From c42eb7ded6f523dca7a2029dc8d837e85d696e9c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 25 Nov 2024 16:57:06 +0000 Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAlertEventSentinelOneSingularity.json | 2 +- .../vimAlertEventSentinelOneSingularity.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json index 141a6f0a678..b1296c0ddc6 100644 --- a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json @@ -27,7 +27,7 @@ "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform", "category": "ASIM", "FunctionAlias": "ASimAlertEventSentinelOneSingularity", - "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9\",]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json index baa5bc19e65..0b5b8a34a56 100644 --- a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json @@ -27,7 +27,7 @@ "displayName": "Alert Event ASIM filtering parser for SentinelOne Singularity platform", "category": "ASIM", "FunctionAlias": "vimAlertEventSentinelOneSingularity", - "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", \"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9\",]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" }