Rules (XQL)
[INGEST:vendor="msft", product="azure", target_dataset="msft_azure_raw", no_hit=drop]
//
// Azure Services categories and types that are excluded from this pack and are available in a dedicated pack.
//
filter
category not in(
"AZFW*",
"FrontDoorAccessLog",
"FrontDoorWebApplicationFirewallLog",
"ApplicationGateway*",
"AppServiceHTTPLogs",
"AppServiceConsoleLogs",
"AppServiceAppLogs",
"AppServiceIPSecAuditLogs",
"AppServicePlatformLogs",
"AppServiceAntivirusScanAuditLogs",
"AppServiceFileAuditLogs",
"FunctionAppLogs",
"AppServiceAuditLogs",
"WorkflowRuntime",
"AppServiceEnvironmentPlatformLogs",
"cloud-controller-manager",
"cluster-autoscaler",
"kube-audit",
"kube-audit-admin",
"kube-apiserver",
"kube-controller-manager",
"kube-scheduler",
"csi-snapshot-controller",
"csi-azuredisk-controller",
"csi-azurefile-controller",
"SoftwareUpdateProfile",
"SoftwareUpdates",
"guard",
"NetworkSecurityGroupFlowEvent",
"FlowLogFlowEvent"
)
AND Type NOT IN (
"AzureDevOpsAuditing",
"AGWAccessLogs",
"AGWFirewallLogs",
"AKSAudit",
"AKSAuditAdmin",
"NTA*"
)
AND _raw_log ->[0].eventType NOT IN ("AzureDevOpsAuditEvent")
AND _raw_log -> Type NOT IN ("NTA*")
//
// The actual timestamp ingestion available for this pack:
//
| alter tmp_time = if(
category in ("AuditLogs", "ProvisioningLogs", "ServicePrincipalRiskEvents", "UserRiskEvents"), properties -> activityDateTime,
category in ("ADFSSignInLogs", "ManagedIdentitySignInLogs", "NonInteractiveUserSignInLogs", "ServicePrincipalSignInLogs", "SignInLogs"), properties -> createdDateTime,
category in ("RiskyServicePrincipals", "RiskyUsers"), properties -> riskLastUpdatedDateTime,
CategoryValue in("Administrative", "Policy", "Alert") and (category = null or category = ""), to_string(TimeGenerated),
to_string(time))
| alter tmp_time = if(tmp_time = null or tmp_time = "", to_string(TimeGenerated), tmp_time)
| alter tmp_time = replace(tmp_time, "Z", "+00:00") // normalize zulu time suffix notation to a numerical offset
| alter _time = if(tmp_time ~= "\d{4}\-\d{2}\-\d{2}T\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?[+-]\d{2}:\d{2}", parse_timestamp("%FT%H:%M:%E*S%Ez", tmp_time), _insert_time) // assert an RFC3339 compatible timestamp (e.g. "2024-09-24T19:41:59.698+03:00") or fallback to ingestion time
| fields - tmp_time;
[INGEST:vendor="msft", product="Azure AD", target_dataset="msft_azure_ad_raw", no_hit=keep]
filter to_string(createdDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
| alter
_time = createdDateTime;
[INGEST:vendor="msft", product="Azure AD Audit", target_dataset="msft_azure_ad_audit_raw", no_hit=keep]
filter to_string(activityDateTime) ~= ".*\d{2}:\d{2}:\d{2}.*"
| alter
tmp_get_keys = rtrim(arraystring(arraymap(arraymap(to_string(additionalDetails) -> [], "@element" -> key), concat("(?P<", replex("@element", "[^a-zA-Z0-9_]", "_"), ">[^|]+)?\|")), ""), "\|"),
tmp_get_values = replex(replex(arraystring(arraymap(to_string(additionalDetails) -> [], if("@element" -> value = "" or "@element" -> value = null, "null", "@element" -> value)), "|"), "(?:^|)null(?:\||$)", "|"), "\|$", "")
| alter
parsed_fields = if(tmp_get_values = null or tmp_get_values ~= "^\s*$", null, regexcapture(tmp_get_values, tmp_get_keys)),
_time = parse_timestamp("%Y-%m-%dT%H:%M:%E*SZ", to_string(activityDateTime))
| fields -tmp_*;