Azure WAF Modeling Rule

Modeling Rule

Azure WAF

Details

IDAzure_WAF_ModelingRule
From Version8.5.0

Rules (XIF)

/*
Handles Azure WAF Common Fields
*/
[RULE: msft_azure_resourcelogs_common_fields]
alter
	xdm.event.type = if(
		Category = "FrontDoorAccessLog", "Front Door Access Log",
		Category = "FrontDoorWebApplicationFirewallLog", "Front Door Web Application Firewall Log",
        category = "ApplicationGatewayAccessLog", "Application Gateway Access Log",
        category = "ApplicationGatewayFirewallLog", "Application Gateway Firewall Log",
        type = "AGWAccessLogs", "Application Gateway Access Log",
        type = "AGWFirewallLogs", "Application Gateway Firewall Log"),
	xdm.event.log_level = if(level ~= "Information", XDM_CONST.LOG_LEVEL_INFORMATIONAL, level = "Warning", XDM_CONST.LOG_LEVEL_WARNING, level = "Error", XDM_CONST.LOG_LEVEL_ERROR, level = "Critical", XDM_CONST.LOG_LEVEL_CRITICAL, level = null, null, to_string(level)),
    xdm.event.original_event_type = coalesce(if(len(category) != 0, category, null),if(len(Category) != 0, Category, null), if(len(type) != 0, type, null)),
	xdm.event.operation_sub_type = operationName,
    xdm.source.user.username = to_string(identity),
    xdm.source.cloud.project_id = coalesce(SubscriptionId, arrayindex(regextract(resourceId, "/SUBSCRIPTIONS/([^\/]+)"), 0), tenantId),
    xdm.source.cloud.region = location,
	xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
	xdm.session_context_id = correlationId,
    xdm.target.resource.id = resourceId;



/*
Handles Front Door Common Fields
FrontDoorAccessLog and FrontDoorWebApplicationFirewallLog
*/
[RULE: front_door_common_fields]
filter Category in ("FrontDoorAccessLog", "FrontDoorWebApplicationFirewallLog")
| alter CallerIPAddress = if(len(CallerIPAddress) = 0,null, CallerIPAddress )
| alter tmp_ip_address = coalesce(CallerIPAddress, clientIP_s) 
| alter
    source_ipv4 = arrayindex(regextract(tmp_ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
    source_ipv6 = arrayindex(regextract(tmp_ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
    source_socket_ipv4 = regextract(socketIP_s, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
    source_socket_ipv6 = regextract(socketIP_s, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),
    clientPort_s = to_integer(clientPort_s),
    clientPort_d = to_integer(clientPort_d)

| alter
    xdm.event.id = trackingReference_s,
    xdm.source.port = coalesce(to_integer(clientPort_d) , to_integer(clientPort_s)),
    xdm.source.ipv4 = source_ipv4 ,
    xdm.source.ipv6 = source_ipv6,
    xdm.source.host.ipv4_addresses = source_socket_ipv4,
    xdm.source.host.ipv6_addresses = source_socket_ipv6,
    xdm.target.url = requestUri_s, 
    xdm.target.resource.name = Resource,
    xdm.target.resource.parent_id = ResourceGroup ,
    xdm.target.resource.type = ResourceType;



/*
Handles Front Door WAF Logs
*/
[RULE: front_door_waf_log]
 alter
    xdm.event.description = details_data_s,
    xdm.observer.action	= action_s,
    xdm.network.rule = ruleName_s,
    xdm.target.domain = host_s;



/*
Handle Frond Door Access Logs
*/
[RULE: front_door_access_log]
 alter
    UserAgent = if(len(UserAgent ) = 0, null, UserAgent ),
    check_response_code = coalesce(to_integer(httpStatusCode_s) , to_integer(httpStatusCode_d) ,to_integer(httpStatusDetails_s)),
    http_method = httpMethod_s,
    tmp_tls_version = if(originCryptProtocol_s = "N/A", securityProtocol_s, originCryptProtocol_s ),
    target_ipv4 = arrayindex(regextract(originIp_s , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
    target_ipv6 = arrayindex(regextract(originIp_s, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
    trim_domain = replex(domain_s , ":\d+",""),
    error_information_outcome = if(errorInfo_s = "NoError", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
    error_information_outcome_reason= if(
    errorInfo_s ="NoError", "NoError: No error was found.",
    errorInfo_s ="CertificateError","CertificateError: Generic SSL certificate error.",
    errorInfo_s ="CertificateNameCheckFailed","CertificateNameCheckFailed: The host name in the SSL certificate is invalid or doesn't match the requested URL.",
    errorInfo_s ="ClientDisconnected","ClientDisconnected: The request failed because of a client network connection issue.",
    errorInfo_s ="ClientGeoBlocked","ClientGeoBlocked: The client was blocked due to the geographical location of the IP address.",
    errorInfo_s ="UnspecifiedClientError","UnspecifiedClientError: Generic client error.",
    errorInfo_s ="InvalidRequest","InvalidRequest: Invalid request. This response indicates a malformed header, body, or URL.",
    errorInfo_s ="DNSFailure","DNSFailure: A failure occurred during DNS resolution.",
    errorInfo_s ="DNSTimeout","DNSTimeout: The DNS query to resolve the origin IP address timed out.",
    errorInfo_s ="DNSNameNotResolved","DNSNameNotResolved: The server name or address couldn't be resolved.",
    errorInfo_s ="OriginConnectionAborted","OriginConnectionAborted: The connection with the origin was disconnected abnormally.",
    errorInfo_s ="OriginConnectionError","OriginConnectionError: Generic origin connection error.",
    errorInfo_s ="OriginConnectionRefused","OriginConnectionRefused: The connection with the origin wasn't established.",
    errorInfo_s ="OriginError","OriginError: Generic origin error.",
    errorInfo_s ="ResponseHeaderTooBig","ResponseHeaderTooBig: The origin returned a too large of a response header.",
    errorInfo_s ="OriginInvalidResponse","OriginInvalidResponse: The origin returned an invalid or unrecognized response.",
    errorInfo_s ="OriginTimeout","OriginTimeout: The time-out period for the origin request expired.",
    errorInfo_s ="ResponseHeaderTooBig","ResponseHeaderTooBig: The origin returned a too large of a response header.",
    errorInfo_s ="RestrictedIP","RestrictedIP: The request was blocked because of restricted IP address.",
    errorInfo_s ="SSLHandshakeError","SSLHandshakeError: Azure Front Door was unable to establish a connection with the origin because of an SSL handshake failure.",
    errorInfo_s ="SSLInvalidRootCA","SSLInvalidRootCA: The root certification authority's certificate was invalid.",
    errorInfo_s ="SSLInvalidCipher","SSLInvalidCipher: The HTTPS connection was established using an invalid cipher.",
    errorInfo_s ="OriginConnectionAborted","OriginConnectionAborted: The connection with the origin was disconnected abnormally.",
    errorInfo_s ="OriginConnectionRefused","OriginConnectionRefused: The connection with the origin wasn't established.",
    errorInfo_s ="UnspecifiedError","UnspecifiedError: An error occurred that did not fit in any of the errors in the table.")

    
| alter 
    xdm.network.tls.protocol_version = tmp_tls_version,
    xdm.network.http.response_code = if(check_response_code = 0, "The request to the origin timed out", check_response_code = 499, "The client closed the connection", check_response_code = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, check_response_code = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, check_response_code = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, check_response_code = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, check_response_code = 200, XDM_CONST.HTTP_RSP_CODE_OK, check_response_code = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, check_response_code = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, check_response_code = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, check_response_code = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, check_response_code = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, check_response_code = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, check_response_code = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, check_response_code = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, check_response_code = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, check_response_code = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, check_response_code = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, check_response_code = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, check_response_code = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, check_response_code = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, check_response_code = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, check_response_code = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, check_response_code = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, check_response_code = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, check_response_code = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, check_response_code = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, check_response_code = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, check_response_code = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, check_response_code = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, check_response_code = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, check_response_code = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, check_response_code = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, check_response_code = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, check_response_code = 410, XDM_CONST.HTTP_RSP_CODE_GONE, check_response_code = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, check_response_code = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, check_response_code = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, check_response_code = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, check_response_code = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, check_response_code = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, check_response_code = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, check_response_code = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, check_response_code = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, check_response_code = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, check_response_code = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, check_response_code = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, check_response_code = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, check_response_code = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, check_response_code = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, check_response_code = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, check_response_code = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, check_response_code = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, check_response_code = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, check_response_code = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, check_response_code = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, check_response_code = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, check_response_code = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, check_response_code = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, check_response_code = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, check_response_code = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, check_response_code = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, check_response_code = null, null, to_string(check_response_code)),
    xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method),
    xdm.source.sent_bytes = to_integer(requestBytes_s),
    xdm.target.sent_bytes = to_integer(responseBytes_s),
    xdm.network.application_protocol = requestProtocol_s,
    xdm.network.tls.cipher = securityCipher_s,
    xdm.network.http.referrer = referer_s,
    xdm.event.duration = to_integer(coalesce(multiply(to_float(timeTaken_d),1000), multiply(to_float(timeTaken_s),1000), multiply(to_float(TimeTaken),1000), to_integer(DurationMs))),
    xdm.source.user_agent = coalesce(userAgent , userAgent_s),
    xdm.source.location.country = clientCountry_s ,
    xdm.network.rule = routingRuleName_s,
    xdm.target.ipv4 = target_ipv4, 
    xdm.target.ipv6 = target_ipv6,
    xdm.network.http.url = originUrl_s ,
    xdm.target.host.fqdn = sni_s,
    xdm.target.domain = coalesce(sni_s ,trim_domain ),
    xdm.network.http.domain = coalesce(sni_s ,trim_domain ),
    xdm.intermediate.host.hostname = endpoint_s,
    xdm.target.host.hostname = if(originName_s = "N/A", "The request was served from the Azure Front Door cache", originName_s ),
    xdm.event.outcome = error_information_outcome , 
    xdm.event.outcome_reason = error_information_outcome_reason;



/*
Handles Application Gateway logs
*/
[RULE: application_gateway_access_and_waf_logs]
alter 
	get_properties_action = coalesce(properties -> action, action),
	get_properties_httpStatus = coalesce(to_integer(properties -> httpStatus),to_integer(httpstatus)),
	get_properties_host = coalesce(properties -> host, host),
	get_properties_hostname = coalesce(properties -> hostname, hostname),
	get_properties_originalHost = coalesce(properties -> originalHost, originalhost ),
	get_properties_httpMethod = coalesce(properties -> httpMethod,httpmethod),
	get_properties_requestQuery = properties -> requestQuery,
	get_properties_requestUri = coalesce(properties -> requestUri, requesturi),
	get_properties_originalRequestUriWithArgs = coalesce(properties -> originalRequestUriWithArgs,originalrequesturiwithargs),
	get_properties_clientip = if(properties -> clientIp != null, properties -> clientIp, properties -> clientIP != null, properties -> clientIP, len(clientip) > 0, clientip),
	get_resultSignature_resCode = if(resultSignature ~= "^\d{3}$", to_integer(resultSignature)),
	get_callerIpAddress_ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(callerIpAddress, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
	get_callerIpAddress_ipv6 = if(callerIpAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", arrayindex(regextract(callerIpAddress, "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}"), 0)),
	get_ruleSetType = coalesce(rulesettype , properties -> ruleSetType),
	get_ruleSetVersion = coalesce(rulesetversion , properties -> ruleSetVersion),
	get_ruleID = coalesce(ruleid , properties -> ruleId),
	get_ruleGroup = coalesce(ruleGroup_s, properties -> ruleGroup),
	get_details = object_create("Detailed Data", detaileddata , "Detailed Message", detailedmessage , "Configuration Rule File Name", filedetails ),
    get_intermediate_port = to_integer(arrayindex(regextract(serverrouted ,":(\d+)"),0)),
    get_intermediate_ipv4 = arrayindex(regextract(serverrouted ,"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0)
	
| alter
	get_properties_clientip_ipv4 = if(get_properties_clientip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_clientip, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
	get_properties_clientip_ipv6 = if(get_properties_clientip ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_clientip),
	get_properties_host_ipv4 = if(get_properties_host ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_host, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
	get_properties_host_ipv6 = if(get_properties_host ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_host),
	get_properties_host_name = if(get_properties_host ~= "[a-zA-Z0-9]", get_properties_host),
	get_properties_hostname_ipv4 = if(get_properties_hostname ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_hostname, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
	get_properties_hostname_ipv6 = if(get_properties_hostname ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_hostname),
	get_properties_hostname_name = if(get_properties_hostname ~= "[a-zA-Z0-9]", get_properties_hostname),
	get_properties_originalHost_ipv4 = if(get_properties_originalHost ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_originalHost, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
	get_properties_originalHost_ipv6 = if(get_properties_originalHost ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_originalHost),
	get_properties_originalHost_name = if(get_properties_originalHost ~= "[a-zA-Z0-9]", get_properties_originalHost),
    get_error_information_outcome = if(errorinfo = "ERRORINFO_NO_ERROR", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
    get_error_information_outcome_reason = if(
        errorinfo = "ERRORINFO_NO_ERROR", "No error was found.",
        errorinfo = "ERRORINFO_INVALID_METHOD", "The client sent a request that is non-RFC compliant. Possible reasons: client using HTTP method not supported by server, misspelled method, incompatible HTTP protocol version etc.",
        errorinfo = "ERRORINFO_INVALID_REQUEST", "The server can't fulfill the request because of incorrect syntax.",
        errorinfo = "ERRORINFO_INVALID_VERSION", "The application gateway received a request with an invalid or unsupported HTTP version.",
        errorinfo = "ERRORINFO_INVALID_09_METHOD", "The client sent request with HTTP Protocol version 0.9.",
        errorinfo = "ERRORINFO_INVALID_HOST", "The value provided in the Host header is either missing, improperly formatted, or does not match the expected host value. For example, when there's no Basic listener, and none of the hostnames of Multisite listeners match with the host.",
        errorinfo = "ERRORINFO_INVALID_CONTENT_LENGTH", "The length of the content specified by the client in the content-Length header does not match the actual length of the content in the request.",
        errorinfo = "ERRORINFO_INVALID_METHOD_TRACE", "The client sent HTTP TRACE method, which the application gateway doesn't support.",
        errorinfo = "ERRORINFO_CLIENT_CLOSED_REQUEST", "The client closed the connection with the application gateway before the idle timeout period elapsed. Check whether the client timeout period is greater than the idle timeout period for the application gateway.",
        errorinfo = "ERRORINFO_REQUEST_URI_INVALID", "Indicates issue with the Uniform Resource Identifier (URI) provided in the client's request.",
        errorinfo = "ERRORINFO_HTTP_NO_HOST_HEADER", "Client sent a request without Host header.",
        errorinfo = "ERRORINFO_HTTP_TO_HTTPS_PORT", "The client sent a plain HTTP request to an HTTPS port.",
        errorinfo = "ERRORINFO_HTTPS_NO_CERT", "Indicates client isn't sending a valid and properly configured TLS certificate during Mutual TLS authentication.",
        errorinfo = "ERRORINFO_UPSTREAM_NO_LIVE", "The application gateway is unable to find any active or reachable backend servers to handle incoming requests.",
        errorinfo = "ERRORINFO_UPSTREAM_CLOSED_CONNECTION", "The backend server closed the connection unexpectedly or before the request was fully processed. This condition could happen due to backend server reaching its limits, crashing etc.",
        errorinfo = "ERRORINFO_UPSTREAM_TIMED_OUT", "The established TCP connection with the server was closed as the connection took longer than the configured timeout value.",
        errorinfo = "ERRORINFO_INVALID_HEADER", "Application Gateway detected a partial invalid header and forwarded the remaining header to the backend, which responded with 500. Ensure the client's request header does not contain CR, LF, NULL, or similar characters. Replace such characters with SP (whitespace)."),
    get_resultType_outcome_reason = if(resultType !~= "\d+", resultType, resultType ~= "\d+" and resultDescription != null, concat(resultDescription, " Error Code: ", resultType), concat("Error Code: ", resultType)),
	get_resultType_outcome= if(get_properties_action ~= "lock", XDM_CONST.OUTCOME_FAILED, get_properties_action = "Allowed", XDM_CONST.OUTCOME_SUCCESS, get_properties_action ~= "Matched|Detected", XDM_CONST.OUTCOME_PARTIAL, resultType ~= "Start", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "[Pp]rogress", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Succe", XDM_CONST.OUTCOME_SUCCESS, resultType ~= "Fail", XDM_CONST.OUTCOME_FAILED, resultType ~= "Active", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Resolv", XDM_CONST.OUTCOME_SUCCESS, resultType = null, null, to_string(resultType))
| alter
	check_response_code = coalesce(get_properties_httpStatus, get_resultSignature_resCode),
	check_duration = coalesce(to_integer(properties -> timeTaken), to_integer(durationMs),multiply(to_float(timetaken),1000)),
	check_hostname = arraydistinct(arraycreate(get_properties_host_name, get_properties_hostname_name, get_properties_originalHost_name)),
	check_type_for_rule_name = if(type = "AGWAccessLogs", rulename, type = "AGWFirewallLogs", to_string(object_create("ruleSetType", get_ruleSetType , "ruleSetVersion", get_ruleSetVersion , "ruleId", get_ruleID , "ruleGroup", get_ruleGroup )))
| alter
    xdm.alert.description = coalesce(properties -> message,message),
    xdm.event.description = coalesce(to_string(properties -> details{}), to_string(get_details)),
    xdm.event.duration = check_duration,
    xdm.event.id = coalesce(properties -> transactionId,transactionId),
    xdm.event.outcome_reason = coalesce(if(len(get_resultType_outcome_reason) > 0, get_resultType_outcome_reason, null) , if(len(get_error_information_outcome_reason) > 0, get_error_information_outcome_reason, null)),
	xdm.event.outcome = coalesce(get_resultType_outcome , get_error_information_outcome ),    
    xdm.network.http.content_type = properties -> contentType,
    xdm.network.http.method = if(get_properties_httpMethod = "ACL", XDM_CONST.HTTP_METHOD_ACL, get_properties_httpMethod = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, get_properties_httpMethod = "BIND", XDM_CONST.HTTP_METHOD_BIND, get_properties_httpMethod = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, get_properties_httpMethod = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, get_properties_httpMethod = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, get_properties_httpMethod = "COPY", XDM_CONST.HTTP_METHOD_COPY, get_properties_httpMethod = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, get_properties_httpMethod = "GET", XDM_CONST.HTTP_METHOD_GET, get_properties_httpMethod = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, get_properties_httpMethod = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, get_properties_httpMethod = "LINK", XDM_CONST.HTTP_METHOD_LINK, get_properties_httpMethod = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, get_properties_httpMethod = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, get_properties_httpMethod = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, get_properties_httpMethod = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, get_properties_httpMethod = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, get_properties_httpMethod = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, get_properties_httpMethod = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, get_properties_httpMethod = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, get_properties_httpMethod = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, get_properties_httpMethod = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, get_properties_httpMethod = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, get_properties_httpMethod = "POST", XDM_CONST.HTTP_METHOD_POST, get_properties_httpMethod = "PRI", XDM_CONST.HTTP_METHOD_PRI, get_properties_httpMethod = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, get_properties_httpMethod = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, get_properties_httpMethod = "PUT", XDM_CONST.HTTP_METHOD_PUT, get_properties_httpMethod = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, get_properties_httpMethod = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, get_properties_httpMethod = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, get_properties_httpMethod = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, get_properties_httpMethod = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, get_properties_httpMethod = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, get_properties_httpMethod = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, get_properties_httpMethod = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, get_properties_httpMethod = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, get_properties_httpMethod = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, get_properties_httpMethod = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, get_properties_httpMethod = null, null, to_string(get_properties_httpMethod)),
    xdm.network.http.response_code = if(check_response_code = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, check_response_code = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, check_response_code = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, check_response_code = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, check_response_code = 200, XDM_CONST.HTTP_RSP_CODE_OK, check_response_code = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, check_response_code = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, check_response_code = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, check_response_code = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, check_response_code = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, check_response_code = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, check_response_code = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, check_response_code = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, check_response_code = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, check_response_code = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, check_response_code = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, check_response_code = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, check_response_code = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, check_response_code = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, check_response_code = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, check_response_code = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, check_response_code = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, check_response_code = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, check_response_code = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, check_response_code = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, check_response_code = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, check_response_code = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, check_response_code = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, check_response_code = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, check_response_code = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, check_response_code = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, check_response_code = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, check_response_code = 410, XDM_CONST.HTTP_RSP_CODE_GONE, check_response_code = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, check_response_code = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, check_response_code = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, check_response_code = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, check_response_code = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, check_response_code = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, check_response_code = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, check_response_code = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, check_response_code = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, check_response_code = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, check_response_code = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, check_response_code = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, check_response_code = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, check_response_code = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, check_response_code = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, check_response_code = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, check_response_code = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, check_response_code = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, check_response_code = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, check_response_code = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, check_response_code = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, check_response_code = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, check_response_code = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, check_response_code = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, check_response_code = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, check_response_code = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, check_response_code = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, check_response_code = null, null, to_string(check_response_code)),
    xdm.network.session_id = to_string(properties -> connectionSerialNumber),
    xdm.network.tls.cipher = coalesce(properties -> sslCipher, sslcipher),
    xdm.network.tls.client_certificate.issuer = properties -> sslClientCertificateIssuerName,
	xdm.network.tls.protocol_version = coalesce(properties -> sslProtocol, sslProtocol),
    xdm.network.rule = to_string(check_type_for_rule_name),
    xdm.source.cloud.project = Tenant,
    xdm.source.host.hostname = arrayindex(check_hostname, 0),
    xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(get_properties_host_ipv4, get_properties_hostname_ipv4, get_properties_originalHost_ipv4)),
	xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(get_properties_host_ipv6, get_properties_hostname_ipv6, get_properties_originalHost_ipv6)),
	xdm.source.ipv4 = coalesce(get_properties_clientip_ipv4, get_callerIpAddress_ipv4),
	xdm.source.ipv6	= coalesce(get_properties_clientip_ipv6, get_callerIpAddress_ipv6),
    xdm.source.port = to_integer(coalesce(to_string(properties -> clientPort), to_string(upstreamsourceport))),
    xdm.source.sent_bytes = coalesce(to_integer(properties -> sentBytes), to_integer(sentBytes)),
    xdm.source.user_agent = coalesce(properties -> userAgent,useragent),
	xdm.intermediate.host.hostname = coalesce(properties -> instanceId, instanceid),
    xdm.intermediate.port = get_intermediate_port,
    xdm.intermediate.ipv4 = get_intermediate_ipv4, 
    xdm.observer.action = get_properties_action,
    xdm.observer.name = coalesce(properties -> WAFMode, wafmode ,arrayindex(regextract(resourceId, "/([^\/]+)$"), -1)),
	xdm.observer.unique_identifier = properties -> WAFPolicyID,
	xdm.observer.type = if(properties -> engine = "Azwaf", "MICROSOFT.NETWORK/APPLICATIONGATEWAYS"),
	xdm.target.sent_bytes = coalesce(to_integer(properties -> receivedBytes), to_integer(receivedbytes)),
    xdm.target.resource.type = if(get_properties_requestQuery = null, null, get_properties_requestQuery ~= "^\s*$", null, "requestQuery"),
	xdm.target.resource.value = if(get_properties_requestQuery = null, null, get_properties_requestQuery ~= "^\s*$", null, get_properties_requestQuery),
    xdm.target.url = coalesce(get_properties_originalRequestUriWithArgs, get_properties_requestUri);



[MODEL: dataset=msft_azure_waf_raw]
filter Category = "FrontDoorAccessLog"
| call msft_azure_resourcelogs_common_fields
| call front_door_common_fields
| call front_door_access_log;

filter Category = "FrontDoorWebApplicationFirewallLog"
| call msft_azure_resourcelogs_common_fields
| call front_door_common_fields
| call front_door_waf_log ;

filter Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog") OR type in ("AGWAccessLogs", "AGWFirewallLogs")
| call msft_azure_resourcelogs_common_fields
| call application_gateway_access_and_waf_logs;

Schema

msft_azure_waf_raw

Field Type Array?
Resource string
ResourceGroup string
ResourceType string
SubscriptionId string
Tenant string
TimeGenerated datetime
TimeTaken string
UserAgent string
action string
action_s string
callerIpAddress string
category string
clientCountry_s string
clientIP_s string
clientPort_d int
clientPort_s string
clientip string
correlationId string
detaileddata string
detailedmessage string
details_data_s string
domain_s string
durationMs string
endpoint_s string
errorInfo_s string
errorinfo string
filedetails string
host string
host_s string
hostname string
httpMethod_s string
httpStatusCode_d int
httpStatusCode_s string
httpStatusDetails_s string
httpmethod string
httpstatus int
identity string
instanceid string
level string
location string
message string
operationName string
originCryptProtocol_s string
originIp_s string
originName_s string
originUrl_s string
originalhost string
originalrequesturiwithargs string
properties string
receivedbytes int
referer_s string
requestBytes_s string
requestProtocol_s string
requestUri_s string
requesturi string
resourceId string
responseBytes_s string
resultDescription string
resultSignature string
resultType string
routingRuleName_s string
ruleGroup_s string
ruleName_s string
ruleid string
rulename string
rulesettype string
rulesetversion string
securityCipher_s string
securityProtocol_s string
sentbytes int
serverrouted string
sni_s string
socketIP_s string
sslcipher string
sslprotocol string
tenantId string
timeTaken_d float
timeTaken_s string
trackingReference_s string
transactionid string
type string
upstreamsourceport string
userAgent_s string
wafmode string
Raw JSON
{
    "msft_azure_waf_raw": {
        "type": {
            "type": "string",
            "is_array": false
        },
        "transactionid": {
            "type": "string",
            "is_array": false
        },
        "clientip": {
            "type": "string",
            "is_array": false
        },
        "instanceid": {
            "type": "string",
            "is_array": false
        },
        "requesturi": {
            "type": "string",
            "is_array": false
        },
        "upstreamsourceport": {
            "type": "string",
            "is_array": false
        },
        "errorinfo": {
            "type": "string",
            "is_array": false
        },
        "rulename": {
            "type": "string",
            "is_array": false
        },
        "serverrouted": {
            "type": "string",
            "is_array": false
        },
        "originalhost": {
            "type": "string",
            "is_array": false
        },
        "host": {
            "type": "string",
            "is_array": false
        },
        "httpmethod": {
            "type": "string",
            "is_array": false
        },
        "httpstatus": {
            "type": "int",
            "is_array": false
        },
        "originalrequesturiwithargs": {
            "type": "string",
            "is_array": false
        },
        "receivedbytes": {
            "type": "int",
            "is_array": false
        },
        "sentbytes": {
            "type": "int",
            "is_array": false
        },
        "sslcipher": {
            "type": "string",
            "is_array": false
        },
        "sslprotocol": {
            "type": "string",
            "is_array": false
        },
        "wafmode": {
            "type": "string",
            "is_array": false
        },
        "action": {
            "type": "string",
            "is_array": false
        },
        "message": {
            "type": "string",
            "is_array": false
        },
        "detaileddata": {
            "type": "string",
            "is_array": false
        },
        "detailedmessage": {
            "type": "string",
            "is_array": false
        },
        "filedetails": {
            "type": "string",
            "is_array": false
        },
        "hostname": {
            "type": "string",
            "is_array": false
        },
        "ruleid": {
            "type": "string",
            "is_array": false
        },
        "ruleGroup_s": {
            "type": "string",
            "is_array": false
        },
        "rulesettype": {
            "type": "string",
            "is_array": false
        },
        "rulesetversion": {
            "type": "string",
            "is_array": false
        },
        "resourceId": {
            "type": "string",
            "is_array": false
        },
        "tenantId": {
            "type": "string",
            "is_array": false
        },
        "operationName": {
            "type": "string",
            "is_array": false
        },
        "category": {
            "type": "string",
            "is_array": false
        },
        "resultType": {
            "type": "string",
            "is_array": false
        },
        "resultSignature": {
            "type": "string",
            "is_array": false
        },
        "resultDescription": {
            "type": "string",
            "is_array": false
        },
        "durationMs": {
            "type": "string",
            "is_array": false
        },
        "callerIpAddress": {
            "type": "string",
            "is_array": false
        },
        "correlationId": {
            "type": "string",
            "is_array": false
        },
        "SubscriptionId": {
            "type": "string",
            "is_array": false
        },
        "identity": {
            "type": "string",
            "is_array": false
        },
        "level": {
            "type": "string",
            "is_array": false
        },
        "location": {
            "type": "string",
            "is_array": false
        },
        "Tenant": {
            "type": "string",
            "is_array": false
        },
        "properties": {
            "type": "string",
            "is_array": false
        },
        "TimeGenerated": {
            "type": "datetime",
            "is_array": false
        },
        "Resource": {
            "type": "string",
            "is_array": false
        },
        "ResourceGroup": {
            "type": "string",
            "is_array": false
        },
        "ResourceType": {
            "type": "string",
            "is_array": false
        },
        "clientIP_s": {
            "type": "string",
            "is_array": false
        },
        "clientPort_d": {
            "type": "int",
            "is_array": false
        },
        "clientPort_s": {
            "type": "string",
            "is_array": false
        },
        "socketIP_s": {
            "type": "string",
            "is_array": false
        },
        "requestUri_s": {
            "type": "string",
            "is_array": false
        },
        "trackingReference_s": {
            "type": "string",
            "is_array": false
        },
        "errorInfo_s": {
            "type": "string",
            "is_array": false
        },
        "originIp_s": {
            "type": "string",
            "is_array": false
        },
        "endpoint_s": {
            "type": "string",
            "is_array": false
        },
        "originName_s": {
            "type": "string",
            "is_array": false
        },
        "originUrl_s": {
            "type": "string",
            "is_array": false
        },
        "domain_s": {
            "type": "string",
            "is_array": false
        },
        "sni_s": {
            "type": "string",
            "is_array": false
        },
        "httpStatusDetails_s": {
            "type": "string",
            "is_array": false
        },
        "httpStatusCode_s": {
            "type": "string",
            "is_array": false
        },
        "httpStatusCode_d": {
            "type": "int",
            "is_array": false
        },
        "requestProtocol_s": {
            "type": "string",
            "is_array": false
        },
        "requestBytes_s": {
            "type": "string",
            "is_array": false
        },
        "responseBytes_s": {
            "type": "string",
            "is_array": false
        },
        "securityCipher_s": {
            "type": "string",
            "is_array": false
        },
        "referer_s": {
            "type": "string",
            "is_array": false
        },
        "httpMethod_s": {
            "type": "string",
            "is_array": false
        },
        "timeTaken_d": {
            "type": "float",
            "is_array": false
        },
        "timeTaken_s": {
            "type": "string",
            "is_array": false
        },
        "TimeTaken": {
            "type": "string",
            "is_array": false
        },
        "userAgent_s": {
            "type": "string",
            "is_array": false
        },
        "UserAgent": {
            "type": "string",
            "is_array": false
        },
        "clientCountry_s": {
            "type": "string",
            "is_array": false
        },
        "securityProtocol_s": {
            "type": "string",
            "is_array": false
        },
        "originCryptProtocol_s": {
            "type": "string",
            "is_array": false
        },
        "routingRuleName_s": {
            "type": "string",
            "is_array": false
        },
        "action_s": {
            "type": "string",
            "is_array": false
        },
        "host_s": {
            "type": "string",
            "is_array": false
        },
        "ruleName_s": {
            "type": "string",
            "is_array": false
        },
        "details_data_s": {
            "type": "string",
            "is_array": false
        }
    }
}