diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json
index fc4bbe2f9a2..66b2dfeb2dd 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/azuredeploy_cdfdrv2_connector.json
@@ -153,13 +153,10 @@
"cust-table-csdns": "CrowdStrike_DNS_Events_CL",
"cust-table-csauth": "CrowdStrike_Auth_Events_CL",
"cust-table-csaudit": "CrowdStrike_Audit_Events_CL",
- "norm-table-csfile": "ASimFileEventLogs_CL",
- "norm-table-csregistry": "ASimRegistryEventLogs_CL",
- "norm-table-csusermgmt": "ASimUserManagementLogs_CL",
"FunctionName": "[concat(toLower(parameters('function-name')), uniqueString(resourceGroup().id))]",
"StorageSuffix": "[environment().suffixes.storage]",
"Expected_EPS_volume": "[parameters('Expected_EPS_volume')]",
- "functionapp-hosting-plan": "[if(lessOrEquals(variables('Expected_EPS_volume'), 40000), 'Consumption',if(lessOrEquals(variables('Expected_EPS_volume'), 60000), 'EP1','EP2'))]",
+ "functionapp-hosting-plan": "[if(lessOrEquals(variables('Expected_EPS_volume'), 100000), 'Consumption','EP1')]",
"HostingPlanName-Premium": "[concat('ASP-',substring(variables('FunctionName'), 0, 20))]",
"HostingPlanName-Consumption": "[concat('CSP-',substring(variables('FunctionName'), 0, 20))]",
"CrowdStrike_AWS_Key": "[parameters('CrowdStrike_AWS_Key')]",
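Review bot: The new `functionapp-hosting-plan` expression raises the Consumption ceiling from 40000 to 100000 EPS and drops the EP2 tier entirely, but nothing in the template records why those tiers were chosen or what the Consumption plan is expected to sustain at that rate, so a deployment near the 100000 boundary silently lands on Consumption. I would document the thresholds on the `Expected_EPS_volume` parameter's `metadata.description` (the parameter declaration is outside this hunk), e.g. `"description": "Expected events per second. Up to 100000 deploys a Consumption plan; above that an EP1 Elastic Premium plan."`. The three `norm-table-*` variables are removed here while their table resources are removed in the following hunk; if any remaining app setting or output in the template still reads `variables('norm-table-csfile')` (or the registry/usermgmt counterparts), ARM validation will fail on the undefined variable, which is worth checking before merge. The enclosing `variables` object starts and ends outside this hunk.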
@@ -198,1317 +195,6 @@
"parameters": {},
"variables": {},
"resources": [
- {
- "name": "[concat(variables('loganalyticsworkspace'),'/',variables('norm-table-csfile'))]",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2022-10-01",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "[variables('norm-table-csfile')]",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "DateTime",
- "description": "The timestamp reflecting the time in which the event was generated."
- },
- {
- "name": "EventMessage",
- "type": "String",
- "description": "A general message or description."
- },
- {
- "name": "EventCount",
- "type": "Int",
- "description": "This value is used when the source supports aggregation, and a single record may represent multiple events."
- },
- {
- "name": "EventStartTime",
- "type": "DateTime",
- "description": "The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventEndTime",
- "type": "DateTime",
- "description": "The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventType",
- "type": "String",
- "description": "The operation reported by the record."
- },
- {
- "name": "EventSubType",
- "type": "String",
- "description": "Additional description of the event type, if applicable."
- },
- {
- "name": "EventResult",
- "type": "String",
- "description": "The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."
- },
- {
- "name": "EventResultDetails",
- "type": "String",
- "description": "The HTTP status code."
- },
- {
- "name": "EventOriginalUid",
- "type": "String",
- "description": "A unique ID of the original record, if provided by the source."
- },
- {
- "name": "EventOriginalType",
- "type": "String",
- "description": "The original event type or ID, if provided by the source."
- },
- {
- "name": "EventOriginalSubType",
- "type": "String",
- "description": "The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema."
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String",
- "description": "The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema."
- },
- {
- "name": "EventSeverity",
- "type": "String",
- "description": "The severity of the event. Valid values are: Informational, Low, Medium, or High."
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String",
- "description": "The original severity as provided by the reporting device. This value is used to derive EventSeverity."
- },
- {
- "name": "EventProduct",
- "type": "String",
- "description": "The product generating the event."
- },
- {
- "name": "EventProductVersion",
- "type": "String",
- "description": "The version of the product generating the event."
- },
- {
- "name": "EventVendor",
- "type": "String",
- "description": "The vendor of the product generating the event."
- },
- {
- "name": "EventSchema",
- "type": "String",
- "description": "The schema the event is normalized to. Each schema documents its schema name."
- },
- {
- "name": "EventSchemaVersion",
- "type": "String",
- "description": "The version of the schema."
- },
- {
- "name": "EventReportUrl",
- "type": "String",
- "dataTypeHint": "URI",
- "description": "A URL provided in the event for a resource that provides more information about the event."
- },
- {
- "name": "EventOwner",
- "type": "String",
- "description": "The owner of the event, which is usually the department or subsidiary in which it was generated."
- },
- {
- "name": "Dvc",
- "type": "String",
- "description": "A unique identifier of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "dataTypeHint": "IP",
- "description": "The IP address of the device reporting the event."
- },
- {
- "name": "DvcHostname",
- "type": "String",
- "description": "The hostname of the device reporting the event."
- },
- {
- "name": "DvcDomain",
- "type": "String",
- "description": "The domain of the device reporting the event."
- },
- {
- "name": "DvcDomainType",
- "type": "String",
- "description": "The type of DvcDomain. Valid values include 'Windows' and 'FQDN'."
- },
- {
- "name": "DvcFQDN",
- "type": "String",
- "description": "The hostname of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcDescription",
- "type": "String",
- "description": "A descriptive text associated with the device."
- },
- {
- "name": "DvcId",
- "type": "String",
- "description": "The unique ID of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcIdType",
- "type": "String",
- "description": "The type of DvcId."
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "description": "The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7"
- },
- {
- "name": "DvcZone",
- "type": "String",
- "description": "The network on which the event occurred or which reported the event, depending on the schema."
- },
- {
- "name": "DvcOs",
- "type": "String",
- "description": "The operating system running on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcOsVersion",
- "type": "String",
- "description": "The version of the operating system on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcAction",
- "type": "String",
- "description": "The action taken on the web session."
- },
- {
- "name": "DvcOriginalAction",
- "type": "String",
- "description": "The original DvcAction as provided by the reporting device."
- },
- {
- "name": "DvcInterface",
- "type": "String",
- "description": "The original DvcAction as provided by the reporting device."
- },
- {
- "name": "DvcScopeId",
- "type": "String",
- "description": "The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "DvcScope",
- "type": "String",
- "description": "The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic",
- "description": "Additional information, represented using key/value pairs provided by the source which do not map to ASim."
- },
- {
- "name": "TargetFileCreationTime",
- "type": "DateTime",
- "description": "The time at which the target file was created."
- },
- {
- "name": "TargetFileDirectory",
- "type": "String",
- "description": "The target file folder or location."
- },
- {
- "name": "TargetFileExtension",
- "type": "String",
- "description": "The target file extension."
- },
- {
- "name": "TargetFileMimeType",
- "type": "String",
- "description": "The Mime or Media type of the target file."
- },
- {
- "name": "TargetFileName",
- "type": "String",
- "description": "The name of the target file, without a path or a location, but with an extension if relevant."
- },
- {
- "name": "TargetFilePath",
- "type": "String",
- "description": "The full, normalized path of the target file, including the folder or location, the file name, and the extension."
- },
- {
- "name": "TargetFilePathType",
- "type": "String",
- "description": "The type of TargetFilePath."
- },
- {
- "name": "TargetFileMD5",
- "type": "String",
- "description": "The MD5 hash of the target file."
- },
- {
- "name": "TargetFileSHA1",
- "type": "String",
- "description": "The SHA-1 hash of the target file."
- },
- {
- "name": "TargetFileSHA256",
- "type": "String",
- "description": "The SHA-256 hash of the target file."
- },
- {
- "name": "TargetFileSHA512",
- "type": "String",
- "description": "The SHA-512 hash of the source file."
- },
- {
- "name": "HashType",
- "type": "String",
- "description": "The type of hash stored in the Hash alias field."
- },
- {
- "name": "TargetFileSize",
- "type": "Long",
- "description": "The size of the target file in bytes."
- },
- {
- "name": "SrcFileCreationTime",
- "type": "DateTime",
- "description": "The time at which the source file was created."
- },
- {
- "name": "SrcFileDirectory",
- "type": "String",
- "description": "The source file folder or location."
- },
- {
- "name": "SrcFileExtension",
- "type": "String",
- "description": "The source file extension."
- },
- {
- "name": "SrcFileMimeType",
- "type": "String",
- "description": "The Mime or Media type of the source file."
- },
- {
- "name": "SrcFileName",
- "type": "String",
- "description": "The name of the source file, without a path or a location, but with an extension if relevant."
- },
- {
- "name": "SrcFilePath",
- "type": "String",
- "description": "The full, normalized path of the source file, including the folder or location, the file name, and the extension."
- },
- {
- "name": "SrcFilePathType",
- "type": "String",
- "description": "The type of SrcFilePath."
- },
- {
- "name": "SrcFileMD5",
- "type": "String",
- "description": "The MD5 hash of the source file."
- },
- {
- "name": "SrcFileSHA1",
- "type": "String",
- "description": "The SHA-1 hash of the source file."
- },
- {
- "name": "SrcFileSHA256",
- "type": "String",
- "description": "The SHA-256 hash of the source file."
- },
- {
- "name": "SrcFileSHA512",
- "type": "String",
- "description": "The SHA-512 hash of the source file."
- },
- {
- "name": "SrcFileSize",
- "description": "The size of the source file in bytes.",
- "type": "Long"
- },
- {
- "name": "ActorUserId",
- "type": "String",
- "description": "A machine-readable, alphanumeric, unique representation of the actor."
- },
- {
- "name": "ActorScope",
- "type": "String",
- "description": "The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."
- },
- {
- "name": "ActorUserIdType",
- "type": "String",
- "description": "The type of the ID stored in the ActorUserId field."
- },
- {
- "name": "ActorUsername",
- "type": "String",
- "description": "The Actor username, including domain information when available."
- },
- {
- "name": "ActorUsernameType",
- "type": "String",
- "description": "Specifies the type of the user name stored in the ActorUsername field."
- },
- {
- "name": "ActorSessionId",
- "type": "String",
- "description": "The unique ID of the login session of the Actor."
- },
- {
- "name": "ActorUserType",
- "type": "String",
- "description": "The type of actor."
- },
- {
- "name": "ActorOriginalUserType",
- "type": "String",
- "description": "The original actor user type as provided by the reporting device."
- },
- {
- "name": "ActingProcessCommandLine",
- "type": "String",
- "description": "The command line used to run the acting process."
- },
- {
- "name": "ActingProcessName",
- "type": "String",
- "description": "The name of the acting process."
- },
- {
- "name": "ActingProcessId",
- "type": "String",
- "description": "The process ID (PID) of the acting process."
- },
- {
- "name": "ActingProcessGuid",
- "type": "String",
- "description": "A generated unique identifier (GUID) of the acting process."
- },
- {
- "name": "HttpUserAgent",
- "type": "String",
- "description": "When the operation is initiated using HTTP or HTTPS, the HTTP user agent header."
- },
- {
- "name": "NetworkApplicationProtocol",
- "type": "String",
- "description": "When the operation is initiated by a remote system, the application layer protocol used by the connection or session."
- },
- {
- "name": "SrcIpAddr",
- "type": "String",
- "dataTypeHint": "IP",
- "description": "When the operation is initiated by a remote system, the IP address of this system."
- },
- {
- "name": "SrcGeoCountry",
- "type": "String",
- "description": "The country associated with the source IP address."
- },
- {
- "name": "SrcGeoRegion",
- "type": "String",
- "description": "The region within a country associated with the source IP address."
- },
- {
- "name": "SrcGeoCity",
- "type": "String",
- "description": "The city associated with the source IP address."
- },
- {
- "name": "SrcGeoLatitude",
- "type": "Real",
- "description": "The latitude of the geographical coordinate associated with the source IP address."
- },
- {
- "name": "SrcGeoLongitude",
- "type": "Real",
- "description": "The longitude of the geographical coordinate associated with the source IP address."
- },
- {
- "name": "TargetAppName",
- "type": "String",
- "description": "The name of the destination application."
- },
- {
- "name": "TargetAppId",
- "type": "String",
- "description": "The ID of the destination application, as reported by the reporting device."
- },
- {
- "name": "TargetAppType",
- "type": "String",
- "description": "The type of the destination application."
- },
- {
- "name": "TargetUrl",
- "type": "String",
- "dataTypeHint": "URI",
- "description": "When the operation is initiated using HTTP or HTTPS, the URL used."
- },
- {
- "name": "RuleName",
- "type": "String",
- "description": "The name or ID of the rule by associated with the inspection results."
- },
- {
- "name": "RuleNumber",
- "type": "Int",
- "description": "The number of the rule associated with the inspection results."
- },
- {
- "name": "ThreatId",
- "type": "String",
- "description": "The ID of the threat or malware identified in the file activity."
- },
- {
- "name": "ThreatName",
- "type": "String",
- "description": "The name of the threat or malware identified in the file activity."
- },
- {
- "name": "ThreatCategory",
- "type": "String",
- "description": "The category of the threat or malware identified in the file activity."
- },
- {
- "name": "ThreatRiskLevel",
- "type": "Int",
- "description": "The risk level associated with the identified threat. The level should be a number between 0 and 100."
- },
- {
- "name": "ThreatOriginalRiskLevel",
- "type": "String",
- "description": "The risk level as reported by the reporting device."
- },
- {
- "name": "ThreatFilePath",
- "type": "String",
- "description": "A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents."
- },
- {
- "name": "ThreatField",
- "type": "String",
- "description": "The field for which a threat was identified. The value is either SrcFilePath or DstFilePath."
- },
- {
- "name": "ThreatConfidence",
- "type": "Int",
- "description": "The confidence level of the threat identified, normalized to a value between 0 and a 100."
- },
- {
- "name": "ThreatOriginalConfidence",
- "type": "String",
- "description": "The original confidence level of the threat identified, as reported by the reporting device."
- },
- {
- "name": "ThreatIsActive",
- "type": "Bool",
- "description": "True ID the threat identified is considered an active threat."
- },
- {
- "name": "ThreatFirstReportedTime",
- "type": "DateTime",
- "description": "The first time the IP address or domain were identified as a threat."
- },
- {
- "name": "ThreatLastReportedTime",
- "type": "DateTime",
- "description": "The last time the IP address or domain were identified as a threat."
- },
- {
- "name": "DvcSubscriptionId",
- "type": "String",
- "description": "The cloud platform subscription ID the device belongs to. DvcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "Hash",
- "type": "String",
- "description": "Alias to the best available Target File hash."
- }
- ]
- }
- }
- },
- {
- "name": "[concat(variables('loganalyticsworkspace'),'/',variables('norm-table-csregistry'))]",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2022-10-01",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "[variables('norm-table-csregistry')]",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "Datetime",
- "description": "The timestamp (UTC) reflecting the time in which the event was generated."
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic",
- "description": "Additional information, represented using key/value pairs provided by the source which do not map to ASim."
- },
- {
- "name": "EventMessage",
- "type": "String",
- "description": "A general message or description."
- },
- {
- "name": "EventCount",
- "type": "Int",
- "description": "The number of events described by the record."
- },
- {
- "name": "EventStartTime",
- "type": "Datetime",
- "description": "The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventEndTime",
- "type": "Datetime",
- "description": "The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventType",
- "type": "String",
- "description": "Describes the operation reported by the record."
- },
- {
- "name": "EventSubType",
- "type": "String",
- "description": "Describes a subdivision of the operation reported in the EventType field."
- },
- {
- "name": "EventResult",
- "type": "String",
- "description": "The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."
- },
- {
- "name": "EventResultDetails",
- "type": "String",
- "description": "Reason or details for the result reported in the EventResult field."
- },
- {
- "name": "EventOriginalUid",
- "type": "String",
- "description": "A unique ID of the original record, if provided by the source."
- },
- {
- "name": "EventOriginalType",
- "type": "String",
- "description": "The original event type or ID, if provided by the source."
- },
- {
- "name": "EventOriginalSubType",
- "type": "String",
- "description": "The original event subtype or ID, if provided by the source."
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String",
- "description": "The original result details provided by the source."
- },
- {
- "name": "EventSeverity",
- "type": "String",
- "description": "The severity of the event. Valid values are: Informational, Low, Medium, or High."
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String",
- "description": "The original severity as provided by the reporting device. "
- },
- {
- "name": "EventProduct",
- "type": "String",
- "description": "The product generating the event."
- },
- {
- "name": "EventProductVersion",
- "type": "String",
- "description": "The version of the product generating the event."
- },
- {
- "name": "EventVendor",
- "type": "String",
- "description": "The vendor of the product generating the event."
- },
- {
- "name": "EventSchemaVersion",
- "type": "String",
- "description": "The version of the schema."
- },
- {
- "name": "EventOwner",
- "type": "String",
- "description": "The owner of the event, which is usually the department or subsidiary in which it was generated."
- },
- {
- "name": "EventReportUrl",
- "type": "String",
- "description": "A URL provided in the event for a resource that provides more information about the event."
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "description": "The IP Address of the device reporting the event."
- },
- {
- "name": "DvcHostname",
- "type": "String",
- "description": "The hostname of the device reporting the event."
- },
- {
- "name": "DvcDomain",
- "type": "String",
- "description": "The domain of the device reporting the event."
- },
- {
- "name": "DvcDomainType",
- "type": "String",
- "description": "The type of DvcDomain."
- },
- {
- "name": "DvcFQDN",
- "type": "String",
- "description": "The hostname of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcDescription",
- "type": "String",
- "description": "A descriptive text associated with the device."
- },
- {
- "name": "DvcId",
- "type": "String",
- "description": "The unique ID of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcIdType",
- "type": "String",
- "description": "The type of DvcId."
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "description": "The MAC address of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcZone",
- "type": "String",
- "description": "The network on which the event occurred or which reported the event."
- },
- {
- "name": "DvcOs",
- "type": "String",
- "description": "The operating system running on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcOsVersion",
- "type": "String",
- "description": "The version of the operating system on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcAction",
- "type": "String",
- "description": "For reporting security systems, the action taken by the system."
- },
- {
- "name": "DvcOriginalAction",
- "type": "String",
- "description": "The original DvcAction as provided by the reporting device."
- },
- {
- "name": "DvcInterface",
- "type": "String",
- "description": "The network interface on which data was captured."
- },
- {
- "name": "DvcScopeId",
- "type": "String",
- "description": "The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "DvcScope",
- "type": "String",
- "description": "The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "ActorUserId",
- "type": "String",
- "description": "A unique ID of the Actor."
- },
- {
- "name": "ActorUserIdType",
- "type": "String",
- "description": "The type of the ID stored in the ActorUserId field."
- },
- {
- "name": "ActorScopeId",
- "type": "String",
- "description": "The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."
- },
- {
- "name": "ActorScope",
- "type": "String",
- "description": "The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."
- },
- {
- "name": "ActorUsername",
- "type": "String",
- "description": "The user name of the user who initiated the event."
- },
- {
- "name": "ActorUsernameType",
- "type": "String",
- "description": "Specifies the type of the user name stored in the ActorUsername field."
- },
- {
- "name": "ActorSessionId",
- "type": "String",
- "description": "The unique ID of the login session of the Actor"
- },
- {
- "name": "ActingProcessName",
- "type": "String",
- "description": "The file name of the acting process image file."
- },
- {
- "name": "ActingProcessId",
- "type": "String",
- "description": "The process ID of the acting process."
- },
- {
- "name": "ActingProcessGuid",
- "type": "String",
- "description": "A generated unique identifier of the acting process."
- },
- {
- "name": "ParentProcessName",
- "type": "String",
- "description": "The file name of the parent process image file."
- },
- {
- "name": "ParentProcessId",
- "type": "String",
- "description": "The process ID of the parent process."
- },
- {
- "name": "ParentProcessGuid",
- "type": "String",
- "description": "A generated unique identifier of the parent process."
- },
- {
- "name": "RegistryKey",
- "type": "String",
- "description": "The registry key associated with the operation, normalized to standard root key naming conventions."
- },
- {
- "name": "RegistryValue",
- "type": "String",
- "description": "The registry value associated with the operation."
- },
- {
- "name": "RegistryValueType",
- "type": "String",
- "description": "The type of registry value, normalized to standard form."
- },
- {
- "name": "RegistryValueData",
- "type": "String",
- "description": "The data stored in the registry value."
- },
- {
- "name": "RegistryPreviousKey",
- "type": "String",
- "description": "For operations that modify the registry, the original registry key, normalized to standard root key naming"
- },
- {
- "name": "RegistryPreviousValue",
- "type": "String",
- "description": "For operations that modify the registry, the original value type, normalized to the standard form."
- },
- {
- "name": "RegistryPreviousValueType",
- "type": "String",
- "description": "For operations that modify the registry, the original value type."
- },
- {
- "name": "RegistryPreviousValueData",
- "type": "String",
- "description": "The original registry data, for operations that modify the registry."
- }
- ]
- }
- }
- },
- {
- "name": "[concat(variables('loganalyticsworkspace'),'/',variables('norm-table-csusermgmt'))]",
- "type": "Microsoft.OperationalInsights/workspaces/tables",
- "apiVersion": "2022-10-01",
- "tags": {},
- "properties": {
- "plan": "Analytics",
- "schema": {
- "name": "[variables('norm-table-csusermgmt')]",
- "columns": [
- {
- "name": "TimeGenerated",
- "type": "Datetime",
- "description": "The timestamp (UTC) reflecting the time in which the event was generated."
- },
- {
- "name": "AdditionalFields",
- "type": "dynamic",
- "description": "Additional information, represented using key/value pairs provided by the source which do not map to ASim."
- },
- {
- "name": "EventMessage",
- "type": "String",
- "description": "A general message or description."
- },
- {
- "name": "EventCount",
- "type": "Int",
- "description": "The number of events described by the record."
- },
- {
- "name": "EventStartTime",
- "type": "Datetime",
- "description": "The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventEndTime",
- "type": "Datetime",
- "description": "The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field."
- },
- {
- "name": "EventType",
- "type": "String",
- "description": "Describes the operation reported by the record"
- },
- {
- "name": "EventSubType",
- "type": "String",
- "description": "Describes a subdivision of the operation reported in the EventType field."
- },
- {
- "name": "EventResult",
- "type": "String",
- "description": "The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field."
- },
- {
- "name": "EventResultDetails",
- "type": "String",
- "description": "Reason or details for the result reported in the EventResult field."
- },
- {
- "name": "EventOriginalUid",
- "type": "String",
- "description": "A unique ID of the original record, if provided by the source."
- },
- {
- "name": "EventOriginalType",
- "type": "String",
- "description": "The original event type or ID, if provided by the source."
- },
- {
- "name": "EventOriginalSubType",
- "type": "String",
- "description": "The original event subtype or ID, if provided by the source."
- },
- {
- "name": "EventOriginalResultDetails",
- "type": "String",
- "description": "The original result details provided by the source."
- },
- {
- "name": "EventSeverity",
- "type": "String",
- "description": "The severity of the event. Valid values are: Informational, Low, Medium, or High."
- },
- {
- "name": "EventOriginalSeverity",
- "type": "String",
- "description": "The original severity as provided by the reporting device. "
- },
- {
- "name": "EventProduct",
- "type": "String",
- "description": "The product generating the event."
- },
- {
- "name": "EventProductVersion",
- "type": "String",
- "description": "The version of the product generating the event."
- },
- {
- "name": "EventVendor",
- "type": "String",
- "description": "The vendor of the product generating the event."
- },
- {
- "name": "EventSchemaVersion",
- "type": "String",
- "description": "The version of the schema."
- },
- {
- "name": "EventOwner",
- "type": "String",
- "description": "The owner of the event, which is usually the department or subsidiary in which it was generated."
- },
- {
- "name": "EventReportUrl",
- "type": "String",
- "description": "A URL provided in the event for a resource that provides more information about the event."
- },
- {
- "name": "DvcIpAddr",
- "type": "String",
- "description": "The IP Address of the device reporting the event."
- },
- {
- "name": "DvcHostname",
- "type": "String",
- "description": "The hostname of the device reporting the event."
- },
- {
- "name": "DvcDomain",
- "type": "String",
- "description": "The domain of the device reporting the event."
- },
- {
- "name": "DvcDomainType",
- "type": "String",
- "description": "The type of DvcDomain."
- },
- {
- "name": "DvcFQDN",
- "type": "String",
- "description": "The hostname of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcDescription",
- "type": "String",
- "description": "A descriptive text associated with the device."
- },
- {
- "name": "DvcId",
- "type": "String",
- "description": "The unique ID of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcIdType",
- "type": "String",
- "description": "The type of DvcId."
- },
- {
- "name": "DvcMacAddr",
- "type": "String",
- "description": "The MAC address of the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcZone",
- "type": "String",
- "description": "The network on which the event occurred or which reported the event."
- },
- {
- "name": "DvcOs",
- "type": "String",
- "description": "The operating system running on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcOsVersion",
- "type": "String",
- "description": "The version of the operating system on the device on which the event occurred or which reported the event."
- },
- {
- "name": "DvcAction",
- "type": "String",
- "description": "For reporting security systems, the action taken by the system."
- },
- {
- "name": "DvcOriginalAction",
- "type": "String",
- "description": "The original DvcAction as provided by the reporting device."
- },
- {
- "name": "DvcInterface",
- "type": "String",
- "description": "The network interface on which data was captured."
- },
- {
- "name": "DvcScopeId",
- "type": "String",
- "description": "The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "DvcScope",
- "type": "String",
- "description": "The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "ActorUserId",
- "type": "String",
- "description": "A machine-readable, alphanumeric, unique representation of the actor."
- },
- {
- "name": "ActorUserIdType",
- "type": "String",
- "description": "The type of the ID stored in the ActorUserId field."
- },
- {
- "name": "ActorScopeId",
- "type": "String",
- "description": "The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined."
- },
- {
- "name": "ActorScope",
- "type": "String",
- "description": "The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined."
- },
- {
- "name": "ActorUsername",
- "type": "String",
- "description": "The Actor's username, including domain information when available."
- },
- {
- "name": "ActorUsernameType",
- "type": "String",
- "description": "Specifies the type of the user name stored in the ActorUsername field."
- },
- {
- "name": "ActorUserType",
- "type": "String",
- "description": "The type of the Actor."
- },
- {
- "name": "ActorOriginalUserType",
- "type": "String",
- "description": "The original actor user type, if provided by the source."
- },
- {
- "name": "ActorSessionId",
- "type": "String",
- "description": "The unique ID of the sign-in session of the Actor."
- },
- {
- "name": "TargetUserId",
- "type": "String",
- "description": "A machine-readable, alphanumeric, unique representation of the target user."
- },
- {
- "name": "TargetUserIdType",
- "type": "String",
- "description": "The type of the ID stored in the TargetUserId field."
- },
- {
- "name": "TargetScopeId",
- "type": "String",
- "description": "The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined."
- },
- {
- "name": "TargetScope",
- "type": "String",
- "description": "The scope, such as Azure AD tenant, in which TargetUserId and TargetUsername are defined."
- },
- {
- "name": "TargetUsername",
- "type": "String",
- "description": "The target username, including domain information when available."
- },
- {
- "name": "TargetUsernameType",
- "type": "String",
- "description": "Specifies the type of the username stored in the TargetUsername field."
- },
- {
- "name": "TargetUserType",
- "type": "String",
- "description": "The type of target user."
- },
- {
- "name": "TargetOriginalUserType",
- "type": "String",
- "description": "The original destination user type, if provided by the source."
- },
- {
- "name": "GroupId",
- "type": "String",
- "description": "A machine-readable, alphanumeric, unique representation of the group, for activities involving a group."
- },
- {
- "name": "GroupIdType",
- "type": "String",
- "description": "The type of the ID stored in the GroupId field."
- },
- {
- "name": "GroupName",
- "type": "String",
- "description": "The group name, including domain information when available, for activities involving a group."
- },
- {
- "name": "GroupNameType",
- "type": "String",
- "description": "Specifies the type of the group name stored in the GroupName field."
- },
- {
- "name": "GroupType",
- "type": "String",
- "description": "The type of the group, for activities involving a group."
- },
- {
- "name": "GroupOriginalType",
- "type": "String",
- "description": "The original group type, if provided by the source."
- },
- {
- "name": "SrcIpAddr",
- "type": "String",
- "description": "The IP address of the source device."
- },
- {
- "name": "SrcPortNumber",
- "type": "Int",
- "description": "The Source IP port from which the connection originated."
- },
- {
- "name": "SrcHostname",
- "type": "String",
- "description": "The source device hostname, excluding domain information."
- },
- {
- "name": "SrcDomain",
- "type": "String",
- "description": "The domain of the source device."
- },
- {
- "name": "SrcDomainType",
- "type": "String",
- "description": "The type of SrcDomain."
- },
- {
- "name": "SrcFQDN",
- "type": "String",
- "description": "The source device hostname, including domain information when available."
- },
- {
- "name": "SrcDescription",
- "type": "String",
- "description": "A descriptive text associated with the source device."
- },
- {
- "name": "SrcDvcId",
- "type": "String",
- "description": "The ID of the source device as reported in the record."
- },
- {
- "name": "SrcDvcIdType",
- "type": "String",
- "description": "The type of SrcDvcId."
- },
- {
- "name": "SrcDvcScopeId",
- "type": "String",
- "description": "The cloud platform scope ID the source device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "SrcDvcScope",
- "type": "String",
- "description": "The cloud platform scope the source device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS."
- },
- {
- "name": "SrcDeviceType",
- "type": "String",
- "description": "The type of the source device."
- },
- {
- "name": "SrcGeoCountry",
- "type": "String",
- "description": "The country associated with the source IP address."
- },
- {
- "name": "SrcGeoLatitude",
- "type": "Real",
- "description": "The latitude of the geographical coordinate associated with the source IP address."
- },
- {
- "name": "SrcGeoLongitude",
- "type": "Real",
- "description": "The longitude of the geographical coordinate associated with the source IP address."
- },
- {
- "name": "SrcGeoRegion",
- "type": "String",
- "description": "The region within a country associated with the source IP address."
- },
- {
- "name": "SrcGeoCity",
- "type": "String",
- "description": "The city associated with the source IP address."
- },
- {
- "name": "SrcRiskLevel",
- "type": "Int",
- "description": "The risk level associated with the identified Source."
- },
- {
- "name": "SrcOriginalRiskLevel",
- "type": "String",
- "description": "The risk level associaeted with the identified Source as reported by the reporting device."
- },
- {
- "name": "ActingAppId",
- "type": "String",
- "description": "The ID of the application used by the actor to perform the activity, including a process, browser, or service."
- },
- {
- "name": "ActingAppName",
- "type": "String",
- "description": "The name of the application used by the actor to perform the activity, including a process, browser, or service."
- },
- {
- "name": "ActingAppType",
- "type": "String",
- "description": "The type of acting application."
- },
- {
- "name": "HttpUserAgent",
- "type": "String",
- "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."
- },
- {
- "name": "PreviousPropertyValue",
- "type": "String",
- "description": "The previous value that was stored in the specified property."
- },
- {
- "name": "NewPropertyValue",
- "type": "String",
- "description": "The new value stored in the specified property."
- }
- ]
- }
- }
- },
{
"name": "[concat(variables('loganalyticsworkspace'),'/',variables('cust-table-additionaldata'))]",
"type": "Microsoft.OperationalInsights/workspaces/tables",
@@ -10070,7 +8756,7 @@
],
"destinations": [ "myworkspace" ],
"transformKql": "let EventTypeSimpleNameLookup = parse_json('{\"ZipFileWritten\": \"FileModified\", \"XarFileWritten\": \"FileModified\", \"VmdkFileWritten\": \"FileModified\", \"VdiFileWritten\": \"FileModified\", \"TiffFileWritten\": \"FileModified\", \"TarFileWritten\": \"FileModified\", \"SuspiciousPeFileWritten\": \"FileModified\", \"SuspiciousEseFileWritten\": \"FileModified\", \"SldFileWritten\": \"FileModified\", \"SevenZipFileWritten\": \"FileModified\", \"RtfFileWritten\": \"FileModified\", \"RpmFileWritten\": \"FileModified\", \"RarFileWritten\": \"FileModified\", \"RansomwareRenameFile\": \"FileRenamed\", \"RansomwareOpenFile\": \"FileAccessed\", \"RansomwareFileAccessPattern\": \"FileAccessed\", \"RansomwareCreateFile\": \"FileCreated\", \"PngFileWritten\": \"FileModified\", \"PeFileWritten\": \"FileCreated\", \"PdfFileWritten\": \"FileModified\", \"OoxmlFileWritten\": \"FileModified\", \"OleFileWritten\": \"FileModified\", \"NewScriptWritten\": \"FileCreated\", \"NewExecutableWritten\": \"FileCreated\", \"NewExecutableRenamed\": \"FileRenamed\", \"MSXlsxFileWritten\": \"FileModified\", \"MSVsdxFileWritten\": \"FileModified\", \"MSPptxFileWritten\": \"FileModified\", \"MsiFileWritten\": \"FileModified\", \"MSDocxFileWritten\": \"FileModified\", \"MachOFileWritten\": \"FileModified\", \"LnkFileWritten\": \"FileModified\", \"JpegFileWritten\": \"FileModified\", \"JavaClassFileWritten\": \"FileModified\", \"JarFileWritten\": \"FileModified\", \"IdwFileWritten\": \"FileModified\", \"GzipFileWritten\": \"FileModified\", \"GifFileWritten\": \"FileModified\", \"GenericFileWritten\": \"FileModified\", \"EseFileWritten\": \"FileModified\", \"EmailFileWritten\": \"FileModified\", \"EmailArchiveFileWritten\": \"FileModified\", \"ELFFileWritten\": \"FileModified\", \"DxfFileWritten\": \"FileModified\", \"DwgFileWritten\": \"FileModified\", \"DmpFileWritten\": \"FileModified\", \"DmgFileWritten\": \"FileModified\", \"DirectoryCreate\": \"FolderCreated\", 
\"CriticalFileModified\": \"FileModified\", \"CriticalFileAccessed\": \"FileAccessed\", \"CabFileWritten\": \"FileModified\", \"BZip2FileWritten\": \"FileModified\", \"BmpFileWritten\": \"FileModified\", \"BlfFileWritten\": \"FileModified\", \"AsepFileChange\": \"FileModified\", \"ArjFileWritten\": \"FileModified\", \"ArcFileWritten\": \"FileModified\"}');\r\n let EventSeverityLookup = parse_json('{\"SuspiciousPeFileWritten\": \"Medium\",\"SuspiciousEseFileWritten\": \"Medium\",\"RansomwareRenameFile\": \"High\",\"RansomwareOpenFile\": \"High\",\"RansomwareFileAccessPattern\": \"High\",\"RansomwareCreateFile\": \"High\",\"CriticalFileModified\": \"Medium\",\"CriticalFileAccessed\": \"Medium\"}');\r\n let EventResultStatusLookup = parse_json('{0: {\"EventResultDetails\": \"\",\"EventResult\": \"Success\"},538181633: {\"EventResultDetails\": \"Component Enabled\",\"EventResult\": \"Success\"},1611530273: {\"EventResultDetails\": \"Mask Adjusted\",\"EventResult\": \"Success\"},1611726866: {\"EventResultDetails\": \"DEP disabled appcompat\",\"EventResult\": \"Success\"},1611792386: {\"EventResultDetails\": \"No existing credentials\",\"EventResult\": \"Failure\"},1611923478: {\"EventResultDetails\": \"Component Stopped\",\"EventResult\": \"Success\"},1612251168: {\"EventResultDetails\": \"HTTP Visibility enabled\",\"EventResult\": \"Success\"},3221225506: {\"EventResultDetails\": \"Access Denied\",\"EventResult\": \"Failure\"},3221225533: {\"EventResultDetails\": \"Data late error\",\"EventResult\": \"Failure\"},3221225541: {\"EventResultDetails\": \"Invalid page protection\",\"EventResult\": \"Failure\"},3221226347: {\"EventResultDetails\": \"Driver blocked critical\",\"EventResult\": \"Failure\"},3759013928: {\"EventResultDetails\": \"Process Critical\",\"EventResult\": \"Failure\"},3759013929: {\"EventResultDetails\": \"Process Whitelisted\",\"EventResult\": \"Success\"},3759013930: {\"EventResultDetails\": \"Process Microsoft signed\",\"EventResult\": 
\"Success\"},3759013931: {\"EventResultDetails\": \"Process Apple signed\",\"EventResult\": \"Success\"},3759407166: {\"EventResultDetails\": \"Component Disabled\",\"EventResult\": \"Failure\"}}');\r\n let EventResultFileWrittenLookup = parse_json('{0: {\"EventResultDetails\": \"\",\"EventResult\": \"Success\"},1: {\"EventResultDetails\": \"Hash failed\",\"EventResult\": \"Failure\"},2: {\"EventResultDetails\": \"Hash aborted too large\",\"EventResult\": \"Failure\"}}');\r\n let EventTypeFileLookup = parse_json('{0: \"FileRenamed\",1: \"FileModified\",2: \"FileDeleted\"}');\r\n let EventTypeSystemOperationLookup = parse_json('{1: \"FileRenamed\",2: \"FileDeleted\"}');source\r\n | extend eventDatetime = datetime_add('Millisecond', tolong(timestamp), todatetime('1970-01-01')),\r\n contextDatetime = datetime_add('MilliSecond', tolong(todouble(ContextTimeStamp) * 1000), todatetime('1970-01-01'))\r\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now())\r\n | project-rename\r\n DvcIpAddr = aip,\r\n DvcId = aid,\r\n ActorUsername = UserName,\r\n EventOriginalType = name,\r\n EventOriginalUid = id,\r\n EventProductVersion = ConfigBuild,\r\n ActingProcessId = ContextProcessId,\r\n TargetFilePath = TargetFileName,\r\n SrcFileName = SourceFileName,\r\n TargetFileDirectory = TargetDirectoryName,\r\n ActingProcessCommandLine = CommandLine\r\n | extend \r\n DvcOs = case(event_platform == \"Win\", \"Windows\", \r\n event_platform == \"Mac\", \"Macintosh\",\r\n event_platform == \"Lin\", \"Linux\", \r\n \"\"), \r\n ActorUserId = iff(isnotempty(FileOperatorSid), FileOperatorSid, UID),\r\n EventStartTime = iff(isnotempty(contextDatetime),contextDatetime,TimeGenerated),\r\n TargetFileSize = tolong(Size),\r\n TargetFilePathSplit = iff(event_platform == \"Win\" and ImageFileName == \"\", \r\n split(TargetFilePath,'\\\\'),\r\n split(ImageFileName,'\\\\')\r\n ),\r\n TargetFileSHA256 = SHA256HashData\r\n | extend EventEndTime = EventStartTime,\r\n TargetFileName 
= tostring(TargetFilePathSplit[array_length(TargetFilePathSplit)-1]),\r\n EventSeverity = tostring(EventSeverityLookup[event_simpleName]),\r\n EventResultStatus = tostring(EventResultStatusLookup[Status].EventResult),\r\n EventResultDetailsStatus = tostring(EventResultStatusLookup[Status].EventResultDetails),\r\n EventResultFileWritten = tostring(EventResultFileWrittenLookup[FileWrittenFlags].EventResult),\r\n EventResultDetailsFileWritten = tostring(EventResultFileWrittenLookup[FileWrittenFlags].EventResultDetails),\r\n EventTypeSimple = tostring(EventTypeSimpleNameLookup[event_simpleName]),\r\n EventTypeFile = tostring(EventTypeFileLookup[FileEventType]),\r\n EventTypeSystemOperation = tostring(EventTypeSystemOperationLookup[FileSystemOperationType]),\r\n ActorUsername = case(isnotempty(ActorUsername), ActorUsername,\r\n ActorUserId == \"S-1-5-18\", \"Local System\",\r\n ActorUserId == \"S-1-0-0\", \"Nobody\",\r\n \"\")\r\n | extend \r\n AdditionalFields = todynamic(AdditionalFields),\r\n TargetFileExtension = tostring(split(TargetFileName,\".\",1)[0]),\r\n TargetFilePathType = iff(DvcOs == \"Windows\", \"Windows Share\",\"\"),\r\n ActorUsernameType = iff(ActorUsername == \"\",\"\",\"Simple\"),\r\n ActorUserIdType = case(FileOperatorSid != \"\",\"SID\",\r\n UID != \"\",\"RID\",\r\n \"\"),\r\n HashType = iff(TargetFileSHA256 == \"\", \"\", \"SHA256\"),\r\n EventType = case(isnotempty(EventTypeSystemOperation), EventTypeSystemOperation,\r\n isnotempty(EventTypeFile), EventTypeFile,\r\n EventTypeSimple),\r\n TargetFileCreationTime = iff(event_simpleName in~ (\"RansomwareCreateFile\", \"PeFileWritten\", \"NewScriptWritten\", \"NewExecutableWritten\"), EventStartTime, todatetime(\"\")),\r\n EventCount = toint(1),\r\n EventSchemaVersion = \"0.2.1\",\r\n EventVendor = \"CrowdStrike\",\r\n EventProduct = \"Falcon Data Replicator\",\r\n EventResult = case(isnotempty(EventResultStatus), EventResultStatus,\r\n isnotempty(EventResultFileWritten), EventResultFileWritten,\r\n 
\"Success\"),\r\n EventResultDetails = case(isnotempty(EventResultDetailsStatus), EventResultDetailsStatus,\r\n isnotempty(EventResultDetailsFileWritten), EventResultDetailsFileWritten,\r\n \"\"),\r\n EventSeverity = iff(EventSeverity == \"\", \"Informational\", EventSeverity)",
- "outputStream": "[concat('Custom-', variables('norm-table-csfile'))]"
+ "outputStream": "Microsoft-ASimFileEventLogs"
},
{
"streams": [
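Review bot: The lookup tables on lines 1342-1343 (EventResultStatusLookup, EventResultFileWrittenLookup, EventTypeFileLookup, EventTypeSystemOperationLookup) use unquoted numeric keys such as `{0: {...}, 538181633: {...}}`, which is not valid JSON, whereas the registry transform in the next hunk quotes its keys (`{\"1\": ...}`); if parse_json does not accept the unquoted form, every indexed lookup is empty and EventResult silently defaults to \"Success\" and EventType to EventTypeSimple. Those lines are unchanged context, but the new `Microsoft-ASimFileEventLogs` output stream now delivers this data into the built-in normalized table that ASim parsers and analytics rules read, so it is worth verifying on real records. Quoting the keys (`'{\"0\": {\"EventResultDetails\": \"\",\"EventResult\": \"Success\"}, ...}'`) and indexing with `tostring(Status)` / `tostring(FileWrittenFlags)` would make both transforms consistent. Separately, helper columns such as eventDatetime, contextDatetime, TargetFilePathSplit and EventResultStatus have no column in the built-in table and are presumably dropped at ingestion; a trailing `| project-away eventDatetime, contextDatetime, TargetFilePathSplit, EventResultStatus, EventResultDetailsStatus, EventResultFileWritten, EventResultDetailsFileWritten, EventTypeSimple, EventTypeFile, EventTypeSystemOperation` would make that explicit, and existing deployments keep a stale ASimFileEventLogs_CL table (and any queries bound to it) that nothing in this change migrates or documents.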
@@ -10094,7 +8780,7 @@
],
"destinations": [ "myworkspace" ],
"transformKql": "let EventTypeLookup = parse_json('{\"1\": \"RegistryValueSet\",\"2\": \"RegistryValueDeleted\",\"3\": \"RegistryKeyCreated\",\"4\": \"RegistryKeyDeleted\",\"5\": \"RegistryValueSet\",\"6\": \"RegistryKeyCreated\",\"7\": \"RegistryKeyRenamed\",\"8\": \"Others\",\"9\": \"Others\",\"101\": \"RegistryValueSet\",\"102\": \"RegistryValueDeleted\"}');\r\n let RegistryValueTypeLookup = parse_json('{\"0\": \"Reg_None\",\"1\": \"Reg_Sz\",\"2\": \"Reg_Expand_Sz\",\"3\": \"Reg_Expand\",\"4\": \"Reg_Dword\",\"5\": \"Reg_Dword_Big_Endian\",\"6\": \"Reg_Link\",\"7\": \"Reg_Multi_Sz\",\"8\": \"Reg_Resource_List\",\"9\": \"Reg_Full_Resource_Descriptor\",\"10\": \"Reg_Resource_Requirements_List\",\"11\": \"Reg_Qword\"}');\r\n source\r\n | extend eventDatetime = datetime_add('Millisecond', tolong(timestamp), todatetime('1970-01-01')),\r\n contextDatetime = datetime_add('MilliSecond', tolong(todouble(ContextTimeStamp) * 1000), todatetime('1970-01-01'))\r\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now())\r\n | project-rename\r\n DvcIpAddr = aip,\r\n DvcId = aid,\r\n EventOriginalType = name,\r\n EventOriginalUid = id,\r\n EventProductVersion = ConfigBuild,\r\n ActingProcessId = ContextProcessId,\r\n RegistryKey = RegObjectName,\r\n RegistryValue = RegValueName\r\n | extend\r\n AdditionalFields = todynamic(AdditionalFields),\r\n DvcOs = case(event_platform == \"Win\", \"Windows\", \r\n event_platform == \"Mac\", \"Macintosh\",\r\n event_platform == \"Lin\", \"Linux\", \r\n \"\"),\r\n RegistryValueData = case(isnotempty(RegStringValue),RegStringValue,\r\n isnotempty(RegNumericValue),RegNumericValue,\r\n isnotempty(RegBinaryValue),RegBinaryValue,\r\n \"\"),\r\n RegistryValueType = tostring(RegistryValueTypeLookup[RegType]),\r\n EventStartTime = iff(isnotempty(contextDatetime),contextDatetime,TimeGenerated)\r\n | extend EventEndTime = EventStartTime,\r\n EventType = tostring(EventTypeLookup[RegOperationType]),\r\n EventCount = toint(1),\r\n 
EventSchemaVersion = \"0.2.1\",\r\n EventVendor = \"CrowdStrike\",\r\n EventProduct = \"Falcon Data Replicator\",\r\n EventResult = \"Success\",\r\n EventSeverity = \"Informational\"",
- "outputStream": "[concat('Custom-', variables('norm-table-csregistry'))]"
+ "outputStream": "Microsoft-ASimRegistryEventLogs"
},
{
"streams": [
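Review bot: RegistryValueTypeLookup on line 1354 maps `\"3\": \"Reg_Expand\"`, which is not one of the ASim RegistryValueType values and, if RegType follows the Windows REG_* numbering that the rest of this map matches (0 None, 1 Sz, 2 Expand_Sz, 4 Dword, 11 Qword), should be `\"3\": \"Reg_Binary\"`; with the stream now pointed at the built-in `Microsoft-ASimRegistryEventLogs` table this value reaches shared parsers and rules rather than a private custom table. The line is unchanged context in this hunk. Also worth confirming: the `RegistryValueData = case(...)` branch returns RegStringValue, RegNumericValue and RegBinaryValue from one case(), which requires all three to be the same type in the stream declaration (outside this hunk); wrapping each in `tostring()` avoids a transform failure if they are not.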
@@ -10110,7 +8796,7 @@
],
"destinations": [ "myworkspace" ],
"transformKql": "let EventTypeLookup = parse_json('{\"UserAccountDeleted\": \"UserCreated\",\"UserAccountCreated\": \"UserDeleted\",\"UserAccountAddedToGroup\": \"UserAddedToGroup\"}');\r\n source\r\n | extend eventDatetime = datetime_add('Millisecond', tolong(timestamp), todatetime('1970-01-01')),\r\n contextDatetime = datetime_add('MilliSecond', tolong(todouble(ContextTimeStamp) * 1000), todatetime('1970-01-01'))\r\n | extend TimeGenerated = iff(isnotempty(eventDatetime), eventDatetime, now())\r\n | project-rename\r\n DvcIpAddr = aip,\r\n DvcId = aid,\r\n ActorUsername = UserName,\r\n EventOriginalType = name,\r\n EventOriginalUid = id,\r\n DvcInterfaceGuid = InterfaceGuid,\r\n EventProductVersion = ConfigBuild,\r\n TargetUserId = UserRid,\r\n GroupId = GroupRid\r\n | extend \r\n AdditionalFields = todynamic(AdditionalFields),\r\n DvcOs = case(event_platform == \"Win\", \"Windows\", \r\n event_platform == \"Mac\", \"Macintosh\",\r\n event_platform == \"Lin\", \"Linux\", \r\n \"\"), \r\n EventStartTime = iff(isnotempty(contextDatetime),contextDatetime,TimeGenerated),\r\n TargetUserIdType = \"RID\",\r\n GroupIdType = \"RID\"\r\n | extend EventEndTime = EventStartTime,\r\n EventType = tostring(EventTypeLookup[event_simpleName]),\r\n EventCount = toint(1),\r\n EventSchemaVersion = \"0.1.1\",\r\n EventVendor = \"CrowdStrike\",\r\n EventProduct = \"Falcon Data Replicator\",\r\n EventResult = \"Success\",\r\n EventSeverity = \"Informational\"",
- "outputStream": "[concat('Custom-', variables('norm-table-csusermgmt'))]"
+ "outputStream": "Microsoft-ASimUserManagementActivityLogs"
},
{
"streams": [
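Review bot: EventTypeLookup on line 1364 is inverted: `\"UserAccountDeleted\": \"UserCreated\",\"UserAccountCreated\": \"UserDeleted\"`, so deletions are normalized as creations and vice versa. That line is context here, but the added `Microsoft-ASimUserManagementActivityLogs` output stream now feeds the built-in table that user-management analytics rules and hunting queries key on EventType, so the mislabelling is no longer contained in a custom table. The fix is the mapping `'{\"UserAccountDeleted\": \"UserDeleted\",\"UserAccountCreated\": \"UserCreated\",\"UserAccountAddedToGroup\": \"UserAddedToGroup\"}'`.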
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/createUiDefinition_csfdrv2_connector.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/createUiDefinition_csfdrv2_connector.json
index ec2c790cfda..98c86ebba1a 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/createUiDefinition_csfdrv2_connector.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CSFDRv2_Deploymnet/createUiDefinition_csfdrv2_connector.json
@@ -133,8 +133,8 @@
"name": "CrowdStrike_AWS_Key",
"type": "Microsoft.Common.TextBox",
"label": "AWS Access Key ID",
- "placeholder": "AKIARJFBAG3EGHFG2FPN",
- "toolTip": "Enter valid AWS Key Id. For example AKIARKFBAG3EGIFG9FPN",
+ "placeholder": "AKIPRJFBAG3EGHFG2FPN",
+ "toolTip": "Enter valid AWS Key Id. For example AKIPRJFBAG3EGHFG2FPN",
"constraints": {
"required": true,
"regex": "([A-Z0-9+/]{20})",
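Review bot: The placeholder and toolTip still show a syntactically valid 20-character access key ID that was produced by altering a few characters of the previous value, and the same is done for the 40-character secret in the hunk ending at line 1395; a near-copy of a credential-shaped string is not a placeholder, and if the previous pair was ever live it remains in git history and must be rotated rather than edited. An unambiguous synthetic value, e.g. placeholder `\"AKIAXXXXXXXXXXXXXXXX\"` and secret placeholder `\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\"` (constructed examples), avoids both secret-scanner hits and anyone pasting the example as a real key. The toolTip wording would then drop the example entirely: `\"toolTip\": \"Enter the AWS Access Key ID of the IAM user that can read the FDR bucket and SQS queue.\"`, and the secret toolTip at line 1392 should lose the duplicated \"For example. For example\" and trailing space.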
@@ -146,8 +146,8 @@
"name": "CrowdStrike_AWS_Secret",
"type": "Microsoft.Common.TextBox",
"label": "AWS Secret Access Key",
- "placeholder": "Js6IDrwAIkvSY+8fSJ5bcep05ENlNvXgc+JRRr7Y",
- "toolTip": "Enter valid AWS Secret key. For example. For example Js6IDrpAIkvSS+8fSK5bcep05EMlNvXgc+JRRr7Y ",
+ "placeholder": "Js6IDopAIkvSY+8fSJ5bcep05ENlNvXgc+JRRr7Y",
+ "toolTip": "Enter valid AWS Secret key. For example. For example Js6IDopAIkvSY+8fSK5bcep05EMlNvXgc+JRRr7Y ",
"constraints": {
"required": true,
"regex": "([a-zA-Z0-9+/]{40})",
@@ -192,8 +192,8 @@
"name": "AADTenantId",
"type": "Microsoft.Common.TextBox",
"label": "AAD Tenant Id",
- "placeholder": "72f988bf-86f1-41af-91ab-2d7cd011db47",
- "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Tenant Id and enter here. For example: 72f988bf-86f1-41af-91ab-2d7cd011db47",
+ "placeholder": "87f988bf-86f1-41af-91ab-2d7cd011db47",
+ "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Tenant Id and enter here. For example: 87f988bf-86f1-41af-91ab-2d7cd011db47",
"constraints": {
"required": true,
"regex": "(^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$)",
@@ -205,8 +205,8 @@
"name": "AADApplicationId",
"type": "Microsoft.Common.TextBox",
"label": "AAD App (client) Id",
- "placeholder": "969f7b17-415f-4d01-8ab5-7a7db3aa39cb",
- "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Application Id and enter here. For example: 969f7b17-415f-4d01-8ab5-7a7db3aa39cb",
+ "placeholder": "899f7b17-415f-4d01-8ab5-7a7db3aa39cb",
+ "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Application Id and enter here. For example: 899f7b17-415f-4d01-8ab5-7a7db3aa39cb",
"constraints": {
"required": true,
"regex": "(^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$)",
@@ -218,8 +218,8 @@
"name": "AADPrincipalId",
"type": "Microsoft.Common.TextBox",
"label": "AAD Principal Id",
- "placeholder": "69925b10-2dc5-4b1e-9340-ba6b993b82dd",
- "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Object Id of AAD app from [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and enter here. For example: 69925b10-2dc5-4b1e-9340-ba6b993b82dd",
+ "placeholder": "61125b10-2dc5-4b1e-9340-ba6b993b82dd",
+ "toolTip": "If you dont have AAD application created, create one by following [instructions provided here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application).Copy Object Id of AAD app from [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and enter here. For example: 61125b10-2dc5-4b1e-9340-ba6b993b82dd",
"constraints": {
"required": true,
"regex": "(^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$)",
@@ -251,12 +251,12 @@
"name": "Expected_EPS_volume",
"type": "Microsoft.Common.Slider",
"min": 1,
- "max": 120000,
+ "max": 150000,
"label": "CrowdStrike Ingestion EPS (Approx)",
"subLabel": "EPS",
- "defaultValue": 40000,
+ "defaultValue": 50000,
"showStepMarkers": false,
- "toolTip": "Pick the expected ingestion EPS for this connector. We use this to determine the function app plan that requires to handles this workloads",
+ "toolTip": "Pick the expected ingestion EPS for this connector. We use this to determine the function app plan that requires to handles this workloads. This is just an indication and we dont charge you based on this.",
"constraints": {
"required": true
},
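Review bot: The new toolTip keeps the old sentence's grammar ("the function app plan that requires to handles this workloads") and adds "we dont charge you"; since this is user-facing text it should read `\"toolTip\": \"Pick the expected ingestion EPS for this connector. It is only used to choose the Function App hosting plan sized for this workload; it is an indication and is not a billing input.\"`. The raised default of 50000 and max of 150000 are consistent with the 100000 Consumption/EP1 cut-over used in the infobox hunk below and in azuredeploy_cdfdrv2_connector.json, but that threshold now lives in two files with no comment tying them together, so a note such as `"// keep in sync with functionapp-hosting-plan in azuredeploy_cdfdrv2_connector.json"` is not possible in strict JSON and should go in the solution README instead.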
@@ -265,29 +265,20 @@
{
"name": "FunctionAppSelectedPlanConsumption",
"type": "Microsoft.Common.InfoBox",
- "visible": "[lessOrEquals(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,40000)]",
+ "visible": "[lessOrEquals(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,100000)]",
"options": {
"icon": "Info",
- "text": "Based on the EPS you have selected above, we are auto selecting Consumption plan for azure functions. To know more details about different plans, you can visit https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans"
+ "text": "Based on the EPS you have selected above, we are auto selecting Consumption plan for azure functions. To deploy EP1 instance (purely based on your need), select EPS > 100,000. To know more details about different plans, you can visit https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans"
}
},
{
"name": "FunctionAppSelectedPlanEP1",
"type": "Microsoft.Common.InfoBox",
- "visible": "[and(greater(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,40000),lessOrEquals(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,60000))]",
+ "visible": "[and(greater(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,100000),lessOrEquals(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,150000))]",
"options": {
"icon": "Info",
"text": "Based on the EPS you have selected above, we are auto selecting Elastic Premium EP1 plan for azure functions. Creating multiple instances with lower EPS is a recommended and cost effective solution. To create multiple instances, redeploy the data connector with increamented Instance number. To know more details about different plans, you can visit https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans"
}
- },
- {
- "name": "FunctionAppSelectedPlanEP2",
- "type": "Microsoft.Common.InfoBox",
- "visible": "[greater(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,60000)]",
- "options": {
- "icon": "Info",
- "text": "Based on the EPS you have selected above, we are auto selecting Elastic Premium EP2 plan for azure functions. Creating multiple instances with lower EPS is a recommended and cost effective solution. To create multiple instances, redeploy the data connector with increamented Instance number. To know more details about different plans, you can visit https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale#overview-of-plans"
- }
}
]
}
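Review bot: With the EP2 infobox removed and the slider max set to 150000, the `lessOrEquals(...,150000)` clause in FunctionAppSelectedPlanEP1's visibility is redundant and hides the box only if the slider max is raised again without updating it; `\"visible\": \"[greater(steps('AzureFunctionsAppConfig').CrowdStrikeEPSSection.Expected_EPS_volume,100000)]\"` is the exact complement of the Consumption box above it and cannot drift. The 100000 cut-over also appears in the ARM template's functionapp-hosting-plan expression, so any future change must touch both files; the EP1 text (context line 1464) still spells "increamented".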
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip
index 2f25924ab1c..3dbdc07f5f5 100644
Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py
index 3f6ad0f9ccb..072e3582121 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/__init__.py
@@ -13,10 +13,11 @@
import time
from datetime import datetime
+QUEUE_URL = os.environ['QUEUE_URL']
+
AWS_KEY = os.environ['AWS_KEY']
AWS_SECRET = os.environ['AWS_SECRET']
AWS_REGION_NAME = os.environ['AWS_REGION_NAME']
-AZURE_TENANT_ID = os.environ['AZURE_TENANT_ID']
LINE_SEPARATOR = os.environ.get('lineSeparator', '[\n\r\x0b\v\x0c\f\x1c\x1d\x85\x1e\u2028\u2029]+')
AZURE_TENANT_ID = os.environ['AZURE_TENANT_ID']
AZURE_CLIENT_ID = os.environ['AZURE_CLIENT_ID']
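Review bot: `QUEUE_URL = os.environ['QUEUE_URL']` is inserted directly under the import block with no separating blank line and ahead of the AWS settings it presumably belongs with, and like the other required settings it raises a bare KeyError at module import when the app setting is absent, which surfaces in Azure Functions as a host load failure with no indication of which setting is missing. Grouping it with AWS_KEY/AWS_SECRET/AWS_REGION_NAME and adding a short comment, `# SQS queue URL that the FDR notifications are read from (required app setting)`, would document it; a single guard such as `missing = [k for k in ('QUEUE_URL', 'AWS_KEY', 'AWS_SECRET', 'AWS_REGION_NAME') if k not in os.environ]` followed by a descriptive raise would make the failure mode obvious. Removing the duplicated AZURE_TENANT_ID line is correct; the later definition at line 1495 is the one kept.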
@@ -28,6 +29,7 @@
NORMALIZED_SCHEMA_NAMES = '{"Dns": "Custom-CrowdstrikeDns","File": "Custom-CrowdstrikeFile","Process": "Custom-CrowdstrikeProcess","Network": "Custom-CrowdstrikeNetwork","Auth": "Custom-CrowdstrikeAuth","Registry": "Custom-CrowdstrikeRegistry","Audit": "Custom-CrowdstrikeAudit","User": "Custom-CrowdstrikeUser","Additional": "Custom-CrowdstrikeAdditional"}'
CUSTOM_SCHEMA_NAMES = '{"Dns": "Custom-CrowdstrikeDns","File": "Custom-CrowdstrikeFile","Process": "Custom-CrowdstrikeProcess","Network": "Custom-CrowdstrikeNetwork","Auth": "Custom-CrowdstrikeAuth","Registry": "Custom-CrowdstrikeRegistry","Audit": "Custom-CrowdstrikeAudit","User": "Custom-CrowdstrikeUser"}'
REQUIRE_RAW_STRING = os.environ.get('USER_SELECTION_REQUIRE_RAW', 'false')
+REQUIRE_SECONDARY_STRING = os.environ.get('USER_SELECTION_REQUIRE_SECONDARY', 'false')
SECONDARY_DATA_SCHEMA = "Custom-CrowdStrikeSecondary"
EVENT_TO_TABLE_MAPPING_LINK = os.environ.get('EVENT_TO_TABLE_MAPPING_LINK', 'https://aka.ms/CrowdStrikeEventsToTableMapping')
REQUIRED_FIELDS_SCHEMA_LINK = os.environ.get('REQUIRED_FIELDS_SCHEMA_LINK', 'https://aka.ms/CrowdStrikeRequiredFieldsSchema')
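Review bot: `REQUIRE_SECONDARY_STRING` mirrors `REQUIRE_RAW_STRING` in holding the raw 'true'/'false' app-setting text, and the removed line 1509 shows the raw setting was previously consumed through a parsed `REQUIRE_RAW`; the hunk does not show where the new string is parsed, so a comment stating the contract would help, e.g. `# 'true'/'false' text from the USER_SELECTION_REQUIRE_SECONDARY app setting; parse with .lower() == 'true' before use`. If a parsed boolean is used elsewhere, it should be derived from this value in one place rather than compared as a string at each call site.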
@@ -50,8 +52,7 @@ def _create_s3_client():
)
async def main(msg: func.QueueMessage) -> None:
- logging.info('Starting script')
- logging.info("Required Raw String - {}".format(REQUIRE_RAW))
+ logging.info("Starting script. Parameter Selection- REQUIRE_RAW_STRING: {} REQUIRE_SECONDARY_STRING: {} AZURE_TENANT_ID: {} AZURE_CLIENT_ID: {} AZURE_CLIENT_SECRET: ItsASecret AWS_KEY: {} AWS_REGION_NAME: {} AWS_SECRET: IWontReveal NORMALIZED_DCE_ENDPOINT: {} RAW_DATA_DCE_ENDPOINT: {} NORMALIZED_DCR_ID: {} RAW_DATA_DCR_ID: {} ".format(REQUIRE_RAW_STRING, REQUIRE_SECONDARY_STRING, AZURE_TENANT_ID, AZURE_CLIENT_ID, AWS_KEY, AWS_REGION_NAME, NORMALIZED_DCE_ENDPOINT, RAW_DATA_DCE_ENDPOINT, NORMALIZED_DCR_ID, RAW_DATA_DCR_ID))
link = ""
bucket = ""
messageId = ""
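Review bot: The new startup `logging.info(...)` writes `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AWS_KEY`, both DCE endpoints and both DCR ids to the log at INFO on every queue message; none of these is a secret by itself, but together they are exactly the configuration someone with log-read access would need, and the volume is per invocation. Emit this once at DEBUG or mask the identifiers, e.g. `"AWS_KEY: ...{}".format(AWS_KEY[-4:])`, and replace the `ItsASecret` / `IWontReveal` placeholders with a plain `<redacted>`. The same applies to the timer-trigger startup line in main_aws_queue.py (hunk `@@ -46,25 +47,28 @@`), which additionally prints `QUEUE_URL`, a value that typically embeds the AWS account id. `main` continues past the end of this hunk.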
@@ -64,7 +65,7 @@ async def main(msg: func.QueueMessage) -> None:
bucket = req_body.get('bucket')
messageId = req_body.get('messageId')
- logging.info("Processing {} file from {} bucket of {} messageId".format(link,bucket,messageId))
+ logging.info("Information received from Azure Storage queue. S3file: {} S3Bucket: {} SQSMessageId: {}".format(link,bucket,messageId))
eventsSchemaMapping = FileHelper(
EVENT_TO_TABLE_MAPPING_LINK,
@@ -83,15 +84,19 @@ async def main(msg: func.QueueMessage) -> None:
async with _create_s3_client() as client:
async with aiohttp.ClientSession() as session:
if link:
- logging.info("Processing file {}".format(link))
try:
if "fdrv2/" in link:
- logging.info('Processing a secondary data bucket.')
+ logging.info("Started processing a secondary data fdrv2 bucket. S3file: {} S3Bucket: {} SQSMessageId: {}".format(link,bucket,messageId))
await process_file_secondary_CLv2(bucket, link, client, session)
+ logging.info("Finished processing a secondary data fdrv2 bucket. S3file: {} S3Bucket: {} SQSMessageId: {}".format(link,bucket,messageId))
+
else:
+ logging.info("Started processing data bucket. S3file: {} S3Bucket: {} SQSMessageId: {}".format(link,bucket,messageId))
await process_file_primary_CLv2(bucket, link, client, session, eventsSchemaMappingDict, requiredFieldsMappingDict)
+ logging.info("Finished processing data bucket. S3file: {} S3Bucket: {} SQSMessageId: {}".format(link,bucket,messageId))
+
except Exception as e:
- logging.error('Error while processing bucket {}. Error: {}'.format(link, str(e)))
+ logging.error('Error while processing S3file: {} S3Bucket: {} SQSMessageId: {}. Error: {}'.format(link, bucket, messageId, str(e)))
raise e
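Review bot: The rewritten `logging.error(...)` on the new line still formats only `str(e)`, so the traceback is lost from the function's own log even though the exception is re-raised on the next line. Use `logging.exception('Error while processing S3file: {} S3Bucket: {} SQSMessageId: {}'.format(link, bucket, messageId))` (or pass `exc_info=True`) and re-raise with a bare `raise` so the original traceback is kept. `main` starts and ends outside this hunk.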
# This method customizes the data before ingestion. Both normalized and raw data is returned from this method.
@@ -165,7 +170,7 @@ def customize_event(line, eventsSchemaMappingDict, requiredFieldsMappingDict, re
# eventsSchemaMappingDict : Dictionary
# requiredFieldsMappingDict : Dictionary
async def process_file_primary_CLv2(bucket, s3_path, client, session, eventsSchemaMappingDict, requiredFieldsMappingDict):
- logging.info("Start processing bucket {}".format(s3_path))
+ logging.debug("Inside method - process_file_primary_CLv2. Started processing S3file: {} S3Bucket: {}".format(s3_path, bucket))
normalizedSentinelHelperCollection = SentinelHelperCollection(session,
eventsSchemaMappingDict,
NORMALIZED_DCE_ENDPOINT,
@@ -181,16 +186,16 @@ async def process_file_primary_CLv2(bucket, s3_path, client, session, eventsSche
)
try:
- logging.info("Making request to AWS for downloading file started time: {} ".format(datetime.now()))
+ logging.info("Making request to AWS for downloading file startTime: {} S3file: {} S3Bucket: {}".format(datetime.now(), s3_path, bucket))
response = await client.get_object(Bucket=bucket, Key=s3_path)
response_body_size = sys.getsizeof(response["Body"])
- logging.info("downloaded S3 file: {} of size: {} from AWS S3 successfully time: {} ".format(s3_path, response_body_size,datetime.now()))
+ logging.info("Download from AWS completed. S3file: {} S3Bucket: {} size: {} from AWS S3 successfully time: {} ".format(s3_path, bucket, response_body_size,datetime.now()))
s = ''
async for decompressed_chunk in AsyncGZIPDecompressedStream(response["Body"]):
- #logging.info("Inside AsyncGZIPDecompressedStream time: {} ".format(datetime.now()))
+ logging.debug("Inside AsyncGZIPDecompressedStream time: {} ".format(datetime.now()))
s += decompressed_chunk.decode(errors='ignore')
lines = re.split(r'{0}'.format(LINE_SEPARATOR), s)
- #logging.info("Inside AsyncGZIPDecompressedStream File: {} downloaded and length: {} ".format(s3_path,len(lines)))
+ logging.debug("Inside AsyncGZIPDecompressedStream File: {} downloaded and length: {} ".format(s3_path,len(lines)))
for n, line in enumerate(lines):
if n < len(lines) - 1:
if line:
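Review bot: The reworded download message on the new line still reports `response_body_size`, which is `sys.getsizeof(response["Body"])` — the size of the Python stream wrapper object, not of the downloaded object — so the `size:` field is misleading for any capacity analysis. The GetObject response carries the length directly: `response_body_size = response["ContentLength"]`. Separately, the new `logging.debug(...)` calls inside the chunk loop (and the ones in `_check_size` / `_split_big_request` in sentinel_connector_clv2_async.py) build their strings eagerly with `.format()` on every chunk even when DEBUG is disabled; lazy formatting such as `logging.debug("Inside AsyncGZIPDecompressedStream time: %s", datetime.now())` avoids that. `process_file_primary_CLv2` continues past the end of this hunk.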
@@ -227,9 +232,9 @@ async def process_file_primary_CLv2(bucket, s3_path, client, session, eventsSche
else:
custom_total_events_success, custom_total_events_failure = 0,0
- logging.info("Finish processing file {} with {} normalized events and {} custom events.".format(s3_path,normalized_total_events_success,custom_total_events_success))
+ logging.info("Finish processing S3file: {} S3Bucket: {} SuccessNormalizedEventsCount: {} and SuccessRawDataEventsCount: {}".format(s3_path,bucket,normalized_total_events_success,custom_total_events_success))
if normalized_total_events_failure or custom_total_events_failure:
- logging.info("Failure in {}: {} normalized events failed and {} custom events failed.".format(s3_path,normalized_total_events_failure,custom_total_events_failure))
+ logging.info("Failure in processing S3file: {} S3Bucket: {} FailedNormalizedEventsCount: {} FailedRawDataEventsCount:{} ".format(s3_path, bucket, normalized_total_events_failure,custom_total_events_failure))
except Exception as e:
logging.warn("Processing file {} was failed. Error: {}".format(s3_path,e))
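Review bot: The rewritten `logging.info("Failure in processing S3file: ...")` line reports events that were not ingested, yet it is emitted at INFO, so an alert on warning-level logs never sees partial ingestion failures. Raise it to `logging.warning(...)`; the same applies to the secondary-data failure line in hunk `@@ -279,12 +284,13 @@`. The `logging.warn` on the context line below is a deprecated alias of `logging.warning`. `process_file_primary_CLv2` continues past the end of this hunk.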
@@ -240,7 +245,7 @@ async def process_file_primary_CLv2(bucket, s3_path, client, session, eventsSche
# client : s3_session client
# session : aiohttp session
async def process_file_secondary_CLv2(bucket, s3_path, client, session):
- logging.info("Start processing bucket {}".format(s3_path))
+ logging.debug("Inside method - process_file_secondary_CLv2. Started processing S3file: {} S3Bucket: {}".format(s3_path, bucket))
AzureSentinelConnector = AzureSentinelConnectorCLv2Async(session, NORMALIZED_DCE_ENDPOINT, NORMALIZED_DCR_ID, SECONDARY_DATA_SCHEMA,
AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
@@ -279,12 +284,13 @@ async def process_file_secondary_CLv2(bucket, s3_path, client, session):
total_events_success = AzureSentinelConnector.get_success_count()
total_events_failure = AzureSentinelConnector.get_failure_count()
- logging.info("Finish processing file {} with {} secondary events.".format(s3_path,total_events_success))
+ logging.info("Finish processing Secondary data S3file: {} S3Bucket: {} SuccessEventsCount: {} ".format(s3_path,bucket,total_events_success))
if total_events_failure:
- logging.info("Failure in {} : {} secondary events failed".format(s3_path,total_events_failure))
+ logging.info("Failure in processing Secondary data S3file: {} S3Bucket: {} FailureEventsCount: {} ".format(s3_path,bucket,total_events_failure))
+
except Exception as e:
- logging.warn("Processing file {} was failed. Error: {}".format(s3_path,e))
+ logging.warn("Failed processing file S3File: {} S3Bucket: {} - Error: {}".format(s3_path,bucket,e))
raise e
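Review bot: The new `logging.warn("Failed processing file S3File: ...")` line uses `logging.warn`, a deprecated alias that emits a DeprecationWarning; write `logging.warning(...)` instead (the new warn line in main_aws_queue.py hunk `@@ -46,25 +47,28 @@` has the same issue). Since the exception is re-raised immediately, `logging.exception(...)` followed by a bare `raise` would also keep the traceback in the log. `process_file_secondary_CLv2` starts outside this hunk.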
class FileHelper:
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/sentinel_connector_clv2_async.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/sentinel_connector_clv2_async.py
index 2aa578ae2f1..4d94d3ce42f 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/sentinel_connector_clv2_async.py
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/sentinel_connector_clv2_async.py
@@ -114,14 +114,14 @@ def _compress_data(self, data):
_compress = zlib.compressobj(wbits=zlib_mode)
compress_data = _compress.compress(bytes(body, encoding="utf-8"))
compress_data += _compress.flush()
- logging.info("Data getting into LA after compression SizeInKB: {}".format(len(compress_data)/1024))
+ logging.debug("Data getting into LA after compression SizeInKB: {}".format(len(compress_data)/1024))
return compress_data
# This method returns true if queue size is less than max allowed queue size
# queue : List of dictionary
def _check_size(self, queue):
data_bytes_len = len(json.dumps(queue).encode())
- #logging.info("Data size {}".format(data_bytes_len))
+ logging.debug("Data size {}".format(data_bytes_len))
return data_bytes_len < self.queue_size_bytes
# This method splits big list into two equal halves
@@ -130,7 +130,7 @@ def _split_big_request(self, queue):
if self._check_size(queue):
return [queue]
else:
- #logging.info("Split is required")
+ logging.debug("Split is required")
middle = int(len(queue) / 2)
queues_list = [queue[:middle], queue[middle:]]
return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1])
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
index 5ea9b74fc4b..f6335155c1e 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/Replicator/main_aws_queue.py
@@ -21,6 +21,7 @@
MAX_SCRIPT_EXEC_TIME_MINUTES = int(os.environ.get('MAX_SCRIPT_EXEC_TIME_MINUTES', 10))
REQUIRE_SECONDARY_STRING = os.environ.get('USER_SELECTION_REQUIRE_SECONDARY', 'false')
+
if REQUIRE_SECONDARY_STRING.lower() == "true":
REQUIRE_SECONDARY = True
else:
@@ -46,25 +47,28 @@ def check_if_script_runs_too_long(percentage, script_start_time):
return duration > max_duration
async def main(mytimer: func.TimerRequest):
+ logging.getLogger().setLevel(logging.INFO)
script_start_time = int(time.time())
-
- logging.info("Creating SQS connection")
+ logging.info("TimeTrigger Starting script. Parameter Selection- REQUIRE_SECONDARY_STRING: {} MAX_QUEUE_MESSAGES_MAIN_QUEUE: {} MAX_SCRIPT_EXEC_TIME_MINUTES: {} AWS_KEY: {} AWS_REGION_NAME: {} AWS_SECRET: IWontReveal QUEUE_URL:{} ".format(REQUIRE_SECONDARY_STRING, MAX_QUEUE_MESSAGES_MAIN_QUEUE, MAX_SCRIPT_EXEC_TIME_MINUTES, AWS_KEY, AWS_REGION_NAME, QUEUE_URL))
async with _create_sqs_client() as client:
mainQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items")
backlogQueueHelper = AzureStorageQueueHelper(connectionString=AZURE_STORAGE_CONNECTION_STRING, queueName="python-queue-items-backlog")
-
- logging.info("Check if we already have enough backlog to process")
+ logging.getLogger().setLevel(logging.INFO)
+ logging.info("Check if we already have enough backlog to process in main queue. Maxmum set is MAX_QUEUE_MESSAGES_MAIN_QUEUE: {} ".format(MAX_QUEUE_MESSAGES_MAIN_QUEUE))
mainQueueCount = mainQueueHelper.get_queue_current_count()
+ logging.getLogger().setLevel(logging.INFO)
logging.info("Main queue size is {}".format(mainQueueCount))
while (mainQueueCount ) >= MAX_QUEUE_MESSAGES_MAIN_QUEUE:
time.sleep(15)
if check_if_script_runs_too_long(0.7, script_start_time):
- logging.warn("We already have queue already have enough messages to process. Not clearing any backlog or reading a new SQS message in this iteration.")
+ logging.warn("We already have enough messages to process. Not clearing any backlog or reading a new SQS message in this iteration.")
return
mainQueueCount = mainQueueHelper.get_queue_current_count()
- logging.info("Check if backlog queue have any records.")
+ logging.getLogger().setLevel(logging.INFO)
+ logging.info("Check if we already have files in backlog queue, these are pending to process. Moved to main queue when its get free")
backlogQueueCount = backlogQueueHelper.get_queue_current_count()
+ logging.getLogger().setLevel(logging.INFO)
logging.info("Backlog queue size is {}".format(backlogQueueCount))
mainQueueCount = mainQueueHelper.get_queue_current_count()
while backlogQueueCount > 0:
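Review bot: The repeated `logging.getLogger().setLevel(logging.INFO)` calls added here (and in hunks `@@ -75,6 +79,7 @@`, `@@ -84,7 +89,8 @@`, `@@ -103,8 +109,9 @@`) change the level of the process-wide root logger to undo the `setLevel(logging.WARNING)` that the new `AzureStorageQueueHelper` methods perform in hunks `@@ -141,6 +148,7 @@`, `@@ -160,11 +168,13 @@` and `@@ -172,9 +182,11 @@`. Flipping the root level around each helper call is order-dependent — any log statement between a helper call and the next reset is silently dropped — and concurrent invocations in the same worker process will toggle the level under each other. If the goal is to quiet the Azure SDK's per-request logging, set that once at module load on the SDK's own logger, `logging.getLogger("azure").setLevel(logging.WARNING)`, and remove every per-call `setLevel` line. `main` continues past the end of this hunk.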
@@ -75,6 +79,7 @@ async def main(mytimer: func.TimerRequest):
if messageFromBacklog != None:
mainQueueHelper.send_to_queue(messageFromBacklog.content,False)
backlogQueueHelper.delete_queue_message(messageFromBacklog.id, messageFromBacklog.pop_receipt)
+ logging.getLogger().setLevel(logging.INFO)
backlogQueueCount = backlogQueueHelper.get_queue_current_count()
mainQueueCount = mainQueueHelper.get_queue_current_count()
if check_if_script_runs_too_long(0.7, script_start_time):
@@ -84,7 +89,8 @@ async def main(mytimer: func.TimerRequest):
if check_if_script_runs_too_long(0.5, script_start_time):
logging.warn("Queue already have enough messages to process. Read all messages from backlog queue but not reading a new SQS message in this iteration.")
return
-
+
+ logging.getLogger().setLevel(logging.INFO)
logging.info('Trying to check messages off the SQS...')
try:
response = await client.receive_message(
@@ -103,8 +109,9 @@ async def main(mytimer: func.TimerRequest):
diffFromNow = int(time.time()*1000) - int(body_obj["timestamp"])
if diffFromNow >= 3600:
logging.warn("More than 1 hour old records are getting processed now. This indicates requirement for additional function app.")
-
await download_message_files_queue(mainQueueHelper, backlogQueueHelper, msg["MessageId"], body_obj)
+
+ logging.getLogger().setLevel(logging.INFO)
logging.info("Finished processing {} files from MessageId {}. Bucket: {}. Path prefix: {}".format(body_obj["fileCount"], msg["MessageId"], body_obj["bucket"], body_obj["pathPrefix"]))
try:
await client.delete_message(
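Review bot: The age check on the context line `if diffFromNow >= 3600:` compares a difference computed in milliseconds (`int(time.time()*1000) - int(body_obj["timestamp"])`) against 3600, so if `timestamp` is epoch milliseconds as the `*1000` suggests, the "more than 1 hour old" warning fires after 3.6 seconds rather than an hour; the threshold should then be `3600 * 1000`. This hunk only touches the log lines around it, so the check is left as it was — worth confirming the unit of `timestamp` in the SQS message body before changing it. `main` starts and ends outside this hunk.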
@@ -141,6 +148,7 @@ async def download_message_files_queue(mainQueueHelper, backlogQueueHelper, mess
class AzureStorageQueueHelper:
def __init__(self,connectionString,queueName):
+ logging.getLogger().setLevel(logging.WARNING)
self.__service_client = QueueServiceClient.from_connection_string(conn_str=connectionString)
self.__queue = self.__service_client.get_queue_client(queueName)
try:
@@ -160,11 +168,13 @@ def base64Encoded(self,message):
# This method is used to read messages from the queue.
# This will pop the message from the queue (deque operation)
def deque_from_queue(self):
+ logging.getLogger().setLevel(logging.WARNING)
message = self.__queue.receive_message()
return message
# This method send data into the queue
def send_to_queue(self, message, encoded):
+ logging.getLogger().setLevel(logging.WARNING)
if encoded:
self.__queue.send_message(self.base64Encoded(message))
else:
@@ -172,9 +182,11 @@ def send_to_queue(self, message, encoded):
# This method deletes the message based on messageId
def delete_queue_message(self, messageId, popReceipt):
+ logging.getLogger().setLevel(logging.WARNING)
self.__queue.delete_message(messageId,popReceipt)
# This method reads an approximate count of messages in the queue
def get_queue_current_count(self):
+ logging.getLogger().setLevel(logging.WARNING)
properties = self.__queue.get_queue_properties()
return properties.approximate_message_count
\ No newline at end of file
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json
index a1a445618a1..86252f001d1 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json
@@ -35,8 +35,8 @@
"lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimFileEventLogs_CL",
- "lastDataReceivedQuery": "ASimFileEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimFileEventLogs",
+ "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "ASimAuthenticationEventLogs",
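Review bot: The unchanged shape of `lastDataReceivedQuery` (`ASimFileEventLogs\n | summarize Time = max(TimeGenerated) ...`) now runs against a shared ASim table rather than the connector's own `_CL` table, so it reports the latest row written by any product that populates that table and the connector can show "data received" when no CrowdStrike events have arrived. Filter on the vendor the parser uses, e.g. `"lastDataReceivedQuery": "ASimFileEventLogs\n | where EventVendor == \"CrowdStrike\" and EventProduct == \"Falcon Data Replicator\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"`. The same applies to the Registry and UserManagementActivity entries in the next hunk and to all five renamed entries in azuredeploy_CrowdstrikeReplicatorV2_ConnectorUI.json.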
@@ -47,12 +47,12 @@
"lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimRegistryEventLogs_CL",
- "lastDataReceivedQuery": "ASimRegistryEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimRegistryEventLogs",
+ "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimUserManagementLogs_CL",
- "lastDataReceivedQuery": "ASimUserManagementLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimUserManagementActivityLogs",
+ "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrike_Secondary_Data_CL",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/azuredeploy_CrowdstrikeReplicatorV2_ConnectorUI.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/azuredeploy_CrowdstrikeReplicatorV2_ConnectorUI.json
index 90a44339bb1..5dfb3da099b 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/azuredeploy_CrowdstrikeReplicatorV2_ConnectorUI.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/azuredeploy_CrowdstrikeReplicatorV2_ConnectorUI.json
@@ -52,24 +52,24 @@
"lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimFileEventLogs_CL",
- "lastDataReceivedQuery": "ASimFileEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimFileEventLogs",
+ "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimAuthenticationEventLogs_CL",
+ "name": "ASimAuthenticationEventLogs",
"lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimProcessEventLogs_CL",
- "lastDataReceivedQuery": "ASimProcessEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimProcessEventLogs",
+ "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimRegistryEventLogs_CL",
- "lastDataReceivedQuery": "ASimRegistryEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimRegistryEventLogs",
+ "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
- "name": "ASimUserManagementLogs_CL",
- "lastDataReceivedQuery": "ASimUserManagementLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "ASimUserManagementActivityLogs",
+ "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrike_Secondary_Data_CL",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Parsers/CrowdStrikeReplicatorV2.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Parsers/CrowdStrikeReplicatorV2.yaml
index 28ebf4ca72f..73e6310d08c 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Parsers/CrowdStrikeReplicatorV2.yaml
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Parsers/CrowdStrikeReplicatorV2.yaml
@@ -43,6 +43,14 @@ FunctionQuery: |
| where (isnull(starttime) or TimeGenerated>=starttime)
and (isnull(endtime) or TimeGenerated<=endtime)
| where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
+ ),
+ (
+ ASimFileEventLogs
+ | where EventVendor == "CrowdStrike" and EventProduct == "Falcon Data Replicator"
+ | where array_length(tablesRequired) == 0 or "File" in~ (tablesRequired)
+ | where (isnull(starttime) or TimeGenerated>=starttime)
+ and (isnull(endtime) or TimeGenerated<=endtime)
+ | where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
),
(
ASimProcessEventLogs
@@ -99,6 +107,14 @@ FunctionQuery: |
| where (isnull(starttime) or TimeGenerated>=starttime)
and (isnull(endtime) or TimeGenerated<=endtime)
| where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
+ ),
+ (
+ ASimRegistryEventLogs
+ | where EventVendor == "CrowdStrike" and EventProduct == "Falcon Data Replicator"
+ | where array_length(tablesRequired) == 0 or "Registry" in~ (tablesRequired)
+ | where (isnull(starttime) or TimeGenerated>=starttime)
+ and (isnull(endtime) or TimeGenerated<=endtime)
+ | where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
),
(
ASimUserManagementLogs_CL
@@ -108,6 +124,14 @@ FunctionQuery: |
and (isnull(endtime) or TimeGenerated<=endtime)
| where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
),
+ (
+ ASimUserManagementActivityLogs
+ | where EventVendor == "CrowdStrike" and EventProduct == "Falcon Data Replicator"
+ | where array_length(tablesRequired) == 0 or "User" in~ (tablesRequired)
+ | where (isnull(starttime) or TimeGenerated>=starttime)
+ and (isnull(endtime) or TimeGenerated<=endtime)
+ | where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
+ ),
(
CrowdStrike_Additional_Events_CL
| where array_length(tablesRequired) == 0 or "Additional" in~ (tablesRequired)
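Review bot: The new `ASimUserManagementActivityLogs` branch is added next to the existing `ASimUserManagementLogs_CL` branch whose closing lines open this hunk, so the function now unions the legacy custom table and the native ASim table for the same data. If deployments stop creating the `_CL` tables, a plain `union` over a table that does not exist fails the whole function unless it is declared `union isfuzzy=true`; the union head is above these hunks, so please confirm it, or drop the `_CL` branches (the File and Registry additions in the two previous hunks presumably sit beside the same kind of legacy branch). The new branches correctly restrict on `EventVendor`/`EventProduct`, which is what keeps other vendors' rows in the shared ASim tables out of this parser.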