http_host_geo_lon=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_location_lon_d',''),\n su_http_host_geo_subdivision=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_subdivision_s',''),\n su_http_host_geo_city=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_city_s',''),\n su_http_host_asn_asn=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_d',''),\n 
su_http_host_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_org_s',''),\n su_http_host_asn_isp=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_isp_s',''),\n su_http_host_asn_asn_org=column_ifexists('http_hostname_enrichments_ip_enrichments_asn_asn_org_s',''),\n su_http_host_geo_country=column_ifexists('http_hostname_enrichments_ip_enrichments_geo_country_s',''),\n su_http_host_annotations_applications=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_applications_s',''),\n su_http_host_annotations_environments=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_environments_s',''),\n su_http_host_annotations_locations=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_locations_s',''),\n su_http_host_annotations_owners=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_owners_s',''),\n su_http_host_annotations_roles=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_roles_s',''),\n su_http_host_annotations_tags=column_ifexists('http_hostname_enrichments_ip_enrichments_annotations_tags_s',''),\n su_http_host_domain_entropy=column_ifexists('http_hostname_enrichments_domain_enrichments_domain_entropy_d',''),\n su_http_length=column_ifexists('http_length_d',''),\n su_http_method=column_ifexists('http_http_method_s',''),\n su_http_content_type=column_ifexists('http_http_content_type_s',''),\n su_http_refer=column_ifexists('http_http_refer_s',''),\n su_http_user_agent=column_ifexists('http_http_user_agent_s',''),\n su_http_redirect=column_ifexists('http_redirect_s',''),\n su_http_xtf=column_ifexists('http_xtf_s',''),\n su_payload=column_ifexists('payload_s',''),\n su_intel=column_ifexists('intel_s','')\n | project\n su_timestamp,\n su_event_type,\n su_src_ip,\n su_src_port,\n su_dst_ip,\n su_dst_port,\n su_intel,\n su_sig_name,\n su_sig_id,\n su_sig_rev,\n su_sig_category,\n su_sig_severity,\n su_payload,\n su_source,\n su_proto,\n 
su_sensor_id,\n su_src_internal,\n su_src_geo_lat,\n su_src_geo_lon,\n su_src_geo_country,\n su_src_geo_subdivision,\n su_src_geo_city,\n su_src_asn_asn,\n su_src_asn_org,\n su_src_asn_isp,\n su_src_asn_asn_org,\n su_src_annotations_applications,\n su_src_annotations_environments,\n su_src_annotations_locations,\n su_src_annotations_owners,\n su_src_annotations_roles,\n su_src_annotations_tags,\n su_dst_internal,\n su_dst_geo_lat,\n su_dst_geo_lon,\n su_dst_geo_country,\n su_dst_geo_subdivision,\n su_dst_geo_city,\n su_dst_asn_asn,\n su_dst_asn_org,\n su_dst_asn_isp,\n su_dst_asn_asn_org,\n su_dst_annotations_applications,\n su_dst_annotations_environments,\n su_dst_annotations_locations,\n su_dst_annotations_owners,\n su_dst_annotations_roles,\n su_dst_annotations_tags,\n su_geo_distance,\n su_http_status,\n su_http_protocol,\n su_http_url,\n su_http_hostname,\n su_http_host_internal,\n su_http_host_geo_lat,\n su_http_host_geo_lon,\n su_http_host_geo_country,\n su_http_host_geo_subdivision,\n su_http_host_geo_city,\n su_http_host_asn_asn,\n su_http_host_asn_org,\n su_http_host_asn_isp,\n su_http_host_asn_asn_org,\n su_http_host_annotations_applications,\n su_http_host_annotations_environments,\n su_http_host_annotations_locations,\n su_http_host_annotations_owners,\n su_http_host_annotations_roles,\n su_http_host_annotations_tags,\n su_http_host_domain_entropy,\n su_http_length,\n su_http_method,\n su_http_content_type,\n su_http_refer,\n su_http_user_agent,\n su_http_redirect,\n su_http_xtf,\n su_uuid,\n su_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_observation_view = view () {\n FncEventsObservation_CL\n | extend\n ob_timestamp=column_ifexists('timestamp_t',''),\n ob_uuid=column_ifexists('uuid_g',''),\n ob_event_type=column_ifexists('event_type_s',''),\n ob_customer_id=column_ifexists('customer_id_s',''),\n ob_sensor_id=column_ifexists('sensor_id_s',''),\n ob_source=column_ifexists('source_s',''),\n 
ob_evidence_start_timestamp=column_ifexists('evidence_start_timestamp_t',''),\n ob_evidence_end_timestamp=column_ifexists('evidence_end_timestamp_t',''),\n ob_observation_uuid=column_ifexists('observation_uuid_g',''),\n ob_observation_title=column_ifexists('title_s',''),\n ob_confidence=column_ifexists('confidence_s',''),\n ob_src_ip=column_ifexists('src_ip_s',''),\n ob_dst_ip=column_ifexists('dst_ip_s',''),\n ob_src_internal=column_ifexists('src_ip_enrichments_internal_b',''),\n ob_src_geo_lat=column_ifexists('src_ip_enrichments_geo_location_lat_d',''),\n ob_src_geo_lon=column_ifexists('src_ip_enrichments_geo_location_lon_d',''),\n ob_src_geo_country=column_ifexists('src_ip_enrichments_geo_country_s',''),\n ob_src_geo_subdivision=column_ifexists('src_ip_enrichments_geo_subdivision_s',''),\n ob_src_geo_city=column_ifexists('src_ip_enrichments_geo_city_s',''),\n ob_src_asn_asn=column_ifexists('src_ip_enrichments_asn_asn_d',''),\n ob_src_asn_org=column_ifexists('src_ip_enrichments_asn_org_s',''),\n ob_src_asn_isp=column_ifexists('src_ip_enrichments_asn_isp_s',''),\n ob_src_asn_asn_org=column_ifexists('src_ip_enrichments_asn_asn_org_s',''),\n ob_src_annotations_applications=column_ifexists('src_ip_enrichments_annotations_applications_s',''),\n ob_src_annotations_environments=column_ifexists('src_ip_enrichments_annotations_environments_s',''),\n ob_src_annotations_locations=column_ifexists('src_ip_enrichments_annotations_locations_s',''),\n ob_src_annotations_owners=column_ifexists('src_ip_enrichments_annotations_owners_s',''),\n ob_src_annotations_roles=column_ifexists('src_ip_enrichments_annotations_roles_s',''),\n ob_src_annotations_tags=column_ifexists('src_ip_enrichments_annotations_tags_s',''),\n ob_dst_internal=column_ifexists('dst_ip_enrichments_internal_b',''),\n ob_dst_geo_lat=column_ifexists('dst_ip_enrichments_geo_location_lat_d',''),\n ob_dst_geo_lon=column_ifexists('dst_ip_enrichments_geo_location_lon_d',''),\n 
ob_dst_geo_country=column_ifexists('dst_ip_enrichments_geo_country_s',''),\n ob_dst_geo_subdivision=column_ifexists('dst_ip_enrichments_geo_subdivision_s',''),\n ob_dst_geo_city=column_ifexists('dst_ip_enrichments_geo_city_s',''),\n ob_dst_asn_asn=column_ifexists('dst_ip_enrichments_asn_asn_d',''),\n ob_dst_asn_org=column_ifexists('dst_ip_enrichments_asn_org_s',''),\n ob_dst_asn_isp=column_ifexists('dst_ip_enrichments_asn_isp_s',''),\n ob_dst_asn_asn_org=column_ifexists('dst_ip_enrichments_asn_asn_org_s',''),\n ob_dst_annotations_applications=column_ifexists('dst_ip_enrichments_annotations_applications_s',''),\n ob_dst_annotations_environments=column_ifexists('dst_ip_enrichments_annotations_environments_s',''),\n ob_dst_annotations_locations=column_ifexists('dst_ip_enrichments_annotations_locations_s',''),\n ob_dst_annotations_owners=column_ifexists('dst_ip_enrichments_annotations_owners_s',''),\n ob_dst_annotations_roles=column_ifexists('dst_ip_enrichments_annotations_roles_s',''),\n ob_dst_annotations_tags=column_ifexists('dst_ip_enrichments_annotations_tags_s',''),\n ob_geo_distance=column_ifexists('geo_distance_d',''),\n ob_sensor_ids=column_ifexists('sensor_ids_s',''),\n ob_evidence_iql=column_ifexists('evidence_iql_s',''),\n ob_description=column_ifexists('description_s',''),\n ob_context=column_ifexists('context_s',''),\n ob_class=column_ifexists('class_s',''),\n ob_intel=column_ifexists('intel_s', ''),\n ob_category=column_ifexists('Category', '')\n | project\n ob_timestamp,\n ob_observation_title,\n ob_confidence,\n ob_category,\n ob_class,\n ob_context,\n ob_evidence_iql,\n ob_evidence_end_timestamp,\n ob_evidence_start_timestamp,\n ob_description,\n ob_observation_uuid,\n ob_sensor_ids,\n ob_event_type,\n ob_src_ip,\n ob_dst_ip,\n ob_intel,\n ob_source,\n ob_sensor_id,\n ob_src_internal,\n ob_src_geo_lat,\n ob_src_geo_lon,\n ob_src_geo_country,\n ob_src_geo_subdivision,\n ob_src_geo_city,\n ob_src_asn_asn,\n ob_src_asn_org,\n ob_src_asn_isp,\n 
ob_src_asn_asn_org,\n ob_src_annotations_applications,\n ob_src_annotations_environments,\n ob_src_annotations_locations,\n ob_src_annotations_owners,\n ob_src_annotations_roles,\n ob_src_annotations_tags,\n ob_dst_internal,\n ob_dst_geo_lat,\n ob_dst_geo_lon,\n ob_dst_geo_country,\n ob_dst_geo_subdivision,\n ob_dst_geo_city,\n ob_dst_asn_asn,\n ob_dst_asn_org,\n ob_dst_asn_isp,\n ob_dst_asn_asn_org,\n ob_dst_annotations_applications,\n ob_dst_annotations_environments,\n ob_dst_annotations_locations,\n ob_dst_annotations_owners,\n ob_dst_annotations_roles,\n ob_dst_annotations_tags,\n ob_geo_distance,\n ob_uuid,\n ob_customer_id,\n Type\n};\n\nlet FortiNDR_Cloud_detections_view = view () {\n FncEventsDetections_CL\n | extend\n de_account_id=column_ifexists('account_uuid_g', ''),\n de_device_ip=column_ifexists('device_ip_s',''),\n de_rule_name=column_ifexists('rule_name_s',''),\n de_severity=column_ifexists('rule_severity_s',''),\n de_confidence=column_ifexists('rule_confidence_s',''),\n de_sensor_id=column_ifexists('sensor_id_s',''),\n de_muted=column_ifexists('muted_b',''),\n de_rule_muted=column_ifexists('muted_rule_b',''),\n de_rule_uuid=column_ifexists('rule_uuid_g',''),\n de_mute_comment=column_ifexists('muted_comment_s',''),\n de_muted_by=column_ifexists('muted_user_uuid_g', ''),\n de_date_muted=column_ifexists('muted_timestamp_t', ''),\n de_resolved_by=column_ifexists('resolution_user_uuid_g', ''),\n de_date_resolved=column_ifexists('resolution_timestamp_t', ''),\n de_resolution=column_ifexists('resolution_s', ''),\n de_resolution_comment=column_ifexists('resolution_comment_s', ''),\n de_first_seen=column_ifexists('first_seen_t',''),\n de_last_seen=column_ifexists('last_seen_t',''),\n de_created=column_ifexists('created_t',''),\n de_updated=column_ifexists('updated_t',''),\n de_uuid=column_ifexists('uuid_g',''),\n de_status=column_ifexists('status_s',''),\n de_indicators=column_ifexists('indicators_s',''),\n de_username=column_ifexists('username_s', ''),\n 
de_hostname=column_ifexists('hostname_s', ''),\n de_category=column_ifexists('rule_category_s', ''),\n de_event_count=column_ifexists('event_count_d', ''),\n de_events=column_ifexists('events_s', ''),\n de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),\n de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),\n de_rule_url=column_ifexists('rule_url_s', '')\n | project\n de_device_ip,\n de_event_count,\n de_events,\n de_indicators,\n de_last_seen,\n de_status,\n de_rule_name,\n de_severity,\n de_confidence,\n de_resolved_by,\n de_resolution,\n de_resolution_comment,\n de_date_resolved,\n de_rule_uuid,\n de_category,\n de_created,\n de_updated,\n de_first_seen,\n de_muted,\n de_rule_muted,\n de_mute_comment,\n de_muted_by,\n de_date_muted,\n de_sensor_id,\n de_account_id,\n de_uuid,\n de_username,\n de_hostname,\n de_primary_attack_id,\n de_secondary_attack_id,\n de_rule_url,\n Type\n}; \n\nunion isfuzzy=true\n FortiNDR_Cloud_suricata_view,\n FortiNDR_Cloud_observation_view,\n FortiNDR_Cloud_detections_view\n", "functionParameters": "", "version": 2, "tags": [
@@ -644,7 +644,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FortinetFortiNdrCloudWorkbook Workbook with template version 3.0.1",
+ "description": "FortinetFortiNdrCloudWorkbook Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -662,7 +662,7 @@
 },
 "properties": {
 "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n---\\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. [Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 
11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-Suricata\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-observation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata Chart:**\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature 
Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{
\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"su_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\"
:\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annota
tions_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"FNC Suricata List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s 
asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]}},\"name\":\"FNC Observation 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n 
{\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"format
ter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_dhcp\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"DHCP\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_pdns\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"PDNS\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true},\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## FortiNDR Cloud workbook\\n---\\n>**NOTE:** This workbook uses a parser based on a Kusto Function to normalize fields. 
[Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"29a65c20-978d-447b-b11c-f437f6c7fd7e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Main Dashboard\",\"subTarget\":\"Main\",\"style\":\"link\"},{\"id\":\"514047f6-4d61-4f59-9f79-6c22c20645c0\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Suricata Dashboard\",\"subTarget\":\"Suricata\",\"style\":\"link\"},{\"id\":\"f20fabf1-3a44-417d-9e97-3d62d1990c8d\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Observation Dashboard\",\"subTarget\":\"Observation\",\"style\":\"link\"},{\"id\":\"392a41e1-a18c-4a6d-8144-c51e27a8bf4e\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"FortiNDR Cloud Detection Dashboard\",\"subTarget\":\"Detection\",\"style\":\"link\"}]},\"name\":\"links - 
11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"50650aa0-d12f-49ad-ba0d-e7a6a10b0a85\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count=count() by su_sig_category\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Counts By Category\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-Suricata\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count=count() by ob_observation_title\",\"size\":0,\"showAnalytics\":true,\"title\":\"Observation Counts by Title\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-observation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| summarize Count = count() by de_severity\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| summarize Count = count() by de_confidence\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"main-detections-s - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Main\"},\"name\":\"Main Dashboard\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata Chart:**\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7b566fdf-c574-466d-8a25-eec9e314f560\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"0ce88674-9bf5-4c52-8286-28d3cf030e18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature Category\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
3\",\"styleSettings\":{\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. {TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| summarize Count=count() by su_sig_category, bin(su_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"**FortiDNR Cloud Suricata List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5d5a54f3-6fca-4368-aea2-a2d0326daa62\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"03cace3a-c0d6-4184-a1aa-346c67578b6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_category_s\\n| order by alert_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"label\":\"Signature 
Category\"},{\"id\":\"0eea038f-b090-4021-9998-3b85c1abe20b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Name\",\"label\":\"Signature Name\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by alert_signature_s\\n| order by alert_signature_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"d60df3de-0e80-4f12-8234-bb8a4ea27cfb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensorID\",\"label\":\"Sensor ID\",\"type\":2,\"query\":\"FncEventsSuricata_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsSuricata_CL'\\n| where su_timestamp between ({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Category}') or (su_sig_category == '{Category}')\\n| where isempty('{Name}') or (su_sig_name == '{Name}')\\n| where isempty('{SensorID}') or (su_sensor_id == '{SensorID}')\\n| project-away ob_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"observation_title\",\"formatter\":5},{\"columnMatch\":\"confidence\",\"formatter\":5},{\"columnMatch\":\"Category\",\"formatter\":5},{\"columnMatch\":\"class\",\"formatter\":5},{\"columnMatch\":\"context\",\"formatter\":5},{\"columnMatch\":\"evidence_iql\",\"formatter\":5},{\"columnMatch\":\"evidence_end_timestamp\",\"formatter\":5},{\"columnMatch\":\"evidence_start_timestamp\",\"formatter\":5},{\"columnMatch\":\"description\",\"formatter\":5},{\"columnMatch\":\"observation_uuid\",\"formatter\":5},{\"columnMatch\":\"sensor_ids\",\"formatter\":5},{\"columnMatch\":\"device_ip\",\"formatter\":5},{\"columnMatch\":\"status\",\"formatter\":5},{\"columnMatch\":\"indicators\",\"formatter\":5},{\"columnMatch\":\"last_seen\",\"formatter\":5}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"su_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"su_event_type\",\"label\":\"event_type\"},{\"columnId\":\"su_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"su_src_port\",\"label\":\"src_port\"},{\"columnId\":\"su_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"su_dst_port\",\"label\":\"dst_port\"},{\"columnId\":\"su_intel\",\"label\":\"intel\"},{\"columnId\":\"su_sig_name\",\"label\":\"sig_name\"},{\"columnId\":\"su_sig_id\",\"label\":\"sig_id\"},{\"columnId\":\"su_sig_rev\",\"label\":\"sig_rev\"},{\"columnId\":\"su_sig_category\",\"label\":\"sig_category\"},{\"columnId\":\"su_sig_severity\",\"label\":\"sig_severity\"},{\"columnId\":\"su_payload\",\"label\":\"payload\"},{
\"columnId\":\"su_source\",\"label\":\"source\"},{\"columnId\":\"su_proto\",\"label\":\"proto\"},{\"columnId\":\"su_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"su_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"su_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"su_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"su_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"su_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"su_src_geo_city\",\"label\":\"src_geo_city\"},{\"columnId\":\"su_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"su_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"su_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"su_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"su_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"su_src_annotations_environments\",\"label\":\"src_annotations_environments\"},{\"columnId\":\"su_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"su_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"su_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"su_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"su_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"su_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"su_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"su_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"su_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"su_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"su_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"su_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"su_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"su_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"su_dst_annotations_applications\",\"label\"
:\"dst_annotations_applications\"},{\"columnId\":\"su_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"su_dst_annotations_locations\",\"label\":\"dst_annotations_locations\"},{\"columnId\":\"su_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"su_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"su_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"su_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"su_http_status\",\"label\":\"http_status\"},{\"columnId\":\"su_http_protocol\",\"label\":\"http_protocol\"},{\"columnId\":\"su_http_url\",\"label\":\"http_url\"},{\"columnId\":\"su_http_hostname\",\"label\":\"http_hostname\"},{\"columnId\":\"su_http_host_internal\",\"label\":\"http_host_internal\"},{\"columnId\":\"su_http_host_geo_lat\",\"label\":\"http_host_geo_lat\"},{\"columnId\":\"su_http_host_geo_lon\",\"label\":\"http_host_geo_lon\"},{\"columnId\":\"su_http_host_geo_country\",\"label\":\"http_host_geo_country\"},{\"columnId\":\"su_http_host_geo_subdivision\",\"label\":\"http_host_geo_subdivision\"},{\"columnId\":\"su_http_host_geo_city\",\"label\":\"http_host_geo_city\"},{\"columnId\":\"su_http_host_asn_asn\",\"label\":\"http_host_asn_asn\"},{\"columnId\":\"su_http_host_asn_org\",\"label\":\"http_host_asn_org\"},{\"columnId\":\"su_http_host_asn_isp\",\"label\":\"http_host_asn_isp\"},{\"columnId\":\"su_http_host_asn_asn_org\",\"label\":\"http_host_asn_asn_org\"},{\"columnId\":\"su_http_host_annotations_applications\",\"label\":\"http_host_annotations_applications\"},{\"columnId\":\"su_http_host_annotations_environments\",\"label\":\"http_host_annotations_environments\"},{\"columnId\":\"su_http_host_annotations_locations\",\"label\":\"http_host_annotations_locations\"},{\"columnId\":\"su_http_host_annotations_owners\",\"label\":\"http_host_annotations_owners\"},{\"columnId\":\"su_http_host_annotations_roles\",\"label\":\"http_host_annota
tions_roles\"},{\"columnId\":\"su_http_host_annotations_tags\",\"label\":\"http_host_annotations_tags\"},{\"columnId\":\"su_http_host_domain_entropy\",\"label\":\"http_host_domain_entropy\"},{\"columnId\":\"su_http_length\",\"label\":\"http_length\"},{\"columnId\":\"su_http_method\",\"label\":\"http_method\"},{\"columnId\":\"su_http_content_type\",\"label\":\"http_content_type\"},{\"columnId\":\"su_http_refer\",\"label\":\"http_refer\"},{\"columnId\":\"su_http_user_agent\",\"label\":\"http_user_agent\"},{\"columnId\":\"su_http_redirect\",\"label\":\"http_redirect\"},{\"columnId\":\"su_http_xtf\",\"label\":\"http_xtf\"},{\"columnId\":\"su_uuid\",\"label\":\"uuid\"},{\"columnId\":\"su_customer_id\",\"label\":\"customer_id\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"http_hostname_enrichments_ip_enrichments_asn_asn_d\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"FNC Suricata List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Suricata\"},\"name\":\"Suricata\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation Chart:**\"},\"name\":\"text - 
4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fcd15fc8-790a-448e-8a61-1a1ec5f70e05\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"fd7ebd99-2ba4-4240-86de-1c109bc10fba\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Observation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| summarize Count = count() by ob_observation_title, bin(ob_timestamp, 1d)\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0},\"chartSettings\":{\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"High\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"High\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"High\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Observation List:**\"},\"name\":\"text - 4 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55ad269b-ead8-4f61-b429-669d632b53e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"43131f54-c638-41a3-a54c-d8768c2df468\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Title\",\"label\":\"Ovbservation Title\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by title_s\\n| order by title_s 
asc\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9ff7f038-1fa5-4ac1-84cb-ef8c6e91a183\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor_ID\",\"type\":2,\"query\":\"FncEventsObservation_CL\\n| summarize by sensor_id_s\\n| order by sensor_id_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3e100d32-5ad3-4a4f-a486-f65be2c62101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsObservation_CL'\\n| where ob_timestamp between({TimeRange:start} .. 
{TimeRange:end})\\n| where ob_confidence in ({Confidence})\\n| where isempty('{Sensor_ID}') or (ob_sensor_id == '{Sensor_ID}')\\n| where isempty('{Title}') or (ob_observation_title == '{Title}')\\n| project-away su_*, de_*\",\"size\":0,\"showAnalytics\":true,\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ob_confidence\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ob_context\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Context\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"ob_evidence_iql\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Evidence 
IQL\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Type\",\"label\":\"Type\"},{\"columnId\":\"ob_timestamp\",\"label\":\"timestamp\"},{\"columnId\":\"ob_observation_title\",\"label\":\"observation_title\"},{\"columnId\":\"ob_confidence\",\"label\":\"confidence\"},{\"columnId\":\"ob_category\",\"label\":\"category\"},{\"columnId\":\"ob_class\",\"label\":\"class\"},{\"columnId\":\"ob_context\",\"label\":\"context\"},{\"columnId\":\"ob_evidence_iql\",\"label\":\"evidence_iql\"},{\"columnId\":\"ob_evidence_end_timestamp\",\"label\":\"evidence_end_timestamp\"},{\"columnId\":\"ob_evidence_start_timestamp\",\"label\":\"evidence_start_timestamp\"},{\"columnId\":\"ob_description\",\"label\":\"description\"},{\"columnId\":\"ob_observation_uuid\",\"label\":\"observation_uuid\"},{\"columnId\":\"ob_sensor_ids\",\"label\":\"sensor_ids\"},{\"columnId\":\"ob_event_type\",\"label\":\"event_type\"},{\"columnId\":\"ob_src_ip\",\"label\":\"src_ip\"},{\"columnId\":\"ob_dst_ip\",\"label\":\"dst_ip\"},{\"columnId\":\"ob_intel\",\"label\":\"intel\"},{\"columnId\":\"ob_source\",\"label\":\"source\"},{\"columnId\":\"ob_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"ob_src_internal\",\"label\":\"src_internal\"},{\"columnId\":\"ob_src_geo_lat\",\"label\":\"src_geo_lat\"},{\"columnId\":\"ob_src_geo_lon\",\"label\":\"src_geo_lon\"},{\"columnId\":\"ob_src_geo_country\",\"label\":\"src_geo_country\"},{\"columnId\":\"ob_src_geo_subdivision\",\"label\":\"src_geo_subdivision\"},{\"columnId\":\"ob_src_geo_city\",\"label\":\"_src_geo_city\"},{\"columnId\":\"ob_src_asn_asn\",\"label\":\"src_asn_asn\"},{\"columnId\":\"ob_src_asn_org\",\"label\":\"src_asn_org\"},{\"columnId\":\"ob_src_asn_isp\",\"label\":\"src_asn_isp\"},{\"columnId\":\"ob_src_asn_asn_org\",\"label\":\"src_asn_asn_org\"},{\"columnId\":\"ob_src_annotations_applications\",\"label\":\"src_annotations_applications\"},{\"columnId\":\"ob_src_annotations_environments\",\"label\":\"src_
annotations_environments\"},{\"columnId\":\"ob_src_annotations_locations\",\"label\":\"src_annotations_locations\"},{\"columnId\":\"ob_src_annotations_owners\",\"label\":\"src_annotations_owners\"},{\"columnId\":\"ob_src_annotations_roles\",\"label\":\"src_annotations_roles\"},{\"columnId\":\"ob_src_annotations_tags\",\"label\":\"src_annotations_tags\"},{\"columnId\":\"ob_dst_internal\",\"label\":\"dst_internal\"},{\"columnId\":\"ob_dst_geo_lat\",\"label\":\"dst_geo_lat\"},{\"columnId\":\"ob_dst_geo_lon\",\"label\":\"dst_geo_lon\"},{\"columnId\":\"ob_dst_geo_country\",\"label\":\"dst_geo_country\"},{\"columnId\":\"ob_dst_geo_subdivision\",\"label\":\"dst_geo_subdivision\"},{\"columnId\":\"ob_dst_geo_city\",\"label\":\"dst_geo_city\"},{\"columnId\":\"ob_dst_asn_asn\",\"label\":\"dst_asn_asn\"},{\"columnId\":\"ob_dst_asn_org\",\"label\":\"dst_asn_org\"},{\"columnId\":\"ob_dst_asn_isp\",\"label\":\"dst_asn_isp\"},{\"columnId\":\"ob_dst_asn_asn_org\",\"label\":\"dst_asn_asn_org\"},{\"columnId\":\"ob_dst_annotations_applications\",\"label\":\"dst_annotations_applications\"},{\"columnId\":\"ob_dst_annotations_environments\",\"label\":\"dst_annotations_environments\"},{\"columnId\":\"ob_dst_annotations_locations\",\"label\":\"_dst_annotations_locations\"},{\"columnId\":\"ob_dst_annotations_owners\",\"label\":\"dst_annotations_owners\"},{\"columnId\":\"ob_dst_annotations_roles\",\"label\":\"dst_annotations_roles\"},{\"columnId\":\"ob_dst_annotations_tags\",\"label\":\"dst_annotations_tags\"},{\"columnId\":\"ob_geo_distance\",\"label\":\"geo_distance\"},{\"columnId\":\"ob_uuid\",\"label\":\"uuid\"},{\"columnId\":\"ob_customer_id\",\"label\":\"customer_id\"}]}},\"name\":\"FNC Observation 
List\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Observation\"},\"name\":\"Observation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections Charts**\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3e9b6847-1b6c-4ba5-87d6-a3d4b0e36046\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"88270ace-134e-4577-b2fd-58b4a7a0cb36\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"16f11673-0de7-4f81-94d8-5fcea8b83222\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n 
{\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"cab3ce23-4ea0-4565-a7fb-2009f888198f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. {TimeRange:end})\\n| where de_severity in ({Severity})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_severity, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Severity\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_confidence in ({Confidence})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| summarize Count = count() by de_confidence, bin(de_created, 1d)\\n| render barchart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Detection Counts by Confidence\",\"color\":\"lightBlue\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"moderate\",\"color\":\"orange\"},{\"seriesName\":\"low\",\"color\":\"yellow\"},{\"seriesName\":\"high\",\"color\":\"redBright\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**FortiNDR Cloud Detections List**\"},\"name\":\"text - 5 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a613556b-fcd7-440a-af79-47b839e8f76b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"9196914a-cd13-4897-8d8f-2e497721452a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Severity\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n 
{\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"0b5bbec6-76d8-422c-89a4-95162c9300cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Confidence\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n {\\\"value\\\":\\\"high\\\", \\\"label\\\":\\\"High\\\"},\\n {\\\"value\\\":\\\"moderate\\\", \\\"label\\\":\\\"Moderate\\\"},\\n {\\\"value\\\":\\\"low\\\", \\\"label\\\":\\\"Low\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"defaultValue\":\"value::all\"},{\"id\":\"876e2140-cacb-4d7c-88ed-354ecd7e86a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Category\",\"type\":2,\"query\":\"FncEventsDetections_CL\\n| summarize by rule_category_s\\n| order by rule_category_s asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"fb9f063f-c68e-4f27-8693-160f8759f8b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RuleNames\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"FncEventsDetections_CL\\n| summarize by rule_name_s\\n| order by rule_name_s asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Fortinet_FortiNDR_Cloud\\n| where Type == 'FncEventsDetections_CL'\\n| where de_created between ({TimeRange:start} .. 
{TimeRange:end})\\n| where de_severity in ({Severity})\\n| where de_confidence in ({Confidence})\\n| where de_rule_name in ({RuleNames})\\n| where isempty('{Category}') or (de_category == '{Category}')\\n| sort by de_created desc\\n| project-away su_*, ob_*\\n\\n\\n\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"FNC Detection List\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"de_event_count\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreen\",\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_events\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Events\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_indicators\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkLabel\":\"Indicators\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"de_status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"active\",\"representation\":\"greenDark\",\"text\":\"Active\"},{\"operator\":\"==\",\"thresholdValue\":\"resolved\",\"representation\":\"gray\",\"text\":\"Resolved\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}],\"compositeBarSettings\":{\"labelText\":\"\"}}},{\"columnMatch\":\"de_confidence\",\"format
ter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"low\",\"representation\":\"Sev2\",\"text\":\"Low\"},{\"operator\":\"==\",\"thresholdValue\":\"moderate\",\"representation\":\"Sev1\",\"text\":\"Moderate\"},{\"operator\":\"==\",\"thresholdValue\":\"high\",\"representation\":\"Sev0\",\"text\":\"High\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"de_rule_url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"indicators\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"CellDetails\",\"linkIsContextBlade\":true}}],\"rowLimit\":1000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"de_device_ip\",\"label\":\"device_ip\"},{\"columnId\":\"de_event_count\",\"label\":\"event_count\"},{\"columnId\":\"de_events\",\"label\":\"events\"},{\"columnId\":\"de_indicators\",\"label\":\"indicators\"},{\"columnId\":\"de_last_seen\",\"label\":\"last_seen\"},{\"columnId\":\"de_status\",\"label\":\"status\"},{\"columnId\":\"de_rule_name\",\"label\":\"rule_name\"},{\"columnId\":\"de_severity\",\"label\":\"severity\"},{\"columnId\":\"de_confidence\",\"label\":\"confidence\"},{\"columnId\":\"de_resolved_by\",\"label\":\"resolved_by\"},{\"columnId\":\"de_resolution\",\"label\":\"resolution\"},{\"columnId\":\"de_resolution_comment\",\"label\":\"resolution_comment\"},{\"columnId\":\"de_date_resolved\",\"label\":\"date_resolved\"},{\"columnId\":\"de_rule_uuid\",\"label\":\"rule_uuid\"},{\"columnId\":\"de_category\",\"label\":\"category\"},{\"columnId\":\"de_created\",\"label\":\"created\"},{\"columnId\":\"de_updated\",\"label\":\"updated\"},{\"columnId\":\"de_first_seen\",\"label\":\"first_seen\"},{\"columnId\":\"de_muted\",\"label\":\"muted\"},{\"columnId\":\"de_rule_muted\",\"label\":\"rule_muted\"},{\"columnId\":\"de_mute_comment\",\"label\":\"mute_comment\"},{\"columnId\":\"de_muted_by\",\"label\":\"muted_by\"},{\"columnId\":\"de_date_muted\",\"label\":\"date_mute
d\"},{\"columnId\":\"de_sensor_id\",\"label\":\"sensor_id\"},{\"columnId\":\"de_account_id\",\"label\":\"account_id\"},{\"columnId\":\"de_uuid\",\"label\":\"uuid\"},{\"columnId\":\"de_username\",\"label\":\"username\"},{\"columnId\":\"de_hostname\",\"label\":\"hostname\"},{\"columnId\":\"de_primary_attack_id\",\"label\":\"primary_attack_id\"},{\"columnId\":\"de_secondary_attack_id\",\"label\":\"secondary_attack_id\"},{\"columnId\":\"de_rule_url\",\"label\":\"rule_url\"}]},\"tileSettings\":{\"showBorder\":false}},\"name\":\"query - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Detection\"},\"name\":\"Detection\"}],\"fromTemplateId\":\"sentinel-FortiNdrCloud\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -736,7 +736,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Fortinet FortiNDR Cloud", diff --git a/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.md b/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.md index 495d14038d3..5bdf76bccc0 100644 --- a/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.md +++ b/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.md 
@@ -310,10 +310,11 @@ let FortiNDR_Cloud_detections_view = view () {
 de_username=column_ifexists('username_s', ''),
 de_hostname=column_ifexists('hostname_s', ''),
 de_category=column_ifexists('rule_category_s', ''),
- de_dhcp=column_ifexists('dhcp_s', ''),
- de_pdns=column_ifexists('PDNS_s', ''),
 de_event_count=column_ifexists('event_count_d', ''),
- de_events=column_ifexists('events_s', '')
+ de_events=column_ifexists('events_s', ''),
+ de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),
+ de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),
+ de_rule_url=column_ifexists('rule_url_s', '')
 | project de_device_ip,
 de_event_count,
@@ -343,8 +344,9 @@ let FortiNDR_Cloud_detections_view = view () {
 de_uuid,
 de_username,
 de_hostname,
- de_dhcp,
- de_pdns,
+ de_primary_attack_id,
+ de_secondary_attack_id,
+ de_rule_url,
 Type
 };
diff --git a/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.yaml b/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.yaml
index 2d9e4bc94d5..b947a331ad3 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.yaml
+++ b/Solutions/Fortinet FortiNDR Cloud/Parsers/Fortinet_FortiNDR_Cloud.yaml
@@ -314,10 +314,11 @@ FunctionQuery: |
 de_username=column_ifexists('username_s', ''),
 de_hostname=column_ifexists('hostname_s', ''),
 de_category=column_ifexists('rule_category_s', ''),
- de_dhcp=column_ifexists('dhcp_s', ''),
- de_pdns=column_ifexists('PDNS_s', ''),
 de_event_count=column_ifexists('event_count_d', ''),
- de_events=column_ifexists('events_s', '')
+ de_events=column_ifexists('events_s', ''),
+ de_primary_attack_id=column_ifexists('rule_primary_attack_id_s', ''),
+ de_secondary_attack_id=column_ifexists('rule_secondary_attack_id_s', ''),
+ de_rule_url=column_ifexists('rule_url_s', '')
 | project de_device_ip,
 de_event_count,
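Review bot: `de_rule_url=column_ifexists('rule_url_s', '')` exposes the ingested `rule_url_s` value unchecked, and the workbook hunk in this same commit (`"columnMatch": "de_rule_url"` with `"linkTarget": "Url"`) renders that column as a clickable link, so whatever string reaches the custom-log table becomes a navigation target for the analyst. The parser is the one place every row passes through, so it could at least pin the scheme before the column is projected, e.g. `de_rule_url=iff(column_ifexists('rule_url_s', '') startswith 'https://', column_ifexists('rule_url_s', ''), '')`, and pinning the expected FortiNDR host as well would be stronger if that host is fixed. The identical line is added to the `.md` copy of the parser earlier on this line and should carry the same guard. The `FortiNDR_Cloud_detections_view` definition begins and ends outside this hunk.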
@@ -347,8 +348,9 @@ FunctionQuery: |
 de_uuid,
 de_username,
 de_hostname,
- de_dhcp,
- de_pdns,
+ de_primary_attack_id,
+ de_secondary_attack_id,
+ de_rule_url,
 Type
 };
diff --git a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
index 757d916821f..10b5e7f6d00 100644
--- a/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
+++ b/Solutions/Fortinet FortiNDR Cloud/ReleaseNotes.md
@@ -1,4 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API |
-| 3.0.0 | 29-02-2024 | Initial Solution Release |
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|-------------------------------------------------------|
+| 3.0.2 | 30-09-2024 | Show mitre attack ids and link to detection rule page |
+| 3.0.1 | 31-05-2024 | Replace Metastream with FortiNDR Cloud API |
+| 3.0.0 | 29-02-2024 | Initial Solution Release |
diff --git a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
index be03b2c8bbb..66e2d928827 100644
--- a/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
+++ b/Solutions/Fortinet FortiNDR Cloud/Workbooks/FortinetFortiNdrCloudWorkbook.json
@@ -1964,21 +1964,10 @@
 }
 },
 {
- "columnMatch": "de_dhcp",
+ "columnMatch": "de_rule_url",
 "formatter": 7,
 "formatOptions": {
- "linkTarget": "CellDetails",
- "linkLabel": "DHCP",
- "linkIsContextBlade": true
- }
- },
- {
- "columnMatch": "de_pdns",
- "formatter": 7,
- "formatOptions": {
- "linkTarget": "CellDetails",
- "linkLabel": "PDNS",
- "linkIsContextBlade": true
+ "linkTarget": "Url"
 }
 },
 {
@@ -1991,7 +1980,133 @@
 }
 ],
 "rowLimit": 1000,
- "filter": true
+ "filter": true,
+ "labelSettings": [
+ {
+ "columnId": "de_device_ip",
+ "label": "device_ip"
+ },
+ {
+ "columnId": "de_event_count",
+ "label": "event_count"
+ },
+ {
+ "columnId": "de_events",
+ "label": "events"
+ },
+ {
+ "columnId": "de_indicators",
+ "label": "indicators"
+ },
+ {
+ "columnId": "de_last_seen",
+ "label": "last_seen"
+ },
+ {
+ "columnId": "de_status",
+ "label": "status"
+ },
+ {
+ "columnId": "de_rule_name",
+ "label": "rule_name"
+ },
+ {
+ "columnId": "de_severity",
+ "label": "severity"
+ },
+ {
+ "columnId": "de_confidence",
+ "label": "confidence"
+ },
+ {
+ "columnId": "de_resolved_by",
+ "label": "resolved_by"
+ },
+ {
+ "columnId": "de_resolution",
+ "label": "resolution"
+ },
+ {
+ "columnId": "de_resolution_comment",
+ "label": "resolution_comment"
+ },
+ {
+ "columnId": "de_date_resolved",
+ "label": "date_resolved"
+ },
+ {
+ "columnId": "de_rule_uuid",
+ "label": "rule_uuid"
+ },
+ {
+ "columnId": "de_category",
+ "label": "category"
+ },
+ {
+ "columnId": "de_created",
+ "label": "created"
+ },
+ {
+ "columnId": "de_updated",
+ "label": "updated"
+ },
+ {
+ "columnId": "de_first_seen",
+ "label": "first_seen"
+ },
+ {
+ "columnId": "de_muted",
+ "label": "muted"
+ },
+ {
+ "columnId": "de_rule_muted",
+ "label": "rule_muted"
+ },
+ {
+ "columnId": "de_mute_comment",
+ "label": "mute_comment"
+ },
+ {
+ "columnId": "de_muted_by",
+ "label": "muted_by"
+ },
+ {
+ "columnId": "de_date_muted",
+ "label": "date_muted"
+ },
+ {
+ "columnId": "de_sensor_id",
+ "label": "sensor_id"
+ },
+ {
+ "columnId": "de_account_id",
+ "label": "account_id"
+ },
+ {
+ "columnId": "de_uuid",
+ "label": "uuid"
+ },
+ {
+ "columnId": "de_username",
+ "label": "username"
+ },
+ {
+ "columnId": "de_hostname",
+ "label": "hostname"
+ },
+ {
+ "columnId": "de_primary_attack_id",
+ "label": "primary_attack_id"
+ },
+ {
+ "columnId": "de_secondary_attack_id",
+ "label": "secondary_attack_id"
+ },
+ {
+ "columnId": "de_rule_url",
+ "label": "rule_url"
+ }
+ ]
 },
 "tileSettings": {
 "showBorder": false