+ "query": "let parser=(disabled:boolean=false)\n {\n DeviceProcessEvents \n | where not(disabled)\n | extend\n Type = \"DeviceProcessEvents\",\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.4',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(Timestamp),\n EventEndTime = todatetime(Timestamp),\n EventResult = 'Success'\n | extend\n EventUid = EventOriginalUid,\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\"),\n TargetProcessFileSize = iif(FileSize != 0, FileSize, dynamic(null)),\n ActingProcessFileSize = iif(InitiatingProcessFileSize != 0, InitiatingProcessFileSize, dynamic(null))\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n 
TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n TargetProcessFileCompany = ProcessVersionInfoCompanyName,\n TargetProcessFileDescription = ProcessVersionInfoFileDescription,\n TargetProcessFileProduct = ProcessVersionInfoProductName,\n TargetProcessFileVersion = ProcessVersionInfoProductVersion,\n TargetProcessFileInternalName = ProcessVersionInfoInternalFileName,\n TargetProcessFileOriginalName = ProcessVersionInfoOriginalFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessFileCompany = InitiatingProcessVersionInfoCompanyName,\n ActingProcessFileDescription = InitiatingProcessVersionInfoFileDescription,\n ActingProcessFileProduct = InitiatingProcessVersionInfoProductName,\n ActingProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n ActingProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n ActingProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend // 
-- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project\n TimeGenerated,\n Type,\n EventUid,\n EventOriginalUid,\n EventCount,\n EventProduct,\n EventVendor,\n EventSchemaVersion,\n EventSchema,\n EventStartTime,\n EventEndTime,\n EventResult,\n ActorUsername,\n ActorUserIdType,\n TargetUserIdType,\n ActorUsernameType,\n TargetUsername,\n TargetUsernameType,\n ActorSessionId,\n Hash,\n TargetProcessId,\n ActingProcessId,\n ParentProcessId,\n DvcOs,\n HashType,\n DvcId,\n DvcHostname,\n DvcDomain,\n DvcDomainType,\n EventType,\n ActorUserId,\n ActorUserAadId,\n ActorUserUpn,\n TargetUserId,\n TargetUserAadId,\n TargetUserUpn,\n ParentProcessName,\n TargetProcessFilename,\n ParentProcessCreationTime,\n TargetProcessName,\n TargetProcessCommandLine,\n TargetProcessMD5,\n TargetProcessSHA1,\n TargetProcessSHA256,\n TargetProcessIntegrityLevel,\n TargetProcessTokenElevation,\n TargetProcessCreationTime,\n TargetProcessFileCompany,\n TargetProcessFileDescription,\n TargetProcessFileProduct,\n TargetProcessFileVersion,\n TargetProcessFileInternalName,\n TargetProcessFileOriginalName,\n TargetProcessFileSize,\n ActingProcessName,\n ActingProcessFilename,\n ActingProcessCommandLine,\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256,\n ActingProcessIntegrityLevel,\n ActingProcessTokenElevation,\n ActingProcessCreationTime,\n ActingProcessFileCompany,\n ActingProcessFileDescription,\n ActingProcessFileProduct,\n ActingProcessFileVersion,\n ActingProcessFileInternalName,\n ActingProcessFileOriginalName,\n ActingProcessFileSize,\n User,\n CommandLine,\n Process,\n Dvc,\n AdditionalFields\n };\n parser (disabled = disabled)",