SchemaTemplate.yaml

$schema: https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#
contentVersion: 1.0.0.0
parameters:
  Workspace:
    type: string
    metadata:
      description: The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group.
  WorkspaceRegion:
    type: string
    defaultValue: '[resourceGroup().location]'
    metadata:
      description: The region of the selected workspace. The default value will use the Region selection above.
resources:
- type: Microsoft.OperationalInsights/workspaces
  apiVersion: 2017-03-15-preview
  name: "[parameters('Workspace')]"
  location: "[parameters('WorkspaceRegion')]"
  resources:
  - type: savedSearches
    apiVersion: 2020-08-01
    name: _ASIM_ProjectxxxSchema
    dependsOn:
    - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
    properties:
      etag: '*'
      displayName: ASIM_ProjectxxxSchema
      category: ASIM
      FunctionAlias: ASIM_ProjectxxxSchema
      query: |-
        T
        | project
            // Common Mandatory Fields
              todatetime(column_ifexists('TimeGenerated', ''))
            , tostring(column_ifexists('Type', ''))
            , toint(column_ifexists('EventCount', ''))
            , todatetime(column_ifexists('EventStartTime', ''))
            , todatetime(column_ifexists('EventEndTime', ''))
            , tostring(column_ifexists('EventType', ''))
            , tostring(column_ifexists('EventResult', ''))
            , tostring(column_ifexists('EventProduct', ''))
            , tostring(column_ifexists('EventVendor', ''))
            , tostring(column_ifexists('EventSchema', ''))
            , tostring(column_ifexists('EventSchemaVersion', ''))
            , tostring(column_ifexists('Dvc', ''))
            // Common Recommended Fields
            , tostring(column_ifexists('EventResultDetails', ''))
            , tostring(column_ifexists('EventSeverity', ''))
            , tostring(column_ifexists('EventUid', ''))
            , tostring(column_ifexists('DvcIpAddr', ''))
            , tostring(column_ifexists('DvcHostname', ''))
            , tostring(column_ifexists('DvcDomain', ''))
            , tostring(column_ifexists('DvcDomainType', ''))
            , tostring(column_ifexists('DvcFQDN', ''))
            , tostring(column_ifexists('DvcId', ''))
            , tostring(column_ifexists('DvcIdType', ''))
            , tostring(column_ifexists('DvcAction', ''))
            // xxx Mandatory Fields
            , tostring(column_ifexists('xxx', ''))
            // xxx Recommended Fields
            , tostring(column_ifexists('xxx', ''))
            // xxx Optional Fields
            , column_ifexists('AdditionalFields', '')
        | project-away Column*
      version: 1
      functionParameters: T:(TimeGenerated:datetime)