diff --git a/Solutions/GoogleCloudPlatformDNS/Package/3.0.2.zip b/Solutions/GoogleCloudPlatformDNS/Package/3.0.2.zip
index cf627e060e..0a19c59573 100644
Binary files a/Solutions/GoogleCloudPlatformDNS/Package/3.0.2.zip and b/Solutions/GoogleCloudPlatformDNS/Package/3.0.2.zip differ
diff --git a/Solutions/GoogleCloudPlatformDNS/Package/mainTemplate.json b/Solutions/GoogleCloudPlatformDNS/Package/mainTemplate.json
index fb2724fe31..b83bdaf0ac 100644
--- a/Solutions/GoogleCloudPlatformDNS/Package/mainTemplate.json
+++ b/Solutions/GoogleCloudPlatformDNS/Package/mainTemplate.json
@@ -1428,7 +1428,7 @@ "displayName": "Parser for GCPCloudDNS", "category": "Microsoft Sentinel Parser", "functionAlias": "GCPCloudDNS", - "query": "let GCPCloudDNS_view = view () {\nlet DNSQuery_GcpDns_empty = datatable(\n Query_e:string,\n QueryTypeName_e:string,\n ResponseName_e:string,\n EventResultDetails_e:string,\n NetworkProtocol_e:string,\n SrcIpAddr_e:string,\n EventOriginalUid_e:string,\n EventSeverity_e:string,\n EventCount_e:int,\n EventProduct_e:string,\n EventVendor_e:string,\n EventSchemaVersion_e:string,\n Dvc_e:string,\n EventType_e:string,\n EventResult_e:string,\n EventSubType_e:string,\n EventEndTime_e:datetime,\n ResponseCodeName_e:string,\n Domain_e:string,\n IpAddr_e:string,\n EventStartTime_e:datetime\n)[];\nlet DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e=column_ifexists('payload_queryName_s', ''),\n QueryTypeName_e=column_ifexists('payload_queryType_s', ''),\n ResponseName_e=column_ifexists('payload_rdata_s', ''),\n EventResultDetails_e=column_ifexists('payload_responseCode_s', ''),\n NetworkProtocol_e=column_ifexists('payload_protocol_s', ''),\n SrcIpAddr_e=column_ifexists('payload_sourceIP_s', ''),\n EventOriginalUid_e=column_ifexists('insert_id_s', ''),\n EventSeverity_e=column_ifexists('severity_s', ''),\n EventCount_e=(1),\n EventProduct_e=\"Cloud DNS\",\n EventVendor_e=\"GCP\",\n EventSchemaVersion_e=\"0.1.0\",\n Dvc_e=\"GCPDNS\",\n EventType_e=iif (column_ifexists('resource_type_s', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type_s', '')),\n EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e='response',\n EventEndTime_e=todatetime(column_ifexists('timestamp_t', ''))\n // ---Aliases \n | extend\n ResponseCodeName_e=EventResultDetails_e, \n Domain_e=Query_e,\n IpAddr_e=SrcIpAddr_e,\n EventStartTime_e=EventEndTime_e\n | project-rename\n Query=Query_e,\n QueryTypeName=QueryTypeName_e,\n ResponseName=ResponseName_e,\n 
EventResultDetails=EventResultDetails_e,\n NetworkProtocol=NetworkProtocol_e,\n SrcIpAddr=SrcIpAddr_e,\n EventOriginalUid=EventOriginalUid_e,\n EventSeverity=EventSeverity_e,\n EventCount=EventCount_e,\n EventProduct=EventProduct_e,\n EventVendor=EventVendor_e,\n EventSchemaVersion=EventSchemaVersion_e,\n Dvc=Dvc_e,\n EventType=EventType_e,\n EventResult=EventResult_e,\n EventSubType=EventSubType_e,\n EventEndTime=EventEndTime_e,\n ResponseCodeName=ResponseCodeName_e,\n Domain=Domain_e,\n IpAddr=IpAddr_e,\n EventStartTime=EventStartTime_e;\nlet DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e=column_ifexists('payload_queryName', ''),\n QueryTypeName_e=column_ifexists('payload_queryType', ''),\n ResponseName_e=column_ifexists('payload_rdata', ''),\n EventResultDetails_e=column_ifexists('payload_responseCode', ''),\n NetworkProtocol_e=column_ifexists('payload_protocol', ''),\n SrcIpAddr_e=column_ifexists('payload_sourceIP', ''),\n EventOriginalUid_e=column_ifexists('insert_id', ''),\n EventSeverity_e=column_ifexists('severity', ''),\n EventCount_e=(1),\n EventProduct_e=\"Cloud DNS\",\n EventVendor_e=\"GCP\",\n EventSchemaVersion_e=\"0.1.0\",\n Dvc_e=\"GCPDNS\",\n EventType_e=iif (column_ifexists('resource_type', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type', '')),\n EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e='response',\n EventEndTime_e=todatetime(column_ifexists('timestamp', ''))\n // ---Aliases\n | extend\n ResponseCodeName_e=EventResultDetails_e, \n Domain_e=Query_e,\n IpAddr_e=SrcIpAddr_e,\n EventStartTime_e=EventEndTime_e\n | project-rename\n Query=Query_e,\n QueryTypeName=QueryTypeName_e,\n ResponseName=ResponseName_e,\n EventResultDetails=EventResultDetails_e,\n NetworkProtocol=NetworkProtocol_e,\n SrcIpAddr=SrcIpAddr_e,\n EventOriginalUid=EventOriginalUid_e,\n EventSeverity=EventSeverity_e,\n EventCount=EventCount_e,\n 
EventProduct=EventProduct_e,\n EventVendor=EventVendor_e,\n EventSchemaVersion=EventSchemaVersion_e,\n Dvc=Dvc_e,\n EventType=EventType_e,\n EventResult=EventResult_e,\n EventSubType=EventSubType_e,\n EventEndTime=EventEndTime_e,\n ResponseCodeName=ResponseCodeName_e,\n Domain=Domain_e,\n IpAddr=IpAddr_e,\n EventStartTime=EventStartTime_e;\n union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2\n | project-reorder Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime;\n};\nGCPCloudDNS_view\n", + "query": "let DNSQuery_GcpDns_empty = datatable(\n Query_e:string,\n QueryTypeName_e:string,\n ResponseName_e:string,\n EventResultDetails_e:string,\n NetworkProtocol_e:string,\n SrcIpAddr_e:string,\n EventOriginalUid_e:string,\n EventSeverity_e:string,\n EventCount_e:int,\n EventProduct_e:string,\n EventVendor_e:string,\n EventSchemaVersion_e:string,\n Dvc_e:string,\n EventType_e:string,\n EventResult_e:string,\n EventSubType_e:string,\n EventEndTime_e:datetime,\n ResponseCodeName_e:string,\n Domain_e:string,\n IpAddr_e:string,\n EventStartTime_e:datetime\n)[];\nlet DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e = column_ifexists('payload_queryName_s', ''),\n QueryTypeName_e = column_ifexists('payload_queryType_s', ''),\n ResponseName_e = column_ifexists('payload_rdata_s', ''),\n EventResultDetails_e = column_ifexists('payload_responseCode_s', ''),\n NetworkProtocol_e = column_ifexists('payload_protocol_s', ''),\n SrcIpAddr_e = column_ifexists('payload_sourceIP_s', ''),\n EventOriginalUid_e = column_ifexists('insert_id_s', ''),\n EventSeverity_e = column_ifexists('severity_s', ''),\n EventCount_e = 1,\n EventProduct_e = \"Cloud DNS\",\n EventVendor_e = \"GCP\",\n EventSchemaVersion_e = \"0.1.0\",\n Dvc_e 
= \"GCPDNS\",\n EventType_e = iif (column_ifexists('resource_type_s', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type_s', '')),\n EventResult_e = iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e = 'response',\n EventEndTime_e = todatetime(column_ifexists('timestamp_t', ''))\n | extend\n ResponseCodeName_e = EventResultDetails_e, \n Domain_e = Query_e,\n IpAddr_e = SrcIpAddr_e,\n EventStartTime_e = EventEndTime_e\n | project-rename\n Query = Query_e,\n QueryTypeName = QueryTypeName_e,\n ResponseName = ResponseName_e,\n EventResultDetails = EventResultDetails_e,\n NetworkProtocol = NetworkProtocol_e,\n SrcIpAddr = SrcIpAddr_e,\n EventOriginalUid = EventOriginalUid_e,\n EventSeverity = EventSeverity_e,\n EventCount = EventCount_e,\n EventProduct = EventProduct_e,\n EventVendor = EventVendor_e,\n EventSchemaVersion = EventSchemaVersion_e,\n Dvc = Dvc_e,\n EventType = EventType_e,\n EventResult = EventResult_e,\n EventSubType = EventSubType_e,\n EventEndTime = EventEndTime_e,\n ResponseCodeName = ResponseCodeName_e,\n Domain = Domain_e,\n IpAddr = IpAddr_e,\n EventStartTime = EventStartTime_e;\nlet DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e = column_ifexists('payload_queryName', ''),\n QueryTypeName_e = column_ifexists('payload_queryType', ''),\n ResponseName_e = column_ifexists('payload_rdata', ''),\n EventResultDetails_e = column_ifexists('payload_responseCode', ''),\n NetworkProtocol_e = column_ifexists('payload_protocol', ''),\n SrcIpAddr_e = column_ifexists('payload_sourceIP', ''),\n EventOriginalUid_e = column_ifexists('insert_id', ''),\n EventSeverity_e = column_ifexists('severity', ''),\n EventCount_e = 1,\n EventProduct_e = \"Cloud DNS\",\n EventVendor_e = \"GCP\",\n EventSchemaVersion_e = \"0.1.0\",\n Dvc_e = \"GCPDNS\",\n EventType_e = iif (column_ifexists('resource_type', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type', '')),\n EventResult_e 
= iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e = 'response',\n EventEndTime_e = todatetime(column_ifexists('timestamp', ''))\n | extend\n ResponseCodeName_e = EventResultDetails_e, \n Domain_e = Query_e,\n IpAddr_e = SrcIpAddr_e,\n EventStartTime_e = EventEndTime_e\n | project-rename\n Query = Query_e,\n QueryTypeName = QueryTypeName_e,\n ResponseName = ResponseName_e,\n EventResultDetails = EventResultDetails_e,\n NetworkProtocol = NetworkProtocol_e,\n SrcIpAddr = SrcIpAddr_e,\n EventOriginalUid = EventOriginalUid_e,\n EventSeverity = EventSeverity_e,\n EventCount = EventCount_e,\n EventProduct = EventProduct_e,\n EventVendor = EventVendor_e,\n EventSchemaVersion = EventSchemaVersion_e,\n Dvc = Dvc_e,\n EventType = EventType_e,\n EventResult = EventResult_e,\n EventSubType = EventSubType_e,\n EventEndTime = EventEndTime_e,\n ResponseCodeName = ResponseCodeName_e,\n Domain = Domain_e,\n IpAddr = IpAddr_e,\n EventStartTime = EventStartTime_e;\nlet GCPCloudDNS_view = \n union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2\n | project-reorder \n Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, \n SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, \n EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, \n EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime;\nGCPCloudDNS_view\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -1493,7 +1493,7 @@ "displayName": "Parser for GCPCloudDNS", "category": "Microsoft Sentinel Parser", "functionAlias": "GCPCloudDNS", - "query": "let GCPCloudDNS_view = view () {\nlet DNSQuery_GcpDns_empty = datatable(\n Query_e:string,\n QueryTypeName_e:string,\n ResponseName_e:string,\n EventResultDetails_e:string,\n NetworkProtocol_e:string,\n SrcIpAddr_e:string,\n EventOriginalUid_e:string,\n EventSeverity_e:string,\n EventCount_e:int,\n EventProduct_e:string,\n EventVendor_e:string,\n EventSchemaVersion_e:string,\n Dvc_e:string,\n EventType_e:string,\n EventResult_e:string,\n EventSubType_e:string,\n EventEndTime_e:datetime,\n ResponseCodeName_e:string,\n Domain_e:string,\n IpAddr_e:string,\n EventStartTime_e:datetime\n)[];\nlet DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e=column_ifexists('payload_queryName_s', ''),\n QueryTypeName_e=column_ifexists('payload_queryType_s', ''),\n ResponseName_e=column_ifexists('payload_rdata_s', ''),\n EventResultDetails_e=column_ifexists('payload_responseCode_s', ''),\n NetworkProtocol_e=column_ifexists('payload_protocol_s', ''),\n SrcIpAddr_e=column_ifexists('payload_sourceIP_s', ''),\n EventOriginalUid_e=column_ifexists('insert_id_s', ''),\n EventSeverity_e=column_ifexists('severity_s', ''),\n EventCount_e=(1),\n EventProduct_e=\"Cloud DNS\",\n EventVendor_e=\"GCP\",\n EventSchemaVersion_e=\"0.1.0\",\n Dvc_e=\"GCPDNS\",\n EventType_e=iif (column_ifexists('resource_type_s', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type_s', '')),\n EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e='response',\n EventEndTime_e=todatetime(column_ifexists('timestamp_t', ''))\n // ---Aliases \n | extend\n ResponseCodeName_e=EventResultDetails_e, \n Domain_e=Query_e,\n IpAddr_e=SrcIpAddr_e,\n EventStartTime_e=EventEndTime_e\n | project-rename\n Query=Query_e,\n QueryTypeName=QueryTypeName_e,\n ResponseName=ResponseName_e,\n 
EventResultDetails=EventResultDetails_e,\n NetworkProtocol=NetworkProtocol_e,\n SrcIpAddr=SrcIpAddr_e,\n EventOriginalUid=EventOriginalUid_e,\n EventSeverity=EventSeverity_e,\n EventCount=EventCount_e,\n EventProduct=EventProduct_e,\n EventVendor=EventVendor_e,\n EventSchemaVersion=EventSchemaVersion_e,\n Dvc=Dvc_e,\n EventType=EventType_e,\n EventResult=EventResult_e,\n EventSubType=EventSubType_e,\n EventEndTime=EventEndTime_e,\n ResponseCodeName=ResponseCodeName_e,\n Domain=Domain_e,\n IpAddr=IpAddr_e,\n EventStartTime=EventStartTime_e;\nlet DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e=column_ifexists('payload_queryName', ''),\n QueryTypeName_e=column_ifexists('payload_queryType', ''),\n ResponseName_e=column_ifexists('payload_rdata', ''),\n EventResultDetails_e=column_ifexists('payload_responseCode', ''),\n NetworkProtocol_e=column_ifexists('payload_protocol', ''),\n SrcIpAddr_e=column_ifexists('payload_sourceIP', ''),\n EventOriginalUid_e=column_ifexists('insert_id', ''),\n EventSeverity_e=column_ifexists('severity', ''),\n EventCount_e=(1),\n EventProduct_e=\"Cloud DNS\",\n EventVendor_e=\"GCP\",\n EventSchemaVersion_e=\"0.1.0\",\n Dvc_e=\"GCPDNS\",\n EventType_e=iif (column_ifexists('resource_type', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type', '')),\n EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e='response',\n EventEndTime_e=todatetime(column_ifexists('timestamp', ''))\n // ---Aliases\n | extend\n ResponseCodeName_e=EventResultDetails_e, \n Domain_e=Query_e,\n IpAddr_e=SrcIpAddr_e,\n EventStartTime_e=EventEndTime_e\n | project-rename\n Query=Query_e,\n QueryTypeName=QueryTypeName_e,\n ResponseName=ResponseName_e,\n EventResultDetails=EventResultDetails_e,\n NetworkProtocol=NetworkProtocol_e,\n SrcIpAddr=SrcIpAddr_e,\n EventOriginalUid=EventOriginalUid_e,\n EventSeverity=EventSeverity_e,\n EventCount=EventCount_e,\n 
EventProduct=EventProduct_e,\n EventVendor=EventVendor_e,\n EventSchemaVersion=EventSchemaVersion_e,\n Dvc=Dvc_e,\n EventType=EventType_e,\n EventResult=EventResult_e,\n EventSubType=EventSubType_e,\n EventEndTime=EventEndTime_e,\n ResponseCodeName=ResponseCodeName_e,\n Domain=Domain_e,\n IpAddr=IpAddr_e,\n EventStartTime=EventStartTime_e;\n union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2\n | project-reorder Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime;\n};\nGCPCloudDNS_view\n", + "query": "let DNSQuery_GcpDns_empty = datatable(\n Query_e:string,\n QueryTypeName_e:string,\n ResponseName_e:string,\n EventResultDetails_e:string,\n NetworkProtocol_e:string,\n SrcIpAddr_e:string,\n EventOriginalUid_e:string,\n EventSeverity_e:string,\n EventCount_e:int,\n EventProduct_e:string,\n EventVendor_e:string,\n EventSchemaVersion_e:string,\n Dvc_e:string,\n EventType_e:string,\n EventResult_e:string,\n EventSubType_e:string,\n EventEndTime_e:datetime,\n ResponseCodeName_e:string,\n Domain_e:string,\n IpAddr_e:string,\n EventStartTime_e:datetime\n)[];\nlet DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e = column_ifexists('payload_queryName_s', ''),\n QueryTypeName_e = column_ifexists('payload_queryType_s', ''),\n ResponseName_e = column_ifexists('payload_rdata_s', ''),\n EventResultDetails_e = column_ifexists('payload_responseCode_s', ''),\n NetworkProtocol_e = column_ifexists('payload_protocol_s', ''),\n SrcIpAddr_e = column_ifexists('payload_sourceIP_s', ''),\n EventOriginalUid_e = column_ifexists('insert_id_s', ''),\n EventSeverity_e = column_ifexists('severity_s', ''),\n EventCount_e = 1,\n EventProduct_e = \"Cloud DNS\",\n EventVendor_e = \"GCP\",\n EventSchemaVersion_e = \"0.1.0\",\n Dvc_e 
= \"GCPDNS\",\n EventType_e = iif (column_ifexists('resource_type_s', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type_s', '')),\n EventResult_e = iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e = 'response',\n EventEndTime_e = todatetime(column_ifexists('timestamp_t', ''))\n | extend\n ResponseCodeName_e = EventResultDetails_e, \n Domain_e = Query_e,\n IpAddr_e = SrcIpAddr_e,\n EventStartTime_e = EventEndTime_e\n | project-rename\n Query = Query_e,\n QueryTypeName = QueryTypeName_e,\n ResponseName = ResponseName_e,\n EventResultDetails = EventResultDetails_e,\n NetworkProtocol = NetworkProtocol_e,\n SrcIpAddr = SrcIpAddr_e,\n EventOriginalUid = EventOriginalUid_e,\n EventSeverity = EventSeverity_e,\n EventCount = EventCount_e,\n EventProduct = EventProduct_e,\n EventVendor = EventVendor_e,\n EventSchemaVersion = EventSchemaVersion_e,\n Dvc = Dvc_e,\n EventType = EventType_e,\n EventResult = EventResult_e,\n EventSubType = EventSubType_e,\n EventEndTime = EventEndTime_e,\n ResponseCodeName = ResponseCodeName_e,\n Domain = Domain_e,\n IpAddr = IpAddr_e,\n EventStartTime = EventStartTime_e;\nlet DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty\n | extend \n Query_e = column_ifexists('payload_queryName', ''),\n QueryTypeName_e = column_ifexists('payload_queryType', ''),\n ResponseName_e = column_ifexists('payload_rdata', ''),\n EventResultDetails_e = column_ifexists('payload_responseCode', ''),\n NetworkProtocol_e = column_ifexists('payload_protocol', ''),\n SrcIpAddr_e = column_ifexists('payload_sourceIP', ''),\n EventOriginalUid_e = column_ifexists('insert_id', ''),\n EventSeverity_e = column_ifexists('severity', ''),\n EventCount_e = 1,\n EventProduct_e = \"Cloud DNS\",\n EventVendor_e = \"GCP\",\n EventSchemaVersion_e = \"0.1.0\",\n Dvc_e = \"GCPDNS\",\n EventType_e = iif (column_ifexists('resource_type', '') == \"dns_query\", \"lookup\", column_ifexists('resource_type', '')),\n EventResult_e 
= iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'),\n EventSubType_e = 'response',\n EventEndTime_e = todatetime(column_ifexists('timestamp', ''))\n | extend\n ResponseCodeName_e = EventResultDetails_e, \n Domain_e = Query_e,\n IpAddr_e = SrcIpAddr_e,\n EventStartTime_e = EventEndTime_e\n | project-rename\n Query = Query_e,\n QueryTypeName = QueryTypeName_e,\n ResponseName = ResponseName_e,\n EventResultDetails = EventResultDetails_e,\n NetworkProtocol = NetworkProtocol_e,\n SrcIpAddr = SrcIpAddr_e,\n EventOriginalUid = EventOriginalUid_e,\n EventSeverity = EventSeverity_e,\n EventCount = EventCount_e,\n EventProduct = EventProduct_e,\n EventVendor = EventVendor_e,\n EventSchemaVersion = EventSchemaVersion_e,\n Dvc = Dvc_e,\n EventType = EventType_e,\n EventResult = EventResult_e,\n EventSubType = EventSubType_e,\n EventEndTime = EventEndTime_e,\n ResponseCodeName = ResponseCodeName_e,\n Domain = Domain_e,\n IpAddr = IpAddr_e,\n EventStartTime = EventStartTime_e;\nlet GCPCloudDNS_view = \n union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2\n | project-reorder \n Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, \n SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, \n EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, \n EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime;\nGCPCloudDNS_view\n", "functionParameters": "", "version": 2, "tags": [ diff --git a/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml b/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml index 4c2ddfd924..e3bab785df 100644 --- a/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml +++ b/Solutions/GoogleCloudPlatformDNS/Parsers/GCPCloudDNS.yaml 
@@ -7,125 +7,126 @@ Category: Microsoft Sentinel Parser FunctionName: GCPCloudDNS FunctionAlias: GCPCloudDNS FunctionQuery: | - let GCPCloudDNS_view = view () { let DNSQuery_GcpDns_empty = datatable( - Query_e:string, - QueryTypeName_e:string, - ResponseName_e:string, - EventResultDetails_e:string, - NetworkProtocol_e:string, - SrcIpAddr_e:string, - EventOriginalUid_e:string, - EventSeverity_e:string, - EventCount_e:int, - EventProduct_e:string, - EventVendor_e:string, - EventSchemaVersion_e:string, - Dvc_e:string, - EventType_e:string, - EventResult_e:string, - EventSubType_e:string, - EventEndTime_e:datetime, - ResponseCodeName_e:string, - Domain_e:string, - IpAddr_e:string, - EventStartTime_e:datetime + Query_e:string, + QueryTypeName_e:string, + ResponseName_e:string, + EventResultDetails_e:string, + NetworkProtocol_e:string, + SrcIpAddr_e:string, + EventOriginalUid_e:string, + EventSeverity_e:string, + EventCount_e:int, + EventProduct_e:string, + EventVendor_e:string, + EventSchemaVersion_e:string, + Dvc_e:string, + EventType_e:string, + EventResult_e:string, + EventSubType_e:string, + EventEndTime_e:datetime, + ResponseCodeName_e:string, + Domain_e:string, + IpAddr_e:string, + EventStartTime_e:datetime )[]; let DNSQuery_GcpDns = union isfuzzy=true GCP_DNS_CL, DNSQuery_GcpDns_empty - | extend - Query_e=column_ifexists('payload_queryName_s', ''), - QueryTypeName_e=column_ifexists('payload_queryType_s', ''), - ResponseName_e=column_ifexists('payload_rdata_s', ''), - EventResultDetails_e=column_ifexists('payload_responseCode_s', ''), - NetworkProtocol_e=column_ifexists('payload_protocol_s', ''), - SrcIpAddr_e=column_ifexists('payload_sourceIP_s', ''), - EventOriginalUid_e=column_ifexists('insert_id_s', ''), - EventSeverity_e=column_ifexists('severity_s', ''), - EventCount_e=(1), - EventProduct_e="Cloud DNS", - EventVendor_e="GCP", - EventSchemaVersion_e="0.1.0", - Dvc_e="GCPDNS", - EventType_e=iif (column_ifexists('resource_type_s', '') == "dns_query", "lookup", 
column_ifexists('resource_type_s', '')), - EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), - EventSubType_e='response', - EventEndTime_e=todatetime(column_ifexists('timestamp_t', '')) - // ---Aliases - | extend - ResponseCodeName_e=EventResultDetails_e, - Domain_e=Query_e, - IpAddr_e=SrcIpAddr_e, - EventStartTime_e=EventEndTime_e - | project-rename - Query=Query_e, - QueryTypeName=QueryTypeName_e, - ResponseName=ResponseName_e, - EventResultDetails=EventResultDetails_e, - NetworkProtocol=NetworkProtocol_e, - SrcIpAddr=SrcIpAddr_e, - EventOriginalUid=EventOriginalUid_e, - EventSeverity=EventSeverity_e, - EventCount=EventCount_e, - EventProduct=EventProduct_e, - EventVendor=EventVendor_e, - EventSchemaVersion=EventSchemaVersion_e, - Dvc=Dvc_e, - EventType=EventType_e, - EventResult=EventResult_e, - EventSubType=EventSubType_e, - EventEndTime=EventEndTime_e, - ResponseCodeName=ResponseCodeName_e, - Domain=Domain_e, - IpAddr=IpAddr_e, - EventStartTime=EventStartTime_e; + | extend + Query_e = column_ifexists('payload_queryName_s', ''), + QueryTypeName_e = column_ifexists('payload_queryType_s', ''), + ResponseName_e = column_ifexists('payload_rdata_s', ''), + EventResultDetails_e = column_ifexists('payload_responseCode_s', ''), + NetworkProtocol_e = column_ifexists('payload_protocol_s', ''), + SrcIpAddr_e = column_ifexists('payload_sourceIP_s', ''), + EventOriginalUid_e = column_ifexists('insert_id_s', ''), + EventSeverity_e = column_ifexists('severity_s', ''), + EventCount_e = 1, + EventProduct_e = "Cloud DNS", + EventVendor_e = "GCP", + EventSchemaVersion_e = "0.1.0", + Dvc_e = "GCPDNS", + EventType_e = iif (column_ifexists('resource_type_s', '') == "dns_query", "lookup", column_ifexists('resource_type_s', '')), + EventResult_e = iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), + EventSubType_e = 'response', + EventEndTime_e = todatetime(column_ifexists('timestamp_t', '')) + | extend + ResponseCodeName_e = EventResultDetails_e, 
+ Domain_e = Query_e, + IpAddr_e = SrcIpAddr_e, + EventStartTime_e = EventEndTime_e + | project-rename + Query = Query_e, + QueryTypeName = QueryTypeName_e, + ResponseName = ResponseName_e, + EventResultDetails = EventResultDetails_e, + NetworkProtocol = NetworkProtocol_e, + SrcIpAddr = SrcIpAddr_e, + EventOriginalUid = EventOriginalUid_e, + EventSeverity = EventSeverity_e, + EventCount = EventCount_e, + EventProduct = EventProduct_e, + EventVendor = EventVendor_e, + EventSchemaVersion = EventSchemaVersion_e, + Dvc = Dvc_e, + EventType = EventType_e, + EventResult = EventResult_e, + EventSubType = EventSubType_e, + EventEndTime = EventEndTime_e, + ResponseCodeName = ResponseCodeName_e, + Domain = Domain_e, + IpAddr = IpAddr_e, + EventStartTime = EventStartTime_e; let DNSQuery_GcpDnsV2 = union isfuzzy=true GCP_DNSV2_CL, DNSQuery_GcpDns_empty - | extend - Query_e=column_ifexists('payload_queryName', ''), - QueryTypeName_e=column_ifexists('payload_queryType', ''), - ResponseName_e=column_ifexists('payload_rdata', ''), - EventResultDetails_e=column_ifexists('payload_responseCode', ''), - NetworkProtocol_e=column_ifexists('payload_protocol', ''), - SrcIpAddr_e=column_ifexists('payload_sourceIP', ''), - EventOriginalUid_e=column_ifexists('insert_id', ''), - EventSeverity_e=column_ifexists('severity', ''), - EventCount_e=(1), - EventProduct_e="Cloud DNS", - EventVendor_e="GCP", - EventSchemaVersion_e="0.1.0", - Dvc_e="GCPDNS", - EventType_e=iif (column_ifexists('resource_type', '') == "dns_query", "lookup", column_ifexists('resource_type', '')), - EventResult_e=iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), - EventSubType_e='response', - EventEndTime_e=todatetime(column_ifexists('timestamp', '')) - // ---Aliases - | extend - ResponseCodeName_e=EventResultDetails_e, - Domain_e=Query_e, - IpAddr_e=SrcIpAddr_e, - EventStartTime_e=EventEndTime_e - | project-rename - Query=Query_e, - QueryTypeName=QueryTypeName_e, - ResponseName=ResponseName_e, - 
EventResultDetails=EventResultDetails_e, - NetworkProtocol=NetworkProtocol_e, - SrcIpAddr=SrcIpAddr_e, - EventOriginalUid=EventOriginalUid_e, - EventSeverity=EventSeverity_e, - EventCount=EventCount_e, - EventProduct=EventProduct_e, - EventVendor=EventVendor_e, - EventSchemaVersion=EventSchemaVersion_e, - Dvc=Dvc_e, - EventType=EventType_e, - EventResult=EventResult_e, - EventSubType=EventSubType_e, - EventEndTime=EventEndTime_e, - ResponseCodeName=ResponseCodeName_e, - Domain=Domain_e, - IpAddr=IpAddr_e, - EventStartTime=EventStartTime_e; - union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2 - | project-reorder Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime; - }; - GCPCloudDNS_view \ No newline at end of file + | extend + Query_e = column_ifexists('payload_queryName', ''), + QueryTypeName_e = column_ifexists('payload_queryType', ''), + ResponseName_e = column_ifexists('payload_rdata', ''), + EventResultDetails_e = column_ifexists('payload_responseCode', ''), + NetworkProtocol_e = column_ifexists('payload_protocol', ''), + SrcIpAddr_e = column_ifexists('payload_sourceIP', ''), + EventOriginalUid_e = column_ifexists('insert_id', ''), + EventSeverity_e = column_ifexists('severity', ''), + EventCount_e = 1, + EventProduct_e = "Cloud DNS", + EventVendor_e = "GCP", + EventSchemaVersion_e = "0.1.0", + Dvc_e = "GCPDNS", + EventType_e = iif (column_ifexists('resource_type', '') == "dns_query", "lookup", column_ifexists('resource_type', '')), + EventResult_e = iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure'), + EventSubType_e = 'response', + EventEndTime_e = todatetime(column_ifexists('timestamp', '')) + | extend + ResponseCodeName_e = EventResultDetails_e, + Domain_e = Query_e, + IpAddr_e = SrcIpAddr_e, + EventStartTime_e = 
EventEndTime_e + | project-rename + Query = Query_e, + QueryTypeName = QueryTypeName_e, + ResponseName = ResponseName_e, + EventResultDetails = EventResultDetails_e, + NetworkProtocol = NetworkProtocol_e, + SrcIpAddr = SrcIpAddr_e, + EventOriginalUid = EventOriginalUid_e, + EventSeverity = EventSeverity_e, + EventCount = EventCount_e, + EventProduct = EventProduct_e, + EventVendor = EventVendor_e, + EventSchemaVersion = EventSchemaVersion_e, + Dvc = Dvc_e, + EventType = EventType_e, + EventResult = EventResult_e, + EventSubType = EventSubType_e, + EventEndTime = EventEndTime_e, + ResponseCodeName = ResponseCodeName_e, + Domain = Domain_e, + IpAddr = IpAddr_e, + EventStartTime = EventStartTime_e; + let GCPCloudDNS_view = + union isfuzzy=true DNSQuery_GcpDns, DNSQuery_GcpDnsV2 + | project-reorder + Query, QueryTypeName, ResponseName, EventResultDetails, NetworkProtocol, + SrcIpAddr, EventOriginalUid, EventSeverity, EventCount, EventProduct, + EventVendor, EventSchemaVersion, Dvc, EventType, EventResult, EventSubType, + EventEndTime, ResponseCodeName, Domain, IpAddr, EventStartTime; + GCPCloudDNS_view
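Review bot: `EventResult_e = iff(EventResultDetails_e =~ 'NOERROR', 'Success', 'Failure')` still labels a record whose response-code column is absent or empty as `Failure`, because `column_ifexists(..., '')` yields `''` and anything other than `NOERROR` falls into the `Failure` branch; detections that count failed lookups per source will then be inflated by ingestion gaps rather than real NXDOMAIN/SERVFAIL answers. In both the `GCP_DNS_CL` and `GCP_DNSV2_CL` branches the line could become `EventResult_e = case(EventResultDetails_e =~ 'NOERROR', 'Success', isempty(EventResultDetails_e), 'NA', 'Failure'),` so that missing data is distinguishable from a failed resolution. The same query appears to be duplicated verbatim in the two `mainTemplate.json` hunks above, so the packaged copies need the identical change or a regeneration. The rewrite also dropped the `// ---Aliases` comments that marked the second `| extend`; keeping `// ---Aliases (ASim alias columns derived above)` on that pipe would preserve the only inline documentation the parser had.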