- "transformKql": "source | extend TimeGenerated = todatetime(created_time), id = iff(isempty(tostring(id)), tostring(oid), tostring(id)), event_type = tostring(type), log_type = tostring(type), actor_device_guid = tostring(actor.guid), device_guid = tostring(device.guid), device_activated_at = todatetime(device.activated_at), device_activation_status = tostring(device.activation_status), device_checkin_time = todatetime(device.checkin_time), device_customer_id = tostring(device.customer_device_id), device_deactivated_at = todatetime(device.deactivated_at), device_group_guid = tostring(device.device_group_guid), device_platform = tostring(device.platform), device_os_version = tostring(device.os_version), device_manufacturer = tostring(device.manufacturer), device_model = tostring(device.model), device_email_address = tostring(device.email_address), device_security_status = tostring(device.security_status), client_lookout_sdk_version = tostring(device.client.lookout_sdk_version), client_ota_version = tostring(device.client.ota_version), client_package_name = tostring(device.client.package_name), client_package_version = tostring(device.client.package_version), mdm_connector_id = toint(device.details.mdm_connector_id), mdm_connector_uuid = tostring(device.details.mdm_connector_uuid), mdm_external_id = tostring(device.details.external_id), threat_id = tostring(threat.id), threat_type = tostring(threat.type), threat_action = tostring(threat.action), threat_severity = tostring(threat.severity), threat_classification = tostring(threat.classification), threat_classifications = tostring(threat.classifications), threat_risk = tostring(threat.risk), threat_status = tostring(threat.status), threat_assessments = tostring(threat.assessments), threat_description = tostring(threat.description), threat_application_name = tostring(threat.application_name), threat_package_name = tostring(threat.package_name), threat_package_sha = tostring(threat.package_sha), threat_file_name = 
tostring(threat.file_name), threat_file_path = tostring(threat.path), threat_pcp_reporting_reason = tostring(threat.pcp_reporting_reason), threat_pcp_device_response = tostring(threat.pcp_device_response), audit_type = tostring(audit.type), actor_type = tostring(actor.type), actor_guid = tostring(actor.guid), target_type = tostring(target.type), target_guid = tostring(target.guid), target_email_address = tostring(target.email_address), target_platform = tostring(target.platform), target_os_version = tostring(target.os_version), target_manufacturer = tostring(target.manufacturer), target_model = tostring(target.model), smishing_alert_id = tostring(smishing_alert.id), smishing_alert_type = tostring(smishing_alert.type), smishing_alert_severity = tostring(smishing_alert.severity), smishing_alert_description = tostring(smishing_alert.description), device_permissions = device.device_permissions, device_settings = device.device_settings, device_vulns = device.device_vulns, risky_config = device.risky_config, audit_attribute_changes = audit.attribute_changes, smishing_detections = smishing_alert.detections",