

Removing EventResultsDetails and HttpStatusCode.
t-pol authored Dec 11, 2024
1 parent 53de3f2 commit dd6cd9b
Showing 1 changed file with 4 additions and 5 deletions.
Expand Up @@ -52,10 +52,9 @@ ParserQuery: |
| where DeviceVendor == "Fortinet"
and DeviceProduct startswith "Fortigate"
and Activity has_all ('webfilter', 'utm')
| extend
EventResultDetails = "NA"
//| extend EventResultDetails = "NA" // HTTP response codes are not included in Fortigate logs.
| lookup EventLookup on DeviceAction
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
| project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
| project-rename
Url = RequestURL
, UrlCategory = RequestContext
Expand Down Expand Up @@ -121,8 +120,8 @@ ParserQuery: |
temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
| extend
HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
HttpStatusCode = EventResultDetails
HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
//HttpStatusCode = EventResultDetails // HTTP response codes are not included in Fortigate logs.
| project-away temp_*
| extend
EventCount = int(1)
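Review bot: The assignments the commit title says are being removed survive as commented-out KQL (`//| extend EventResultDetails = "NA" ...` in the first hunk and `//HttpStatusCode = EventResultDetails ...` in this one); Git history already preserves them, so deleting both lines and keeping only a short rationale comment next to the `| extend` block would leave the parser cleaner. A single comment such as `// EventResultDetails and HttpStatusCode are not populated: Fortigate webfilter logs carry no HTTP response code.` conveys the same information without dead code. Because this parser emits normalized fields for downstream content, anything that previously keyed on EventResultDetails or HttpStatusCode from this source presumably now sees empty values; that is worth confirming and recording in the parser's version metadata, which lies outside these hunks. The ParserQuery block begins before the first hunk and continues past the second.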
