Merge pull request #9275 from Azure/Applying-File-Filters

Apply Filters for File Parsers
Azure · Nov 21, 2023 · b586cbf · b586cbf
2 parents d36e949 + 3e9ba72
commit b586cbf
Show file tree

Hide file tree

Showing 67 changed files with 3,910 additions and 821 deletions.
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
@@ -35,8 +35,9 @@
             "displayName": "File event ASIM parser",
             "category": "ASIM",
             "FunctionAlias": "ASimFileEvent",
-            "query": "union isfuzzy=true\n  vimFileEventEmpty,\n  ASimFileEventSentinelOne\n",
-            "version": 1
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n  vimFileEventEmpty,\n  ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n  ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n  ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n  ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n  ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n  ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n  ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n  ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n  ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n  ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n  ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n  ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) )))\n  };\n  parser (pack=pack)\n",
+            "version": 1,
+            "functionParameters": "pack:bool=False"
           }
         }
       ]

diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimFileEventAzureBlobStorage",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "File Activity ASIM parser for Azure Blob Storage",
+            "category": "ASIM",
+            "FunctionAlias": "ASimFileEventAzureBlobStorage",
+            "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n    let bloboperations=datatable(OperationName: string, EventType: string)\n[\n    \"PutBlock\", \"FileCreated\",\n    \"PutBlob\", \"FileCreated\",\n    \"PutPage\", \"FileCreated\",\n    \"CreateContainer\", \"FolderCreated\",\n    \"CopyBlob\", \"FileCopied\",\n    \"QueryBlobContents\", \"FileAccessed\",\n    \"GetBlob\", \"FileAccessed\",\n    \"AppendBlock\", \"FileModified\",\n    \"ClearPage\", \"FileModified\",\n    \"PutBlockFromURL\", \"FileModified\",\n    \"DeleteBlob\", \"FileDeleted\",\n    \"DeleteContainer\", \"FolderDeleted\"\n];\n    StorageBlobLogs\n    | where not(disabled)\n    // **** relevant data filtering;\n    | where OperationName in (bloboperations)\n    //\n    | lookup bloboperations on OperationName\n    | project-rename \n        EventOriginalUid = CorrelationId\n        ,\n        EventOriginalType=OperationName\n        ,\n        HttpUserAgent=UserAgentHeader\n        ,\n        TargetUrl=Uri\n    | extend \n        EventCount=int(1)\n        ,\n        EventStartTime=TimeGenerated\n        ,\n        EventEndTime=TimeGenerated\n        //\t, EventType :string  ---> see lookup below\n        ,\n        EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n        ,\n        EventProduct='Azure File Storage' \n        ,\n        EventVendor='Microsoft'\n        ,\n        EventSchemaVersion='0.1.0'\n        ,\n        TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n        ,\n        TargetFilePathType='URL'\n        ,\n        SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n        ,\n        SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n    | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n    // Aliases\n    | extend \n        FilePath=TargetFilePath\n};\nparser (disabled = disabled)\n",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/README.md b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/README.md
@@ -0,0 +1,17 @@
+# Microsoft Azure Blob Storage ASIM FileEvent Normalization Parser
+
+ARM template for ASIM FileEvent schema parser for Microsoft Azure Blob Storage.
+
+This ASIM parser supports normalizing Azure Blob Storage events, stored in the StorageBlobLogs table, to the ASIM file activity schema.
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureBlobStorage%2FASimFileEventAzureBlobStorage.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureBlobStorage%2FASimFileEventAzureBlobStorage.json)
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimFileEventAzureFileStorage",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "File Activity ASIM parser for Azure File Storage",
+            "category": "ASIM",
+            "FunctionAlias": "ASimFileEventAzureFileStorage",
+            "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet fileoperations=datatable(OperationName:string, EventType:string)[\n\"DeleteFile\", \"FileDeleted\"\n, \"DeleteDirectory\", \"FolderDeleted\"\n, \"GetFile\", \"FileAccessed\"\n, \"CopyFile\", \"FileCopied\"\n, \"CreateFileSnapshot\", \"FileCreated\"\n, \"CreateDirectory\", \"FolderCreated\"\n, \"CreateFile\", \"FileCreated\"\n, \"CreateShare\", \"FolderCreated\"\n, \"DeleteShare\", \"FileDeleted\"\n, \"PutRange\", \"FileModified\"\n, \"CopyFileDestination\", \"FileCopied\"\n, \"CopyFileSource\", \"FileCopied\"\n];\nStorageFileLogs\n| where not(disabled)\n// **** relevant data filtering;\n| where OperationName in (fileoperations)\n//\n| extend \n      EventCount=int(1)\n    , EventStartTime=TimeGenerated\n    , EventEndTime=TimeGenerated\n//\t, EventType :string  ---> see lookup below\n    , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n  \t, EventOriginalUid = CorrelationId\n    , EventOriginalType=OperationName\n    , EventProduct='Azure File Storage' \n    , EventVendor='Microsoft'\n    , EventSchemaVersion='0.1.0'\n\t, TargetFilePath=tostring(split(Uri,'?')[0]) \n\t, TargetFilePathType='URL'\n  \t, TargetUrl=Uri\n    ,  SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n    ,  SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n  \t, HttpUserAgent=UserAgentHeader\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\n| lookup fileoperations on OperationName\n// Aliases\n| extend \n   FilePath=TargetFilePath\n   };\nparser (disabled = disabled)\n",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/README.md b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/README.md
@@ -0,0 +1,17 @@
+# Microsoft Azure File Storage ASIM FileEvent Normalization Parser
+
+ARM template for ASIM FileEvent schema parser for Microsoft Azure File Storage.
+
+This ASIM parser supports normalizing Azure File Storage events, stored in the StorageFileLogs table, to the ASIM file activity schema.
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureFileStorage%2FASimFileEventAzureFileStorage.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureFileStorage%2FASimFileEventAzureFileStorage.json)
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimFileEventAzureQueueStorage",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "File Activity ASIM parser for Azure Queue Storage",
+            "category": "ASIM",
+            "FunctionAlias": "ASimFileEventAzureQueueStorage",
+            "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n    let queueoperations=datatable(OperationName: string, EventType: string)\n[\n    \"ClearMessages\", \"FileDeleted\"\n        ,\n    \"CreateQueue\", \"FileCreated\"\n        ,\n    \"DeleteQueue\", \"FileDeleted\"\n        ,\n    \"DeleteMessage\", \"FileDeleted\"\n        ,\n    \"GetQueue\", \"FileAccessed\"\n        ,\n    \"GetMessage\", \"FileAccessed\"\n        ,\n    \"GetMessages\", \"FileAccessed\"\n        ,\n    \"PeekMessage\", \"FileAccessed\"\n        ,\n    \"PeekMessages\", \"FileAccessed\"\n        ,\n    \"PutMessage\", \"FileCreated\"\n        ,\n    \"UpdateMessage\", \"FileModified\" \n];\n    StorageQueueLogs\n    | where not(disabled)\n    // **** relevant data filtering;\n    | where OperationName in (queueoperations)\n    //\n    | extend \n        EventCount=int(1)\n        ,\n        EventStartTime=TimeGenerated\n        ,\n        EventEndTime=TimeGenerated\n        //\t, EventType :string  ---> see lookup below\n        ,\n        EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n        ,\n        EventOriginalUid = CorrelationId\n        ,\n        EventOriginalType=OperationName\n        ,\n        EventProduct='Azure File Storage' \n        ,\n        EventVendor='Microsoft'\n        ,\n        EventSchemaVersion='0.1.0'\n        ,\n        TargetFilePath=tostring(split(Uri, '?')[0]) \n        ,\n        TargetFilePathType='URL'\n        ,\n        TargetUrl=Uri\n        ,\n        SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n        ,\n        SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n        ,\n        HttpUserAgent=UserAgentHeader\n    | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n    | lookup queueoperations on OperationName\n    // Aliases\n    | extend \n        FilePath=TargetFilePath\n};\nparser (disabled = disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/README.md b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/README.md
@@ -0,0 +1,17 @@
+# Microsoft Azure Queue Storage ASIM FileEvent Normalization Parser
+
+ARM template for ASIM FileEvent schema parser for Microsoft Azure Queue Storage.
+
+This ASIM parser supports normalizing Azure Queue Storage events, stored in the StorageQueueLogs table, to the ASIM file activity schema.
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureQueueStorage%2FASimFileEventAzureQueueStorage.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAzureQueueStorage%2FASimFileEventAzureQueueStorage.json)
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimFileEventAzureTableStorage",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "File Activity ASIM parser for Azure Table Storage",
+            "category": "ASIM",
+            "FunctionAlias": "ASimFileEventAzureTableStorage",
+            "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n    ];\n    StorageTableLogs\n    | where not(disabled)\n    // **** relevant data filtering;\n    | where OperationName in (tableoperations)\n    //\n    | extend \n          EventCount=int(1)\n        , EventStartTime=TimeGenerated\n        , EventEndTime=TimeGenerated\n    //\t, EventType :string  ---> see lookup below\n        , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n        , EventOriginalUid = CorrelationId\n        , EventOriginalType=OperationName\n        , EventProduct='Azure File Storage' \n        , EventVendor='Microsoft'\n        , EventSchemaVersion='0.1.0'\n      , TargetFilePath=tostring(split(Uri,'?')[0]) \n      , TargetFilePathType='URL'\n        , TargetUrl=Uri\n        ,  SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n        ,  SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n        , HttpUserAgent=UserAgentHeader\n    | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n    | lookup tableoperations on OperationName\n    // Aliases\n    | extend \n       FilePath=TargetFilePath\n       };\n  parser (disabled = disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}