Azure App Service Modeling Rule

Modeling Rule

Azure App Service

Details

IDAzure_App_Service_ModelingRule
From Version8.7.0

Rules (XIF)

/*-------------------------------
   ----------- RULES -------------
   ------------------------------- */
[RULE: msft_azure_app_service_map_common_event_fields]
alter
        tmp_resource_id = if(resourceId != null and resourceId != "", resourceId, _ResourceId != null and _ResourceId != "", _ResourceId, null)
| alter
		xdm.event.original_event_type = category,
		xdm.event.type = if(
                category = "AppServiceHTTPLogs", "App Service HTTP Logs",
                category = "AppServiceConsoleLogs", "App Service Console Logs",
                category = "AppServiceAppLogs", "App Service App Logs",
                category = "AppServiceIPSecAuditLogs", "App Service IPSec Audit Logs",
                category = "AppServicePlatformLogs", "App Service Platform Logs",
                category = "AppServiceAntivirusScanAuditLogs", "App Service Antivirus Scan Audit Logs",
                category = "AppServiceFileAuditLogs", "App Service File Audit Logs",
                category = "FunctionAppLogs", "Function App Logs",
                category = "AppServiceAuditLogs", "App Service Audit Logs",
                category = "AppServiceEnvironmentPlatformLogs", "App Service Environment Platform Logs",
                category),
        xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
        xdm.source.cloud.project_id = arrayindex(split(tmp_resource_id, "/"), 2),
        xdm.source.cloud.region = location,
        xdm.target.resource.name = arrayindex(regextract(tmp_resource_id, "/([^\/]+)$"), -1),
        xdm.target.resource.id = tmp_resource_id,
        xdm.target.resource.type = concat(arrayindex(split(tmp_resource_id, "/"), -3), "/", arrayindex(split(tmp_resource_id, "/"), -2));

[RULE: msft_azure_app_service_map_common_app_fields]
alter
        log_level = if(to_string(Level) !~= "^\d+$", uppercase(to_string(Level)), null)
| alter
        xdm.event.log_level = if(
            log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
            log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
            log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
            log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL,
            null),
        xdm.source.host.hostname = Host,
        xdm.event.operation_sub_type = operationName,
        xdm.event.description = if(resultDescription != null and resultDescription != "", resultDescription, properties -> message != null, properties -> message, Message),
        xdm.source.process.container_id = containerId;

[RULE: msft_azure_app_service_map_common_http_fields]
alter
        tmp_source_ip = coalesce(properties -> CIp, CIp)
| alter
		xdm.target.host.hostname = coalesce(properties -> CsHost, CsHost),
		xdm.source.ipv4 = if(tmp_source_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", arrayindex(regextract(tmp_source_ip, "((?:\d{1,3}\.){3}\d{1,3})"), 0), null),
		xdm.source.ipv6 = if(tmp_source_ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", arrayindex(regextract(tmp_source_ip, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0), null),
		xdm.source.port = to_number(if(tmp_source_ip ~= "(?:\d{1,3}\.){3}\d{1,3}", arrayindex(regextract(tmp_source_ip, "(?:\d{1,3}\.){3}\d{1,3}:(\d+)"), 0), tmp_source_ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", arrayindex(regextract(tmp_source_ip, "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}\]:(\d+)"), 0), null));

/*-------------------------------
   ----------- MODEL -------------
   ------------------------------- */

// supported log categories: "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs", "AppServiceFileAuditLogs", "FunctionAppLogs", "AppServiceAuditLogs", "WorkflowRuntime", "AppServiceEnvironmentPlatformLogs"
[MODEL: dataset = msft_azure_app_service_raw]
// Azure App Service - "App Service HTTP Logs"
filter category = "AppServiceHTTPLogs"
| call msft_azure_app_service_map_common_event_fields
| call msft_azure_app_service_map_common_http_fields
| alter
        tmp_http_request_method = coalesce(properties -> CsMethod, CsMethod),
        tmp_http_status = coalesce(properties -> ScStatus, to_string(ScStatus)),
        tmp_result = lowercase(coalesce(properties -> Result, Result))
| alter
        xdm.event.duration = to_integer(coalesce(properties -> TimeTaken, to_string(TimeTaken))),
        xdm.event.outcome = if(tmp_result = "success", XDM_CONST.OUTCOME_SUCCESS, tmp_result = "failure", XDM_CONST.OUTCOME_FAILED, null),
        xdm.observer.name = coalesce(properties -> ComputerName, ComputerName),
        xdm.network.http.method = if(tmp_http_request_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, tmp_http_request_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, tmp_http_request_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, tmp_http_request_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, tmp_http_request_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, tmp_http_request_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, tmp_http_request_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, tmp_http_request_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, tmp_http_request_method = "GET", XDM_CONST.HTTP_METHOD_GET, tmp_http_request_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, tmp_http_request_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, tmp_http_request_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, tmp_http_request_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, tmp_http_request_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, tmp_http_request_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, tmp_http_request_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, tmp_http_request_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, tmp_http_request_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, tmp_http_request_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, tmp_http_request_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, tmp_http_request_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, tmp_http_request_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, tmp_http_request_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, tmp_http_request_method = "POST", XDM_CONST.HTTP_METHOD_POST, tmp_http_request_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, tmp_http_request_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, tmp_http_request_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, tmp_http_request_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, tmp_http_request_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, tmp_http_request_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, tmp_http_request_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, tmp_http_request_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, tmp_http_request_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, tmp_http_request_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, tmp_http_request_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, tmp_http_request_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, tmp_http_request_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, tmp_http_request_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, tmp_http_request_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(tmp_http_request_method)),
        xdm.network.http.response_code = if(tmp_http_status = null, null, tmp_http_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, tmp_http_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, tmp_http_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, tmp_http_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, tmp_http_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, tmp_http_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, tmp_http_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, tmp_http_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, tmp_http_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, tmp_http_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, tmp_http_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, tmp_http_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, tmp_http_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, tmp_http_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, tmp_http_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, tmp_http_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, tmp_http_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, tmp_http_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, tmp_http_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, tmp_http_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, tmp_http_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, tmp_http_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, tmp_http_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, tmp_http_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, tmp_http_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, tmp_http_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, tmp_http_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, tmp_http_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, tmp_http_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, tmp_http_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, tmp_http_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, tmp_http_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, tmp_http_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, tmp_http_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, tmp_http_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, tmp_http_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, tmp_http_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, tmp_http_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, tmp_http_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, tmp_http_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, tmp_http_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, tmp_http_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, tmp_http_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, tmp_http_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, tmp_http_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, tmp_http_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, tmp_http_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, tmp_http_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, tmp_http_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, tmp_http_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, tmp_http_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, tmp_http_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, tmp_http_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, tmp_http_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, tmp_http_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, tmp_http_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, tmp_http_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, tmp_http_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, tmp_http_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, tmp_http_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, to_string(tmp_http_status)),
        xdm.network.http.referrer = coalesce(properties -> Referer, Referer),
        xdm.source.user_agent = coalesce(properties -> UserAgent, userAgent),
        xdm.source.user.username = coalesce(properties -> CsUsername, CsUsername),
        xdm.source.sent_bytes = to_number(coalesce(properties -> CsBytes, to_string(CsBytes))),
        xdm.target.sent_bytes = to_number(coalesce(properties -> ScBytes, to_string(ScBytes))),
        xdm.target.port = to_number(coalesce(properties -> SPort, SPort));

// Azure App Service - "App Service Console Logs", "App Service App Logs", "App Service Platform Logs"
filter category in ("AppServiceConsoleLogs", "AppServiceAppLogs", "AppServicePlatformLogs")
| call msft_azure_app_service_map_common_event_fields
| call msft_azure_app_service_map_common_app_fields;

// Azure App Service - "App Service IPSec Audit Logs"
filter (category = "AppServiceIPSecAuditLogs")
| call msft_azure_app_service_map_common_event_fields
| call msft_azure_app_service_map_common_http_fields
| alter
        xdm.event.description = coalesce(properties -> Details, Details),
        xdm.observer.action = coalesce(properties -> Result, Result),
        xdm.event.operation_sub_type = operationName;

// Azure App Service - "App Service Antivirus Scan Audit Logs"
filter category = "AppServiceAntivirusScanAuditLogs"
| call msft_azure_app_service_map_common_event_fields
| alter
        tmp_infected_files = arraystring(coalesce(properties -> ListOfInfectedFiles[], ListOfInfectedFiles -> []), ", "),
        tmp_ScanStatus = lowercase(coalesce(properties -> ScanStatus, ScanStatus))
| alter
        xdm.event.outcome = if(tmp_ScanStatus contains "succ", XDM_CONST.OUTCOME_SUCCESS, tmp_ScanStatus contains "fail", XDM_CONST.OUTCOME_FAILED, null),
        xdm.target.file.filename = if(tmp_infected_files != "" and tmp_infected_files != null, tmp_infected_files, null);

// Azure App Service - "App Service File AuditLogs"
filter category = "AppServiceFileAuditLogs"
| call msft_azure_app_service_map_common_event_fields
| alter
        lower_operationName = lowercase(operationName),
        tmp_path = coalesce(properties -> Path, Path)
| alter
        xdm.target.file.path = tmp_path,
        xdm.target.file.filename = arrayindex(regextract(tmp_path, "[\\\/]([^\\\/]+)$"), 0),
        xdm.event.operation = if(lower_operationName contains "rename", XDM_CONST.OPERATION_TYPE_FILE_RENAME, lower_operationName contains "delete", XDM_CONST.OPERATION_TYPE_FILE_REMOVE, lower_operationName contains "create", XDM_CONST.OPERATION_TYPE_FILE_CREATE, operationName),
        xdm.source.process.name = coalesce(properties -> Process, Process);

// Azure App Service - "Function App Logs"
filter category = "FunctionAppLogs"
| call msft_azure_app_service_map_common_event_fields
| alter
        properties_json = to_json_string(properties),
        log_level = if(to_string(Level) !~= "^\d+$", uppercase(to_string(Level)), null)
| alter
        xdm.event.log_level = if(
            log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
            log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
            log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
            log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL,
            log_level in ("DEBUG"), XDM_CONST.LOG_LEVEL_DEBUG,
            to_string(log_level)),
        xdm.source.application.name = coalesce(properties_json -> appName, AppName),
        xdm.event.operation_sub_type = coalesce(properties_json -> eventName, EventName),
        xdm.source.host.hostname = if(Host != "" and Host != null, Host, properties -> hostInstanceId != null, properties -> hostInstanceId, HostInstanceId),
        xdm.event.description = coalesce(properties -> message, Message),
        xdm.source.process.pid = to_integer(coalesce(properties -> processId, ProcessId));

// Azure App Service - "App Service Audit Logs"
filter category = "AppServiceAuditLogs"
| call msft_azure_app_service_map_common_event_fields
| alter
        tmp_UserAddress = coalesce(properties -> UserAddress, UserAddress),
        tmp_UserDisplayName = coalesce(properties -> UserDisplayName, UserDisplayName)
| alter
        xdm.event.operation_sub_type = operationName,
        xdm.auth.service = coalesce(properties -> Protocol, Protocol),
        xdm.network.application_protocol = coalesce(properties -> Protocol, Protocol),
        xdm.source.user.username = coalesce(properties -> User, User),
        xdm.source.user.upn = if(tmp_UserDisplayName contains "@", tmp_UserDisplayName, null),
        xdm.source.ipv4 = if(tmp_UserAddress ~= "(?:\d{1,3}\.){3}\d{1,3}", arrayindex(regextract(tmp_UserAddress, "((?:\d{1,3}\.){3}\d{1,3})"), 0), null),
		xdm.source.ipv6 = if(tmp_UserAddress ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", arrayindex(regextract(tmp_UserAddress, "((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})"), 0), null);

// Azure App Service - "Workflow Runtime"
filter category = "WorkflowRuntime"
// Common fields from general rule
| alter
        xdm.event.original_event_type = category,
        xdm.event.type = "Workflow Runtime",
        xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
        xdm.source.cloud.project_id = arrayindex(split(resourceId, "/"), 2),
        xdm.source.cloud.region = location
| alter
        tmp_code = coalesce(properties -> code, Code),
        tmp_actionName = coalesce(properties -> resource.actionName, ActionName),
        tmp_status = lowercase(coalesce(properties -> status, Status)),
        tmp_startTime = to_string(coalesce(properties -> startTime, StartTime)),
        tmp_endTime = to_string(coalesce(properties -> startTime, EndTime))
| alter
        log_level = if(to_string(Level) !~= "^\d+$", uppercase(to_string(Level)), null),
        code = uppercase(tmp_code)
| alter
        xdm.event.log_level = if(
            log_level in ("CRITICAL"), XDM_CONST.LOG_LEVEL_CRITICAL,
            log_level in ("ERROR"), XDM_CONST.LOG_LEVEL_ERROR,
            log_level in ("WARNING"), XDM_CONST.LOG_LEVEL_WARNING,
            log_level in ("INFO*"), XDM_CONST.LOG_LEVEL_INFORMATIONAL,
            null),
        xdm.event.operation_sub_type = if(tmp_actionName != null and tmp_actionName != "", concat(operationName, " - ", tmp_actionName), operationName),
        xdm.event.outcome = if(tmp_status contains "succ", XDM_CONST.OUTCOME_SUCCESS, tmp_status contains "fail", XDM_CONST.OUTCOME_FAILED, tmp_status),
        xdm.network.http.response_code = if(code = "CONTINUE", XDM_CONST.HTTP_RSP_CODE_CONTINUE, code = "SWITCHINGPROTOCOLS", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, code = "PROCESSING", XDM_CONST.HTTP_RSP_CODE_PROCESSING, code = "EARLYHINTS", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, code = "OK", XDM_CONST.HTTP_RSP_CODE_OK, code = "CREATED", XDM_CONST.HTTP_RSP_CODE_CREATED, code = "ACCEPTED", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, code = "NONAUTHORITATIVEINFORMATION", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, code = "NOCONTENT", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, code = "RESETCONTENT", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, code = "PARTIALCONTENT", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, code = "MULTISTATUS", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, code = "ALREADYREPORTED", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, code = "IMUSED", XDM_CONST.HTTP_RSP_CODE_IM_USED, code = "MULTIPLECHOICES", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, code = "MOVEDPERMANENTLY", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, code = "FOUND", XDM_CONST.HTTP_RSP_CODE_FOUND, code = "SEEOTHER", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, code = "NOTMODIFIED", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, code = "USEPROXY", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, code = "TEMPORARYREDIRECT", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, code = "PERMANENTREDIRECT", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, code = "BADREQUEST", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, code = "UNAUTHORIZED", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, code = "PAYMENTREQUIRED", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, code = "FORBIDDEN", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, code = "NOTFOUND", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, code = "METHODNOTALLOWED", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, code = "NOTACCEPTABLE", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, code = "PROXYAUTHENTICATIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, code = "REQUESTTIMEOUT", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, code = "CONFLICT", XDM_CONST.HTTP_RSP_CODE_CONFLICT, code = "GONE", XDM_CONST.HTTP_RSP_CODE_GONE, code = "LENGTHREQUIRED", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, code = "PRECONDITIONFAILED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, code = "CONTENTTOOLARGE", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, code = "URITOOLONG", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, code = "UNSUPPORTEDMEDIATYPE", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, code = "RANGENOTSATISFIABLE", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, code = "EXPECTATIONFAILED", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, code = "MISDIRECTEDREQUEST", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, code = "UNPROCESSABLECONTENT", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, code = "LOCKED", XDM_CONST.HTTP_RSP_CODE_LOCKED, code = "FAILEDDEPENDENCY", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, code = "TOOEARLY", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, code = "UPGRADEREQUIRED", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, code = "PRECONDITIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, code = "TOOMANYREQUESTS", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, code = "REQUESTHEADERFIELDSTOOLARGE", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, code = "UNAVAILABLEFORLEGALREASONS", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, code = "INTERNALSERVERERROR", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, code = "NOTIMPLEMENTED", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, code = "BADGATEWAY", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, code = "SERVICEUNAVAILABLE", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, code = "GATEWAYTIMEOUT", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, code = "HTTPVERSIONNOTSUPPORTED", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, code = "VARIANTALSONEGOTIATES", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, code = "INSUFFICIENTSTORAGE", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, code = "LOOPDETECTED", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, code = "NETWORKAUTHENTICATIONREQUIRED", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, to_string(code)),
        xdm.event.outcome_reason = coalesce(properties -> error.message, Message),
        xdm.target.resource.id = coalesce(properties -> resource.workflowId, WorkflowId),
        xdm.target.resource.name = coalesce(properties -> resource.workflowName, WorkflowName),
        xdm.source.process.identifier = coalesce(properties -> resource.runId, RunId),
        xdm.source.process.parent_id = coalesce(properties -> resource.originRunId, OriginRunId),
        xdm.target.resource.type = tmp_actionName,
        xdm.event.duration = to_integer(timestamp_diff(parse_timestamp("%FT%H:%M:%E*SZ", tmp_endTime), parse_timestamp("%FT%H:%M:%E*SZ", tmp_startTime), "MILLISECOND"));

// Azure App Service - "App Service Environment Platform Logs"
filter category = "AppServiceEnvironmentPlatformLogs"
| call msft_azure_app_service_map_common_event_fields
| alter
        xdm.event.operation_sub_type = operationName,
        xdm.event.outcome = if(lowercase(resultType) contains "succ", XDM_CONST.OUTCOME_SUCCESS, lowercase(resultType) contains "fail", XDM_CONST.OUTCOME_FAILED, null);








Schema

msft_azure_app_service_raw

Field Type Array?
ActionName string
AppName string
CIp string
Code string
ComputerName string
CsBytes int
CsHost string
CsMethod string
CsUsername string
Details string
EndTime string
EventName string
Host string
HostInstanceId string
Level string
ListOfInfectedFiles string
Message string
OriginRunId string
Path string
Process string
ProcessId string
Protocol string
Referer string
Result string
RunId string
SPort string
ScBytes int
ScStatus int
ScanStatus string
StartTime string
Status string
TimeTaken int
User string
UserAddress string
UserDisplayName string
WorkflowId string
WorkflowName string
_ResourceId string
category string
containerId string
location string
operationName string
properties string
resourceId string
resultDescription string
resultType string
userAgent string
Raw JSON
{
    "msft_azure_app_service_raw": {
        "resourceId": {
            "type": "string",
            "is_array": false
        },
        "category": {
            "type": "string",
            "is_array": false
        },
        "properties": {
            "type": "string",
            "is_array": false
        },
        "location": {
            "type": "string",
            "is_array": false
        },
        "Level": {
            "type": "string",
            "is_array": false
        },
        "Host": {
            "type": "string",
            "is_array": false
        },
        "operationName": {
            "type": "string",
            "is_array": false
        },
        "resultDescription": {
            "type": "string",
            "is_array": false
        },
        "containerId": {
            "type": "string",
            "is_array": false
        },
        "resultType": {
            "type": "string",
            "is_array": false
        },
        "_ResourceId": {
            "type": "string",
            "is_array": false
        },
        "CIp": {
            "type": "string",
            "is_array": false
        },
        "CsHost": {
            "type": "string",
            "is_array": false
        },
        "CsMethod": {
            "type": "string",
            "is_array": false
        },
        "ScStatus": {
            "type": "int",
            "is_array": false
        },
        "Result": {
            "type": "string",
            "is_array": false
        },
        "TimeTaken": {
            "type": "int",
            "is_array": false
        },
        "ComputerName": {
            "type": "string",
            "is_array": false
        },
        "Referer": {
            "type": "string",
            "is_array": false
        },
        "userAgent": {
            "type": "string",
            "is_array": false
        },
        "CsUsername": {
            "type": "string",
            "is_array": false
        },
        "CsBytes": {
            "type": "int",
            "is_array": false
        },
        "ScBytes": {
            "type": "int",
            "is_array": false
        },
        "SPort": {
            "type": "string",
            "is_array": false
        },
        "Details": {
            "type": "string",
            "is_array": false
        },
        "ListOfInfectedFiles": {
            "type": "string",
            "is_array": false
        },
        "ScanStatus": {
            "type": "string",
            "is_array": false
        },
        "Path": {
            "type": "string",
            "is_array": false
        },
        "Process": {
            "type": "string",
            "is_array": false
        },
        "AppName": {
            "type": "string",
            "is_array": false
        },
        "EventName": {
            "type": "string",
            "is_array": false
        },
        "Message": {
            "type": "string",
            "is_array": false
        },
        "ProcessId": {
            "type": "string",
            "is_array": false
        },
        "HostInstanceId": {
            "type": "string",
            "is_array": false
        },
        "Protocol": {
            "type": "string",
            "is_array": false
        },
        "User": {
            "type": "string",
            "is_array": false
        },
        "UserAddress": {
            "type": "string",
            "is_array": false
        },
        "UserDisplayName": {
            "type": "string",
            "is_array": false
        },
        "Code": {
            "type": "string",
            "is_array": false
        },
        "ActionName": {
            "type": "string",
            "is_array": false
        },
        "Status": {
            "type": "string",
            "is_array": false
        },
        "WorkflowId": {
            "type": "string",
            "is_array": false
        },
        "WorkflowName": {
            "type": "string",
            "is_array": false
        },
        "RunId": {
            "type": "string",
            "is_array": false
        },
        "OriginRunId": {
            "type": "string",
            "is_array": false
        },
        "StartTime": {
            "type": "string",
            "is_array": false
        },
        "EndTime": {
            "type": "string",
            "is_array": false
        }
    }
}