From b7b7e2c1835f6388959925119b2c83b8325186ce Mon Sep 17 00:00:00 2001 From: Kyle West Date: Thu, 19 Mar 2026 11:43:20 -0600 Subject: [PATCH 1/4] update solution to handle events with ocsf schemas --- .../Halcyon_ccp/Halcyon_DCR.json | 1590 +----- .../Halcyon_connectorDefinition.json | 80 +- .../Halcyon_table_AuthenticationEvent.json | 483 -- .../Halcyon_table_DnsActivity.json | 455 -- .../Halcyon_table_FileActivity.json | 435 -- .../Halcyon_table_NetworkSession.json | 659 --- .../Halcyon_table_ProcessEvent.json | 511 -- .../Halcyon_ccp/Halcyon_table_events.json | 155 + Solutions/Halcyon/Data/Solution_Halcyon.json | 6 +- Solutions/Halcyon/Package/3.1.0.zip | Bin 0 -> 10002 bytes .../Halcyon/Package/createUiDefinition.json | 2 +- Solutions/Halcyon/Package/mainTemplate.json | 4512 +---------------- .../Parsers/ASimAuthenticationHalcyon.yaml | 38 +- Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml | 45 +- .../Halcyon/Parsers/ASimFileEventHalcyon.yaml | 45 +- .../Parsers/ASimNetworkSessionHalcyon.yaml | 48 +- .../Parsers/ASimProcessEventHalcyon.yaml | 50 +- Solutions/Halcyon/ReleaseNotes.md | 3 +- Solutions/Halcyon/SolutionMetadata.json | 2 +- 19 files changed, 702 insertions(+), 8417 deletions(-) delete mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json delete mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json delete mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json delete mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json delete mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json create mode 100644 Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json create mode 100644 Solutions/Halcyon/Package/3.1.0.zip 
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json index 9c2976715ce..68f938630ed 100644 --- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json +++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_DCR.json 
@@ -9,1580 +9,148 @@ "Custom-Halcyon": { "columns": [ { - "name": "ActingAppId", - "type": "string" - }, - { - "name": "ActingAppName", - "type": "string" - }, - { - "name": "ActingAppType", - "type": "string" - }, - { - "name": "ActingOriginalAppType", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" - }, - { - "name": "ActingProcessCreationTime", - "type": "datetime" - }, - { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileInternalName", - "type": "string" - }, - { - "name": "ActingProcessFilename", - "type": "string" - }, - { - "name": "ActingProcessFileOriginalName", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessInjectedAddress", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessIsHidden", - "type": "boolean" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "ActorOriginalUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActorUserAadId", - "type": "string" - }, - { - "name": 
"ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserSid", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "DhcpCircuitId", - "type": "string" - }, - { - "name": "DhcpLeaseDuration", - "type": "int" - }, - { - "name": "DhcpSessionDuration", - "type": "int" - }, - { - "name": "DhcpSessionId", - "type": "string" - }, - { - "name": "DhcpSrcDHCId", - "type": "string" - }, - { - "name": "DhcpSubscriberId", - "type": "string" - }, - { - "name": "DhcpUserClass", - "type": "string" - }, - { - "name": "DhcpUserClassId", - "type": "string" - }, - { - "name": "DhcpVendorClass", - "type": "string" - }, - { - "name": "DhcpVendorClassId", - "type": "string" - }, - { - "name": "DnsFlags", - "type": "string" - }, - { - "name": "DnsFlagsAuthenticated", - "type": "boolean" - }, - { - "name": "DnsFlagsAuthoritative", - "type": "boolean" - }, - { - "name": "DnsFlagsCheckingDisabled", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionAvailable", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionDesired", - "type": "boolean" - }, - { - "name": "DnsFlagsTruncated", - "type": "boolean" - }, - { - "name": "DnsFlagsZ", - "type": "boolean" - }, - { - "name": "DnsNetworkDuration", - "type": "int" - }, - { - "name": "DnsQuery", - "type": "string" - }, - { - "name": "DnsQueryClass", - "type": "int" - }, - { - "name": "DnsQueryClassName", - "type": "string" - }, - { - "name": "DnsQueryType", - "type": "int" - }, - { - "name": "DnsQueryTypeName", - "type": "string" - }, - { - "name": "DnsResponseCode", - "type": "int" - }, - { - "name": "DnsResponseIpCity", - "type": "string" - }, - { - "name": "DnsResponseIpCountry", - "type": "string" - }, - { - "name": "DnsResponseIpLatitude", - "type": "real" - }, - 
{ - "name": "DnsResponseIpLongitude", - "type": "real" - }, - { - "name": "DnsResponseIpRegion", - "type": "string" - }, - { - "name": "DnsResponseName", - "type": "string" - }, - { - "name": "DnsSessionId", - "type": "string" - }, - { - "name": "Dst", - "type": "string" - }, - { - "name": "DstAppId", - "type": "string" - }, - { - "name": "DstAppName", - "type": "string" - }, - { - "name": "DstAppType", - "type": "string" - }, - { - "name": "DstBytes", - "type": "long" - }, - { - "name": "DstDescription", - "type": "string" - }, - { - "name": "DstDeviceType", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstDvcScope", - "type": "string" - }, - { - "name": "DstDvcScopeId", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": "DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": "DstHostname", - "type": "string" - }, - { - "name": "DstInterfaceGuid", - "type": "string" - }, - { - "name": "DstInterfaceName", - "type": "string" - }, - { - "name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstMacAddr", - "type": "string" - }, - { - "name": "DstNatIpAddr", - "type": "string" - }, - { - "name": "DstNatPortNumber", - "type": "int" - }, - { - "name": "DstOriginalRiskLevel", - "type": "string" - }, - { - "name": "DstOriginalUserType", - "type": "string" - }, - { - "name": "DstPackets", - "type": "long" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstRiskLevel", - "type": "int" - }, - { - "name": "DstSubscriptionId", - "type": "string" - }, - { - "name": "DstUserId", - "type": "string" - }, - { - 
"name": "DstUserIdType", - "type": "string" - }, - { - "name": "DstUsername", - "type": "string" - }, - { - "name": "DstUsernameType", - "type": "string" - }, - { - "name": "DstUserType", - "type": "string" - }, - { - "name": "DstVlanId", - "type": "string" - }, - { - "name": "DstZone", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcInboundInterface", - "type": "string" - }, - { - "name": "DvcInterface", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcOutboundInterface", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcSubscriptionId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventOriginalSubType", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOwner", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { 
- "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventReportUrl", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "FileContentType", - "type": "string" - }, - { - "name": "FileMD5", - "type": "string" - }, - { - "name": "FileName", - "type": "string" - }, - { - "name": "FileSHA1", - "type": "string" - }, - { - "name": "FileSHA256", - "type": "string" - }, - { - "name": "FileSHA512", - "type": "string" - }, - { - "name": "FileSize", - "type": "int" - }, - { - "name": "GroupId", - "type": "string" - }, - { - "name": "GroupIdType", - "type": "string" - }, - { - "name": "GroupName", - "type": "string" - }, - { - "name": "GroupNameType", - "type": "string" - }, - { - "name": "GroupOriginalType", - "type": "string" - }, - { - "name": "GroupType", - "type": "string" - }, - { - "name": "HashType", - "type": "string" - }, - { - "name": "HttpContentFormat", - "type": "string" - }, - { - "name": "HttpContentType", - "type": "string" - }, - { - "name": "HttpHost", - "type": "string" - }, - { - "name": "HttpReferrer", - "type": "string" - }, - { - "name": "HttpRequestMethod", - "type": "string" - }, - { - "name": "HttpRequestTime", - "type": "int" - }, - { - "name": "HttpRequestXff", - "type": "string" - }, - { - "name": "HttpResponseTime", - "type": "int" - }, - { - "name": "HttpUserAgent", - "type": "string" - }, - { - "name": "HttpVersion", - "type": "string" - }, - { - "name": "LogonMethod", - "type": "string" - }, - { - "name": "LogonProtocol", - "type": "string" - }, - { 
- "name": "NetworkApplicationProtocol", - "type": "string" - }, - { - "name": "NetworkBytes", - "type": "long" - }, - { - "name": "NetworkConnectionHistory", - "type": "string" - }, - { - "name": "NetworkDirection", - "type": "string" - }, - { - "name": "NetworkDuration", - "type": "int" - }, - { - "name": "NetworkIcmpCode", - "type": "int" - }, - { - "name": "NetworkIcmpType", - "type": "string" - }, - { - "name": "NetworkPackets", - "type": "long" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "NetworkRuleName", - "type": "string" - }, - { - "name": "NetworkRuleNumber", - "type": "int" - }, - { - "name": "NetworkSessionId", - "type": "string" - }, - { - "name": "NewPropertyValue", - "type": "string" - }, - { - "name": "NewValue", - "type": "string" - }, - { - "name": "Object", - "type": "string" - }, - { - "name": "ObjectId", - "type": "string" - }, - { - "name": "ObjectType", - "type": "string" - }, - { - "name": "OldValue", - "type": "string" - }, - { - "name": "Operation", - "type": "string" - }, - { - "name": "OriginalObjectType", - "type": "string" - }, - { - "name": "ParentProcessCommandLine", - "type": "string" - }, - { - "name": "ParentProcessCreationTime", - "type": "datetime" - }, - { - "name": "ParentProcessFileCompany", - "type": "string" - }, - { - "name": "ParentProcessFileDescription", - "type": "string" - }, - { - "name": "ParentProcessFileProduct", - "type": "string" - }, - { - "name": "ParentProcessFileVersion", - "type": "string" - }, - { - "name": "ParentProcessGuid", - "type": "string" - }, - { - "name": "ParentProcessId", - "type": "string" - }, - { - "name": "ParentProcessIMPHASH", - "type": "string" - }, - { - "name": "ParentProcessInjectedAddress", - "type": "string" - }, - { - "name": "ParentProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ParentProcessIsHidden", - "type": "boolean" - }, - { - "name": "ParentProcessMD5", - "type": 
"string" - }, - { - "name": "ParentProcessName", - "type": "string" - }, - { - "name": "ParentProcessSHA1", - "type": "string" - }, - { - "name": "ParentProcessSHA256", - "type": "string" - }, - { - "name": "ParentProcessSHA512", - "type": "string" - }, - { - "name": "ParentProcessTokenElevation", - "type": "string" - }, - { - "name": "PreviousPropertyValue", - "type": "string" - }, - { - "name": "RegistryKey", - "type": "string" - }, - { - "name": "RegistryPreviousKey", - "type": "string" - }, - { - "name": "RegistryPreviousValue", - "type": "string" - }, - { - "name": "RegistryPreviousValueData", - "type": "string" - }, - { - "name": "RegistryPreviousValueType", - "type": "string" - }, - { - "name": "RegistryValue", - "type": "string" - }, - { - "name": "RegistryValueData", - "type": "string" - }, - { - "name": "RegistryValueType", - "type": "string" - }, - { - "name": "RequestedIpAddr", - "type": "string" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "SourceSystem", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcAppId", - "type": "string" - }, - { - "name": "SrcAppName", - "type": "string" - }, - { - "name": "SrcAppType", - "type": "string" - }, - { - "name": "SrcBytes", - "type": "long" - }, - { - "name": "SrcDescription", - "type": "string" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcDvcScope", - "type": "string" - }, - { - "name": "SrcDvcScopeId", - "type": "string" - }, - { - "name": "SrcFileCreationTime", - "type": "datetime" - }, - { - "name": "SrcFileDirectory", - "type": "string" - }, - { - "name": 
"SrcFileExtension", - "type": "string" - }, - { - "name": "SrcFileMD5", - "type": "string" - }, - { - "name": "SrcFileMimeType", - "type": "string" - }, - { - "name": "SrcFileName", - "type": "string" - }, - { - "name": "SrcFilePath", - "type": "string" - }, - { - "name": "SrcFilePathType", - "type": "string" - }, - { - "name": "SrcFileSHA1", - "type": "string" - }, - { - "name": "SrcFileSHA256", - "type": "string" - }, - { - "name": "SrcFileSHA512", - "type": "string" - }, - { - "name": "SrcFileSize", - "type": "long" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcInterfaceGuid", - "type": "string" - }, - { - "name": "SrcInterfaceName", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcMacAddr", - "type": "string" - }, - { - "name": "SrcNatIpAddr", - "type": "string" - }, - { - "name": "SrcNatPortNumber", - "type": "int" - }, - { - "name": "SrcOriginalRiskLevel", - "type": "string" - }, - { - "name": "SrcOriginalUserType", - "type": "string" - }, - { - "name": "SrcPackets", - "type": "long" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcRiskLevel", - "type": "int" - }, - { - "name": "SrcSubscriptionId", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { 
- "name": "SrcUserScope", - "type": "string" - }, - { - "name": "SrcUserScopeId", - "type": "string" - }, - { - "name": "SrcUserSessionId", - "type": "string" - }, - { - "name": "SrcUserType", - "type": "string" - }, - { - "name": "SrcUserUid", - "type": "string" - }, - { - "name": "SrcVlanId", - "type": "string" - }, - { - "name": "SrcZone", - "type": "string" - }, - { - "name": "TargetAppId", - "type": "string" - }, - { - "name": "TargetAppName", - "type": "string" - }, - { - "name": "TargetAppType", - "type": "string" - }, - { - "name": "TargetDescription", - "type": "string" - }, - { - "name": "TargetDeviceType", - "type": "string" - }, - { - "name": "TargetDomain", - "type": "string" - }, - { - "name": "TargetDomainType", - "type": "string" - }, - { - "name": "TargetDvcId", - "type": "string" - }, - { - "name": "TargetDvcIdType", - "type": "string" - }, - { - "name": "TargetDvcOs", - "type": "string" - }, - { - "name": "TargetDvcScope", - "type": "string" - }, - { - "name": "TargetDvcScopeId", - "type": "string" - }, - { - "name": "TargetFileCreationTime", + "name": "TimeGenerated", "type": "datetime" }, { - "name": "TargetFileDirectory", - "type": "string" - }, - { - "name": "TargetFileExtension", - "type": "string" - }, - { - "name": "TargetFileMD5", - "type": "string" - }, - { - "name": "TargetFileMimeType", - "type": "string" - }, - { - "name": "TargetFileName", - "type": "string" - }, - { - "name": "TargetFilePath", - "type": "string" - }, - { - "name": "TargetFilePathType", - "type": "string" - }, - { - "name": "TargetFileSHA1", - "type": "string" - }, - { - "name": "TargetFileSHA256", - "type": "string" - }, - { - "name": "TargetFileSHA512", - "type": "string" - }, - { - "name": "TargetFileSize", - "type": "long" - }, - { - "name": "TargetFQDN", - "type": "string" - }, - { - "name": "TargetGeoCity", - "type": "string" - }, - { - "name": "TargetGeoCountry", - "type": "string" - }, - { - "name": "TargetGeoLatitude", - "type": "real" - }, - { - "name": 
"TargetGeoLongitude", - "type": "real" - }, - { - "name": "TargetGeoRegion", - "type": "string" - }, - { - "name": "TargetHostname", - "type": "string" - }, - { - "name": "TargetIpAddr", - "type": "string" - }, - { - "name": "TargetOriginalAppType", - "type": "string" - }, - { - "name": "TargetOriginalRiskLevel", - "type": "string" - }, - { - "name": "TargetOriginalUserType", - "type": "string" - }, - { - "name": "TargetPortNumber", + "name": "activity_id", "type": "int" }, { - "name": "TargetProcessCommandLine", - "type": "string" - }, - { - "name": "TargetProcessCreationTime", - "type": "datetime" - }, - { - "name": "TargetProcessCurrentDirectory", + "name": "activity_name", "type": "string" }, { - "name": "TargetProcessFileCompany", - "type": "string" + "name": "category_uid", + "type": "int" }, { - "name": "TargetProcessFileDescription", + "name": "category_name", "type": "string" }, { - "name": "TargetProcessFileInternalName", - "type": "string" + "name": "class_uid", + "type": "int" }, { - "name": "TargetProcessFilename", + "name": "class_name", "type": "string" }, { - "name": "TargetProcessFileOriginalName", - "type": "string" + "name": "severity_id", + "type": "int" }, { - "name": "TargetProcessFileProduct", + "name": "severity", "type": "string" }, { - "name": "TargetProcessFileSize", + "name": "time", "type": "long" }, { - "name": "TargetProcessFileVersion", - "type": "string" - }, - { - "name": "TargetProcessGuid", - "type": "string" - }, - { - "name": "TargetProcessId", - "type": "string" - }, - { - "name": "TargetProcessIMPHASH", - "type": "string" - }, - { - "name": "TargetProcessInjectedAddress", - "type": "string" - }, - { - "name": "TargetProcessIntegrityLevel", - "type": "string" - }, - { - "name": "TargetProcessIsHidden", - "type": "boolean" - }, - { - "name": "TargetProcessMD5", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "string" - }, - { - "name": "TargetProcessSHA1", - "type": "string" - }, - { - "name": 
"TargetProcessSHA256", - "type": "string" + "name": "type_uid", + "type": "long" }, { - "name": "TargetProcessSHA512", + "name": "type_name", "type": "string" }, { - "name": "TargetProcessStatusCode", + "name": "message", "type": "string" }, { - "name": "TargetProcessTokenElevation", + "name": "raw_data", "type": "string" }, { - "name": "TargetRiskLevel", + "name": "status_id", "type": "int" }, { - "name": "TargetScope", - "type": "string" - }, - { - "name": "TargetScopeId", - "type": "string" - }, - { - "name": "TargetSessionId", - "type": "string" - }, - { - "name": "TargetUrl", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, - { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserScope", + "name": "status", "type": "string" }, { - "name": "TargetUserScopeId", - "type": "string" - }, - { - "name": "TargetUserSessionGuid", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetUserUid", - "type": "string" - }, - { - "name": "TcpFlagsAck", - "type": "boolean" - }, - { - "name": "TcpFlagsFin", - "type": "boolean" - }, - { - "name": "TcpFlagsPsh", - "type": "boolean" - }, - { - "name": "TcpFlagsRst", - "type": "boolean" - }, - { - "name": "TcpFlagsSyn", - "type": "boolean" - }, - { - "name": "TcpFlagsUrg", - "type": "boolean" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatConfidence", + "name": "action_id", "type": "int" }, { - "name": "ThreatField", - "type": "string" - }, - { - "name": "ThreatFilePath", + "name": "action", "type": "string" }, { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatFirstReportedTime_d", - "type": "datetime" + "name": "disposition_id", + "type": "int" }, { - "name": "ThreatId", + "name": 
"disposition", "type": "string" }, { - "name": "ThreatIpAddr", + "name": "rcode", "type": "string" }, { - "name": "ThreatIsActive", - "type": "boolean" + "name": "rcode_id", + "type": "int" }, { - "name": "ThreatLastReportedTime", - "type": "datetime" + "name": "metadata", + "type": "dynamic" }, { - "name": "ThreatLastReportedTime_d", - "type": "datetime" + "name": "unmapped", + "type": "dynamic" }, { - "name": "ThreatName", - "type": "string" + "name": "actor", + "type": "dynamic" }, { - "name": "ThreatOriginalConfidence", - "type": "string" + "name": "device", + "type": "dynamic" }, { - "name": "ThreatOriginalRiskLevel", - "type": "string" + "name": "file", + "type": "dynamic" }, { - "name": "ThreatOriginalRiskLevel_s", - "type": "string" + "name": "process", + "type": "dynamic" }, { - "name": "ThreatRiskLevel", - "type": "int" + "name": "user", + "type": "dynamic" }, { - "name": "TimeGenerated", - "type": "datetime" + "name": "dst_endpoint", + "type": "dynamic" }, { - "name": "TransactionIdHex", - "type": "string" + "name": "src_endpoint", + "type": "dynamic" }, { - "name": "Type", - "type": "string" + "name": "query", + "type": "dynamic" }, { - "name": "Url", - "type": "string" + "name": "answers", + "type": "dynamic" }, { - "name": "UrlCategory", - "type": "string" + "name": "driver", + "type": "dynamic" }, { - "name": "UrlOriginal", - "type": "string" + "name": "module", + "type": "dynamic" }, { - "name": "ValueType", - "type": "string" + "name": "app", + "type": "dynamic" } ] } 
@@ -1603,49 +171,9 @@
 "destinations": [
 "clv2ws1"
 ],
- "transformKql": "source | where EventSchema=='Authentication'",
- "outputStream": "Custom-HalcyonAuthenticationEvents_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='Dns'",
- "outputStream": "Custom-HalcyonDnsActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='FileEvent'",
- "outputStream": "Custom-HalcyonFileActivity_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='NetworkSession'",
- "outputStream": "Custom-HalcyonNetworkSession_CL"
- },
- {
- "streams": [
- "Custom-Halcyon"
- ],
- "destinations": [
- "clv2ws1"
- ],
- "transformKql": "source | where EventSchema=='ProcessEvent'",
- "outputStream": "Custom-HalcyonProcessEvent_CL"
+ "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + (['time'] * 1ms) | project-away ['time']",
+ "outputStream": "Custom-HalcyonEvents_CL"
 }
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
index b51119368f3..ec52d98cce5 100644
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
+++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
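Review bot: The new transformKql `source | extend TimeGenerated = datetime(1970-01-01) + (['time'] * 1ms) | project-away ['time']` has no fallback for an event whose `time` field is absent or null: the expression yields a null TimeGenerated, and whether the platform then substitutes ingestion time or rejects the record is not something this rule controls. A guarded form, `source | extend TimeGenerated = iff(isnull(['time']), now(), datetime(1970-01-01) + (['time'] * 1ms)) | project-away ['time']`, keeps every event and makes the choice explicit, provided the transformation engine accepts `now()`. The `* 1ms` factor assumes `time` is epoch milliseconds, which is consistent with the `long` declared for it in the stream schema in the previous hunk but is not stated anywhere; a sentence in the connector description or the release notes naming the expected unit would help whoever has to troubleshoot mis-dated events. Note also that the old routing on `EventSchema` is gone, so every OCSF class now lands in `Custom-HalcyonEvents_CL` and downstream parsers have to select by `class_uid` themselves.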
@@ -11,80 +11,26 @@
 "publisher": "Halcyon",
 "logo": "halcyon.svg",
 "descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
+ "sampleQueries": [],
 "graphQueries": [
 {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
- {
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
- {
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
 }
 ],
 "dataTypes": [
 {
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
 {
- "type": "HasDataConnectors"
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
 }
 ],
 "availability": {
@@ -129,14 +75,14 @@
 {
 "parameters": {
 "label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
+ "applicationDisplayName": "Halcyon Sentinel Connector"
 },
 "type": "DeployPushConnectorButton"
 }
 ]
 },
 {
- "title": "2. Configured your integration in the Halcyon Platform",
+ "title": "2. Configure your integration in the Halcyon Platform",
 "description": "Use the following parameters to configure your integration in the Halcyon Platform.",
 "instructions": [
 {
@@ -180,7 +126,7 @@
 },
 {
 "parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
+ "label": "Data Collection Rule ID (Rule ID)",
 "fillWith": [
 "DataCollectionRuleId"
 ],
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json
deleted file mode 100644
index 472f3f90a15..00000000000
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_AuthenticationEvent.json
+++ /dev/null
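Review bot: `"sampleQueries": []` leaves the connector page with no sample query at all, where the old definition offered one per table; a single entry such as `{ "description": "Get Sample Halcyon Events", "query": "HalcyonEvents_CL\n | take 10" }` keeps that onboarding aid for the consolidated table. The new `IsConnectedQuery` reports the connector as connected for seven days after the last event, so an integration that silently stops sending will still show as healthy for up to a week; if that window is intentional, it is worth stating in the ReleaseNotes entry this commit touches so operators know what the status means. The two later hunks are label and typo fixes and need nothing further.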
@@ -1,483 +0,0 @@ -{ - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", - "name": "HalcyonAuthenticationEvents_CL", - "location": "{{location}}", - "tags": {}, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonAuthenticationEvents_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "EventOwner", - "type": "string" - }, - { - "name": "EventReportUrl", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, 
- { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "LogonMethod", - "type": "string" - }, - { - "name": "LogonProtocol", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorOriginalUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorUserSid", - "type": "string" - }, - { - "name": "ActorUserAadId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, - { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetOriginalUserType", - "type": "string" - }, - { - "name": "TargetUserScope", - "type": "string" - }, - { - "name": "TargetUserScopeId", - "type": "string" - }, - { - "name": "TargetSessionId", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserSessionGuid", - "type": "string" - }, - { - "name": "TargetAppName", - "type": "string" - }, - { - "name": "TargetAppId", - "type": "string" - }, - { - "name": "TargetAppType", - "type": "string" - }, - { - "name": "TargetOriginalAppType", - "type": "string" - }, - { - "name": "TargetUrl", - 
"type": "string" - }, - { - "name": "TargetHostname", - "type": "string" - }, - { - "name": "TargetDomain", - "type": "string" - }, - { - "name": "TargetDomainType", - "type": "string" - }, - { - "name": "TargetFQDN", - "type": "string" - }, - { - "name": "TargetDescription", - "type": "string" - }, - { - "name": "TargetDvcId", - "type": "string" - }, - { - "name": "TargetDvcIdType", - "type": "string" - }, - { - "name": "TargetDvcOs", - "type": "string" - }, - { - "name": "TargetPortNumber", - "type": "int" - }, - { - "name": "TargetIpAddr", - "type": "string" - }, - { - "name": "TargetGeoCity", - "type": "string" - }, - { - "name": "TargetGeoCountry", - "type": "string" - }, - { - "name": "TargetGeoLatitude", - "type": "real" - }, - { - "name": "TargetGeoLongitude", - "type": "real" - }, - { - "name": "TargetGeoRegion", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDescription", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "HttpUserAgent", - "type": "string" - }, - { - "name": "HttpRequestMethod", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "ThreatId", - "type": 
"string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } -} diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json deleted file mode 100644 index 48af7cdadac..00000000000 --- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_DnsActivity.json +++ /dev/null 
@@ -1,455 +0,0 @@ -{ - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", - "name": "HalcyonDnsActivity_CL", - "location": "{{location}}", - "tags": {}, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonDnsActivity_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": 
"DvcDescription", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { - "name": "SrcUserType", - "type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": "string" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstHostname", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": 
"DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": "DnsQuery", - "type": "string" - }, - { - "name": "DnsQueryType", - "type": "int" - }, - { - "name": "DnsQueryTypeName", - "type": "string" - }, - { - "name": "DnsQueryClass", - "type": "int" - }, - { - "name": "DnsQueryClassName", - "type": "string" - }, - { - "name": "DnsResponseCode", - "type": "int" - }, - { - "name": "DnsResponseName", - "type": "string" - }, - { - "name": "DnsResponseIpCity", - "type": "string" - }, - { - "name": "DnsResponseIpCountry", - "type": "string" - }, - { - "name": "DnsResponseIpLatitude", - "type": "real" - }, - { - "name": "DnsResponseIpLongitude", - "type": "real" - }, - { - "name": "DnsResponseIpRegion", - "type": "string" - }, - { - "name": "DnsFlags", - "type": "string" - }, - { - "name": "DnsFlagsAuthenticated", - "type": "boolean" - }, - { - "name": "DnsFlagsAuthoritative", - "type": "boolean" - }, - { - "name": "DnsFlagsCheckingDisabled", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionAvailable", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionDesired", - "type": "boolean" - }, - { - "name": "DnsFlagsTruncated", - "type": "boolean" - }, - { - "name": "DnsFlagsZ", - "type": "boolean" - }, - { - "name": "DnsNetworkDuration", - "type": "int" - }, - { - "name": "DnsSessionId", - "type": "string" - }, - { - "name": "TransactionIdHex", - "type": "string" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - 
"type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } -} diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json deleted file mode 100644 index c639264927e..00000000000 --- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_FileActivity.json +++ /dev/null 
@@ -1,435 +0,0 @@ -{ - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", - "name": "HalcyonFileActivity_CL", - "location": "{{location}}", - "tags": {}, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonFileActivity_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": 
"DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" - }, - { - "name": "ActingProcessCreationTime", - "type": "datetime" - }, - { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", - "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetFileName", - "type": "string" - }, - { - "name": "TargetFilePath", - "type": "string" - }, - { - "name": "TargetFilePathType", - "type": "string" - }, - { - "name": "TargetFileDirectory", - "type": "string" - }, - { - "name": "TargetFileExtension", - "type": "string" - }, - { - "name": "TargetFileMimeType", - 
"type": "string" - }, - { - "name": "TargetFileCreationTime", - "type": "datetime" - }, - { - "name": "TargetFileSize", - "type": "long" - }, - { - "name": "TargetFileMD5", - "type": "string" - }, - { - "name": "TargetFileSHA1", - "type": "string" - }, - { - "name": "TargetFileSHA256", - "type": "string" - }, - { - "name": "TargetFileSHA512", - "type": "string" - }, - { - "name": "SrcFileName", - "type": "string" - }, - { - "name": "SrcFilePath", - "type": "string" - }, - { - "name": "SrcFilePathType", - "type": "string" - }, - { - "name": "SrcFileDirectory", - "type": "string" - }, - { - "name": "SrcFileExtension", - "type": "string" - }, - { - "name": "SrcFileMimeType", - "type": "string" - }, - { - "name": "SrcFileCreationTime", - "type": "datetime" - }, - { - "name": "SrcFileSize", - "type": "long" - }, - { - "name": "SrcFileMD5", - "type": "string" - }, - { - "name": "SrcFileSHA1", - "type": "string" - }, - { - "name": "SrcFileSHA256", - "type": "string" - }, - { - "name": "SrcFileSHA512", - "type": "string" - }, - { - "name": "HashType", - "type": "string" - }, - { - "name": "FileMD5", - "type": "string" - }, - { - "name": "FileSHA1", - "type": "string" - }, - { - "name": "FileSHA256", - "type": "string" - }, - { - "name": "FileSHA512", - "type": "string" - }, - { - "name": "FileContentType", - "type": "string" - }, - { - "name": "FileSize", - "type": "int" - }, - { - "name": "FileName", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": 
"ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatFilePath", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } -} diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json deleted file mode 100644 index d56b1a9f5d0..00000000000 --- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_NetworkSession.json +++ /dev/null 
@@ -1,659 +0,0 @@ -{ - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", - "name": "HalcyonNetworkSession_CL", - "location": "{{location}}", - "tags": {}, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonNetworkSession_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": 
"DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcInterface", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcScopeId", - "type": "string" - }, - { - "name": "SrcDvcScope", - "type": "string" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { - "name": "SrcUserType", - "type": "string" - }, - { - "name": "SrcOriginalUserType", - "type": "string" - }, - { - "name": "SrcUserScope", - "type": "string" - }, - { - "name": "SrcUserScopeId", - "type": "string" - }, - { - "name": "SrcMacAddr", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcRiskLevel", - "type": "int" - }, - { - "name": "SrcOriginalRiskLevel", - "type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": 
"string" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "SrcAppName", - "type": "string" - }, - { - "name": "SrcAppId", - "type": "string" - }, - { - "name": "SrcAppType", - "type": "string" - }, - { - "name": "SrcZone", - "type": "string" - }, - { - "name": "SrcInterfaceName", - "type": "string" - }, - { - "name": "SrcInterfaceGuid", - "type": "string" - }, - { - "name": "SrcVlanId", - "type": "string" - }, - { - "name": "SrcSubscriptionId", - "type": "string" - }, - { - "name": "Dst", - "type": "string" - }, - { - "name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstHostname", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstDvcScopeId", - "type": "string" - }, - { - "name": "DstDvcScope", - "type": "string" - }, - { - "name": "DstDeviceType", - "type": "string" - }, - { - "name": "DstUserId", - "type": "string" - }, - { - "name": "DstUserIdType", - "type": "string" - }, - { - "name": "DstUsername", - "type": "string" - }, - { - "name": "DstUsernameType", - "type": "string" - }, - { - "name": "DstUserType", - "type": "string" - }, - { - "name": "DstOriginalUserType", - "type": "string" - }, - { - "name": "DstUserScope", - "type": "string" - }, - { - "name": "DstUserScopeId", - "type": "string" - }, - { - "name": "DstMacAddr", - "type": "string" - }, - { - "name": "DstDvcOs", - "type": "string" - }, - { - "name": "DstIsp", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": "DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": 
"DstRiskLevel", - "type": "int" - }, - { - "name": "DstOriginalRiskLevel", - "type": "string" - }, - { - "name": "DstProcessName", - "type": "string" - }, - { - "name": "DstProcessId", - "type": "string" - }, - { - "name": "DstProcessGuid", - "type": "string" - }, - { - "name": "DstAppName", - "type": "string" - }, - { - "name": "DstAppId", - "type": "string" - }, - { - "name": "DstAppType", - "type": "string" - }, - { - "name": "DstZone", - "type": "string" - }, - { - "name": "DstInterfaceName", - "type": "string" - }, - { - "name": "DstInterfaceGuid", - "type": "string" - }, - { - "name": "DstVlanId", - "type": "string" - }, - { - "name": "DstSubscriptionId", - "type": "string" - }, - { - "name": "NetworkApplicationProtocol", - "type": "string" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "NetworkDirection", - "type": "string" - }, - { - "name": "NetworkDuration", - "type": "int" - }, - { - "name": "NetworkIcmpCode", - "type": "int" - }, - { - "name": "NetworkIcmpType", - "type": "string" - }, - { - "name": "NetworkConnectionHistory", - "type": "string" - }, - { - "name": "DstBytes", - "type": "long" - }, - { - "name": "SrcBytes", - "type": "long" - }, - { - "name": "NetworkBytes", - "type": "long" - }, - { - "name": "DstPackets", - "type": "long" - }, - { - "name": "SrcPackets", - "type": "long" - }, - { - "name": "NetworkPackets", - "type": "long" - }, - { - "name": "NetworkSessionId", - "type": "string" - }, - { - "name": "SessionId", - "type": "string" - }, - { - "name": "SrcNatIpAddr", - "type": "string" - }, - { - "name": "SrcNatPortNumber", - "type": "int" - }, - { - "name": "DstNatIpAddr", - "type": "string" - }, - { - "name": "DstNatPortNumber", - "type": "int" - }, - { - "name": "TcpFlags", - "type": "string" - }, - { - "name": "SrcVmName", - "type": "string" - }, - { - "name": "DstVmName", - "type": "string" - }, - { - "name": "NetworkRuleName", - "type": 
"string" - }, - { - "name": "NetworkRuleNumber", - "type": "int" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } -} diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json deleted file mode 100644 index 5f7f382571e..00000000000 --- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_ProcessEvent.json +++ /dev/null 
@@ -1,511 +0,0 @@ -{ - "type": "Microsoft.OperationalInsights/workspaces/tables", - "apiVersion": "2025-07-01", - "name": "HalcyonProcessEvent_CL", - "location": "{{location}}", - "tags": {}, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonProcessEvent_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": 
"DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" - }, - { - "name": "ActingProcessCreationTime", - "type": "datetime" - }, - { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", - "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "ParentProcessName", - "type": "string" - }, - { - "name": "ParentProcessId", - "type": "string" - }, - { - "name": "ParentProcessGuid", - "type": "string" - }, - { - "name": "ParentProcessCommandLine", - "type": "string" - }, - { - "name": "ParentProcessCreationTime", 
- "type": "datetime" - }, - { - "name": "ParentProcessFileCompany", - "type": "string" - }, - { - "name": "ParentProcessFileDescription", - "type": "string" - }, - { - "name": "ParentProcessFileProduct", - "type": "string" - }, - { - "name": "ParentProcessFileVersion", - "type": "string" - }, - { - "name": "ParentProcessFileSize", - "type": "long" - }, - { - "name": "ParentProcessMD5", - "type": "string" - }, - { - "name": "ParentProcessSHA1", - "type": "string" - }, - { - "name": "ParentProcessSHA256", - "type": "string" - }, - { - "name": "ParentProcessSHA512", - "type": "string" - }, - { - "name": "ParentProcessIMPHASH", - "type": "string" - }, - { - "name": "ParentProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ParentProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "string" - }, - { - "name": "TargetProcessId", - "type": "string" - }, - { - "name": "TargetProcessGuid", - "type": "string" - }, - { - "name": "TargetProcessCommandLine", - "type": "string" - }, - { - "name": "TargetProcessCurrentDirectory", - "type": "string" - }, - { - "name": "TargetProcessCreationTime", - "type": "datetime" - }, - { - "name": "TargetProcessFileCompany", - "type": "string" - }, - { - "name": "TargetProcessFileDescription", - "type": "string" - }, - { - "name": "TargetProcessFileProduct", - "type": "string" - }, - { - "name": "TargetProcessFileVersion", - "type": "string" - }, - { - "name": "TargetProcessFileSize", - "type": "long" - }, - { - "name": "TargetProcessMD5", - "type": "string" - }, - { - "name": "TargetProcessSHA1", - "type": "string" - }, - { - "name": "TargetProcessSHA256", - "type": "string" - }, - { - "name": "TargetProcessSHA512", - "type": "string" - }, - { - "name": "TargetProcessIMPHASH", - "type": "string" - }, - { - "name": "TargetProcessIntegrityLevel", - "type": "string" - }, - { - "name": "TargetProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, 
- { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserScope", - "type": "string" - }, - { - "name": "TargetUserScopeId", - "type": "string" - }, - { - "name": "Hash", - "type": "string" - }, - { - "name": "HashType", - "type": "string" - }, - { - "name": "MD5", - "type": "string" - }, - { - "name": "SHA1", - "type": "string" - }, - { - "name": "SHA256", - "type": "string" - }, - { - "name": "SHA512", - "type": "string" - }, - { - "name": "IMPHASH", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatFilePath", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } -} diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json new file mode 100644 index 00000000000..d2c73e8cea6 --- /dev/null +++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_table_events.json 
@@ -0,0 +1,155 @@
+{
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2025-07-01",
+ "name": "HalcyonEvents_CL",
+ "location": "{{location}}",
+ "tags": {},
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "HalcyonEvents_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "activity_id",
+ "type": "int"
+ },
+ {
+ "name": "activity_name",
+ "type": "string"
+ },
+ {
+ "name": "category_uid",
+ "type": "int"
+ },
+ {
+ "name": "category_name",
+ "type": "string"
+ },
+ {
+ "name": "class_uid",
+ "type": "int"
+ },
+ {
+ "name": "class_name",
+ "type": "string"
+ },
+ {
+ "name": "severity_id",
+ "type": "int"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "type_uid",
+ "type": "long"
+ },
+ {
+ "name": "type_name",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "raw_data",
+ "type": "string"
+ },
+ {
+ "name": "status_id",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "action_id",
+ "type": "int"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "disposition_id",
+ "type": "int"
+ },
+ {
+ "name": "disposition",
+ "type": "string"
+ },
+ {
+ "name": "rcode",
+ "type": "string"
+ },
+ {
+ "name": "rcode_id",
+ "type": "int"
+ },
+ {
+ "name": "metadata",
+ "type": "dynamic"
+ },
+ {
+ "name": "unmapped",
+ "type": "dynamic"
+ },
+ {
+ "name": "actor",
+ "type": "dynamic"
+ },
+ {
+ "name": "device",
+ "type": "dynamic"
+ },
+ {
+ "name": "file",
+ "type": "dynamic"
+ },
+ {
+ "name": "process",
+ "type": "dynamic"
+ },
+ {
+ "name": "user",
+ "type": "dynamic"
+ },
+ {
+ "name": "dst_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "src_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "query",
+ "type": "dynamic"
+ },
+ {
+ "name": "answers",
+ "type": "dynamic"
+ },
+ {
+ "name": "driver",
+ "type": "dynamic"
+ },
+ {
+ "name": "module",
+ "type": "dynamic"
+ },
+ {
+ "name": "app",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+}
diff --git a/Solutions/Halcyon/Data/Solution_Halcyon.json b/Solutions/Halcyon/Data/Solution_Halcyon.json
index ea2ebf322c5..882e965747a 100644
--- a/Solutions/Halcyon/Data/Solution_Halcyon.json
+++ b/Solutions/Halcyon/Data/Solution_Halcyon.json
@@ -2,7 +2,7 @@
 "Name": "Halcyon",
 "Author": "Halcyon",
 "Logo": "",
- "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.",
+ "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.",
 "Data Connectors": [
 "Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json"
 ],
@@ -18,8 +18,8 @@
 "Hunting Queries": [],
 "Playbooks": [],
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon",
- "Version": "3.0.0",
+ "Version": "3.1.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
-}
\ No newline at end of file
+}
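Review bot: The new HalcyonEvents_CL schema declares no OCSF `time` (or `time_dt`) column, so the vendor's event timestamp survives only if the DCR transform — which is outside this hunk — projects it into `TimeGenerated`; if it does not, `TimeGenerated` is the ingestion time and the per-class ASIM parsers bumped in this PR will window and order events by arrival rather than occurrence. Likewise, any top-level OCSF attribute Halcyon emits that is not declared here (for example `auth_protocol`, `logon_type` and `session` on Authentication events, or `connection_info` and `traffic` on Network Activity) is dropped at ingestion unless the transform folds it into `unmapped`, and the parsers can only surface what lands in a declared column. Since this file cannot carry a comment, the connector documentation or ReleaseNotes should state which OCSF `class_uid` values this table is expected to hold and that `unmapped`/`raw_data` are the fallback for undeclared fields; note also that `raw_data` as a string column is, to my knowledge, subject to the workspace's per-value size limit and may be truncated for large events, which matters if it is relied on for forensic reconstruction.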
diff --git a/Solutions/Halcyon/Package/3.1.0.zip b/Solutions/Halcyon/Package/3.1.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..3eb413dc27d5e56c085759211fd552fca8b02194 GIT binary patch literal 10002 zcmZ{~bxa*V_bqy$xI4w&-QC?vad$7S2RJ}+C=SIb?i}2`cyV`!gF6)0+wZ$K@8$ho z?o6`w%>H9%vSyN%$zETTKEdDs000C)hrF+$R_W!23LF4njR^qY|I1pqS($lQY1v6z zS=%|;dDuBSv3_%Rc52dDb6S(d@PE)jS%$`gjjI0y!xB>xW>2I5C`Bc1k)e1plZhLy zO6wTEn2t&!JZia}d!`v=X44<3&%!&3wsNyM^gS5Anu8L*Egn;>l=gsDQ_$@AdEDs# zQ(H0`nrS{cDn53Qn@bCLP$GBi`s|=?(D}19Ge-|6RIE$%Pw{+G(adp{Y~pL1;&*r1 z@0c_W6*z)Awkz{Q8G4ZMq*;v`!LQS!oB5uzwy7JO3ptB@QAmhY(Ohuu`-)k|xSZ9IXjpA4v>Pse%`05#ZR?Y_fP`zobspO^6-$u&=yO~Kt7pUY-N+|dvCp}jSiFMp4 zki~brdYq879J@k8t_{pcny04p+`NADeJlIyXKqHgs<8&Y{b0EU6i4~pFU2CYB;xO5 zo4amVXEPahX4rtR;v^LUP&4`65|hzcysSqKpa6a7T4b?3Sf}I7^*Wf|)PW?s7UPbm zRCGk@HySS-Rbly1`!5l#3<&Xt)vP_o|xnYy>(t%#A5 zE8S6OA5r!o3l3#Xo=EP|m$r#b&3`pL(n{CR83F*V;X!8Bfm?+KUQtP+F;+G1%AddKxBx3ld z+iOL(maHB_Ail=aUh54=O(Hk38&Sck#HLNEW8c{7^@l!hbM2u&!X|u{{vmm3e`&>9 zEU?m-CN^b9$J>cBO*>@kmFFO>V+UfpdYn_ct5D-Dclick5M4I%YwlR#*5osoZzaI~ zY04C3tz<_M`%Wc=l+9K1rjx3Cg=6)I)Q${x$ihrUOFHeo`BZx$(DJCUij6V zt3lT?zRKy|jrS7$0{tEC>;FfA(#!`R|BwLyosLj|et&J();%u=wgSIJrTWTOQDr)BGqgQfgjEyq`CXlIy^aJ5em{)sEEP2OWUNyJVGse$S-+bOzVK+!6@1!xjST zv4g^rFa~#J0wwWj%wX8Y!?{uH_2uGy=i=REO12v!a^uElyCam4-z!#r7_e~s_nu|S zYS>DQLbC4g#wk3+|NZ+81lD{yJm%r!g$V#S>Is|>=|g@8ketrA%Sg=31_LFZ3V$5J zpnzCS>y_B=5F!~np|_)LHzHtIF{DCi&xLYeeHI?^0fJ{Ua-Djk2wpbzQmiCiYzaaZ ze<$tPW4<@d;J~51APNSR-35`Kzz#@mVY6LT$?^8=hs?1y3d--Ie%JXrOEWCMqIqM@Jy#1;V;Qt9fExASJxs z>+klr0X5%^BOjp6p~a8cifZfZm`yF2rQE{qKxF*AN2mwlj&VIb> zGCnKQV8d{uy(_5VNZ4-Uh~z2bK3IM0b+?=;tIE?mH6qg?BE$tlbq2!qa+Rf}KS9ZN zWtXOl8fz!#D772#8zMW{ck>!+P|MX-`o!ZG6unoI5{k?(I8PnKJr2V$xlB6`rtHbR zX++ARVl9Knv7)+3K_gO@U6-|zcJ>yJF3puC!!~n$I=%OcpL$Nj`l5U=!UQM zfs%X|3*GE&uD+<~Oc(4q{r-RD+Yl_iLUks!cp;eI^(zdzn z=p!I`kb9u-l)HzKFrSD%0Fr4YGvF||P5+3mB+R5!S53gh7$>zz?08fEeXp=sGr@Uj zj3}U`6Bm|-sWdDcr8A=#%hr~kE=SbOIBvLoc3yK1HS9H6N$d)iHam&KX)Bk}<=pnvcMhp)V%8?_ZGS{Y&C 
zVt1-4sm6xoLw2|(4o=-)2__d5?vjJtSiim1+b*K`;K!#=&#@F~z@OqMT~>WEP@U88 z8_+K@qUcpqF0`v0KE}bk0m>z$*M8EUwZ+MH#_8**e-6=?LN~7sZ%KLfy-Y4wk-gD#AXeI z!P}idbtQ3sRfn!eU6F;6)lMBWUaV4*mOnFQw$2gG!fqrxj`diS9D;N6-vP7%L4f z5|f``7yD9Mh$j7YSyf3DE-6CM$8pLbUboL}+Ke!g)Xa492^s_B`h!p}l8ltlv)!|o zED$almio~IVSO7G`j08p_tWc-SJF1&FXSM(WMp&&c2ALjo-tCHjBKq5N+X;ti+gWH zb}5+tXS^u$b%7KvZuM2$LXb~)(WN}jh(41Q7+HQLj4xWbl85LqWJ;(T_EVJUHowjj zOCVRxL#$&hEr3j?k+U;mInjL+1KUTlNau#;hL9bLT%~*-%w2s%Ro`Q-T7f=Z{&11v z*M;+Wi+gg1iM+z-Dc1TnxbX<$(&QNuV9|MJA0UrzMD#kofkh7sMU8-QYafVMe@DSV zRplUvWIO_OlVaW$>{Yh^bet(uOf^%@h!S0S)8m=k@8qP{hsHWzjvgu{RN`>(YYv2hHSB~DjuX29ZS)IuNxgGEX~K_1E@^}agEa^Jt~qVA!e0c^ z(D_556yJZONOqc%pizE^{CkE4vAnp~$}px*-Yz67U8CaG5!cpn<@J4gK|zeC@=hYO zULt`L6wym5P%_CvBAV->W|ITgRp?jT1SZP8B)i@0cf+5kdFv<48MT?C5MqB$*|WxM z^TLA-9_D)&ZJcP|b!?dLcUwrV0!iT6gKfB^`%nQuRO7)c>vScz0q-sLGhP8i_@&YL zcF(B{2k$sTnw~JXUg>I4m)aM-TOrY|gE_p0?xUarmn4cbiijfd7M4}6`BBa z7h<`4o1+cqPvkeXZJ4?{&gl5Ene@G6hi}m+b2Xd>l5MzOqU5?!KO;ZohKHZB_`E2= z4a|_|7$XS#LP0HC*`{`ewv9=bw7HRI`C6(8;Jwqg{nD6n?S#K@AE}Lg_OsIycA4x0!4aCA(sl8g*d47m10Q-N@@1|U#?|EbzEj0h<4d-k zr$4xUg~11RVu$zYR8=~Z95!}%|x+TpYn0|x=Zl4N4XnTvGJm_ z2r4(!xo?v}f){;mI#KLAaB~9v5Sv{F&P}{<`~qGjC|v_LEV8BE&n6$0dhB}FXvTBBPRNGmB}4I z0AbQz6`mdYuyu*_LC->XfJ@1B^3#dXH%UoR{K&@qT|PGyDV;3{HHk%^3MonZC54tH z7!kwfIWLNNOQA5i$M;2;J-f7;lmDsCE;KqpsGJ8AWjFYNDf?nfwy&3i1XAKumd;Py z?zON|0>(GSVV{p-#z;)N;gH2HOA<=fSK*ZNTgWU5x&(!4Ick7W^u?KtCF<)wQz=C30_n ztvyC73NAk0wy(bIoNm0Cr91@h(4v`8aLbFR$+33+DP%FeAL7_>nFVDY&?YlraRzUj z$1q21WwG$j{UpxZuw5lWw`7?@#0$ev52MPT{{ft#_{u%bYZ*1hgXHk3KsO;jLylAomZ(Xdc?eH;ASl^sl~^)-VlB7;B+V;oM9IKw zkBphbD8KEEdiQZuSmCr%hLQywgDt?B8lDa4?a)4_3b z-sXORBiewNrygJU zkRZO0L-%OKvaD=Cw7e4f17c^e2arn9Hz0VAo2Nh5&4aT^7%a%bWI1>y5j+^^j@}?k zSIg8z5g$+kI|Zof-t_!%nCmMi%NWW6T6E)pqV$&M>1(cq&x zGg~3!p4UK?P>R8P;HYs}+TuM{!4iZh;5*k@tiRYHy_J(>lbWA z(A|W79!`<-*EctpZnX_?;LU`c3DOW>1&9H`7z)~?{Bi;nL~yiWdsu7=Y#=p3a^pL? 
z9NhLQ^i2y{o#;M5%3G7Yt41*AEA_*@YF~NMM$qTmy0acPMpD;VTV-4GXW-v(co@v{ zXz))9oSE=4Mv&xN^CWm&ukFVTnnXqS#;tAB!(Xk!I7mVjNW$T`=f1AWR>b<6Y&(h9OqMJupuxHfWN!WOWx zc{3ASjxCGB5D}u?0`O>wnH9Kod3sHK%zI};gAKCfYpH`wU3YudgQSb4gFLZd78Ov^ zqh61p*l7XGLh2keuWP0SVhx!oSkL?1)xUab$X&O1sn1??XB5K_pQ5m?i``f7Xg0w~ zE~>z9O*t^23F<`yo_ymbXnb&-C5_Q{RNg5eDPnQ zFcC>yU&R_e)-YmCWWP|lRtJX`Hy%j4WXS_sEXm6c+3v79wMK+AlBTPCednVPjR`a4 zP8G+sM@(_C>N1Xgs3v=#ub@n0)2f4o8fBhF2}z9I|E%#B3@$aj#!t!5Gz0yipRuXAjpuORwyHW?AV0+=xo>ctG1G97J?1vgwG{Pdbj{j(J zBdS@zcB~TV)vg-QAA>nadq`BUJH3Y_t=+jQOyKD57bb;2-9UGjj?Y?g?13 zZm-xPeTtBo5+W0AJ=%Eztce)WN40fBE6;NTa79m|c^OG3LBNbypM`x`cCVK5zeJYN zsQQKI!{-%;&J$0HZ>7EGs0RX6#o>zf|H)Fhg0-TAE4W~I57Gp?Z}#koE@S+|DMt76}UadhHYbW55N)7nh`7~r_-f=l_H#D-YNt@<&tzVJ|_4(9doqylNR zkAJP?((;tJU$5WqDv`|s3u=KUw2YF$?UOe>#AKdOoL!CJTB%dUarH31?982O^QK++ zL3FPNIn^79YdCiSd$D7qx4%1W#fBrLeaQG+W>6%JZ-gEJA4U&*WB6U*Oni~!K}Y5< zK%2Z83k3Y))BK7z%L>AFWb9sPUe>WE^C(T)EV+Ph@76*uO4}`x?wgfk*ElW1PC1`p zzf6F*Fg+fyF2)>?*}-MIQj(ZHY+e!l7n9_#LMPU{RIWeGmL*F(Ddte5PXGHYK1AbG z=!x9McLn&-jFWPbWN?cnY{H|#^*0(giH(;7ne=q8X;ByT0;Ma_kZ~d(8D1$M7p~ZC zc3zDg9}~Xy5o+G?XNbWAnS6=Tl@1#}oXAc1z1}N~^hj^bwU}<;*q=204F}9Q z41`=^4WK=~E$%OHFQo$_o$1?1qluOk#GYdFIO8CHyRb% zp9K~FbWXmT^79Yl;v&z?r<1v-+B>J?hf4Gfpf(m+o)Bs`_hs0ZMx|+Qx17zs15vI# zRy8=sTz`MQmw4#Qa_#brm%F+480A~NTp`AMryaZXjJ4e^!V!bRD=Ndc;fZR`gxPhH zZ9!L$_vYJ@ID>(?4q#PnZxh|b7Vc;D!0N(*k94ypuvf8EWHV+`yi6hb*{ZA^O--a% z^rvm?c!V?4&2d&nvO#2zjQC0hQ14nhEGD$~6)tDuuWHh-Q6kj2RA%m!S1%b^AF%_t~o^((TcF7|KNQSou9%p^Zy zP9eC{s8{Ur{Qde;Mbxdb%hy|Xqe$-?Z&Yrd^W~Lt_c9-H`Djq~nU2&hhm#+ifyk#Y z{j*XFb$;k*)Bcdbt)16xUF~DuY9c~mXE)s0{b}%+^p51$su>Yp(cyjV*2dU52pOn# z4M9TQbO)tNg^E^t={AnvvveWxIv+ge*&9B4+UHy!0U0#dFkA=^OzIl`Q-ap?_kk8{vSjFG)-aeCcOBVD8mSS$ z+ZARyk?G|l>tgNsb;yOU5yOO`+dvQB!$)9AJeMol+R}0+Mjvm2P?y^xt^4zd@~%>S z?XIMOWHv!@T|`XabK9L;ITvIM(Ih;oYeSZvYvgQ&H)nk3{T(VoRuj9aXPDzC&POt? 
z!giQ%3Jvu*N_lK!)KvBsk>Y~ug@IYhzYqAB_8}7Rak2MW5AGpk$(!NMYlHQ=aye7WR-&l6jL;g6Kx!z3MTLtYk<^za0n$R3}U=Lrw)%s1l_Xq(RBM zg4xp7%ObOd)y_h!>q$}b)duP_8oR2a>Tm0$Rk@nUP9FqGQAvZ>jLHRSq(y{0f2bMP zC`VKEX%lh&3Es%NKJAR#98iE(?JoA?o-5J=&({g1U{#QrASxFzWH@HmF-}6$X0$R) zplEPNU%66IiG_C2+?<7$7T1oW4i7t;sU>~+=f6bDiIp38w6>~!o$*s@lm9v+wslj< z#D!vLg}Flojb>A51tVzg6IK369*t&I(APT>uLRw(?$7#KyK4U~MczOXEGYkplK|?D z>ui6vq7~UWRVO7|dTpqh@Zu6(ASt1a>+gsz_O^hH4J=Sk_NIh4^0bjR>|U{kG_z_QGDq-4g! zA8J%~a_3@&r~Wg)Q&VZ)zuD>0OsCY(i?yIHs*WkPe4yCrtu);+?p1~eZ+lJ?3xFL8 z84SLS=&5(6{-SxYAJH3A+1el0e8t+_>knMgWA5U%IqL(3mQ6-AAI@n%~Zd6e@?Hi?Y zJBJlbi4so&&xX6q_-GAdiDMBPF=(=$kJg}1UrBe(x-YZdN}vUONmW&eX}3c}X?^(7;@k9{ye zn{o%2%8LcDhGs`=rJ9UD!CQ_6(HWIm*av&ZYF}UJmm;3FpPdrDx13!%BUN5NQkNl8 z&h4%XQ9CAdjy0(x(VJ82?+;Y?1xgDR#EL3xZ3E=mW>#Aj@-HX++JTGIt-Qp<+JL2# z9(yH#gOa#|WWjMG{uaJULdj7Sp+sl7lZlQ~a&m`+Wss3x<4ev2<_=q%de4O&d54um zhi~mhEnYNd@7BGTuh2^1@+D8l{7r#_w&ss#$T5 zu$g)Bd(rchWlC)>!`AFq%X*87a!#R=tkHCy1@#|#Tr9_x4y|t;yKh?yPJpG3Po2*! z+bnJHos{}*+{SwNb=>RcM!R0la3-2vhSgr&xNbX@H0%{dEigl+p7y;Fq;|J)#vAr9rmY>L_Wxt(QPGwxJu zi;HF>y06N^(bk&Y?t6p!?$#{xgXWb@gSrMW|DXY@@w0t&UGx6~?{@5qsn1WG<+)b6 zc19d8(-CmM zs}LdhIRQ$@Y{4kg9(*$f>Gja}mvGMAwuY88QmLA)vytCDDIw%Cfq4v+fj<9QW9hze z5D`-#+{N@f6@qCR=Mn!a{=2Z-+miGBYfH-o(Z~76+tf#}JqJQL^foGtdvM90mO7yc z_AGc{aI{aKUdGPHg)IF9DHXyw3%OO~nG9_)NPVo!o_b(kaJsjz`@A#dH{g0MOXQK4 zW-b<>hIfUzP7%v~#YN0~M4FNy80)x$f=W%b1|&+N1cxVMu|jw0#h)K_boIll$T9pJwgZ)Ukr}; z5*!^GWsIAA|6CLHwCw;7x~k!kFsFmsl{>)QShoJv#0cges*{kW0Xl%Z*uceQuGaX8id5{`L z6s0e61I6j|UqP*=>N=8Wj4n^7a|;Q(+$$>a$6NC(wlT+-~!zd;zN6!8MC!z0)# z<6o@7xDb}m*D%$){M38rWuYPip)Pf_3VYW`#Yn=1X4(GNMO$4XTz@6?{2kg`g8e%J zmeMJD@RTj~v*wHTLDZHpNYcN;O3i?SZVLNEBUZapL_S_ z9z7E>1pEzN=C5tXZ>PxW+Y5?Iy|T4y=mU7>PQr(iG4KccS0yNDoKOFE=h?s3|9?kO x(0{`J#fSDki~LXX!2d1*02BoU|1-7y|EvUGm0\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known 
issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Data Connectors:** 1, **Parsers:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.\n\n**Data Connectors:** 1, **Parsers:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Halcyon/Package/mainTemplate.json b/Solutions/Halcyon/Package/mainTemplate.json index 4ba7086073a..45da19c9694 100644 --- a/Solutions/Halcyon/Package/mainTemplate.json +++ b/Solutions/Halcyon/Package/mainTemplate.json 
@@ -45,11 +45,11 @@
 },
 "variables": {
 "_solutionName": "Halcyon",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.1.0",
 "solutionId": "halcyontech1743610828684.azure-sentinel-solution-halcyon",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "dataConnectorCCPVersion": "1.0.0",
+ "dataConnectorCCPVersion": "3.1.0",
 "_dataConnectorContentIdConnectorDefinition1": "HalcyonPush",
 "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
 "_dataConnectorContentIdConnections1": "HalcyonPushConnections",
@@ -60,35 +60,35 @@
 "_parserName1": "[concat(parameters('workspace'),'/','ASimAuthenticationHalcyon')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimAuthenticationHalcyon-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "2.0.0",
 "parserContentId1": "ASimAuthenticationHalcyon-Parser"
 },
 "parserObject2": {
 "_parserName2": "[concat(parameters('workspace'),'/','ASimDnsHalcyon')]",
 "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]",
 "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimDnsHalcyon-Parser')))]",
- "parserVersion2": "1.0.0",
+ "parserVersion2": "2.0.0",
 "parserContentId2": "ASimDnsHalcyon-Parser"
 },
 "parserObject3": {
 "_parserName3": "[concat(parameters('workspace'),'/','ASimFileEventHalcyon')]",
 "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]",
 "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimFileEventHalcyon-Parser')))]",
- "parserVersion3": "1.0.0",
+ "parserVersion3": "2.0.0",
 "parserContentId3": "ASimFileEventHalcyon-Parser"
 },
 "parserObject4": {
 "_parserName4": "[concat(parameters('workspace'),'/','ASimNetworkSessionHalcyon')]",
 "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]",
 "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimNetworkSessionHalcyon-Parser')))]",
- "parserVersion4": "1.0.0",
+ "parserVersion4": "2.0.0",
 "parserContentId4": "ASimNetworkSessionHalcyon-Parser"
 },
 "parserObject5": {
 "_parserName5": "[concat(parameters('workspace'),'/','ASimProcessEventHalcyon')]",
 "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]",
 "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimProcessEventHalcyon-Parser')))]",
- "parserVersion5": "1.0.0",
+ "parserVersion5": "2.0.0",
 "parserContentId5": "ASimProcessEventHalcyon-Parser"
 },
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
@@ -125,80 +125,26 @@
 "publisher": "Halcyon",
 "logo": "halcyon.svg",
 "descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
+ "sampleQueries": [],
 "graphQueries": [
 {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
- {
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
- {
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
 }
 ],
 "dataTypes": [
 {
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
 {
- "type": "HasDataConnectors"
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
 }
 ],
 "availability": {
@@ -243,14 +189,14 @@
 {
 "parameters": {
 "label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
+ "applicationDisplayName": "Halcyon Sentinel Connector"
 },
 "type": "DeployPushConnectorButton"
 }
 ]
 },
 {
- "title": "2. Configured your integration in the Halcyon Platform",
+ "title": "2. Configure your integration in the Halcyon Platform",
 "description": "Use the following parameters to configure your integration in the Halcyon Platform.",
 "instructions": [
 {
@@ -294,7 +240,7 @@
 },
 {
 "parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
+ "label": "Data Collection Rule ID (Rule ID)",
 "fillWith": [
 "DataCollectionRuleId"
 ],
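Review bot: The new `IsConnectedQuery` reports the connector as connected as long as any row landed within `ago(7d)`, so an endpoint-protection feed that silently stops (expired app secret, DCR removed, Halcyon-side misconfiguration) still shows green in the connector gallery for up to a week; this query is the only health signal a push connector has, so a tighter window is worth considering: `"HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(1d)"`. I can't tell from this hunk whether seven days was chosen deliberately to tolerate quiet tenants; if so, that rationale belongs in the ReleaseNotes since this JSON cannot carry a comment. Separately, `sampleQueries` is now an empty array, so analysts get no starting point against the consolidated table; a single per-class breakdown such as `HalcyonEvents_CL | summarize count() by class_uid, class_name` would replace the five per-table samples this hunk removes and doubles as a quick check that the expected OCSF classes are actually arriving.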
@@ -354,4184 +300,324 @@ "Custom-Halcyon": { "columns": [ { - "name": "ActingAppId", - "type": "string" - }, - { - "name": "ActingAppName", - "type": "string" - }, - { - "name": "ActingAppType", - "type": "string" - }, - { - "name": "ActingOriginalAppType", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" - }, - { - "name": "ActingProcessCreationTime", + "name": "TimeGenerated", "type": "datetime" }, { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileInternalName", - "type": "string" - }, - { - "name": "ActingProcessFilename", - "type": "string" - }, - { - "name": "ActingProcessFileOriginalName", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessInjectedAddress", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessIsHidden", - "type": "boolean" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "ActorOriginalUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActorUserAadId", - "type": "string" - 
}, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserSid", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "DhcpCircuitId", - "type": "string" - }, - { - "name": "DhcpLeaseDuration", - "type": "int" - }, - { - "name": "DhcpSessionDuration", - "type": "int" - }, - { - "name": "DhcpSessionId", - "type": "string" - }, - { - "name": "DhcpSrcDHCId", - "type": "string" - }, - { - "name": "DhcpSubscriberId", - "type": "string" - }, - { - "name": "DhcpUserClass", - "type": "string" - }, - { - "name": "DhcpUserClassId", - "type": "string" - }, - { - "name": "DhcpVendorClass", - "type": "string" - }, - { - "name": "DhcpVendorClassId", - "type": "string" - }, - { - "name": "DnsFlags", - "type": "string" - }, - { - "name": "DnsFlagsAuthenticated", - "type": "boolean" - }, - { - "name": "DnsFlagsAuthoritative", - "type": "boolean" - }, - { - "name": "DnsFlagsCheckingDisabled", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionAvailable", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionDesired", - "type": "boolean" - }, - { - "name": "DnsFlagsTruncated", - "type": "boolean" - }, - { - "name": "DnsFlagsZ", - "type": "boolean" - }, - { - "name": "DnsNetworkDuration", + "name": "activity_id", "type": "int" }, { - "name": "DnsQuery", + "name": "activity_name", "type": "string" }, { - "name": "DnsQueryClass", + "name": "category_uid", "type": "int" }, { - "name": "DnsQueryClassName", + "name": "category_name", "type": "string" }, { - "name": "DnsQueryType", + "name": "class_uid", "type": "int" }, { - "name": "DnsQueryTypeName", + "name": "class_name", "type": "string" }, { - "name": "DnsResponseCode", + "name": "severity_id", "type": "int" }, { - "name": 
"DnsResponseIpCity", - "type": "string" - }, - { - "name": "DnsResponseIpCountry", - "type": "string" - }, - { - "name": "DnsResponseIpLatitude", - "type": "real" - }, - { - "name": "DnsResponseIpLongitude", - "type": "real" - }, - { - "name": "DnsResponseIpRegion", - "type": "string" - }, - { - "name": "DnsResponseName", - "type": "string" - }, - { - "name": "DnsSessionId", - "type": "string" - }, - { - "name": "Dst", - "type": "string" - }, - { - "name": "DstAppId", + "name": "severity", "type": "string" }, { - "name": "DstAppName", - "type": "string" - }, - { - "name": "DstAppType", - "type": "string" - }, - { - "name": "DstBytes", + "name": "time", "type": "long" }, { - "name": "DstDescription", - "type": "string" - }, - { - "name": "DstDeviceType", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstDvcScope", - "type": "string" - }, - { - "name": "DstDvcScopeId", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": "DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": "DstHostname", - "type": "string" + "name": "type_uid", + "type": "long" }, { - "name": "DstInterfaceGuid", + "name": "type_name", "type": "string" - }, - { - "name": "DstInterfaceName", - "type": "string" - }, - { - "name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstMacAddr", - "type": "string" - }, - { - "name": "DstNatIpAddr", - "type": "string" - }, - { - "name": "DstNatPortNumber", - "type": "int" - }, - { - "name": "DstOriginalRiskLevel", - "type": "string" - }, - { - "name": "DstOriginalUserType", - "type": "string" - }, - { - "name": 
"DstPackets", - "type": "long" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstRiskLevel", - "type": "int" - }, - { - "name": "DstSubscriptionId", - "type": "string" - }, - { - "name": "DstUserId", - "type": "string" - }, - { - "name": "DstUserIdType", - "type": "string" - }, - { - "name": "DstUsername", - "type": "string" - }, - { - "name": "DstUsernameType", - "type": "string" - }, - { - "name": "DstUserType", - "type": "string" - }, - { - "name": "DstVlanId", - "type": "string" - }, - { - "name": "DstZone", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcInboundInterface", - "type": "string" - }, - { - "name": "DvcInterface", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcOutboundInterface", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcSubscriptionId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": 
"EventOriginalSubType", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOwner", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventReportUrl", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "FileContentType", - "type": "string" - }, - { - "name": "FileMD5", - "type": "string" - }, - { - "name": "FileName", - "type": "string" - }, - { - "name": "FileSHA1", - "type": "string" - }, - { - "name": "FileSHA256", - "type": "string" - }, - { - "name": "FileSHA512", - "type": "string" - }, - { - "name": "FileSize", - "type": "int" - }, - { - "name": "GroupId", - "type": "string" - }, - { - "name": "GroupIdType", - "type": "string" - }, - { - "name": "GroupName", - "type": "string" - }, - { - "name": "GroupNameType", - "type": "string" - }, - { - "name": "GroupOriginalType", - "type": "string" - }, - { - "name": "GroupType", - "type": "string" - }, - { - "name": "HashType", - "type": "string" - }, - { - "name": "HttpContentFormat", - "type": "string" - }, - { - "name": "HttpContentType", - "type": "string" - }, - { - "name": "HttpHost", - "type": "string" - }, - { - "name": "HttpReferrer", - "type": "string" - }, - { - "name": "HttpRequestMethod", - "type": "string" - }, - { - "name": "HttpRequestTime", - "type": "int" - }, - { - "name": "HttpRequestXff", - "type": "string" - }, 
- { - "name": "HttpResponseTime", - "type": "int" - }, - { - "name": "HttpUserAgent", - "type": "string" - }, - { - "name": "HttpVersion", - "type": "string" - }, - { - "name": "LogonMethod", - "type": "string" - }, - { - "name": "LogonProtocol", - "type": "string" - }, - { - "name": "NetworkApplicationProtocol", - "type": "string" - }, - { - "name": "NetworkBytes", - "type": "long" - }, - { - "name": "NetworkConnectionHistory", - "type": "string" - }, - { - "name": "NetworkDirection", - "type": "string" - }, - { - "name": "NetworkDuration", - "type": "int" - }, - { - "name": "NetworkIcmpCode", - "type": "int" - }, - { - "name": "NetworkIcmpType", - "type": "string" - }, - { - "name": "NetworkPackets", - "type": "long" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "NetworkRuleName", - "type": "string" - }, - { - "name": "NetworkRuleNumber", - "type": "int" - }, - { - "name": "NetworkSessionId", - "type": "string" - }, - { - "name": "NewPropertyValue", - "type": "string" - }, - { - "name": "NewValue", - "type": "string" - }, - { - "name": "Object", - "type": "string" - }, - { - "name": "ObjectId", - "type": "string" - }, - { - "name": "ObjectType", - "type": "string" - }, - { - "name": "OldValue", - "type": "string" - }, - { - "name": "Operation", - "type": "string" - }, - { - "name": "OriginalObjectType", - "type": "string" - }, - { - "name": "ParentProcessCommandLine", - "type": "string" - }, - { - "name": "ParentProcessCreationTime", - "type": "datetime" - }, - { - "name": "ParentProcessFileCompany", - "type": "string" - }, - { - "name": "ParentProcessFileDescription", - "type": "string" - }, - { - "name": "ParentProcessFileProduct", - "type": "string" - }, - { - "name": "ParentProcessFileVersion", - "type": "string" - }, - { - "name": "ParentProcessGuid", - "type": "string" - }, - { - "name": "ParentProcessId", - "type": "string" - }, - { - "name": 
"ParentProcessIMPHASH", - "type": "string" - }, - { - "name": "ParentProcessInjectedAddress", - "type": "string" - }, - { - "name": "ParentProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ParentProcessIsHidden", - "type": "boolean" - }, - { - "name": "ParentProcessMD5", - "type": "string" - }, - { - "name": "ParentProcessName", - "type": "string" - }, - { - "name": "ParentProcessSHA1", - "type": "string" - }, - { - "name": "ParentProcessSHA256", - "type": "string" - }, - { - "name": "ParentProcessSHA512", - "type": "string" - }, - { - "name": "ParentProcessTokenElevation", - "type": "string" - }, - { - "name": "PreviousPropertyValue", - "type": "string" - }, - { - "name": "RegistryKey", - "type": "string" - }, - { - "name": "RegistryPreviousKey", - "type": "string" - }, - { - "name": "RegistryPreviousValue", - "type": "string" - }, - { - "name": "RegistryPreviousValueData", - "type": "string" - }, - { - "name": "RegistryPreviousValueType", - "type": "string" - }, - { - "name": "RegistryValue", - "type": "string" - }, - { - "name": "RegistryValueData", - "type": "string" - }, - { - "name": "RegistryValueType", - "type": "string" - }, - { - "name": "RequestedIpAddr", - "type": "string" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "SourceSystem", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcAppId", - "type": "string" - }, - { - "name": "SrcAppName", - "type": "string" - }, - { - "name": "SrcAppType", - "type": "string" - }, - { - "name": "SrcBytes", - "type": "long" - }, - { - "name": "SrcDescription", - "type": "string" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - 
"name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcDvcScope", - "type": "string" - }, - { - "name": "SrcDvcScopeId", - "type": "string" - }, - { - "name": "SrcFileCreationTime", - "type": "datetime" - }, - { - "name": "SrcFileDirectory", - "type": "string" - }, - { - "name": "SrcFileExtension", - "type": "string" - }, - { - "name": "SrcFileMD5", - "type": "string" - }, - { - "name": "SrcFileMimeType", - "type": "string" - }, - { - "name": "SrcFileName", - "type": "string" - }, - { - "name": "SrcFilePath", - "type": "string" - }, - { - "name": "SrcFilePathType", - "type": "string" - }, - { - "name": "SrcFileSHA1", - "type": "string" - }, - { - "name": "SrcFileSHA256", - "type": "string" - }, - { - "name": "SrcFileSHA512", - "type": "string" - }, - { - "name": "SrcFileSize", - "type": "long" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcInterfaceGuid", - "type": "string" - }, - { - "name": "SrcInterfaceName", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcMacAddr", - "type": "string" - }, - { - "name": "SrcNatIpAddr", - "type": "string" - }, - { - "name": "SrcNatPortNumber", - "type": "int" - }, - { - "name": "SrcOriginalRiskLevel", - "type": "string" - }, - { - "name": "SrcOriginalUserType", - "type": "string" - }, - { - "name": "SrcPackets", - "type": "long" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcRiskLevel", - "type": 
"int" - }, - { - "name": "SrcSubscriptionId", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { - "name": "SrcUserScope", - "type": "string" - }, - { - "name": "SrcUserScopeId", - "type": "string" - }, - { - "name": "SrcUserSessionId", - "type": "string" - }, - { - "name": "SrcUserType", - "type": "string" - }, - { - "name": "SrcUserUid", - "type": "string" - }, - { - "name": "SrcVlanId", - "type": "string" - }, - { - "name": "SrcZone", - "type": "string" - }, - { - "name": "TargetAppId", - "type": "string" - }, - { - "name": "TargetAppName", - "type": "string" - }, - { - "name": "TargetAppType", - "type": "string" - }, - { - "name": "TargetDescription", - "type": "string" - }, - { - "name": "TargetDeviceType", - "type": "string" - }, - { - "name": "TargetDomain", - "type": "string" - }, - { - "name": "TargetDomainType", - "type": "string" - }, - { - "name": "TargetDvcId", - "type": "string" - }, - { - "name": "TargetDvcIdType", - "type": "string" - }, - { - "name": "TargetDvcOs", - "type": "string" - }, - { - "name": "TargetDvcScope", - "type": "string" - }, - { - "name": "TargetDvcScopeId", - "type": "string" - }, - { - "name": "TargetFileCreationTime", - "type": "datetime" - }, - { - "name": "TargetFileDirectory", - "type": "string" - }, - { - "name": "TargetFileExtension", - "type": "string" - }, - { - "name": "TargetFileMD5", - "type": "string" - }, - { - "name": "TargetFileMimeType", - "type": "string" - }, - { - "name": "TargetFileName", - "type": "string" - }, - { - "name": "TargetFilePath", - "type": "string" - }, - { - "name": "TargetFilePathType", - "type": "string" - }, - { - "name": "TargetFileSHA1", - "type": "string" - }, - { - "name": "TargetFileSHA256", - "type": "string" - }, - { - "name": "TargetFileSHA512", - "type": "string" - }, - { - "name": 
"TargetFileSize", - "type": "long" - }, - { - "name": "TargetFQDN", - "type": "string" - }, - { - "name": "TargetGeoCity", - "type": "string" - }, - { - "name": "TargetGeoCountry", - "type": "string" - }, - { - "name": "TargetGeoLatitude", - "type": "real" - }, - { - "name": "TargetGeoLongitude", - "type": "real" - }, - { - "name": "TargetGeoRegion", - "type": "string" - }, - { - "name": "TargetHostname", - "type": "string" - }, - { - "name": "TargetIpAddr", - "type": "string" - }, - { - "name": "TargetOriginalAppType", - "type": "string" - }, - { - "name": "TargetOriginalRiskLevel", - "type": "string" - }, - { - "name": "TargetOriginalUserType", - "type": "string" - }, - { - "name": "TargetPortNumber", - "type": "int" - }, - { - "name": "TargetProcessCommandLine", - "type": "string" - }, - { - "name": "TargetProcessCreationTime", - "type": "datetime" - }, - { - "name": "TargetProcessCurrentDirectory", - "type": "string" - }, - { - "name": "TargetProcessFileCompany", - "type": "string" - }, - { - "name": "TargetProcessFileDescription", - "type": "string" - }, - { - "name": "TargetProcessFileInternalName", - "type": "string" - }, - { - "name": "TargetProcessFilename", - "type": "string" - }, - { - "name": "TargetProcessFileOriginalName", - "type": "string" - }, - { - "name": "TargetProcessFileProduct", - "type": "string" - }, - { - "name": "TargetProcessFileSize", - "type": "long" - }, - { - "name": "TargetProcessFileVersion", - "type": "string" - }, - { - "name": "TargetProcessGuid", - "type": "string" - }, - { - "name": "TargetProcessId", - "type": "string" - }, - { - "name": "TargetProcessIMPHASH", - "type": "string" - }, - { - "name": "TargetProcessInjectedAddress", - "type": "string" - }, - { - "name": "TargetProcessIntegrityLevel", - "type": "string" - }, - { - "name": "TargetProcessIsHidden", - "type": "boolean" - }, - { - "name": "TargetProcessMD5", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "string" - }, - { - "name": 
"TargetProcessSHA1", - "type": "string" - }, - { - "name": "TargetProcessSHA256", - "type": "string" - }, - { - "name": "TargetProcessSHA512", - "type": "string" - }, - { - "name": "TargetProcessStatusCode", - "type": "string" - }, - { - "name": "TargetProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetRiskLevel", - "type": "int" - }, - { - "name": "TargetScope", - "type": "string" - }, - { - "name": "TargetScopeId", - "type": "string" - }, - { - "name": "TargetSessionId", - "type": "string" - }, - { - "name": "TargetUrl", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, - { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserScope", - "type": "string" - }, - { - "name": "TargetUserScopeId", - "type": "string" - }, - { - "name": "TargetUserSessionGuid", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetUserUid", - "type": "string" - }, - { - "name": "TcpFlagsAck", - "type": "boolean" - }, - { - "name": "TcpFlagsFin", - "type": "boolean" - }, - { - "name": "TcpFlagsPsh", - "type": "boolean" - }, - { - "name": "TcpFlagsRst", - "type": "boolean" - }, - { - "name": "TcpFlagsSyn", - "type": "boolean" - }, - { - "name": "TcpFlagsUrg", - "type": "boolean" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "ThreatFilePath", - "type": "string" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatFirstReportedTime_d", - "type": "datetime" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - 
"name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime_d", - "type": "datetime" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatOriginalRiskLevel_s", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "TransactionIdHex", - "type": "string" - }, - { - "name": "Type", - "type": "string" - }, - { - "name": "Url", - "type": "string" - }, - { - "name": "UrlCategory", - "type": "string" - }, - { - "name": "UrlOriginal", - "type": "string" - }, - { - "name": "ValueType", - "type": "string" - } - ] - } - }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-Halcyon" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | where EventSchema=='Authentication'", - "outputStream": "Custom-HalcyonAuthenticationEvents_CL" - }, - { - "streams": [ - "Custom-Halcyon" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | where EventSchema=='Dns'", - "outputStream": "Custom-HalcyonDnsActivity_CL" - }, - { - "streams": [ - "Custom-Halcyon" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | where EventSchema=='FileEvent'", - "outputStream": "Custom-HalcyonFileActivity_CL" - }, - { - "streams": [ - "Custom-Halcyon" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | where EventSchema=='NetworkSession'", - "outputStream": "Custom-HalcyonNetworkSession_CL" - }, - { - "streams": [ - "Custom-Halcyon" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | where EventSchema=='ProcessEvent'", - "outputStream": "Custom-HalcyonProcessEvent_CL" - } - ] - } - }, - { - "name": 
"HalcyonAuthenticationEvents_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonAuthenticationEvents_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "EventOwner", - "type": "string" - }, - { - "name": "EventReportUrl", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - 
"name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "LogonMethod", - "type": "string" - }, - { - "name": "LogonProtocol", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorOriginalUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorUserSid", - "type": "string" - }, - { - "name": "ActorUserAadId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, - { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetOriginalUserType", - "type": "string" - }, - { - "name": "TargetUserScope", - "type": "string" - }, - { - "name": "TargetUserScopeId", - "type": "string" - }, - { - "name": "TargetSessionId", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserSessionGuid", - "type": "string" - }, - { - "name": "TargetAppName", - "type": "string" - }, - { - "name": "TargetAppId", - "type": "string" - }, - { - "name": "TargetAppType", - "type": "string" - }, - { - "name": "TargetOriginalAppType", - "type": "string" - }, - { - "name": "TargetUrl", - "type": 
"string" - }, - { - "name": "TargetHostname", - "type": "string" - }, - { - "name": "TargetDomain", - "type": "string" - }, - { - "name": "TargetDomainType", - "type": "string" - }, - { - "name": "TargetFQDN", - "type": "string" - }, - { - "name": "TargetDescription", - "type": "string" - }, - { - "name": "TargetDvcId", - "type": "string" - }, - { - "name": "TargetDvcIdType", - "type": "string" - }, - { - "name": "TargetDvcOs", - "type": "string" - }, - { - "name": "TargetPortNumber", - "type": "int" - }, - { - "name": "TargetIpAddr", - "type": "string" - }, - { - "name": "TargetGeoCity", - "type": "string" - }, - { - "name": "TargetGeoCountry", - "type": "string" - }, - { - "name": "TargetGeoLatitude", - "type": "real" - }, - { - "name": "TargetGeoLongitude", - "type": "real" - }, - { - "name": "TargetGeoRegion", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDescription", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "HttpUserAgent", - "type": "string" - }, - { - "name": "HttpRequestMethod", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - 
{ - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } - }, - { - "name": "HalcyonDnsActivity_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonDnsActivity_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": 
"EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" - }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { - "name": "SrcUserType", - 
"type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": "string" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstHostname", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": "DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": "DnsQuery", - "type": "string" - }, - { - "name": "DnsQueryType", - "type": "int" - }, - { - "name": "DnsQueryTypeName", - "type": "string" - }, - { - "name": "DnsQueryClass", - "type": "int" - }, - { - "name": "DnsQueryClassName", - "type": "string" - }, - { - "name": "DnsResponseCode", - "type": "int" - }, - { - "name": "DnsResponseName", - "type": "string" - }, - { - "name": "DnsResponseIpCity", - "type": "string" - }, - { - "name": "DnsResponseIpCountry", - "type": "string" - }, - { - "name": "DnsResponseIpLatitude", - "type": "real" - }, - { - "name": "DnsResponseIpLongitude", - "type": "real" - }, - { - "name": "DnsResponseIpRegion", - "type": "string" - }, - { - "name": "DnsFlags", - "type": "string" - }, - { - "name": "DnsFlagsAuthenticated", - "type": "boolean" - }, - { - "name": "DnsFlagsAuthoritative", - "type": "boolean" - }, - { - "name": "DnsFlagsCheckingDisabled", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionAvailable", - "type": "boolean" - }, - { - "name": "DnsFlagsRecursionDesired", - "type": "boolean" - }, - { - "name": "DnsFlagsTruncated", - "type": "boolean" - }, 
- { - "name": "DnsFlagsZ", - "type": "boolean" - }, - { - "name": "DnsNetworkDuration", - "type": "int" - }, - { - "name": "DnsSessionId", - "type": "string" - }, - { - "name": "TransactionIdHex", - "type": "string" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } - }, - { - "name": "HalcyonFileActivity_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonFileActivity_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": 
"EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" 
- }, - { - "name": "ActingProcessCreationTime", - "type": "datetime" - }, - { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", - "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetFileName", - "type": "string" - }, - { - "name": "TargetFilePath", - "type": "string" - }, - { - "name": "TargetFilePathType", - "type": "string" - }, - { - "name": "TargetFileDirectory", - "type": "string" - }, - { - "name": "TargetFileExtension", - "type": "string" - }, - { - "name": "TargetFileMimeType", - "type": "string" - }, - { - "name": "TargetFileCreationTime", - "type": "datetime" - }, - { - "name": "TargetFileSize", - "type": "long" - }, - { - "name": "TargetFileMD5", - "type": "string" - }, - { - "name": "TargetFileSHA1", - "type": "string" - }, - { - "name": "TargetFileSHA256", - "type": "string" - }, - { - "name": "TargetFileSHA512", - "type": "string" - }, - { - "name": "SrcFileName", - "type": "string" - }, - { - "name": "SrcFilePath", - "type": "string" - }, - { - "name": "SrcFilePathType", - "type": "string" - }, - { - "name": "SrcFileDirectory", - "type": "string" - }, - { - "name": "SrcFileExtension", - "type": "string" - }, - { - "name": "SrcFileMimeType", - "type": "string" - }, - { - "name": "SrcFileCreationTime", - "type": "datetime" - }, - { - "name": "SrcFileSize", - "type": "long" - }, - { - 
"name": "SrcFileMD5", - "type": "string" - }, - { - "name": "SrcFileSHA1", - "type": "string" - }, - { - "name": "SrcFileSHA256", - "type": "string" - }, - { - "name": "SrcFileSHA512", - "type": "string" - }, - { - "name": "HashType", - "type": "string" - }, - { - "name": "FileMD5", - "type": "string" - }, - { - "name": "FileSHA1", - "type": "string" - }, - { - "name": "FileSHA256", - "type": "string" - }, - { - "name": "FileSHA512", - "type": "string" - }, - { - "name": "FileContentType", - "type": "string" - }, - { - "name": "FileSize", - "type": "int" - }, - { - "name": "FileName", - "type": "string" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatFilePath", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } - }, - { - "name": "HalcyonNetworkSession_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonNetworkSession_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - 
"type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": "DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcDescription", - "type": "string" - }, - { - "name": "DvcInterface", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "Src", - "type": "string" - }, - { - "name": "SrcIpAddr", - "type": "string" - }, - { - "name": "SrcPortNumber", - "type": "int" - }, - { - "name": "SrcHostname", - "type": "string" - }, - { - "name": "SrcDomain", - "type": "string" 
- }, - { - "name": "SrcDomainType", - "type": "string" - }, - { - "name": "SrcFQDN", - "type": "string" - }, - { - "name": "SrcDvcId", - "type": "string" - }, - { - "name": "SrcDvcIdType", - "type": "string" - }, - { - "name": "SrcDvcScopeId", - "type": "string" - }, - { - "name": "SrcDvcScope", - "type": "string" - }, - { - "name": "SrcDeviceType", - "type": "string" - }, - { - "name": "SrcUserId", - "type": "string" - }, - { - "name": "SrcUserIdType", - "type": "string" - }, - { - "name": "SrcUsername", - "type": "string" - }, - { - "name": "SrcUsernameType", - "type": "string" - }, - { - "name": "SrcUserType", - "type": "string" - }, - { - "name": "SrcOriginalUserType", - "type": "string" - }, - { - "name": "SrcUserScope", - "type": "string" - }, - { - "name": "SrcUserScopeId", - "type": "string" - }, - { - "name": "SrcMacAddr", - "type": "string" - }, - { - "name": "SrcDvcOs", - "type": "string" - }, - { - "name": "SrcIsp", - "type": "string" - }, - { - "name": "SrcGeoCity", - "type": "string" - }, - { - "name": "SrcGeoCountry", - "type": "string" - }, - { - "name": "SrcGeoLatitude", - "type": "real" - }, - { - "name": "SrcGeoLongitude", - "type": "real" - }, - { - "name": "SrcGeoRegion", - "type": "string" - }, - { - "name": "SrcRiskLevel", - "type": "int" - }, - { - "name": "SrcOriginalRiskLevel", - "type": "string" - }, - { - "name": "SrcProcessName", - "type": "string" - }, - { - "name": "SrcProcessId", - "type": "string" - }, - { - "name": "SrcProcessGuid", - "type": "string" - }, - { - "name": "SrcAppName", - "type": "string" - }, - { - "name": "SrcAppId", - "type": "string" - }, - { - "name": "SrcAppType", - "type": "string" - }, - { - "name": "SrcZone", - "type": "string" - }, - { - "name": "SrcInterfaceName", - "type": "string" - }, - { - "name": "SrcInterfaceGuid", - "type": "string" - }, - { - "name": "SrcVlanId", - "type": "string" - }, - { - "name": "SrcSubscriptionId", - "type": "string" - }, - { - "name": "Dst", - "type": "string" - }, - { - 
"name": "DstIpAddr", - "type": "string" - }, - { - "name": "DstPortNumber", - "type": "int" - }, - { - "name": "DstHostname", - "type": "string" - }, - { - "name": "DstDomain", - "type": "string" - }, - { - "name": "DstDomainType", - "type": "string" - }, - { - "name": "DstFQDN", - "type": "string" - }, - { - "name": "DstDvcId", - "type": "string" - }, - { - "name": "DstDvcIdType", - "type": "string" - }, - { - "name": "DstDvcScopeId", - "type": "string" - }, - { - "name": "DstDvcScope", - "type": "string" - }, - { - "name": "DstDeviceType", - "type": "string" - }, - { - "name": "DstUserId", - "type": "string" - }, - { - "name": "DstUserIdType", - "type": "string" - }, - { - "name": "DstUsername", - "type": "string" - }, - { - "name": "DstUsernameType", - "type": "string" - }, - { - "name": "DstUserType", - "type": "string" - }, - { - "name": "DstOriginalUserType", - "type": "string" - }, - { - "name": "DstUserScope", - "type": "string" - }, - { - "name": "DstUserScopeId", - "type": "string" - }, - { - "name": "DstMacAddr", - "type": "string" - }, - { - "name": "DstDvcOs", - "type": "string" - }, - { - "name": "DstIsp", - "type": "string" - }, - { - "name": "DstGeoCity", - "type": "string" - }, - { - "name": "DstGeoCountry", - "type": "string" - }, - { - "name": "DstGeoLatitude", - "type": "real" - }, - { - "name": "DstGeoLongitude", - "type": "real" - }, - { - "name": "DstGeoRegion", - "type": "string" - }, - { - "name": "DstRiskLevel", - "type": "int" - }, - { - "name": "DstOriginalRiskLevel", - "type": "string" - }, - { - "name": "DstProcessName", - "type": "string" - }, - { - "name": "DstProcessId", - "type": "string" - }, - { - "name": "DstProcessGuid", - "type": "string" - }, - { - "name": "DstAppName", - "type": "string" - }, - { - "name": "DstAppId", - "type": "string" - }, - { - "name": "DstAppType", - "type": "string" - }, - { - "name": "DstZone", - "type": "string" - }, - { - "name": "DstInterfaceName", - "type": "string" - }, - { - "name": 
"DstInterfaceGuid", - "type": "string" - }, - { - "name": "DstVlanId", - "type": "string" - }, - { - "name": "DstSubscriptionId", - "type": "string" - }, - { - "name": "NetworkApplicationProtocol", - "type": "string" - }, - { - "name": "NetworkProtocol", - "type": "string" - }, - { - "name": "NetworkProtocolVersion", - "type": "string" - }, - { - "name": "NetworkDirection", - "type": "string" - }, - { - "name": "NetworkDuration", - "type": "int" - }, - { - "name": "NetworkIcmpCode", - "type": "int" - }, - { - "name": "NetworkIcmpType", - "type": "string" - }, - { - "name": "NetworkConnectionHistory", - "type": "string" - }, - { - "name": "DstBytes", - "type": "long" - }, - { - "name": "SrcBytes", - "type": "long" - }, - { - "name": "NetworkBytes", - "type": "long" - }, - { - "name": "DstPackets", - "type": "long" - }, - { - "name": "SrcPackets", - "type": "long" - }, - { - "name": "NetworkPackets", - "type": "long" - }, - { - "name": "NetworkSessionId", - "type": "string" - }, - { - "name": "SessionId", - "type": "string" - }, - { - "name": "SrcNatIpAddr", - "type": "string" - }, - { - "name": "SrcNatPortNumber", - "type": "int" - }, - { - "name": "DstNatIpAddr", - "type": "string" - }, - { - "name": "DstNatPortNumber", - "type": "int" - }, - { - "name": "TcpFlags", - "type": "string" - }, - { - "name": "SrcVmName", - "type": "string" - }, - { - "name": "DstVmName", - "type": "string" - }, - { - "name": "NetworkRuleName", - "type": "string" - }, - { - "name": "NetworkRuleNumber", - "type": "int" - }, - { - "name": "Rule", - "type": "string" - }, - { - "name": "RuleName", - "type": "string" - }, - { - "name": "RuleNumber", - "type": "int" - }, - { - "name": "ThreatId", - "type": "string" - }, - { - "name": "ThreatName", - "type": "string" - }, - { - "name": "ThreatCategory", - "type": "string" - }, - { - "name": "ThreatRiskLevel", - "type": "int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "string" - }, - { - "name": "ThreatConfidence", - "type": "int" - 
}, - { - "name": "ThreatOriginalConfidence", - "type": "string" - }, - { - "name": "ThreatIsActive", - "type": "boolean" - }, - { - "name": "ThreatFirstReportedTime", - "type": "datetime" - }, - { - "name": "ThreatLastReportedTime", - "type": "datetime" - }, - { - "name": "ThreatIpAddr", - "type": "string" - }, - { - "name": "ThreatField", - "type": "string" - }, - { - "name": "AdditionalFields", - "type": "dynamic" - }, - { - "name": "SourceSystem", - "type": "string" - } - ] - } - } - }, - { - "name": "HalcyonProcessEvent_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "plan": "Analytics", - "schema": { - "name": "HalcyonProcessEvent_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "EventCount", - "type": "int" - }, - { - "name": "EventStartTime", - "type": "datetime" - }, - { - "name": "EventEndTime", - "type": "datetime" - }, - { - "name": "EventType", - "type": "string" - }, - { - "name": "EventSubType", - "type": "string" - }, - { - "name": "EventResult", - "type": "string" - }, - { - "name": "EventResultDetails", - "type": "string" - }, - { - "name": "EventOriginalResultDetails", - "type": "string" - }, - { - "name": "EventSeverity", - "type": "string" - }, - { - "name": "EventOriginalSeverity", - "type": "string" - }, - { - "name": "EventProduct", - "type": "string" - }, - { - "name": "EventProductVersion", - "type": "string" - }, - { - "name": "EventVendor", - "type": "string" - }, - { - "name": "EventSchema", - "type": "string" - }, - { - "name": "EventSchemaVersion", - "type": "string" - }, - { - "name": "EventOriginalUid", - "type": "string" - }, - { - "name": "EventOriginalType", - "type": "string" - }, - { - "name": "EventMessage", - "type": "string" - }, - { - "name": "Dvc", - "type": "string" - }, - { - "name": "DvcHostname", - "type": "string" - }, - { - "name": 
"DvcIpAddr", - "type": "string" - }, - { - "name": "DvcDomain", - "type": "string" - }, - { - "name": "DvcDomainType", - "type": "string" - }, - { - "name": "DvcFQDN", - "type": "string" - }, - { - "name": "DvcId", - "type": "string" - }, - { - "name": "DvcIdType", - "type": "string" - }, - { - "name": "DvcMacAddr", - "type": "string" - }, - { - "name": "DvcOs", - "type": "string" - }, - { - "name": "DvcOsVersion", - "type": "string" - }, - { - "name": "DvcAction", - "type": "string" - }, - { - "name": "DvcOriginalAction", - "type": "string" - }, - { - "name": "DvcScope", - "type": "string" - }, - { - "name": "DvcScopeId", - "type": "string" - }, - { - "name": "DvcZone", - "type": "string" - }, - { - "name": "ActorUsername", - "type": "string" - }, - { - "name": "ActorUsernameType", - "type": "string" - }, - { - "name": "ActorUserId", - "type": "string" - }, - { - "name": "ActorUserIdType", - "type": "string" - }, - { - "name": "ActorUserType", - "type": "string" - }, - { - "name": "ActorScope", - "type": "string" - }, - { - "name": "ActorScopeId", - "type": "string" - }, - { - "name": "ActorSessionId", - "type": "string" - }, - { - "name": "ActingProcessName", - "type": "string" - }, - { - "name": "ActingProcessId", - "type": "string" - }, - { - "name": "ActingProcessGuid", - "type": "string" - }, - { - "name": "ActingProcessCommandLine", - "type": "string" - }, - { - "name": "ActingProcessCreationTime", - "type": "datetime" - }, - { - "name": "ActingProcessFileCompany", - "type": "string" - }, - { - "name": "ActingProcessFileDescription", - "type": "string" - }, - { - "name": "ActingProcessFileProduct", - "type": "string" - }, - { - "name": "ActingProcessFileVersion", - "type": "string" - }, - { - "name": "ActingProcessFileSize", - "type": "long" - }, - { - "name": "ActingProcessMD5", - "type": "string" - }, - { - "name": "ActingProcessSHA1", - "type": "string" - }, - { - "name": "ActingProcessSHA256", - "type": "string" - }, - { - "name": "ActingProcessSHA512", 
- "type": "string" - }, - { - "name": "ActingProcessIMPHASH", - "type": "string" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ActingProcessTokenElevation", - "type": "string" - }, - { - "name": "ParentProcessName", - "type": "string" - }, - { - "name": "ParentProcessId", - "type": "string" - }, - { - "name": "ParentProcessGuid", - "type": "string" - }, + }, + { + "name": "message", + "type": "string" + }, + { + "name": "raw_data", + "type": "string" + }, + { + "name": "status_id", + "type": "int" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "action_id", + "type": "int" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "disposition_id", + "type": "int" + }, + { + "name": "disposition", + "type": "string" + }, + { + "name": "rcode", + "type": "string" + }, + { + "name": "rcode_id", + "type": "int" + }, + { + "name": "metadata", + "type": "dynamic" + }, + { + "name": "unmapped", + "type": "dynamic" + }, + { + "name": "actor", + "type": "dynamic" + }, + { + "name": "device", + "type": "dynamic" + }, + { + "name": "file", + "type": "dynamic" + }, + { + "name": "process", + "type": "dynamic" + }, + { + "name": "user", + "type": "dynamic" + }, + { + "name": "dst_endpoint", + "type": "dynamic" + }, + { + "name": "src_endpoint", + "type": "dynamic" + }, + { + "name": "query", + "type": "dynamic" + }, + { + "name": "answers", + "type": "dynamic" + }, + { + "name": "driver", + "type": "dynamic" + }, + { + "name": "module", + "type": "dynamic" + }, + { + "name": "app", + "type": "dynamic" + } + ] + } + }, + "destinations": { + "logAnalytics": [ { - "name": "ParentProcessCommandLine", - "type": "string" - }, + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-Halcyon" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend TimeGenerated = datetime(1970-01-01) + (['time'] * 1ms) | 
project-away ['time']", + "outputStream": "Custom-HalcyonEvents_CL" + } + ] + } + }, + { + "name": "HalcyonEvents_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "plan": "Analytics", + "schema": { + "name": "HalcyonEvents_CL", + "columns": [ { - "name": "ParentProcessCreationTime", + "name": "TimeGenerated", "type": "datetime" }, { - "name": "ParentProcessFileCompany", - "type": "string" - }, - { - "name": "ParentProcessFileDescription", - "type": "string" - }, - { - "name": "ParentProcessFileProduct", - "type": "string" - }, - { - "name": "ParentProcessFileVersion", - "type": "string" - }, - { - "name": "ParentProcessFileSize", - "type": "long" - }, - { - "name": "ParentProcessMD5", - "type": "string" - }, - { - "name": "ParentProcessSHA1", - "type": "string" - }, - { - "name": "ParentProcessSHA256", - "type": "string" - }, - { - "name": "ParentProcessSHA512", - "type": "string" - }, - { - "name": "ParentProcessIMPHASH", - "type": "string" - }, - { - "name": "ParentProcessIntegrityLevel", - "type": "string" - }, - { - "name": "ParentProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetProcessName", - "type": "string" - }, - { - "name": "TargetProcessId", - "type": "string" + "name": "activity_id", + "type": "int" }, { - "name": "TargetProcessGuid", + "name": "activity_name", "type": "string" }, { - "name": "TargetProcessCommandLine", - "type": "string" + "name": "category_uid", + "type": "int" }, { - "name": "TargetProcessCurrentDirectory", + "name": "category_name", "type": "string" }, { - "name": "TargetProcessCreationTime", - "type": "datetime" - }, - { - "name": "TargetProcessFileCompany", - "type": "string" + "name": "class_uid", + "type": "int" }, { - "name": "TargetProcessFileDescription", + "name": "class_name", "type": "string" }, { - "name": "TargetProcessFileProduct", - "type": "string" + "name": 
"severity_id", + "type": "int" }, { - "name": "TargetProcessFileVersion", + "name": "severity", "type": "string" }, { - "name": "TargetProcessFileSize", + "name": "type_uid", "type": "long" }, { - "name": "TargetProcessMD5", - "type": "string" - }, - { - "name": "TargetProcessSHA1", + "name": "type_name", "type": "string" }, { - "name": "TargetProcessSHA256", + "name": "message", "type": "string" }, { - "name": "TargetProcessSHA512", + "name": "raw_data", "type": "string" }, { - "name": "TargetProcessIMPHASH", - "type": "string" - }, - { - "name": "TargetProcessIntegrityLevel", - "type": "string" - }, - { - "name": "TargetProcessTokenElevation", - "type": "string" - }, - { - "name": "TargetUsername", - "type": "string" - }, - { - "name": "TargetUsernameType", - "type": "string" - }, - { - "name": "TargetUserId", - "type": "string" - }, - { - "name": "TargetUserIdType", - "type": "string" - }, - { - "name": "TargetUserType", - "type": "string" - }, - { - "name": "TargetUserSessionId", - "type": "string" - }, - { - "name": "TargetUserScope", - "type": "string" - }, - { - "name": "TargetUserScopeId", - "type": "string" + "name": "status_id", + "type": "int" }, { - "name": "Hash", + "name": "status", "type": "string" }, { - "name": "HashType", - "type": "string" + "name": "action_id", + "type": "int" }, { - "name": "MD5", + "name": "action", "type": "string" }, { - "name": "SHA1", - "type": "string" + "name": "disposition_id", + "type": "int" }, { - "name": "SHA256", + "name": "disposition", "type": "string" }, { - "name": "SHA512", + "name": "rcode", "type": "string" }, { - "name": "IMPHASH", - "type": "string" + "name": "rcode_id", + "type": "int" }, { - "name": "ThreatId", - "type": "string" + "name": "metadata", + "type": "dynamic" }, { - "name": "ThreatName", - "type": "string" + "name": "unmapped", + "type": "dynamic" }, { - "name": "ThreatCategory", - "type": "string" + "name": "actor", + "type": "dynamic" }, { - "name": "ThreatRiskLevel", - "type": "int" + 
"name": "device", + "type": "dynamic" }, { - "name": "ThreatOriginalRiskLevel", - "type": "string" + "name": "file", + "type": "dynamic" }, { - "name": "ThreatConfidence", - "type": "int" + "name": "process", + "type": "dynamic" }, { - "name": "ThreatOriginalConfidence", - "type": "string" + "name": "user", + "type": "dynamic" }, { - "name": "ThreatIsActive", - "type": "boolean" + "name": "dst_endpoint", + "type": "dynamic" }, { - "name": "ThreatFirstReportedTime", - "type": "datetime" + "name": "src_endpoint", + "type": "dynamic" }, { - "name": "ThreatLastReportedTime", - "type": "datetime" + "name": "query", + "type": "dynamic" }, { - "name": "ThreatFilePath", - "type": "string" + "name": "answers", + "type": "dynamic" }, { - "name": "ThreatField", - "type": "string" + "name": "driver", + "type": "dynamic" }, { - "name": "AdditionalFields", + "name": "module", "type": "dynamic" }, { - "name": "SourceSystem", - "type": "string" + "name": "app", + "type": "dynamic" } ] } 
@@ -4561,80 +647,26 @@
  "publisher": "Halcyon",
  "logo": "halcyon.svg",
  "descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
+ "sampleQueries": [],
  "graphQueries": [
  {
- "metricName": "Authentication Events",
- "legend": "HalcyonAuthenticationEvents_CL",
- "baseQuery": "HalcyonAuthenticationEvents_CL"
- },
- {
- "metricName": "DNS Activity",
- "legend": "HalcyonDnsActivity_CL",
- "baseQuery": "HalcyonDnsActivity_CL"
- },
- {
- "metricName": "File Activity",
- "legend": "HalcyonFileActivity_CL",
- "baseQuery": "HalcyonFileActivity_CL"
- },
- {
- "metricName": "Network Sessions",
- "legend": "HalcyonNetworkSession_CL",
- "baseQuery": "HalcyonNetworkSession_CL"
- },
- {
- "metricName": "Process Events",
- "legend": "HalcyonProcessEvent_CL",
- "baseQuery": "HalcyonProcessEvent_CL"
- }
- ],
- "sampleQueries": [
- {
- "description": "Get Sample Authentication Events",
- "query": "HalcyonAuthenticationEvents_CL\n | take 10"
- },
- {
- "description": "Get Sample DNS Activity",
- "query": "HalcyonDnsActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample File Activity",
- "query": "HalcyonFileActivity_CL\n | take 10"
- },
- {
- "description": "Get Sample Network Sessions",
- "query": "HalcyonNetworkSession_CL\n | take 10"
- },
- {
- "description": "Get Sample Process Events",
- "query": "HalcyonProcessEvent_CL\n | take 10"
+ "metricName": "Events",
+ "legend": "HalcyonEvents_CL",
+ "baseQuery": "HalcyonEvents_CL"
  }
  ],
  "dataTypes": [
  {
- "name": "Halcyon Authentication Events",
- "lastDataReceivedQuery": "HalcyonAuthenticationEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon DNS Activity",
- "lastDataReceivedQuery": "HalcyonDnsActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon File Activity",
- "lastDataReceivedQuery": "HalcyonFileActivity_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Network Sessions",
- "lastDataReceivedQuery": "HalcyonNetworkSession_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- },
- {
- "name": "Halcyon Process Events",
- "lastDataReceivedQuery": "HalcyonProcessEvent_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "Halcyon Events",
+ "lastDataReceivedQuery": "HalcyonEvents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
  }
  ],
  "connectivityCriteria": [
  {
- "type": "HasDataConnectors"
+ "type": "IsConnectedQuery",
+ "value": [
+ "HalcyonEvents_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7d)"
+ ]
  }
  ],
  "availability": {
@@ -4679,14 +711,14 @@
  {
  "parameters": {
  "label": "Deploy Halcyon Connector Resources",
- "applicationDisplayName": "Halcyon Connector Application"
+ "applicationDisplayName": "Halcyon Sentinel Connector"
  },
  "type": "DeployPushConnectorButton"
  }
  ]
  },
  {
- "title": "2. Configured your integration in the Halcyon Platform",
+ "title": "2. Configure your integration in the Halcyon Platform",
  "description": "Use the following parameters to configure your integration in the Halcyon Platform.",
  "instructions": [
  {
@@ -4730,7 +762,7 @@
  },
  {
  "parameters": {
- "label": "Data Collection Rule Immutable ID (Rule ID)",
+ "label": "Data Collection Rule ID (Rule ID)",
  "fillWith": [
  "DataCollectionRuleId"
  ],
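Review bot: `"sampleQueries": []` removes every sample query from the connector page even though the single new table supports one, so users lose the quick-look query the previous definition shipped per table; add `{ "description": "Get Sample Events", "query": "HalcyonEvents_CL\n | take 10" }` to the array. The `IsConnectedQuery` window of `ago(7d)` means the connector still reports as connected up to a week after ingestion stops, which is long for an endpoint security feed; a shorter window (for example `ago(1d)`) would surface a broken pipeline sooner. The right window depends on the expected event volume, which is not visible here, so confirm it against real tenants.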
@@ -4904,7 +936,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ASimAuthenticationHalcyon Data Parser with template version 3.0.0",
+ "description": "ASimAuthenticationHalcyon Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -4913,7 +945,7 @@
 "resources": [
 {
 "name": "[variables('parserObject1')._parserName1]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -4921,7 +953,7 @@ "displayName": "ASIM Authentication Event Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimAuthenticationHalcyon", - "query": "let parser = () {\n HalcyonAuthenticationEvents_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 3002 // Authentication\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n ActorUsername = tostring(user.name),\n ActorUserId = tostring(user.uid),\n ActorUsernameType = 'Simple',\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
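Review bot: `EventSeverity` on this hunk's `+` line maps `severity_id == 5` to `'Critical'`, which is not one of the ASIM EventSeverity values (Informational, Low, Medium, High), so ASIM-based analytics that filter on severity will never see these events as high; the same case expression is repeated in the second copy of this parser (@@ -4985), in the DNS, File, NetworkSession and ProcessEvent parsers (@@ -5051, -5115, -5181, -5245, -5311, -5375, -5441, -5505) and in the Parsers/*.yaml sources. Folding the top of the OCSF range down, `severity_id in (4, 5, 6), 'High'`, in place of the separate `4` and `5` branches keeps the vendor value reachable through `EventOriginalSeverity`. `EventType` falls back to `'Other'`, which is likewise outside the Authentication schema's enumeration (Logon, Logoff, Elevate); the ProcessEvent parser has the same fallback against ProcessCreated/ProcessTerminated. OCSF Authentication carries the account being authenticated in `user` and the initiating account in `actor.user`, and ASIM's `User` alias in this schema refers to the target user, so `ActorUsername = tostring(user.name)` with `User = ActorUsername` is presumably a mis-assignment (TargetUsername is the expected home) — worth confirming against the table schema, which is not in this chunk. Since mainTemplate.json appears to be generated from Solutions/Halcyon/Parsers/*.yaml, the fix belongs in the yaml files followed by a regeneration.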
@@ -4970,14 +1002,14 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "ASIM Authentication Event Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject1')._parserName1]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -4985,7 +1017,7 @@ "displayName": "ASIM Authentication Event Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimAuthenticationHalcyon", - "query": "let parser = () {\n HalcyonAuthenticationEvents_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 3002 // Authentication\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n ActorUsername = tostring(user.name),\n ActorUserId = tostring(user.uid),\n ActorUsernameType = 'Simple',\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
@@ -5034,7 +1066,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ASimDnsHalcyon Data Parser with template version 3.0.0",
+ "description": "ASimDnsHalcyon Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -5043,7 +1075,7 @@
 "resources": [
 {
 "name": "[variables('parserObject2')._parserName2]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5051,7 +1083,7 @@ "displayName": "ASIM DNS Activity Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimDnsHalcyon", - "query": "let parser = () {\n HalcyonDnsActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4003 // DNS Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Dns',\n EventSchemaVersion = '0.1.7',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Query',\n EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DnsQuery = tostring(query.hostname),\n DnsQueryTypeName = tostring(query.type),\n DnsResponseCodeName = rcode,\n DnsResponseCode = rcode_id,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Domain = DnsQuery,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
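Review bot: `EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure')` on this hunk's `+` line puts a response-code name into `EventResult`, whose ASIM values are Success, Partial, Failure and NA; the DNS schema carries the code name in `EventResultDetails`, so NXDOMAIN answers currently escape any consumer that filters on `EventResult == 'Failure'`. Changing it to `EventResult = iff(rcode_id == 0, 'Success', 'Failure'),` and adding `EventResultDetails = rcode,` keeps NXDOMAIN visible in its proper field. `DnsResponseCode` is an integer in ASIM, so `DnsResponseCode = toint(rcode_id),` is safer than assigning the raw column unless the table schema (not in this chunk) already declares `rcode_id` as int. The same query is repeated in the second savedSearches copy (@@ -5115) and in Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml.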
@@ -5100,14 +1132,14 @@
 "contentId": "[variables('parserObject2').parserContentId2]",
 "contentKind": "Parser",
 "displayName": "ASIM DNS Activity Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]",
 "version": "[variables('parserObject2').parserVersion2]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject2')._parserName2]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5115,7 +1147,7 @@ "displayName": "ASIM DNS Activity Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimDnsHalcyon", - "query": "let parser = () {\n HalcyonDnsActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4003 // DNS Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Dns',\n EventSchemaVersion = '0.1.7',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Query',\n EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DnsQuery = tostring(query.hostname),\n DnsQueryTypeName = tostring(query.type),\n DnsResponseCodeName = rcode,\n DnsResponseCode = rcode_id,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Domain = DnsQuery,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
@@ -5164,7 +1196,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ASimFileEventHalcyon Data Parser with template version 3.0.0",
+ "description": "ASimFileEventHalcyon Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -5173,7 +1205,7 @@
 "resources": [
 {
 "name": "[variables('parserObject3')._parserName3]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5181,7 +1213,7 @@ "displayName": "ASIM File Activity Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimFileEventHalcyon", - "query": "let parser = () {\n HalcyonFileActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1001 // File Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = activity_name,\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetFileName = tostring(file.name),\n TargetFilePath = tostring(file.path),\n TargetFileExtension = tostring(file.ext),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n FilePath = TargetFilePath,\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
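Review bot: `EventType = activity_name` on this hunk's `+` line passes the OCSF activity label straight through, but ASIM FileEvent's `EventType` is an enumeration (FileCreated, FileModified, FileDeleted, FileRenamed, FileAccessed, …), so ASIM-based file analytics that filter on it will not match these events. Mapping on `activity_id` — e.g. `EventType = case(activity_id == 1, 'FileCreated', activity_id == 2, 'FileAccessed', activity_id == 3, 'FileModified', activity_id == 4, 'FileDeleted', activity_id == 5, 'FileRenamed', 'FileAccessed'),` — with `EventOriginalSubType = activity_name,` keeps the vendor label for forensics; the numeric values follow the OCSF File System Activity enumeration and should be confirmed against the events Halcyon actually sends before the fallback is settled. The same query is repeated at @@ -5245 and in Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml.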
@@ -5230,14 +1262,14 @@
 "contentId": "[variables('parserObject3').parserContentId3]",
 "contentKind": "Parser",
 "displayName": "ASIM File Activity Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]",
 "version": "[variables('parserObject3').parserVersion3]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject3')._parserName3]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5245,7 +1277,7 @@ "displayName": "ASIM File Activity Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimFileEventHalcyon", - "query": "let parser = () {\n HalcyonFileActivity_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1001 // File Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = activity_name,\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetFileName = tostring(file.name),\n TargetFilePath = tostring(file.path),\n TargetFileExtension = tostring(file.ext),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n FilePath = TargetFilePath,\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
@@ -5294,7 +1326,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ASimNetworkSessionHalcyon Data Parser with template version 3.0.0",
+ "description": "ASimNetworkSessionHalcyon Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -5303,7 +1335,7 @@
 "resources": [
 {
 "name": "[variables('parserObject4')._parserName4]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5311,7 +1343,7 @@ "displayName": "ASIM Network Session Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimNetworkSessionHalcyon", - "query": "let parser = () {\n HalcyonNetworkSession_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4001 // Network Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.6',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DvcAction = action,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n SrcHostname = tostring(src_endpoint.hostname),\n SrcDomain = tostring(src_endpoint.domain),\n SrcMacAddr = tostring(src_endpoint.mac),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DstHostname = tostring(dst_endpoint.hostname),\n DstDomain = tostring(dst_endpoint.domain),\n DstMacAddr = tostring(dst_endpoint.mac),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
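Review bot: `DvcAction = action` on this hunk's `+` line copies the OCSF action label, whereas ASIM `DvcAction` is an enumeration (Allow, Deny, Drop, …); OCSF labels such as `Allowed`/`Denied` will not match rules that test `DvcAction == 'Deny'`, and the raw value has no field of its own. Assigning `DvcOriginalAction = action,` and `DvcAction = case(action_id == 1, 'Allow', action_id == 2, 'Deny', ''),` keeps both, assuming `action_id` follows the OCSF Network Activity enumeration — confirm against the table schema, which is not in this chunk. Because `device.*` is populated, these presumably are host-agent observations, for which `EventType = 'EndpointNetworkSession'` is the closer ASIM fit than `'NetworkSession'`. The same query is repeated at @@ -5375 and in Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml.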
@@ -5360,14 +1392,14 @@
 "contentId": "[variables('parserObject4').parserContentId4]",
 "contentKind": "Parser",
 "displayName": "ASIM Network Session Parser for Halcyon",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]",
 "version": "[variables('parserObject4').parserVersion4]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "name": "[variables('parserObject4')._parserName4]",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5375,7 +1407,7 @@ "displayName": "ASIM Network Session Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimNetworkSessionHalcyon", - "query": "let parser = () {\n HalcyonNetworkSession_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4001 // Network Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.6',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DvcAction = action,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n SrcHostname = tostring(src_endpoint.hostname),\n SrcDomain = tostring(src_endpoint.domain),\n SrcMacAddr = tostring(src_endpoint.mac),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DstHostname = tostring(dst_endpoint.hostname),\n DstDomain = tostring(dst_endpoint.domain),\n DstMacAddr = tostring(dst_endpoint.mac),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ 
@@ -5424,7 +1456,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ASimProcessEventHalcyon Data Parser with template version 3.0.0",
+ "description": "ASimProcessEventHalcyon Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -5433,7 +1465,7 @@
 "resources": [
 {
 "name": "[variables('parserObject5')._parserName5]",
- "apiVersion": "2022-10-01",
+ "apiVersion": "2025-07-01",
 "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -5441,7 +1473,7 @@ "displayName": "ASIM Process Event Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimProcessEventHalcyon", - "query": "let parser = () {\n HalcyonProcessEvent_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1007 // Process Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'ProcessEvent',\n EventSchemaVersion = '0.1.4',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetProcessName = tostring(process.name),\n TargetProcessId = tostring(process.pid),\n TargetProcessCommandLine = tostring(process.cmd_line),\n TargetProcessFilename = tostring(process.file.name),\n TargetProcessFilePath = tostring(process.file.path),\n ParentProcessName = tostring(process.parent_process.name),\n ParentProcessId = tostring(process.parent_process.pid),\n ParentProcessCommandLine = tostring(process.parent_process.cmd_line),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = 
tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ @@ -5490,14 +1522,14 @@ "contentId": "[variables('parserObject5').parserContentId5]", "contentKind": "Parser", "displayName": "ASIM Process Event Parser for Halcyon", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '2.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '2.0.0')))]", "version": "[variables('parserObject5').parserVersion5]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", + "apiVersion": "2025-07-01", "name": "[variables('parserObject5')._parserName5]", "location": "[parameters('workspace-location')]", "properties": { 
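Review bot: The ProcessEvent mapping on this hunk's `+` line carries name, pid, command line and file path for the target process but no file hash, although OCSF places hashes under `process.file.hashes`; ASIM's `TargetProcessSHA256`/`TargetProcessMD5` fields are what hash-based hunting and threat-intelligence matching key on, so without them this parser cannot feed those detections. If Halcyon populates that array, extracting the SHA-256 entry (for example `TargetProcessSHA256 = tostring(process.file.hashes[0].value)` once the element order, or a filter on `algorithm_id`, is confirmed from real events) would close the gap; the table schema is not in this chunk, so this is an inference from the OCSF object model. The same mapping is repeated at @@ -5505 and in Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml.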
@@ -5505,7 +1537,7 @@ "displayName": "ASIM Process Event Parser for Halcyon", "category": "Microsoft Sentinel Parser", "functionAlias": "ASimProcessEventHalcyon", - "query": "let parser = () {\n HalcyonProcessEvent_CL\n | project-away SourceSystem, Type, TenantId\n};\nparser\n", + "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1007 // Process Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'ProcessEvent',\n EventSchemaVersion = '0.1.4',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetProcessName = tostring(process.name),\n TargetProcessId = tostring(process.pid),\n TargetProcessCommandLine = tostring(process.cmd_line),\n TargetProcessFilename = tostring(process.file.name),\n TargetProcessFilePath = tostring(process.file.path),\n ParentProcessName = tostring(process.parent_process.name),\n ParentProcessId = tostring(process.parent_process.pid),\n ParentProcessCommandLine = tostring(process.parent_process.cmd_line),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = 
tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", "functionParameters": "disabled:bool=False", "version": 2, "tags": [ @@ -5550,12 +1582,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Halcyon", "publisherDisplayName": "Halcyon", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Data Connectors: 1, Parsers: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Installing this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the Deploy button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.

\n

Data Connectors: 1, Parsers: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -5612,7 +1644,7 @@ ] }, "firstPublishDate": "2025-12-22", - "lastPublishDate": "2025-12-22", + "lastPublishDate": "2026-03-24", "providers": [ "Halcyon" ], diff --git a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml index b55dd6c3e4c..2ec78d50104 100644 --- a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml 
@@ -1,17 +1,43 @@ id: a1b2c3d4-e5f6-7890-1234-567890abcde1 Function: Title: ASIM Authentication Event Parser for Halcyon - Version: '1.0.0' - LastUpdated: '2025-12-01' + Version: '2.0.0' + LastUpdated: '2026-03-18' Category: Microsoft Sentinel Parser FunctionName: ASimAuthenticationHalcyon FunctionAlias: ASimAuthenticationHalcyon FunctionQuery: | - let parser = () { - HalcyonAuthenticationEvents_CL - | project-away SourceSystem, Type, TenantId + let parser = (disabled: bool = false) { + HalcyonEvents_CL + | where not(disabled) + | where class_uid == 3002 // Authentication + | extend + EventVendor = tostring(metadata.product.vendor_name), + EventProduct = tostring(metadata.product.name), + EventProductVersion = tostring(metadata.product.version), + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')), + EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), + EventOriginalType = tostring(type_uid), + EventOriginalSeverity = severity, + EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), + EventMessage = message, + ActorUsername = tostring(user.name), + ActorUserId = tostring(user.uid), + ActorUsernameType = 'Simple', + DvcHostname = tostring(device.hostname), + DvcIpAddr = tostring(device.ip), + DvcId = tostring(device.uid) + | extend + User = ActorUsername, + Dvc = DvcHostname + | project-away _ResourceId }; - parser + parser(disabled=disabled) FunctionParams: - Name: disabled Type: bool diff --git a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml index ae96a21648f..6012156f6a2 100644 --- a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml 
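Review bot: The rewritten authentication parser never maps the logon source, so every ASIM detection that keys on `SrcIpAddr` (password spraying, impossible travel, logons from unexpected ranges) sees an empty value for Halcyon rows; the DNS and NetworkSession parsers in this same patch already read `src_endpoint.ip`/`src_endpoint.port` from `HalcyonEvents_CL`, so the column appears to be available. In the `extend` add `SrcIpAddr = tostring(src_endpoint.ip)` and `SrcPortNumber = toint(src_endpoint.port)` (and `SrcHostname = tostring(src_endpoint.hostname)` if Halcyon populates it). `ActorUsernameType = 'Simple'` is also hard-coded although `user.name` may arrive as `DOMAIN\user` or a UPN; the ASIM helper `_ASIM_GetUsernameType(ActorUsername)` classifies it, if that helper is deployed in the target workspace. Finally, in OCSF 3002 `user` is, as I read the schema, the subject being authenticated while the initiator is `actor.user`, so mapping it to `ActorUsername` rather than `TargetUsername` is worth confirming against what Halcyon actually emits.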
+++ b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml @@ -1,17 +1,50 @@ id: a1b2c3d4-e5f6-7890-1234-567890abcde2 Function: Title: ASIM DNS Activity Parser for Halcyon - Version: '1.0.0' - LastUpdated: '2025-12-01' + Version: '2.0.0' + LastUpdated: '2026-03-18' Category: Microsoft Sentinel Parser FunctionName: ASimDnsHalcyon FunctionAlias: ASimDnsHalcyon FunctionQuery: | - let parser = () { - HalcyonDnsActivity_CL - | project-away SourceSystem, Type, TenantId + let parser = (disabled: bool = false) { + HalcyonEvents_CL + | where not(disabled) + | where class_uid == 4003 // DNS Activity + | extend + EventVendor = tostring(metadata.product.vendor_name), + EventProduct = tostring(metadata.product.name), + EventProductVersion = tostring(metadata.product.version), + EventSchema = 'Dns', + EventSchemaVersion = '0.1.7', + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType = 'Query', + EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'), + EventOriginalType = tostring(type_uid), + EventOriginalSeverity = severity, + EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), + EventMessage = message, + DnsQuery = tostring(query.hostname), + DnsQueryTypeName = tostring(query.type), + DnsResponseCodeName = rcode, + DnsResponseCode = rcode_id, + SrcIpAddr = tostring(src_endpoint.ip), + SrcPortNumber = toint(src_endpoint.port), + DstIpAddr = tostring(dst_endpoint.ip), + DstPortNumber = toint(dst_endpoint.port), + DvcHostname = tostring(device.hostname), + DvcIpAddr = tostring(device.ip), + DvcId = tostring(device.uid) + | extend + Domain = DnsQuery, + Dvc = DvcHostname, + IpAddr = SrcIpAddr, + Src = SrcIpAddr + | project-away _ResourceId }; - parser + parser(disabled=disabled) FunctionParams: - Name: disabled Type: bool 
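Review bot: `EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure')` places a response-code name in a field whose ASIM enumeration is Success/Partial/Failure/NA, so content that filters `EventResult == 'Failure'` will skip NXDOMAIN — the very signal DGA and sinkhole detections rely on. Put the name where ASIM reserves it and keep the result binary: `EventResult = iff(rcode_id == 0, 'Success', 'Failure'), EventResultDetails = rcode` (as I recall, `DnsResponseCodeName` is an alias of `EventResultDetails` in the DNS schema, so the existing `DnsResponseCodeName = rcode` line can become `DnsResponseCodeName = EventResultDetails`). `EventType = 'Query'` is likewise a constant even though OCSF 4003 distinguishes query, response and traffic records via `activity_id`; if Halcyon emits more than one activity, please confirm the ids and reflect them rather than labelling every row a query.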
diff --git a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml index b14b9c2dce3..81defaa430e 100644 --- a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml 
@@ -1,17 +1,50 @@ id: a1b2c3d4-e5f6-7890-1234-567890abcde3 Function: Title: ASIM File Activity Parser for Halcyon - Version: '1.0.0' - LastUpdated: '2025-12-01' + Version: '2.0.0' + LastUpdated: '2026-03-18' Category: Microsoft Sentinel Parser FunctionName: ASimFileEventHalcyon FunctionAlias: ASimFileEventHalcyon FunctionQuery: | - let parser = () { - HalcyonFileActivity_CL - | project-away SourceSystem, Type, TenantId + let parser = (disabled: bool = false) { + HalcyonEvents_CL + | where not(disabled) + | where class_uid == 1001 // File Activity + | extend + EventVendor = tostring(metadata.product.vendor_name), + EventProduct = tostring(metadata.product.name), + EventProductVersion = tostring(metadata.product.version), + EventSchema = 'FileEvent', + EventSchemaVersion = '0.2.1', + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType = activity_name, + EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), + EventOriginalType = tostring(type_uid), + EventOriginalSeverity = severity, + EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), + EventMessage = message, + TargetFileName = tostring(file.name), + TargetFilePath = tostring(file.path), + TargetFileExtension = tostring(file.ext), + ActorUsername = tostring(actor.user.name), + ActorUserId = tostring(actor.user.uid), + ActorUsernameType = 'Simple', + ActingProcessName = tostring(actor.process.name), + ActingProcessId = tostring(actor.process.pid), + ActingProcessCommandLine = tostring(actor.process.cmd_line), + DvcHostname = tostring(device.hostname), + DvcIpAddr = tostring(device.ip), + DvcId = tostring(device.uid) + | extend + FilePath = TargetFilePath, + User = ActorUsername, + Dvc = DvcHostname + | project-away _ResourceId }; - parser + parser(disabled=disabled) FunctionParams: - Name: disabled Type: bool 
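Review bot: `EventType = activity_name` passes OCSF activity names (`Create`, `Read`, `Delete`, `Rename`, ...) straight into a field whose ASIM FileEvent values are `FileCreated`, `FileAccessed`, `FileModified`, `FileDeleted`, `FileRenamed` and so on, so unified queries such as `imFileEvent | where EventType == 'FileDeleted'` will never match Halcyon rows — a real gap for a ransomware product whose mass-delete and mass-rename signals are exactly what those queries look for. Map from `activity_id` instead; the ids below follow the OCSF 1001 activity list as I recall it, so please check them against Halcyon's payload before merging. `EventOriginalType` already keeps `type_uid`, so the vendor's own classification is not lost by this change.

```yaml
      EventType = case(
          activity_id == 1, 'FileCreated',
          activity_id == 2, 'FileAccessed',
          activity_id == 3, 'FileModified',
          activity_id == 4, 'FileDeleted',
          activity_id == 5, 'FileRenamed',
          activity_id in (6, 7, 10, 11), 'FileModified',   // attribute/ACL change, encrypt, decrypt
          activity_id == 14, 'FileAccessed',              // open
          activity_name),                                 // TODO(review): unknown ids keep the vendor name
      // … unchanged: EventResult and the remaining extend assignments …
```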
diff --git a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml index 952cfcf0348..1c9ac98553f 100644 --- a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml 
@@ -1,17 +1,53 @@ id: a1b2c3d4-e5f6-7890-1234-567890abcde4 Function: Title: ASIM Network Session Parser for Halcyon - Version: '1.0.0' - LastUpdated: '2025-12-01' + Version: '2.0.0' + LastUpdated: '2026-03-18' Category: Microsoft Sentinel Parser FunctionName: ASimNetworkSessionHalcyon FunctionAlias: ASimNetworkSessionHalcyon FunctionQuery: | - let parser = () { - HalcyonNetworkSession_CL - | project-away SourceSystem, Type, TenantId + let parser = (disabled: bool = false) { + HalcyonEvents_CL + | where not(disabled) + | where class_uid == 4001 // Network Activity + | extend + EventVendor = tostring(metadata.product.vendor_name), + EventProduct = tostring(metadata.product.name), + EventProductVersion = tostring(metadata.product.version), + EventSchema = 'NetworkSession', + EventSchemaVersion = '0.2.6', + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType = 'NetworkSession', + EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), + EventOriginalType = tostring(type_uid), + EventOriginalSeverity = severity, + EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), + EventMessage = message, + DvcAction = action, + SrcIpAddr = tostring(src_endpoint.ip), + SrcPortNumber = toint(src_endpoint.port), + SrcHostname = tostring(src_endpoint.hostname), + SrcDomain = tostring(src_endpoint.domain), + SrcMacAddr = tostring(src_endpoint.mac), + DstIpAddr = tostring(dst_endpoint.ip), + DstPortNumber = toint(dst_endpoint.port), + DstHostname = tostring(dst_endpoint.hostname), + DstDomain = tostring(dst_endpoint.domain), + DstMacAddr = tostring(dst_endpoint.mac), + DvcHostname = tostring(device.hostname), + DvcIpAddr = tostring(device.ip), + DvcId = tostring(device.uid) + | extend + Src = SrcIpAddr, + Dst = DstIpAddr, + IpAddr = SrcIpAddr, + Dvc = DvcHostname + | project-away _ResourceId 
}; - parser + parser(disabled=disabled) FunctionParams: - Name: disabled Type: bool diff --git a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml index 6335f734afc..60a62e5b633 100644 --- a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml 
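Review bot: `DvcAction = action` copies the OCSF action string, which in the base schema is `Allowed`/`Denied`/`Unknown`/`Other`, while ASIM NetworkSession expects `Allow`/`Deny`/`Drop`, so any content filtering `DvcAction == 'Deny'` will not see Halcyon blocks; map by id and keep the raw string, `DvcAction = case(action_id == 1, 'Allow', action_id == 2, 'Deny', ''), DvcOriginalAction = action`. The parser also sets neither `NetworkDirection` nor `NetworkProtocol`; if Halcyon populates `connection_info.direction_id` and `connection_info.protocol_name` those are cheap to add, and direction is what separates inbound scanning from outbound C2 in most NetworkSession detections. Finally, `EventStartTime`/`EventEndTime` are both `TimeGenerated`, which is the collection timestamp unless the DCR transform (not in this hunk) maps the OCSF `time` field onto it — if it does not, `start_time`/`end_time` or `time` should be preferred so session timing and durations are real.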
@@ -1,17 +1,55 @@ id: a1b2c3d4-e5f6-7890-1234-567890abcde5 Function: Title: ASIM Process Event Parser for Halcyon - Version: '1.0.0' - LastUpdated: '2025-12-01' + Version: '2.0.0' + LastUpdated: '2026-03-18' Category: Microsoft Sentinel Parser FunctionName: ASimProcessEventHalcyon FunctionAlias: ASimProcessEventHalcyon FunctionQuery: | - let parser = () { - HalcyonProcessEvent_CL - | project-away SourceSystem, Type, TenantId + let parser = (disabled: bool = false) { + HalcyonEvents_CL + | where not(disabled) + | where class_uid == 1007 // Process Activity + | extend + EventVendor = tostring(metadata.product.vendor_name), + EventProduct = tostring(metadata.product.name), + EventProductVersion = tostring(metadata.product.version), + EventSchema = 'ProcessEvent', + EventSchemaVersion = '0.1.4', + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')), + EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), + EventOriginalType = tostring(type_uid), + EventOriginalSeverity = severity, + EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), + EventMessage = message, + TargetProcessName = tostring(process.name), + TargetProcessId = tostring(process.pid), + TargetProcessCommandLine = tostring(process.cmd_line), + TargetProcessFilename = tostring(process.file.name), + TargetProcessFilePath = tostring(process.file.path), + ParentProcessName = tostring(process.parent_process.name), + ParentProcessId = tostring(process.parent_process.pid), + ParentProcessCommandLine = tostring(process.parent_process.cmd_line), + ActorUsername = tostring(actor.user.name), + ActorUserId = tostring(actor.user.uid), + ActorUsernameType = 'Simple', + ActingProcessName = tostring(actor.process.name), + 
ActingProcessId = tostring(actor.process.pid), + ActingProcessCommandLine = tostring(actor.process.cmd_line), + DvcHostname = tostring(device.hostname), + DvcIpAddr = tostring(device.ip), + DvcId = tostring(device.uid) + | extend + User = ActorUsername, + Dvc = DvcHostname, + Process = TargetProcessName + | project-away _ResourceId }; - parser + parser(disabled=disabled) FunctionParams: - Name: disabled Type: bool diff --git a/Solutions/Halcyon/ReleaseNotes.md b/Solutions/Halcyon/ReleaseNotes.md index b9ccba896d8..d3ddc975b7a 100644 --- a/Solutions/Halcyon/ReleaseNotes.md +++ b/Solutions/Halcyon/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -|3.0.0 | 12-09-2025 | Initial Solution release \ No newline at end of file +|3.1.0 | 24-03-2026 | Update Connector to recieve events with OCSF schemas | +|3.0.0 | 09-12-2025 | Initial Solution release \ No newline at end of file diff --git a/Solutions/Halcyon/SolutionMetadata.json b/Solutions/Halcyon/SolutionMetadata.json index 5f5bc5bc60f..242424e27a7 100644 --- a/Solutions/Halcyon/SolutionMetadata.json +++ b/Solutions/Halcyon/SolutionMetadata.json @@ -2,7 +2,7 @@ "publisherId": "halcyontech1743610828684", "offerId": "azure-sentinel-solution-halcyon", "firstPublishDate": "2025-12-22", - "lastPublishDate": "2025-12-22", + "lastPublishDate": "2026-03-24", "providers": ["Halcyon"], "categories": { "domains" : ["Security - Threat Protection"] From a408f62e250f0774bb4bbb80d80dba4b28d4bd72 Mon Sep 17 00:00:00 2001 
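Review bot: The process parser reads no file hash at all — `process.file.hashes` is never touched — so `TargetProcessSHA256`/`TargetProcessMD5` are absent and threat-intel matching on executable hashes, the most common ProcessEvent use case, cannot work for Halcyon data. OCSF stores hashes as an array of `{algorithm_id, value}` objects (as I recall 1 = MD5, 2 = SHA-1, 3 = SHA-256), so extracting them needs an `mv-apply` over the array with a guard for rows where it is empty (`mv-apply` drops those), or indexing if Halcyon always emits a fixed order; either way, confirm against a real payload. Separately, `EventType` falls back to `'Other'` for `activity_id` values other than 1 and 2, which is not in the ASIM ProcessEvent enumeration (only `ProcessCreated`/`ProcessTerminated`); adding `| where activity_id in (1, 2)` after the class filter keeps the parser conformant, and any injection/open activities Halcyon reports can be routed to a dedicated query instead of being mislabelled.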
From: Kyle West Date: Fri, 27 Mar 2026 11:03:13 -0600 Subject: [PATCH 2/4] pr feedback --- Solutions/Halcyon/Data/Solution_Halcyon.json | 8 ++-- .../Parsers/ASimAuthenticationHalcyon.yaml | 25 ++++++++++++- Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml | 32 +++++++++++++++- .../Halcyon/Parsers/ASimFileEventHalcyon.yaml | 32 +++++++++++++++- .../Parsers/ASimNetworkSessionHalcyon.yaml | 35 +++++++++++++++++- .../Parsers/ASimProcessEventHalcyon.yaml | 37 ++++++++++++++++++- Solutions/Halcyon/ReleaseNotes.md | 2 +- 7 files changed, 161 insertions(+), 10 deletions(-) diff --git a/Solutions/Halcyon/Data/Solution_Halcyon.json b/Solutions/Halcyon/Data/Solution_Halcyon.json index 882e965747a..221d91bef4f 100644 --- a/Solutions/Halcyon/Data/Solution_Halcyon.json +++ b/Solutions/Halcyon/Data/Solution_Halcyon.json 
@@ -1,8 +1,8 @@ { "Name": "Halcyon", - "Author": "Halcyon", + "Author": "Halcyon - support@halcyon.ai", "Logo": "", - "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.", + "Description": "The [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. [Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)", "Data Connectors": [ "Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json" ], 
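Review bot: The diffstat for this commit lists Solution_Halcyon.json, the five parsers and ReleaseNotes.md but nothing under Solutions/Halcyon/Package/, so the mainTemplate.json, createUiDefinition.json and 3.1.0.zip generated in the first commit still carry the old description text (including the DCE/DCR paragraph removed here) and the `project-away _ResourceId` parser bodies. The package needs to be regenerated after these edits, otherwise what customers install differs from what was reviewed; the `TemplateSpec` change in the following hunk also affects how the package is produced, which is a second reason to re-run the packaging tool before release.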
@@ -17,9 +17,9 @@ "Analytic Rules": [], "Hunting Queries": [], "Playbooks": [], - "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Halcyon", + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Halcyon", "Version": "3.1.0", "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, + "TemplateSpec": false, "Is1PConnector": false } diff --git a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml index 2ec78d50104..5802c6105ea 100644 --- a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml @@ -35,7 +35,30 @@ FunctionQuery: | | extend User = ActorUsername, Dvc = DvcHostname - | project-away _ResourceId + | project + TimeGenerated, + EventVendor, + EventProduct, + EventProductVersion, + EventSchema, + EventSchemaVersion, + EventCount, + EventStartTime, + EventEndTime, + EventType, + EventResult, + EventOriginalType, + EventOriginalSeverity, + EventSeverity, + EventMessage, + ActorUsername, + ActorUserId, + ActorUsernameType, + DvcHostname, + DvcIpAddr, + DvcId, + User, + Dvc }; parser(disabled=disabled) FunctionParams: diff --git a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml index 6012156f6a2..89416882e9d 100644 --- a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml 
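Review bot: Replacing `project-away _ResourceId` with an explicit `project` list in the authentication parser drops every raw OCSF column from the parser output, and nothing is kept in `AdditionalFields`, so an analyst working through `imAuthentication` can no longer pivot on fields this parser does not map (logon type, authentication protocol, `metadata.uid` for de-duplication) without leaving the normalized view. ASIM parsers in this repository typically pack such leftovers into a dynamic `AdditionalFields` column — the exact column names depend on the `Halcyon_table_events.json` schema, which is not in this chunk, but something like `AdditionalFields = bag_pack('logon_type', logon_type, 'auth_protocol', auth_protocol)` added before the `project` and included in it would preserve them. Mapping `metadata.uid` to `EventOriginalUid` is also worth considering for the same reason.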
@@ -42,7 +42,37 @@ FunctionQuery: | Dvc = DvcHostname, IpAddr = SrcIpAddr, Src = SrcIpAddr - | project-away _ResourceId + | project + TimeGenerated, + EventVendor, + EventProduct, + EventProductVersion, + EventSchema, + EventSchemaVersion, + EventCount, + EventStartTime, + EventEndTime, + EventType, + EventResult, + EventOriginalType, + EventOriginalSeverity, + EventSeverity, + EventMessage, + DnsQuery, + DnsQueryTypeName, + DnsResponseCodeName, + DnsResponseCode, + SrcIpAddr, + SrcPortNumber, + DstIpAddr, + DstPortNumber, + DvcHostname, + DvcIpAddr, + DvcId, + Domain, + Dvc, + IpAddr, + Src }; parser(disabled=disabled) FunctionParams: diff --git a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml index 81defaa430e..c4b1d3a38ce 100644 --- a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml @@ -42,7 +42,37 @@ FunctionQuery: | FilePath = TargetFilePath, User = ActorUsername, Dvc = DvcHostname - | project-away _ResourceId + | project + TimeGenerated, + EventVendor, + EventProduct, + EventProductVersion, + EventSchema, + EventSchemaVersion, + EventCount, + EventStartTime, + EventEndTime, + EventType, + EventResult, + EventOriginalType, + EventOriginalSeverity, + EventSeverity, + EventMessage, + TargetFileName, + TargetFilePath, + TargetFileExtension, + ActorUsername, + ActorUserId, + ActorUsernameType, + ActingProcessName, + ActingProcessId, + ActingProcessCommandLine, + DvcHostname, + DvcIpAddr, + DvcId, + FilePath, + User, + Dvc }; parser(disabled=disabled) FunctionParams: diff --git a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml index 1c9ac98553f..d81163d980c 100644 --- a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml 
@@ -45,7 +45,40 @@ FunctionQuery: | Dst = DstIpAddr, IpAddr = SrcIpAddr, Dvc = DvcHostname - | project-away _ResourceId + | project + TimeGenerated, + EventVendor, + EventProduct, + EventProductVersion, + EventSchema, + EventSchemaVersion, + EventCount, + EventStartTime, + EventEndTime, + EventType, + EventResult, + EventOriginalType, + EventOriginalSeverity, + EventSeverity, + EventMessage, + DvcAction, + SrcIpAddr, + SrcPortNumber, + SrcHostname, + SrcDomain, + SrcMacAddr, + DstIpAddr, + DstPortNumber, + DstHostname, + DstDomain, + DstMacAddr, + DvcHostname, + DvcIpAddr, + DvcId, + Src, + Dst, + IpAddr, + Dvc }; parser(disabled=disabled) FunctionParams: diff --git a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml index 60a62e5b633..037573275b2 100644 --- a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml +++ b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml @@ -47,7 +47,42 @@ FunctionQuery: | User = ActorUsername, Dvc = DvcHostname, Process = TargetProcessName - | project-away _ResourceId + | project + TimeGenerated, + EventVendor, + EventProduct, + EventProductVersion, + EventSchema, + EventSchemaVersion, + EventCount, + EventStartTime, + EventEndTime, + EventType, + EventResult, + EventOriginalType, + EventOriginalSeverity, + EventSeverity, + EventMessage, + TargetProcessName, + TargetProcessId, + TargetProcessCommandLine, + TargetProcessFilename, + TargetProcessFilePath, + ParentProcessName, + ParentProcessId, + ParentProcessCommandLine, + ActorUsername, + ActorUserId, + ActorUsernameType, + ActingProcessName, + ActingProcessId, + ActingProcessCommandLine, + DvcHostname, + DvcIpAddr, + DvcId, + User, + Dvc, + Process }; parser(disabled=disabled) FunctionParams: diff --git a/Solutions/Halcyon/ReleaseNotes.md b/Solutions/Halcyon/ReleaseNotes.md index d3ddc975b7a..551be7d65c0 100644 --- a/Solutions/Halcyon/ReleaseNotes.md +++ b/Solutions/Halcyon/ReleaseNotes.md 
@@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -|3.1.0 | 24-03-2026 | Update Connector to recieve events with OCSF schemas | +|3.1.0 | 24-03-2026 | Update Connector to receive events with OCSF schemas | |3.0.0 | 09-12-2025 | Initial Solution release \ No newline at end of file From 1a11c90bc28a62eec124b032ee41dd9046950d24 Mon Sep 17 00:00:00 2001 From: Kyle West Date: Tue, 31 Mar 2026 07:27:12 -0600 Subject: [PATCH 3/4] update halcyon custom tables in ksql tests tool --- .../HalcyonAuthenticationEvents_CL.json | 486 ------------- .../CustomTables/HalcyonDnsActivity_CL.json | 458 ------------ .../CustomTables/HalcyonEvents_CL.json | 145 ++++ .../CustomTables/HalcyonFileActivity_CL.json | 435 ------------ .../HalcyonNetworkSession_CL.json | 666 ------------------ .../CustomTables/HalcyonProcessEvent_CL.json | 511 -------------- 6 files changed, 145 insertions(+), 2556 deletions(-) delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json deleted file mode 100644 index 789e5a1ad1a..00000000000 --- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonAuthenticationEvents_CL.json +++ /dev/null 
@@ -1,486 +0,0 @@ -{ - "Name": "HalcyonAuthenticationEvents_CL", - "Properties": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventCount", - "type": "Int" - }, - { - "name": "EventStartTime", - "type": "DateTime" - }, - { - "name": "EventEndTime", - "type": "DateTime" - }, - { - "name": "EventType", - "type": "String" - }, - { - "name": "EventSubType", - "type": "String" - }, - { - "name": "EventResult", - "type": "String" - }, - { - "name": "EventResultDetails", - "type": "String" - }, - { - "name": "EventOriginalResultDetails", - "type": "String" - }, - { - "name": "EventSeverity", - "type": "String" - }, - { - "name": "EventOriginalSeverity", - "type": "String" - }, - { - "name": "EventProduct", - "type": "String" - }, - { - "name": "EventProductVersion", - "type": "String" - }, - { - "name": "EventVendor", - "type": "String" - }, - { - "name": "EventSchema", - "type": "String" - }, - { - "name": "EventSchemaVersion", - "type": "String" - }, - { - "name": "EventOriginalUid", - "type": "String" - }, - { - "name": "EventOriginalType", - "type": "String" - }, - { - "name": "EventMessage", - "type": "String" - }, - { - "name": "EventOwner", - "type": "String" - }, - { - "name": "EventReportUrl", - "type": "String" - }, - { - "name": "Dvc", - "type": "String" - }, - { - "name": "DvcHostname", - "type": "String" - }, - { - "name": "DvcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcDomain", - "type": "String" - }, - { - "name": "DvcDomainType", - "type": "String" - }, - { - "name": "DvcFQDN", - "type": "String" - }, - { - "name": "DvcId", - "type": "String" - }, - { - "name": "DvcIdType", - "type": "String" - }, - { - "name": "DvcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcOs", - "type": "String" - }, - { - "name": "DvcOsVersion", - "type": "String" - }, - { - "name": "DvcAction", - "type": "String" - }, - { - "name": "DvcOriginalAction", - "type": "String" - }, - { - "name": 
"DvcDescription", - "type": "String" - }, - { - "name": "DvcScope", - "type": "String" - }, - { - "name": "DvcScopeId", - "type": "String" - }, - { - "name": "DvcZone", - "type": "String" - }, - { - "name": "LogonMethod", - "type": "String" - }, - { - "name": "LogonProtocol", - "type": "String" - }, - { - "name": "ActorUsername", - "type": "String" - }, - { - "name": "ActorUsernameType", - "type": "String" - }, - { - "name": "ActorUserId", - "type": "String" - }, - { - "name": "ActorUserIdType", - "type": "String" - }, - { - "name": "ActorUserType", - "type": "String" - }, - { - "name": "ActorOriginalUserType", - "type": "String" - }, - { - "name": "ActorScope", - "type": "String" - }, - { - "name": "ActorScopeId", - "type": "String" - }, - { - "name": "ActorUserSid", - "type": "String" - }, - { - "name": "ActorUserAadId", - "type": "String" - }, - { - "name": "ActorSessionId", - "type": "String" - }, - { - "name": "TargetUsername", - "type": "String" - }, - { - "name": "TargetUsernameType", - "type": "String" - }, - { - "name": "TargetUserId", - "type": "String" - }, - { - "name": "TargetUserIdType", - "type": "String" - }, - { - "name": "TargetUserType", - "type": "String" - }, - { - "name": "TargetOriginalUserType", - "type": "String" - }, - { - "name": "TargetUserScope", - "type": "String" - }, - { - "name": "TargetUserScopeId", - "type": "String" - }, - { - "name": "TargetSessionId", - "type": "String" - }, - { - "name": "TargetUserSessionId", - "type": "String" - }, - { - "name": "TargetUserSessionGuid", - "type": "String" - }, - { - "name": "TargetAppName", - "type": "String" - }, - { - "name": "TargetAppId", - "type": "String" - }, - { - "name": "TargetAppType", - "type": "String" - }, - { - "name": "TargetOriginalAppType", - "type": "String" - }, - { - "name": "TargetUrl", - "type": "String" - }, - { - "name": "TargetHostname", - "type": "String" - }, - { - "name": "TargetDomain", - "type": "String" - }, - { - "name": "TargetDomainType", - "type": "String" 
- }, - { - "name": "TargetFQDN", - "type": "String" - }, - { - "name": "TargetDescription", - "type": "String" - }, - { - "name": "TargetDvcId", - "type": "String" - }, - { - "name": "TargetDvcIdType", - "type": "String" - }, - { - "name": "TargetDvcOs", - "type": "String" - }, - { - "name": "TargetPortNumber", - "type": "Int" - }, - { - "name": "TargetIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "TargetGeoCity", - "type": "String" - }, - { - "name": "TargetGeoCountry", - "type": "String" - }, - { - "name": "TargetGeoLatitude", - "type": "Real" - }, - { - "name": "TargetGeoLongitude", - "type": "Real" - }, - { - "name": "TargetGeoRegion", - "type": "String" - }, - { - "name": "SrcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "SrcPortNumber", - "type": "Int" - }, - { - "name": "SrcHostname", - "type": "String" - }, - { - "name": "SrcDomain", - "type": "String" - }, - { - "name": "SrcDomainType", - "type": "String" - }, - { - "name": "SrcFQDN", - "type": "String" - }, - { - "name": "SrcDescription", - "type": "String" - }, - { - "name": "SrcDvcId", - "type": "String" - }, - { - "name": "SrcDvcIdType", - "type": "String" - }, - { - "name": "SrcDvcOs", - "type": "String" - }, - { - "name": "SrcIsp", - "type": "String" - }, - { - "name": "SrcGeoCity", - "type": "String" - }, - { - "name": "SrcGeoCountry", - "type": "String" - }, - { - "name": "SrcGeoLatitude", - "type": "Real" - }, - { - "name": "SrcGeoLongitude", - "type": "Real" - }, - { - "name": "SrcGeoRegion", - "type": "String" - }, - { - "name": "HttpUserAgent", - "type": "String" - }, - { - "name": "HttpRequestMethod", - "type": "String" - }, - { - "name": "RuleName", - "type": "String" - }, - { - "name": "RuleNumber", - "type": "Int" - }, - { - "name": "Rule", - "type": "String" - }, - { - "name": "ThreatId", - "type": "String" - }, - { - "name": "ThreatName", - "type": "String" - }, - { - "name": "ThreatCategory", - "type": "String" - }, - { - "name": 
"ThreatRiskLevel", - "type": "Int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "String" - }, - { - "name": "ThreatConfidence", - "type": "Int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "String" - }, - { - "name": "ThreatIsActive", - "type": "Bool" - }, - { - "name": "ThreatFirstReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatLastReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "ThreatField", - "type": "String" - }, - { - "name": "AdditionalFields", - "type": "Dynamic" - }, - { - "name": "SourceSystem", - "type": "String" - }, - { - "name": "Type", - "type": "String" - }, - { - "name": "TenantId", - "type": "String" - } - ] -} diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json deleted file mode 100644 index 4d1432f6458..00000000000 --- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonDnsActivity_CL.json +++ /dev/null 
@@ -1,458 +0,0 @@ -{ - "Name": "HalcyonDnsActivity_CL", - "Properties": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventCount", - "type": "Int" - }, - { - "name": "EventStartTime", - "type": "DateTime" - }, - { - "name": "EventEndTime", - "type": "DateTime" - }, - { - "name": "EventType", - "type": "String" - }, - { - "name": "EventSubType", - "type": "String" - }, - { - "name": "EventResult", - "type": "String" - }, - { - "name": "EventResultDetails", - "type": "String" - }, - { - "name": "EventOriginalResultDetails", - "type": "String" - }, - { - "name": "EventSeverity", - "type": "String" - }, - { - "name": "EventOriginalSeverity", - "type": "String" - }, - { - "name": "EventProduct", - "type": "String" - }, - { - "name": "EventProductVersion", - "type": "String" - }, - { - "name": "EventVendor", - "type": "String" - }, - { - "name": "EventSchema", - "type": "String" - }, - { - "name": "EventSchemaVersion", - "type": "String" - }, - { - "name": "EventOriginalUid", - "type": "String" - }, - { - "name": "EventOriginalType", - "type": "String" - }, - { - "name": "EventMessage", - "type": "String" - }, - { - "name": "Dvc", - "type": "String" - }, - { - "name": "DvcHostname", - "type": "String" - }, - { - "name": "DvcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcDomain", - "type": "String" - }, - { - "name": "DvcDomainType", - "type": "String" - }, - { - "name": "DvcFQDN", - "type": "String" - }, - { - "name": "DvcId", - "type": "String" - }, - { - "name": "DvcIdType", - "type": "String" - }, - { - "name": "DvcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcOs", - "type": "String" - }, - { - "name": "DvcOsVersion", - "type": "String" - }, - { - "name": "DvcAction", - "type": "String" - }, - { - "name": "DvcDescription", - "type": "String" - }, - { - "name": "DvcScope", - "type": "String" - }, - { - "name": "DvcScopeId", - "type": "String" - }, - { - "name": "DvcZone", - "type": 
"String" - }, - { - "name": "Src", - "type": "String" - }, - { - "name": "SrcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "SrcPortNumber", - "type": "Int" - }, - { - "name": "SrcHostname", - "type": "String" - }, - { - "name": "SrcDomain", - "type": "String" - }, - { - "name": "SrcDomainType", - "type": "String" - }, - { - "name": "SrcFQDN", - "type": "String" - }, - { - "name": "SrcDvcId", - "type": "String" - }, - { - "name": "SrcDvcIdType", - "type": "String" - }, - { - "name": "SrcDvcOs", - "type": "String" - }, - { - "name": "SrcGeoCity", - "type": "String" - }, - { - "name": "SrcGeoCountry", - "type": "String" - }, - { - "name": "SrcGeoLatitude", - "type": "Real" - }, - { - "name": "SrcGeoLongitude", - "type": "Real" - }, - { - "name": "SrcGeoRegion", - "type": "String" - }, - { - "name": "SrcUserId", - "type": "String" - }, - { - "name": "SrcUserIdType", - "type": "String" - }, - { - "name": "SrcUsername", - "type": "String" - }, - { - "name": "SrcUsernameType", - "type": "String" - }, - { - "name": "SrcUserType", - "type": "String" - }, - { - "name": "SrcProcessName", - "type": "String" - }, - { - "name": "SrcProcessId", - "type": "String" - }, - { - "name": "SrcProcessGuid", - "type": "String" - }, - { - "name": "DstIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DstPortNumber", - "type": "Int" - }, - { - "name": "DstHostname", - "type": "String" - }, - { - "name": "DstDomain", - "type": "String" - }, - { - "name": "DstDomainType", - "type": "String" - }, - { - "name": "DstFQDN", - "type": "String" - }, - { - "name": "DstDvcId", - "type": "String" - }, - { - "name": "DstDvcIdType", - "type": "String" - }, - { - "name": "DstGeoCity", - "type": "String" - }, - { - "name": "DstGeoCountry", - "type": "String" - }, - { - "name": "DstGeoLatitude", - "type": "Real" - }, - { - "name": "DstGeoLongitude", - "type": "Real" - }, - { - "name": "DstGeoRegion", - "type": "String" - }, - { - "name": "DnsQuery", - "type": 
"String" - }, - { - "name": "DnsQueryType", - "type": "Int" - }, - { - "name": "DnsQueryTypeName", - "type": "String" - }, - { - "name": "DnsQueryClass", - "type": "Int" - }, - { - "name": "DnsQueryClassName", - "type": "String" - }, - { - "name": "DnsResponseCode", - "type": "Int" - }, - { - "name": "DnsResponseName", - "type": "String" - }, - { - "name": "DnsResponseIpCity", - "type": "String" - }, - { - "name": "DnsResponseIpCountry", - "type": "String" - }, - { - "name": "DnsResponseIpLatitude", - "type": "Real" - }, - { - "name": "DnsResponseIpLongitude", - "type": "Real" - }, - { - "name": "DnsResponseIpRegion", - "type": "String" - }, - { - "name": "DnsFlags", - "type": "String" - }, - { - "name": "DnsFlagsAuthenticated", - "type": "Bool" - }, - { - "name": "DnsFlagsAuthoritative", - "type": "Bool" - }, - { - "name": "DnsFlagsCheckingDisabled", - "type": "Bool" - }, - { - "name": "DnsFlagsRecursionAvailable", - "type": "Bool" - }, - { - "name": "DnsFlagsRecursionDesired", - "type": "Bool" - }, - { - "name": "DnsFlagsTruncated", - "type": "Bool" - }, - { - "name": "DnsFlagsZ", - "type": "Bool" - }, - { - "name": "DnsNetworkDuration", - "type": "Int" - }, - { - "name": "DnsSessionId", - "type": "String" - }, - { - "name": "TransactionIdHex", - "type": "String" - }, - { - "name": "NetworkProtocol", - "type": "String" - }, - { - "name": "NetworkProtocolVersion", - "type": "String" - }, - { - "name": "ThreatId", - "type": "String" - }, - { - "name": "ThreatName", - "type": "String" - }, - { - "name": "ThreatCategory", - "type": "String" - }, - { - "name": "ThreatRiskLevel", - "type": "Int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "String" - }, - { - "name": "ThreatConfidence", - "type": "Int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "String" - }, - { - "name": "ThreatIsActive", - "type": "Bool" - }, - { - "name": "ThreatFirstReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatLastReportedTime", - "type": "DateTime" - }, - 
{
- "name": "ThreatIpAddr",
- "type": "String",
- "dataTypeHint": "IP"
- },
- {
- "name": "ThreatField",
- "type": "String"
- },
- {
- "name": "AdditionalFields",
- "type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json
new file mode 100644
index 00000000000..f414c0acfc7
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json
@@ -0,0 +1,145 @@
+{
+ "Name": "HalcyonEvents_CL",
+ "Properties": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "activity_id",
+ "type": "int"
+ },
+ {
+ "name": "activity_name",
+ "type": "string"
+ },
+ {
+ "name": "category_uid",
+ "type": "int"
+ },
+ {
+ "name": "category_name",
+ "type": "string"
+ },
+ {
+ "name": "class_uid",
+ "type": "int"
+ },
+ {
+ "name": "class_name",
+ "type": "string"
+ },
+ {
+ "name": "severity_id",
+ "type": "int"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "type_uid",
+ "type": "long"
+ },
+ {
+ "name": "type_name",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "raw_data",
+ "type": "string"
+ },
+ {
+ "name": "status_id",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "action_id",
+ "type": "int"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "disposition_id",
+ "type": "int"
+ },
+ {
+ "name": "disposition",
+ "type": "string"
+ },
+ {
+ "name": "rcode",
+ "type": "string"
+ },
+ {
+ "name": "rcode_id",
+ "type": "int"
+ },
+ {
+ "name": "metadata",
+ "type": "dynamic"
+ },
+ {
+ "name": "unmapped",
+ "type": "dynamic"
+ },
+ {
+ "name": "actor",
+ "type": "dynamic"
+ },
+ {
+ "name": "device",
+ "type": "dynamic"
+ },
+ {
+ "name": "file",
+ "type": "dynamic"
+ },
+ {
+ "name": "process",
+ "type": "dynamic"
+ },
+ {
+ "name": "user",
+ "type": "dynamic"
+ },
+ {
+ "name": "dst_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "src_endpoint",
+ "type": "dynamic"
+ },
+ {
+ "name": "query",
+ "type": "dynamic"
+ },
+ {
+ "name": "answers",
+ "type": "dynamic"
+ },
+ {
+ "name": "driver",
+ "type": "dynamic"
+ },
+ {
+ "name": "module",
+ "type": "dynamic"
+ },
+ {
+ "name": "app",
+ "type": "dynamic"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json
deleted file mode 100644
index a615bd4d889..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonFileActivity_CL.json
+++ /dev/null
@@ -1,435 +0,0 @@ -{ - "Name": "HalcyonFileActivity_CL", - "Properties": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventCount", - "type": "Int" - }, - { - "name": "EventStartTime", - "type": "DateTime" - }, - { - "name": "EventEndTime", - "type": "DateTime" - }, - { - "name": "EventType", - "type": "String" - }, - { - "name": "EventSubType", - "type": "String" - }, - { - "name": "EventResult", - "type": "String" - }, - { - "name": "EventResultDetails", - "type": "String" - }, - { - "name": "EventOriginalResultDetails", - "type": "String" - }, - { - "name": "EventSeverity", - "type": "String" - }, - { - "name": "EventOriginalSeverity", - "type": "String" - }, - { - "name": "EventProduct", - "type": "String" - }, - { - "name": "EventProductVersion", - "type": "String" - }, - { - "name": "EventVendor", - "type": "String" - }, - { - "name": "EventSchema", - "type": "String" - }, - { - "name": "EventSchemaVersion", - "type": "String" - }, - { - "name": "EventOriginalUid", - "type": "String" - }, - { - "name": "EventOriginalType", - "type": "String" - }, - { - "name": "EventMessage", - "type": "String" - }, - { - "name": "Dvc", - "type": "String" - }, - { - "name": "DvcHostname", - "type": "String" - }, - { - "name": "DvcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcDomain", - "type": "String" - }, - { - "name": "DvcDomainType", - "type": "String" - }, - { - "name": "DvcFQDN", - "type": "String" - }, - { - "name": "DvcId", - "type": "String" - }, - { - "name": "DvcIdType", - "type": "String" - }, - { - "name": "DvcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcOs", - "type": "String" - }, - { - "name": "DvcOsVersion", - "type": "String" - }, - { - "name": "DvcAction", - "type": "String" - }, - { - "name": "DvcOriginalAction", - "type": "String" - }, - { - "name": "DvcScope", - "type": "String" - }, - { - "name": "DvcScopeId", - "type": "String" - }, - { - "name": "ActorUsername", - 
"type": "String" - }, - { - "name": "ActorUsernameType", - "type": "String" - }, - { - "name": "ActorUserId", - "type": "String" - }, - { - "name": "ActorUserIdType", - "type": "String" - }, - { - "name": "ActorUserType", - "type": "String" - }, - { - "name": "ActorScope", - "type": "String" - }, - { - "name": "ActorScopeId", - "type": "String" - }, - { - "name": "ActorSessionId", - "type": "String" - }, - { - "name": "ActingProcessName", - "type": "String" - }, - { - "name": "ActingProcessId", - "type": "String" - }, - { - "name": "ActingProcessGuid", - "type": "String" - }, - { - "name": "ActingProcessCommandLine", - "type": "String" - }, - { - "name": "ActingProcessCreationTime", - "type": "DateTime" - }, - { - "name": "ActingProcessFileCompany", - "type": "String" - }, - { - "name": "ActingProcessFileDescription", - "type": "String" - }, - { - "name": "ActingProcessFileProduct", - "type": "String" - }, - { - "name": "ActingProcessFileVersion", - "type": "String" - }, - { - "name": "ActingProcessFileSize", - "type": "Long" - }, - { - "name": "ActingProcessMD5", - "type": "String" - }, - { - "name": "ActingProcessSHA1", - "type": "String" - }, - { - "name": "ActingProcessSHA256", - "type": "String" - }, - { - "name": "ActingProcessSHA512", - "type": "String" - }, - { - "name": "ActingProcessIMPHASH", - "type": "String" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "String" - }, - { - "name": "ActingProcessTokenElevation", - "type": "String" - }, - { - "name": "TargetFileName", - "type": "String" - }, - { - "name": "TargetFilePath", - "type": "String" - }, - { - "name": "TargetFilePathType", - "type": "String" - }, - { - "name": "TargetFileDirectory", - "type": "String" - }, - { - "name": "TargetFileExtension", - "type": "String" - }, - { - "name": "TargetFileMimeType", - "type": "String" - }, - { - "name": "TargetFileCreationTime", - "type": "DateTime" - }, - { - "name": "TargetFileSize", - "type": "Long" - }, - { - "name": "TargetFileMD5", - 
"type": "String" - }, - { - "name": "TargetFileSHA1", - "type": "String" - }, - { - "name": "TargetFileSHA256", - "type": "String" - }, - { - "name": "TargetFileSHA512", - "type": "String" - }, - { - "name": "SrcFileName", - "type": "String" - }, - { - "name": "SrcFilePath", - "type": "String" - }, - { - "name": "SrcFilePathType", - "type": "String" - }, - { - "name": "SrcFileDirectory", - "type": "String" - }, - { - "name": "SrcFileExtension", - "type": "String" - }, - { - "name": "SrcFileMimeType", - "type": "String" - }, - { - "name": "SrcFileCreationTime", - "type": "DateTime" - }, - { - "name": "SrcFileSize", - "type": "Long" - }, - { - "name": "SrcFileMD5", - "type": "String" - }, - { - "name": "SrcFileSHA1", - "type": "String" - }, - { - "name": "SrcFileSHA256", - "type": "String" - }, - { - "name": "SrcFileSHA512", - "type": "String" - }, - { - "name": "HashType", - "type": "String" - }, - { - "name": "FileMD5", - "type": "String" - }, - { - "name": "FileSHA1", - "type": "String" - }, - { - "name": "FileSHA256", - "type": "String" - }, - { - "name": "FileSHA512", - "type": "String" - }, - { - "name": "FileContentType", - "type": "String" - }, - { - "name": "FileSize", - "type": "Int" - }, - { - "name": "FileName", - "type": "String" - }, - { - "name": "ThreatId", - "type": "String" - }, - { - "name": "ThreatName", - "type": "String" - }, - { - "name": "ThreatCategory", - "type": "String" - }, - { - "name": "ThreatRiskLevel", - "type": "Int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "String" - }, - { - "name": "ThreatConfidence", - "type": "Int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "String" - }, - { - "name": "ThreatIsActive", - "type": "Bool" - }, - { - "name": "ThreatFirstReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatLastReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatFilePath", - "type": "String" - }, - { - "name": "ThreatField", - "type": "String" - }, - { - "name": "AdditionalFields", - 
"type": "Dynamic"
- },
- {
- "name": "SourceSystem",
- "type": "String"
- },
- {
- "name": "Type",
- "type": "String"
- },
- {
- "name": "TenantId",
- "type": "String"
- }
- ]
-}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json
deleted file mode 100644
index ca4c83fb1c7..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonNetworkSession_CL.json
+++ /dev/null
@@ -1,666 +0,0 @@ -{ - "Name": "HalcyonNetworkSession_CL", - "Properties": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventCount", - "type": "Int" - }, - { - "name": "EventStartTime", - "type": "DateTime" - }, - { - "name": "EventEndTime", - "type": "DateTime" - }, - { - "name": "EventType", - "type": "String" - }, - { - "name": "EventSubType", - "type": "String" - }, - { - "name": "EventResult", - "type": "String" - }, - { - "name": "EventResultDetails", - "type": "String" - }, - { - "name": "EventOriginalResultDetails", - "type": "String" - }, - { - "name": "EventSeverity", - "type": "String" - }, - { - "name": "EventOriginalSeverity", - "type": "String" - }, - { - "name": "EventProduct", - "type": "String" - }, - { - "name": "EventProductVersion", - "type": "String" - }, - { - "name": "EventVendor", - "type": "String" - }, - { - "name": "EventSchema", - "type": "String" - }, - { - "name": "EventSchemaVersion", - "type": "String" - }, - { - "name": "EventOriginalUid", - "type": "String" - }, - { - "name": "EventOriginalType", - "type": "String" - }, - { - "name": "EventMessage", - "type": "String" - }, - { - "name": "Dvc", - "type": "String" - }, - { - "name": "DvcHostname", - "type": "String" - }, - { - "name": "DvcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcDomain", - "type": "String" - }, - { - "name": "DvcDomainType", - "type": "String" - }, - { - "name": "DvcFQDN", - "type": "String" - }, - { - "name": "DvcId", - "type": "String" - }, - { - "name": "DvcIdType", - "type": "String" - }, - { - "name": "DvcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcOs", - "type": "String" - }, - { - "name": "DvcOsVersion", - "type": "String" - }, - { - "name": "DvcAction", - "type": "String" - }, - { - "name": "DvcOriginalAction", - "type": "String" - }, - { - "name": "DvcDescription", - "type": "String" - }, - { - "name": "DvcInterface", - "type": "String" - }, - { - "name": 
"DvcZone", - "type": "String" - }, - { - "name": "DvcScope", - "type": "String" - }, - { - "name": "DvcScopeId", - "type": "String" - }, - { - "name": "Src", - "type": "String" - }, - { - "name": "SrcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "SrcPortNumber", - "type": "Int" - }, - { - "name": "SrcHostname", - "type": "String" - }, - { - "name": "SrcDomain", - "type": "String" - }, - { - "name": "SrcDomainType", - "type": "String" - }, - { - "name": "SrcFQDN", - "type": "String" - }, - { - "name": "SrcDvcId", - "type": "String" - }, - { - "name": "SrcDvcIdType", - "type": "String" - }, - { - "name": "SrcDvcScopeId", - "type": "String" - }, - { - "name": "SrcDvcScope", - "type": "String" - }, - { - "name": "SrcDeviceType", - "type": "String" - }, - { - "name": "SrcUserId", - "type": "String" - }, - { - "name": "SrcUserIdType", - "type": "String" - }, - { - "name": "SrcUsername", - "type": "String" - }, - { - "name": "SrcUsernameType", - "type": "String" - }, - { - "name": "SrcUserType", - "type": "String" - }, - { - "name": "SrcOriginalUserType", - "type": "String" - }, - { - "name": "SrcUserScope", - "type": "String" - }, - { - "name": "SrcUserScopeId", - "type": "String" - }, - { - "name": "SrcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "SrcDvcOs", - "type": "String" - }, - { - "name": "SrcIsp", - "type": "String" - }, - { - "name": "SrcGeoCity", - "type": "String" - }, - { - "name": "SrcGeoCountry", - "type": "String" - }, - { - "name": "SrcGeoLatitude", - "type": "Real" - }, - { - "name": "SrcGeoLongitude", - "type": "Real" - }, - { - "name": "SrcGeoRegion", - "type": "String" - }, - { - "name": "SrcRiskLevel", - "type": "Int" - }, - { - "name": "SrcOriginalRiskLevel", - "type": "String" - }, - { - "name": "SrcProcessName", - "type": "String" - }, - { - "name": "SrcProcessId", - "type": "String" - }, - { - "name": "SrcProcessGuid", - "type": "String" - }, - { - "name": "SrcAppName", - "type": "String" - }, 
- { - "name": "SrcAppId", - "type": "String" - }, - { - "name": "SrcAppType", - "type": "String" - }, - { - "name": "SrcZone", - "type": "String" - }, - { - "name": "SrcInterfaceName", - "type": "String" - }, - { - "name": "SrcInterfaceGuid", - "type": "String" - }, - { - "name": "SrcVlanId", - "type": "String" - }, - { - "name": "SrcSubscriptionId", - "type": "String" - }, - { - "name": "Dst", - "type": "String" - }, - { - "name": "DstIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DstPortNumber", - "type": "Int" - }, - { - "name": "DstHostname", - "type": "String" - }, - { - "name": "DstDomain", - "type": "String" - }, - { - "name": "DstDomainType", - "type": "String" - }, - { - "name": "DstFQDN", - "type": "String" - }, - { - "name": "DstDvcId", - "type": "String" - }, - { - "name": "DstDvcIdType", - "type": "String" - }, - { - "name": "DstDvcScopeId", - "type": "String" - }, - { - "name": "DstDvcScope", - "type": "String" - }, - { - "name": "DstDeviceType", - "type": "String" - }, - { - "name": "DstUserId", - "type": "String" - }, - { - "name": "DstUserIdType", - "type": "String" - }, - { - "name": "DstUsername", - "type": "String" - }, - { - "name": "DstUsernameType", - "type": "String" - }, - { - "name": "DstUserType", - "type": "String" - }, - { - "name": "DstOriginalUserType", - "type": "String" - }, - { - "name": "DstUserScope", - "type": "String" - }, - { - "name": "DstUserScopeId", - "type": "String" - }, - { - "name": "DstMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DstDvcOs", - "type": "String" - }, - { - "name": "DstIsp", - "type": "String" - }, - { - "name": "DstGeoCity", - "type": "String" - }, - { - "name": "DstGeoCountry", - "type": "String" - }, - { - "name": "DstGeoLatitude", - "type": "Real" - }, - { - "name": "DstGeoLongitude", - "type": "Real" - }, - { - "name": "DstGeoRegion", - "type": "String" - }, - { - "name": "DstRiskLevel", - "type": "Int" - }, - { - "name": "DstOriginalRiskLevel", - 
"type": "String" - }, - { - "name": "DstProcessName", - "type": "String" - }, - { - "name": "DstProcessId", - "type": "String" - }, - { - "name": "DstProcessGuid", - "type": "String" - }, - { - "name": "DstAppName", - "type": "String" - }, - { - "name": "DstAppId", - "type": "String" - }, - { - "name": "DstAppType", - "type": "String" - }, - { - "name": "DstZone", - "type": "String" - }, - { - "name": "DstInterfaceName", - "type": "String" - }, - { - "name": "DstInterfaceGuid", - "type": "String" - }, - { - "name": "DstVlanId", - "type": "String" - }, - { - "name": "DstSubscriptionId", - "type": "String" - }, - { - "name": "NetworkApplicationProtocol", - "type": "String" - }, - { - "name": "NetworkProtocol", - "type": "String" - }, - { - "name": "NetworkProtocolVersion", - "type": "String" - }, - { - "name": "NetworkDirection", - "type": "String" - }, - { - "name": "NetworkDuration", - "type": "Int" - }, - { - "name": "NetworkIcmpCode", - "type": "Int" - }, - { - "name": "NetworkIcmpType", - "type": "String" - }, - { - "name": "NetworkConnectionHistory", - "type": "String" - }, - { - "name": "DstBytes", - "type": "Long" - }, - { - "name": "SrcBytes", - "type": "Long" - }, - { - "name": "NetworkBytes", - "type": "Long" - }, - { - "name": "DstPackets", - "type": "Long" - }, - { - "name": "SrcPackets", - "type": "Long" - }, - { - "name": "NetworkPackets", - "type": "Long" - }, - { - "name": "NetworkSessionId", - "type": "String" - }, - { - "name": "SessionId", - "type": "String" - }, - { - "name": "SrcNatIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "SrcNatPortNumber", - "type": "Int" - }, - { - "name": "DstNatIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DstNatPortNumber", - "type": "Int" - }, - { - "name": "TcpFlags", - "type": "String" - }, - { - "name": "SrcVmName", - "type": "String" - }, - { - "name": "DstVmName", - "type": "String" - }, - { - "name": "NetworkRuleName", - "type": "String" - }, - { - "name": 
"NetworkRuleNumber", - "type": "Int" - }, - { - "name": "Rule", - "type": "String" - }, - { - "name": "RuleName", - "type": "String" - }, - { - "name": "RuleNumber", - "type": "Int" - }, - { - "name": "ThreatId", - "type": "String" - }, - { - "name": "ThreatName", - "type": "String" - }, - { - "name": "ThreatCategory", - "type": "String" - }, - { - "name": "ThreatRiskLevel", - "type": "Int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "String" - }, - { - "name": "ThreatConfidence", - "type": "Int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "String" - }, - { - "name": "ThreatIsActive", - "type": "Bool" - }, - { - "name": "ThreatFirstReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatLastReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "ThreatField", - "type": "String" - }, - { - "name": "AdditionalFields", - "type": "Dynamic" - }, - { - "name": "SourceSystem", - "type": "String" - }, - { - "name": "Type", - "type": "String" - }, - { - "name": "TenantId", - "type": "String" - } - ] -} diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json deleted file mode 100644 index 2e79d8933be..00000000000 --- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonProcessEvent_CL.json +++ /dev/null 
@@ -1,511 +0,0 @@ -{ - "Name": "HalcyonProcessEvent_CL", - "Properties": [ - { - "name": "TimeGenerated", - "type": "DateTime" - }, - { - "name": "EventCount", - "type": "Int" - }, - { - "name": "EventStartTime", - "type": "DateTime" - }, - { - "name": "EventEndTime", - "type": "DateTime" - }, - { - "name": "EventType", - "type": "String" - }, - { - "name": "EventSubType", - "type": "String" - }, - { - "name": "EventResult", - "type": "String" - }, - { - "name": "EventResultDetails", - "type": "String" - }, - { - "name": "EventOriginalResultDetails", - "type": "String" - }, - { - "name": "EventSeverity", - "type": "String" - }, - { - "name": "EventOriginalSeverity", - "type": "String" - }, - { - "name": "EventProduct", - "type": "String" - }, - { - "name": "EventProductVersion", - "type": "String" - }, - { - "name": "EventVendor", - "type": "String" - }, - { - "name": "EventSchema", - "type": "String" - }, - { - "name": "EventSchemaVersion", - "type": "String" - }, - { - "name": "EventOriginalUid", - "type": "String" - }, - { - "name": "EventOriginalType", - "type": "String" - }, - { - "name": "EventMessage", - "type": "String" - }, - { - "name": "Dvc", - "type": "String" - }, - { - "name": "DvcHostname", - "type": "String" - }, - { - "name": "DvcIpAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcDomain", - "type": "String" - }, - { - "name": "DvcDomainType", - "type": "String" - }, - { - "name": "DvcFQDN", - "type": "String" - }, - { - "name": "DvcId", - "type": "String" - }, - { - "name": "DvcIdType", - "type": "String" - }, - { - "name": "DvcMacAddr", - "type": "String", - "dataTypeHint": "IP" - }, - { - "name": "DvcOs", - "type": "String" - }, - { - "name": "DvcOsVersion", - "type": "String" - }, - { - "name": "DvcAction", - "type": "String" - }, - { - "name": "DvcOriginalAction", - "type": "String" - }, - { - "name": "DvcScope", - "type": "String" - }, - { - "name": "DvcScopeId", - "type": "String" - }, - { - "name": "DvcZone", - 
"type": "String" - }, - { - "name": "ActorUsername", - "type": "String" - }, - { - "name": "ActorUsernameType", - "type": "String" - }, - { - "name": "ActorUserId", - "type": "String" - }, - { - "name": "ActorUserIdType", - "type": "String" - }, - { - "name": "ActorUserType", - "type": "String" - }, - { - "name": "ActorScope", - "type": "String" - }, - { - "name": "ActorScopeId", - "type": "String" - }, - { - "name": "ActorSessionId", - "type": "String" - }, - { - "name": "ActingProcessName", - "type": "String" - }, - { - "name": "ActingProcessId", - "type": "String" - }, - { - "name": "ActingProcessGuid", - "type": "String" - }, - { - "name": "ActingProcessCommandLine", - "type": "String" - }, - { - "name": "ActingProcessCreationTime", - "type": "DateTime" - }, - { - "name": "ActingProcessFileCompany", - "type": "String" - }, - { - "name": "ActingProcessFileDescription", - "type": "String" - }, - { - "name": "ActingProcessFileProduct", - "type": "String" - }, - { - "name": "ActingProcessFileVersion", - "type": "String" - }, - { - "name": "ActingProcessFileSize", - "type": "Long" - }, - { - "name": "ActingProcessMD5", - "type": "String" - }, - { - "name": "ActingProcessSHA1", - "type": "String" - }, - { - "name": "ActingProcessSHA256", - "type": "String" - }, - { - "name": "ActingProcessSHA512", - "type": "String" - }, - { - "name": "ActingProcessIMPHASH", - "type": "String" - }, - { - "name": "ActingProcessIntegrityLevel", - "type": "String" - }, - { - "name": "ActingProcessTokenElevation", - "type": "String" - }, - { - "name": "ParentProcessName", - "type": "String" - }, - { - "name": "ParentProcessId", - "type": "String" - }, - { - "name": "ParentProcessGuid", - "type": "String" - }, - { - "name": "ParentProcessCommandLine", - "type": "String" - }, - { - "name": "ParentProcessCreationTime", - "type": "DateTime" - }, - { - "name": "ParentProcessFileCompany", - "type": "String" - }, - { - "name": "ParentProcessFileDescription", - "type": "String" - }, - { - 
"name": "ParentProcessFileProduct", - "type": "String" - }, - { - "name": "ParentProcessFileVersion", - "type": "String" - }, - { - "name": "ParentProcessFileSize", - "type": "Long" - }, - { - "name": "ParentProcessMD5", - "type": "String" - }, - { - "name": "ParentProcessSHA1", - "type": "String" - }, - { - "name": "ParentProcessSHA256", - "type": "String" - }, - { - "name": "ParentProcessSHA512", - "type": "String" - }, - { - "name": "ParentProcessIMPHASH", - "type": "String" - }, - { - "name": "ParentProcessIntegrityLevel", - "type": "String" - }, - { - "name": "ParentProcessTokenElevation", - "type": "String" - }, - { - "name": "TargetProcessName", - "type": "String" - }, - { - "name": "TargetProcessId", - "type": "String" - }, - { - "name": "TargetProcessGuid", - "type": "String" - }, - { - "name": "TargetProcessCommandLine", - "type": "String" - }, - { - "name": "TargetProcessCurrentDirectory", - "type": "String" - }, - { - "name": "TargetProcessCreationTime", - "type": "DateTime" - }, - { - "name": "TargetProcessFileCompany", - "type": "String" - }, - { - "name": "TargetProcessFileDescription", - "type": "String" - }, - { - "name": "TargetProcessFileProduct", - "type": "String" - }, - { - "name": "TargetProcessFileVersion", - "type": "String" - }, - { - "name": "TargetProcessFileSize", - "type": "Long" - }, - { - "name": "TargetProcessMD5", - "type": "String" - }, - { - "name": "TargetProcessSHA1", - "type": "String" - }, - { - "name": "TargetProcessSHA256", - "type": "String" - }, - { - "name": "TargetProcessSHA512", - "type": "String" - }, - { - "name": "TargetProcessIMPHASH", - "type": "String" - }, - { - "name": "TargetProcessIntegrityLevel", - "type": "String" - }, - { - "name": "TargetProcessTokenElevation", - "type": "String" - }, - { - "name": "TargetUsername", - "type": "String" - }, - { - "name": "TargetUsernameType", - "type": "String" - }, - { - "name": "TargetUserId", - "type": "String" - }, - { - "name": "TargetUserIdType", - "type": "String" - 
}, - { - "name": "TargetUserType", - "type": "String" - }, - { - "name": "TargetUserSessionId", - "type": "String" - }, - { - "name": "TargetUserScope", - "type": "String" - }, - { - "name": "TargetUserScopeId", - "type": "String" - }, - { - "name": "Hash", - "type": "String" - }, - { - "name": "HashType", - "type": "String" - }, - { - "name": "MD5", - "type": "String" - }, - { - "name": "SHA1", - "type": "String" - }, - { - "name": "SHA256", - "type": "String" - }, - { - "name": "SHA512", - "type": "String" - }, - { - "name": "IMPHASH", - "type": "String" - }, - { - "name": "ThreatId", - "type": "String" - }, - { - "name": "ThreatName", - "type": "String" - }, - { - "name": "ThreatCategory", - "type": "String" - }, - { - "name": "ThreatRiskLevel", - "type": "Int" - }, - { - "name": "ThreatOriginalRiskLevel", - "type": "String" - }, - { - "name": "ThreatConfidence", - "type": "Int" - }, - { - "name": "ThreatOriginalConfidence", - "type": "String" - }, - { - "name": "ThreatIsActive", - "type": "Bool" - }, - { - "name": "ThreatFirstReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatLastReportedTime", - "type": "DateTime" - }, - { - "name": "ThreatFilePath", - "type": "String" - }, - { - "name": "ThreatField", - "type": "String" - }, - { - "name": "AdditionalFields", - "type": "Dynamic" - }, - { - "name": "SourceSystem", - "type": "String" - }, - { - "name": "Type", - "type": "String" - }, - { - "name": "TenantId", - "type": "String" - } - ] -} From c05c4bc67aabd8a36c0363abcb4998424498da21 Mon Sep 17 00:00:00 2001 
From: Kyle West
Date: Thu, 9 Apr 2026 11:16:36 -0600
Subject: [PATCH 4/4] remove parsers, add sample query
---
 .../CustomTables/HalcyonEvents_CL.json | 145 ----
 .../Halcyon_connectorDefinition.json | 7 +-
 Solutions/Halcyon/Data/Solution_Halcyon.json | 8 +-
 Solutions/Halcyon/Package/3.1.0.zip | Bin 10002 -> 7315 bytes
 .../Halcyon/Package/createUiDefinition.json | 2 +-
 Solutions/Halcyon/Package/mainTemplate.json | 742 +----------------
 .../Parsers/ASimAuthenticationHalcyon.yaml | 72 --
 Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml | 86 --
 .../Halcyon/Parsers/ASimFileEventHalcyon.yaml | 86 --
 .../Parsers/ASimNetworkSessionHalcyon.yaml | 92 ---
 .../Parsers/ASimProcessEventHalcyon.yaml | 96 ---
 11 files changed, 32 insertions(+), 1304 deletions(-)
 delete mode 100644 .script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json
 delete mode 100644 Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml
 delete mode 100644 Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml
 delete mode 100644 Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml
 delete mode 100644 Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml
 delete mode 100644 Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json
deleted file mode 100644
index f414c0acfc7..00000000000
--- a/.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json
+++ /dev/null
@@ -1,145 +0,0 @@
-{
- "Name": "HalcyonEvents_CL",
- "Properties": [
- {
- "name": "TimeGenerated",
- "type": "datetime"
- },
- {
- "name": "activity_id",
- "type": "int"
- },
- {
- "name": "activity_name",
- "type": "string"
- },
- {
- "name": "category_uid",
- "type": "int"
- },
- {
- "name": "category_name",
- "type": "string"
- },
- {
- "name": "class_uid",
- "type": "int"
- },
- {
- "name": "class_name",
- "type": "string"
- },
- {
- "name": "severity_id",
- "type": "int"
- },
- {
- "name": "severity",
- "type": "string"
- },
- {
- "name": "type_uid",
- "type": "long"
- },
- {
- "name": "type_name",
- "type": "string"
- },
- {
- "name": "message",
- "type": "string"
- },
- {
- "name": "raw_data",
- "type": "string"
- },
- {
- "name": "status_id",
- "type": "int"
- },
- {
- "name": "status",
- "type": "string"
- },
- {
- "name": "action_id",
- "type": "int"
- },
- {
- "name": "action",
- "type": "string"
- },
- {
- "name": "disposition_id",
- "type": "int"
- },
- {
- "name": "disposition",
- "type": "string"
- },
- {
- "name": "rcode",
- "type": "string"
- },
- {
- "name": "rcode_id",
- "type": "int"
- },
- {
- "name": "metadata",
- "type": "dynamic"
- },
- {
- "name": "unmapped",
- "type": "dynamic"
- },
- {
- "name": "actor",
- "type": "dynamic"
- },
- {
- "name": "device",
- "type": "dynamic"
- },
- {
- "name": "file",
- "type": "dynamic"
- },
- {
- "name": "process",
- "type": "dynamic"
- },
- {
- "name": "user",
- "type": "dynamic"
- },
- {
- "name": "dst_endpoint",
- "type": "dynamic"
- },
- {
- "name": "src_endpoint",
- "type": "dynamic"
- },
- {
- "name": "query",
- "type": "dynamic"
- },
- {
- "name": "answers",
- "type": "dynamic"
- },
- {
- "name": "driver",
- "type": "dynamic"
- },
- {
- "name": "module",
- "type": "dynamic"
- },
- {
- "name": "app",
- "type": "dynamic"
- }
- ]
-}
\ No newline at end of file
diff --git a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
index ec52d98cce5..f196711828c 100644
--- a/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
+++ b/Solutions/Halcyon/Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json
@@ -11,7 +11,12 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "sampleQueries": [],
+ "sampleQueries": [
+ {
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
+ }
+ ],
"graphQueries": [
{
"metricName": "Events",
diff --git a/Solutions/Halcyon/Data/Solution_Halcyon.json b/Solutions/Halcyon/Data/Solution_Halcyon.json
index 221d91bef4f..e7faa6a071a 100644
--- a/Solutions/Halcyon/Data/Solution_Halcyon.json
+++ b/Solutions/Halcyon/Data/Solution_Halcyon.json
@@ -6,13 +6,7 @@
"Data Connectors": [
"Data Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json"
],
- "Parsers": [
- "Parsers/ASimAuthenticationHalcyon.yaml",
- "Parsers/ASimDnsHalcyon.yaml",
- "Parsers/ASimFileEventHalcyon.yaml",
- "Parsers/ASimNetworkSessionHalcyon.yaml",
- "Parsers/ASimProcessEventHalcyon.yaml"
- ],
+ "Parsers": [],
"Workbooks": [],
"Analytic Rules": [],
"Hunting Queries": [],
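Review bot: The only entry added to `sampleQueries` returns the raw last 24 hours with no filter or aggregation, which gives an analyst nothing to pivot on now that the ASim parsers that normalized these OCSF columns are removed in the same patch. The `HalcyonEvents_CL` schema deleted earlier in this patch shows `class_name`, `severity` and `status` columns, so a second entry such as `HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| summarize count() by class_name, severity\n| sort by count_ desc\n` described as "Event volume by class and severity" would give a triage-oriented starting point. The same block is repeated twice in `Package/mainTemplate.json`; presumably that file is regenerated from this definition, so the addition belongs here only. If the KQL validation tests also resolve connector sample queries, deleting `.script/tests/KqlvalidationsTests/CustomTables/HalcyonEvents_CL.json` in this patch leaves the table unknown to them, so the test run is worth confirming.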
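Review bot: Emptying `"Parsers"` withdraws the five `ASim*Halcyon` functions from the package, but this patch's diffstat does not touch `Solutions/Halcyon/ReleaseNotes.md`, so the breaking change for any analytics rule, workbook or ASIM union that calls those aliases goes unrecorded. As far as I know an in-place solution upgrade does not delete saved-search functions deployed by an earlier version, so existing workspaces would keep stale `ASimAuthenticationHalcyon`-style functions that still select the old column set and may fail or return nothing. The 3.1.0 release note should state that the parsers were removed and that previously deployed functions have to be deleted from the workspace by hand, and this patch should carry that edit, for example `Removed the five ASim parsers; workspaces upgraded from an earlier version should delete the previously deployed ASim*Halcyon functions.`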
diff --git a/Solutions/Halcyon/Package/3.1.0.zip b/Solutions/Halcyon/Package/3.1.0.zip index 3eb413dc27d5e56c085759211fd552fca8b02194..c94768f45becb7cad639e5fa4cfa25ec3918c59c 100644 GIT binary patch literal 7315 zcmZ{pMN}LBjD`nycOSgK07Z(IV#PbSTY*7~Q`{YjyA*eKcZ$2ayF+mX-R|ybci$$5 zyyTFV+xPPSigIx9_y7O^8StzXrW^9J)HDSV0KmWl0EqrgjU7x3f10RSNSK&f*jW6u zu(e^cbhNc;&|I~l<;C@S(7<;ms@9HaJ%{m!{{w~{FrFm-Q%u{Msu9DfQ*3K><31l(l`Uqv5y2E zj~Z$Q3%AutmCuM03p3#BaVQE1y z24nx=ls9-Y$5}Z~mc@`F?KT*-)`Cg3kvd~(&zzf9@748@fSLJbC58ZuQrH4dr7hPKA&w$;Arm89j&FA=n**^KB<|grPSap zcVkxv?QbIO;>h^apsZn`C2h!&IB~Sk96xEpcHOF@OG;uIJ^?N(H{s2)>zX9!oCnBA zIpyz5{$q~+#0svxHK3{jOmvj~=nGOquHV5UY|>t0kk!aNX4kPy>9RiMZMHOcoEL%5 z)Jtn+*i{Y+Qnb*xR?%0>3=K>Z;74Aug>aZ>0LQT$2 zl1&M;kp5-E@WC%58c6XW;U9Y^mY994nNa5#9TE0tnIpDQIXFfo# z$seF#>Vb>8wz++v>b12iHUSPMV_|`kRS2IE7w_m+LA{0b=jwo1QMt(BzZE%BsZAMn zl*l4W5T7GM+fDRupDD%=8L|W!=Ui4Ca+ZI3Xj!bUf)N~lBR$-VICF!-DD`7Ha>Pva z?F!7T^F%JZAK#gz6LaOs%i8$zIbD1k*JfRKjNICbL4KEEp0xmjOAX-PBcAzS2Y-{iZm- zCA$saCp0ymIJ71bcwFkC;X*pdIf?i=x>xS0|A;ajfq(KRF)w2-awo7ioYCyctGH+D z8L>jpKP=9bIijA7BgwIRvy!G?9$zeUk6Yxmh;T$BH)+-;*X#ANl*>nNwwpX{q%tc z&N$)pF}&tjR$BKlO&W;ia`lb0b`=L~R9W{vU7@6EL_hMcA_`2NthH~A| zfmNYSLUy#h?r8WP`dzu#`44&ewL+lxHI*26YjaM7q287mY4tT>1S>QTDxQuW%ENSK*66p7J4BIVK@%@28&OEBjIdY=GD~}n5)C2k3hj+0 zaZlSXwjDf;c975Tmp%Cl{6oioODtKud_=BfNojkjp6ef!v zAwGYXD@-kQ*UuDp8^6g1lzd35%CE7xB_dHiN_RW2s@;R%Q)aWFePJNyn%{2wr*Z{13I{l_+rd;kFFAIz)` zEo@XxtnIA+A??2~cCP24Le`S>{v}Ine~tNf$I<}ZjV%2fXZLuuI43A(4=bB9S7)iU zxPVe7axgys#5?KL{8^?k-@BPgx#`7xY(22VNUVwSuz>dX=x8x36EFq+{g>f`Zw65| zS1cz!dvNdLFwhr2O3AmFyt|7g3Xu{m&c&#?jq9nT>!!Vni}dLOomJt8UN(?UF}LRn zLY{))YN=PWQdqHPbaQt^sf}a+#ht;6fC%oBV(HtL&oBUA%!s`}d$qqr((NR9*;o?z z!4aeH>3s@_*rzM4P?0;3D%4SuCX57uGY4*s6EjX-KmqWW+lEdZ0uvV+?p74&rl>al z@6Omd>=M(Uy_BeUOoHK*OrStg`~=#^k<6zfLP?3v5W1NLHhx^t4yF6J7XE!Bq6N`n zOVY>~BP&Yu?nmmPnA%l1Ghg35|Iq9_ zY;rEYlid0Etv#efzic7_JVgL1)Ht_lWg=kgN3W5`4CI`UC#Kl0fMa+MJYR&rID-#E zNKNSot&hXPL(CsaO0(FX-nBacKTFSBh8jRU2>U;eIZi~EPcw6BcwiBYM&W51!d2;E 
zZ=XegCdebw_{K~*B0ztkyQ+)(HAVOJTQ8R%r>%a+LRHS0(8xx4LIVpW<{c)9lQ(S1MCj1sKmu zj~&FxhaE9&-tN3$e}E_i!jI~AR%|Q)o>#L4=Xh#}J)q8jdm>X-N7IKGV^?v-iR2uB z5w45TO&V1lXR;PtN2T}Dxa+Z}JQCOlr9`~4eUksdEI?^zC2=qQVX!k(e`f{PEq)qn zGRy1B3e^5#@Y2VVa+1v}wt7wB#~owR#m>QX!sO=O&?MrXmXVxH$6S5Xt3IzZz3?Ne zgl@E*bW}G*3{v1Sl1k;qNn#a7PS-Au zV0b8XcJCr6E4Y4M3DkSV!e%)ZQdgb{ZfLDcV|&{{v>b(Q4A`y8N7N(C=Z;iF`KWxTyTZv8dc@kN-lmE2+K`nbM zJt3dTY6mUwYbR$Wgron~8@KT}WQ;Exwk+SeLhYN7!J7vs-QsAyw)I(I(NJsozANvP zCe@;MwCnZPclIJhZ0yw35CbUAeiK=kOdHCOO6g~I9tD5r5QU0_w$K?GC+X;8^}R0X zer!T;gM(&F7HSU=;lZ=TQ&xH$f6o9H1wcCu(ID4=FmO;5g6qdX-jwhBD$mw_#aIc2 zyPus#N+H1+_d&^qKKn zP#s@WVSy`;4k13yesH&>N+#DsNFIPFE!zhuL@p6KLe7qhB~j^C_jpO=j&Wmzz^Aq) zM`R_X*RHl+9+r;(UU|}I4v6SK@PSgqgn#LDO(aLn6o0dHjK!lhC1}(xQ(%1#o6Idl ztaSMT-A%f`y2V~%&Proyaz8~OinWflAE;-y932j7GS9#)RYK2;V9J;h; z^!}NzaTs54xZH=kqd}T0DW+Lx1uTRQnD-FLr~gCDTt`+BuZ0iTdUXCWh=Fm%x|IjV-+F>2^ISk;Ou)o!HB z<(%O7;d;qOp3j4L`r4~*Z;jfbvA4ah)^2`p38i;j1UkWUNK^@0{<@+7epvEX9K$Hj z8+gTB9t!~{{hQ`P3$VkdbL8lt{xqiol^HO_T%2kuGbLWbs?LJ7_+~+RH1Z7Vh8T@} z5`@?A*)h+ag)w(g+K4|~w&T>(=1XpzxLtQFYMG#AF}LxdWrEA5MSOIwGyrvDC^y=TKH@u2L7h1rmCJ9Coe;A&X$y5C zv~A7!!W)vlH9nPI6)9v1BRt1K{Pax*1?xZ9qsywfpGNp>?Q5=3loq)tWoV zY2oT`KGDpkt?9MDve1HtQ)zE3HgadWf;uVK%qhm zAeSR@>Gxac46GVGLgmrAPRzduIL`$!(m|Q|w#- z$@G!OH2Yu*aU&1ot2t9uxr^XObOzwe3?A8JM4L?lt4nHIT2}5}y6hGM8Y$KsoWokw zPvlv}-HAfQn0v0a)#E>H7>Nmg&#*LNd(hF2`vTKr{^~z@H}l~&*yc`jH82*Em(zeVGK)Hg6$BGl@#%Lc9%o2%o8|HP9dY@!?TwTee1{&qYqSY>w%_G`a=>(wwT zM|p1mR}=sK^V`Ib30uwHuTr(I;luoHbuw_lrD$h%8)}Ae=fKcBE;_nL@$LUq_GZZ z7f)f4A4%JI)QkK=q9^4NekQh7r6D1S7NLPht+B8-C*@&B^Si*=e6*7(Sti7Sg+`x=!N*PiLi0v5=kS2k#?k=-a_F6lxCWowBEzq9mDe582)}|2zG; za`Ma*Kx4zP%#A{A#>{Fv8_WcXEe)aVA-blO#p>jd`?a-UOikapU2Etf+OJA+WxXVf zpFdm}$^G5C-aZ+o*Ny_eneneca9&Vfz3{c<5}#a`t`MCyT*wdt2F6!Q+M%1!-q#D& z2z6AF-w;^(7bHU!vbv;hWAc%5G@&Hp6jQylWwsw9D^eATR*`a;C5kd$U2iy4zx$Z> zv;2f(ZslCg_5HZlmdRdkd%>RNtq5dHw@-epn=Nu5gYISp zkJ+SL?;a@0;GQCrao7E!Q8_PPXFZ5ec6cv~)Gs=CFc0d>bd%tVvb{WT?a&sQSo{Wn 
zUg2lFNQXN6>+~NsDIX$x9@X7!(ftJjyERTc94&28-J4e2jH}!9!fnwVn#?cndd}6M zHkg)8g5&dnHah#O9HHx!H*7tp&VxGEQ?0L+ytMZNz=qWY@8t`!fZ20r1F8g@rpw^( zKie`E5p!10TbUl$YJ27pGIZ3N<*HlsaMS(A&f^rRbZy+4dEpav7JR%uwyaN(`46#< zb}+b}E!_xknrEe)9JrnYatQ5K?Z4bu;-E!+C!oJwQG}iwrCw$1!>EV`r<{1m(H0Wo zrk7QhgzLH%cbBeAi!?>#>TEHKF*iC=jIsEFiVO%e1#&%f-J|1VOBPjeZ7ww+hy`3e@$SQw+zz4o{>F>8B>3!j!GqdP0+55Mxkx{pl~Q z3r}i~BP}6_=X}(h)nw~a`Rd2S^jN}|r^9L!ek2l7N$3|fp*E)Ak74*-IU2p2^$ zTSYL^CN>t}SeG#Kw@MZLZLs~(M38vI5P3uqctqhBs*>c)&Oc%MB7Uoahdw;!yfHs# zlj497k00JCN2(wY^@myHd5yapR*{>}4$_^b`OJC7_Wm1=Jqz!N#TNMb&_#Oq#A$0h=DXHLME^wZk9iQgJ+7yiQiUE zri^}s;OijET9Gim-Fdlk$KEwzMG048MUe(~GgFZ^L?l;jh36q8PmxG1DRc?j@ff>wdS?vmQ{@1?$*X)XraB59VVsEu*@IX@m?QEx4YLLf982ZFV*iGj7ZeV@uu1k z*_$ogY>TfjrrQ)x$#NfBaXN^!l$X3phf4^P12EfKZP?yACXViGxG9+`Qho5mVI zJ4pC-sJMFKhy5?84~nEhPWsZex_}QEUDH$0G4a7_MlQky{uKcmK`PN#v<)`dUN3{* ziro2t77LJFs^&%Qm68sSgE9Tzv#ey7*uTR$!y7_`)~cWa8Rs_-8aN=)>KYQM+SL#C zU=P}hheW z_IQ7;dWSL7MhSx5qKC(evN6yz3Gd`cia(MZWPVVa<9u6JP&o>Yqvb}=jtRw5iT!2x zXa6s{g#!VW5%!}-M#mn?RJ1npXg=FIQrjCOzUtk0>yh=2(bcXHAKxKr<9M ztZX9l4Xw|olv35dE-=N?{zI4{jIwf*s3w8AV&X24R%Jc2R9Rh@%)sd$7v<=U>uQ73 zrkOZ#-(o^DKVI1B$udcUXcKkXBKsNMzQn;RlBhh699*E-D<>}bH@#$TX+w$1o^!Tk zLko{+=(nQe5;1K~T;yvD|3Q9kEm%c3F`NkCe`aT0cx@G4C}3-Fu%a-dr{$|UP>~Mw zJE$mr!%1Sk6ym_K;#}ryrG#Y44=(RUPRC?((DnAg+|8@xieJav((m{Y>pR`Yv4Cn$ z@?{rH$l*ueO6hJxkJ@#Pp4}6pdo>dzH9b`-%ZZYeL zOa9vB-v+H~92~?>d!DVXl^61VYAT!92;0GgAK~~zMko`IJZ*fyW%q;AaZ~t4e%x$! 
zIDI@b123F}+smvfWj$k@}QXF^Bncrv>Xdqm%rHP1z=^LrPU zn_ZE0hf2bi&aRvCuIKiTeKX^#GUchuLL7V1&bV{n093C+W&BdZUtm&Z1TQ-dC8F55 z#7`unTioH9%vSyN%$zETTKEdDs000C)hrF+$R_W!23LF4njR^qY|I1pqS($lQY1v6z zS=%|;dDuBSv3_%Rc52dDb6S(d@PE)jS%$`gjjI0y!xB>xW>2I5C`Bc1k)e1plZhLy zO6wTEn2t&!JZia}d!`v=X44<3&%!&3wsNyM^gS5Anu8L*Egn;>l=gsDQ_$@AdEDs# zQ(H0`nrS{cDn53Qn@bCLP$GBi`s|=?(D}19Ge-|6RIE$%Pw{+G(adp{Y~pL1;&*r1 z@0c_W6*z)Awkz{Q8G4ZMq*;v`!LQS!oB5uzwy7JO3ptB@QAmhY(Ohuu`-)k|xSZ9IXjpA4v>Pse%`05#ZR?Y_fP`zobspO^6-$u&=yO~Kt7pUY-N+|dvCp}jSiFMp4 zki~brdYq879J@k8t_{pcny04p+`NADeJlIyXKqHgs<8&Y{b0EU6i4~pFU2CYB;xO5 zo4amVXEPahX4rtR;v^LUP&4`65|hzcysSqKpa6a7T4b?3Sf}I7^*Wf|)PW?s7UPbm zRCGk@HySS-Rbly1`!5l#3<&Xt)vP_o|xnYy>(t%#A5 zE8S6OA5r!o3l3#Xo=EP|m$r#b&3`pL(n{CR83F*V;X!8Bfm?+KUQtP+F;+G1%AddKxBx3ld z+iOL(maHB_Ail=aUh54=O(Hk38&Sck#HLNEW8c{7^@l!hbM2u&!X|u{{vmm3e`&>9 zEU?m-CN^b9$J>cBO*>@kmFFO>V+UfpdYn_ct5D-Dclick5M4I%YwlR#*5osoZzaI~ zY04C3tz<_M`%Wc=l+9K1rjx3Cg=6)I)Q${x$ihrUOFHeo`BZx$(DJCUij6V zt3lT?zRKy|jrS7$0{tEC>;FfA(#!`R|BwLyosLj|et&J();%u=wgSIJrTWTOQDr)BGqgQfgjEyq`CXlIy^aJ5em{)sEEP2OWUNyJVGse$S-+bOzVK+!6@1!xjST zv4g^rFa~#J0wwWj%wX8Y!?{uH_2uGy=i=REO12v!a^uElyCam4-z!#r7_e~s_nu|S zYS>DQLbC4g#wk3+|NZ+81lD{yJm%r!g$V#S>Is|>=|g@8ketrA%Sg=31_LFZ3V$5J zpnzCS>y_B=5F!~np|_)LHzHtIF{DCi&xLYeeHI?^0fJ{Ua-Djk2wpbzQmiCiYzaaZ ze<$tPW4<@d;J~51APNSR-35`Kzz#@mVY6LT$?^8=hs?1y3d--Ie%JXrOEWCMqIqM@Jy#1;V;Qt9fExASJxs z>+klr0X5%^BOjp6p~a8cifZfZm`yF2rQE{qKxF*AN2mwlj&VIb> zGCnKQV8d{uy(_5VNZ4-Uh~z2bK3IM0b+?=;tIE?mH6qg?BE$tlbq2!qa+Rf}KS9ZN zWtXOl8fz!#D772#8zMW{ck>!+P|MX-`o!ZG6unoI5{k?(I8PnKJr2V$xlB6`rtHbR zX++ARVl9Knv7)+3K_gO@U6-|zcJ>yJF3puC!!~n$I=%OcpL$Nj`l5U=!UQM zfs%X|3*GE&uD+<~Oc(4q{r-RD+Yl_iLUks!cp;eI^(zdzn z=p!I`kb9u-l)HzKFrSD%0Fr4YGvF||P5+3mB+R5!S53gh7$>zz?08fEeXp=sGr@Uj zj3}U`6Bm|-sWdDcr8A=#%hr~kE=SbOIBvLoc3yK1HS9H6N$d)iHam&KX)Bk}<=pnvcMhp)V%8?_ZGS{Y&C zVt1-4sm6xoLw2|(4o=-)2__d5?vjJtSiim1+b*K`;K!#=&#@F~z@OqMT~>WEP@U88 z8_+K@qUcpqF0`v0KE}bk0m>z$*M8EUwZ+MH#_8**e-6=?LN~7sZ%KLfy-Y4wk-gD#AXeI 
z!P}idbtQ3sRfn!eU6F;6)lMBWUaV4*mOnFQw$2gG!fqrxj`diS9D;N6-vP7%L4f z5|f``7yD9Mh$j7YSyf3DE-6CM$8pLbUboL}+Ke!g)Xa492^s_B`h!p}l8ltlv)!|o zED$almio~IVSO7G`j08p_tWc-SJF1&FXSM(WMp&&c2ALjo-tCHjBKq5N+X;ti+gWH zb}5+tXS^u$b%7KvZuM2$LXb~)(WN}jh(41Q7+HQLj4xWbl85LqWJ;(T_EVJUHowjj zOCVRxL#$&hEr3j?k+U;mInjL+1KUTlNau#;hL9bLT%~*-%w2s%Ro`Q-T7f=Z{&11v z*M;+Wi+gg1iM+z-Dc1TnxbX<$(&QNuV9|MJA0UrzMD#kofkh7sMU8-QYafVMe@DSV zRplUvWIO_OlVaW$>{Yh^bet(uOf^%@h!S0S)8m=k@8qP{hsHWzjvgu{RN`>(YYv2hHSB~DjuX29ZS)IuNxgGEX~K_1E@^}agEa^Jt~qVA!e0c^ z(D_556yJZONOqc%pizE^{CkE4vAnp~$}px*-Yz67U8CaG5!cpn<@J4gK|zeC@=hYO zULt`L6wym5P%_CvBAV->W|ITgRp?jT1SZP8B)i@0cf+5kdFv<48MT?C5MqB$*|WxM z^TLA-9_D)&ZJcP|b!?dLcUwrV0!iT6gKfB^`%nQuRO7)c>vScz0q-sLGhP8i_@&YL zcF(B{2k$sTnw~JXUg>I4m)aM-TOrY|gE_p0?xUarmn4cbiijfd7M4}6`BBa z7h<`4o1+cqPvkeXZJ4?{&gl5Ene@G6hi}m+b2Xd>l5MzOqU5?!KO;ZohKHZB_`E2= z4a|_|7$XS#LP0HC*`{`ewv9=bw7HRI`C6(8;Jwqg{nD6n?S#K@AE}Lg_OsIycA4x0!4aCA(sl8g*d47m10Q-N@@1|U#?|EbzEj0h<4d-k zr$4xUg~11RVu$zYR8=~Z95!}%|x+TpYn0|x=Zl4N4XnTvGJm_ z2r4(!xo?v}f){;mI#KLAaB~9v5Sv{F&P}{<`~qGjC|v_LEV8BE&n6$0dhB}FXvTBBPRNGmB}4I z0AbQz6`mdYuyu*_LC->XfJ@1B^3#dXH%UoR{K&@qT|PGyDV;3{HHk%^3MonZC54tH z7!kwfIWLNNOQA5i$M;2;J-f7;lmDsCE;KqpsGJ8AWjFYNDf?nfwy&3i1XAKumd;Py z?zON|0>(GSVV{p-#z;)N;gH2HOA<=fSK*ZNTgWU5x&(!4Ick7W^u?KtCF<)wQz=C30_n ztvyC73NAk0wy(bIoNm0Cr91@h(4v`8aLbFR$+33+DP%FeAL7_>nFVDY&?YlraRzUj z$1q21WwG$j{UpxZuw5lWw`7?@#0$ev52MPT{{ft#_{u%bYZ*1hgXHk3KsO;jLylAomZ(Xdc?eH;ASl^sl~^)-VlB7;B+V;oM9IKw zkBphbD8KEEdiQZuSmCr%hLQywgDt?B8lDa4?a)4_3b z-sXORBiewNrygJU zkRZO0L-%OKvaD=Cw7e4f17c^e2arn9Hz0VAo2Nh5&4aT^7%a%bWI1>y5j+^^j@}?k zSIg8z5g$+kI|Zof-t_!%nCmMi%NWW6T6E)pqV$&M>1(cq&x zGg~3!p4UK?P>R8P;HYs}+TuM{!4iZh;5*k@tiRYHy_J(>lbWA z(A|W79!`<-*EctpZnX_?;LU`c3DOW>1&9H`7z)~?{Bi;nL~yiWdsu7=Y#=p3a^pL? 
z9NhLQ^i2y{o#;M5%3G7Yt41*AEA_*@YF~NMM$qTmy0acPMpD;VTV-4GXW-v(co@v{ zXz))9oSE=4Mv&xN^CWm&ukFVTnnXqS#;tAB!(Xk!I7mVjNW$T`=f1AWR>b<6Y&(h9OqMJupuxHfWN!WOWx zc{3ASjxCGB5D}u?0`O>wnH9Kod3sHK%zI};gAKCfYpH`wU3YudgQSb4gFLZd78Ov^ zqh61p*l7XGLh2keuWP0SVhx!oSkL?1)xUab$X&O1sn1??XB5K_pQ5m?i``f7Xg0w~ zE~>z9O*t^23F<`yo_ymbXnb&-C5_Q{RNg5eDPnQ zFcC>yU&R_e)-YmCWWP|lRtJX`Hy%j4WXS_sEXm6c+3v79wMK+AlBTPCednVPjR`a4 zP8G+sM@(_C>N1Xgs3v=#ub@n0)2f4o8fBhF2}z9I|E%#B3@$aj#!t!5Gz0yipRuXAjpuORwyHW?AV0+=xo>ctG1G97J?1vgwG{Pdbj{j(J zBdS@zcB~TV)vg-QAA>nadq`BUJH3Y_t=+jQOyKD57bb;2-9UGjj?Y?g?13 zZm-xPeTtBo5+W0AJ=%Eztce)WN40fBE6;NTa79m|c^OG3LBNbypM`x`cCVK5zeJYN zsQQKI!{-%;&J$0HZ>7EGs0RX6#o>zf|H)Fhg0-TAE4W~I57Gp?Z}#koE@S+|DMt76}UadhHYbW55N)7nh`7~r_-f=l_H#D-YNt@<&tzVJ|_4(9doqylNR zkAJP?((;tJU$5WqDv`|s3u=KUw2YF$?UOe>#AKdOoL!CJTB%dUarH31?982O^QK++ zL3FPNIn^79YdCiSd$D7qx4%1W#fBrLeaQG+W>6%JZ-gEJA4U&*WB6U*Oni~!K}Y5< zK%2Z83k3Y))BK7z%L>AFWb9sPUe>WE^C(T)EV+Ph@76*uO4}`x?wgfk*ElW1PC1`p zzf6F*Fg+fyF2)>?*}-MIQj(ZHY+e!l7n9_#LMPU{RIWeGmL*F(Ddte5PXGHYK1AbG z=!x9McLn&-jFWPbWN?cnY{H|#^*0(giH(;7ne=q8X;ByT0;Ma_kZ~d(8D1$M7p~ZC zc3zDg9}~Xy5o+G?XNbWAnS6=Tl@1#}oXAc1z1}N~^hj^bwU}<;*q=204F}9Q z41`=^4WK=~E$%OHFQo$_o$1?1qluOk#GYdFIO8CHyRb% zp9K~FbWXmT^79Yl;v&z?r<1v-+B>J?hf4Gfpf(m+o)Bs`_hs0ZMx|+Qx17zs15vI# zRy8=sTz`MQmw4#Qa_#brm%F+480A~NTp`AMryaZXjJ4e^!V!bRD=Ndc;fZR`gxPhH zZ9!L$_vYJ@ID>(?4q#PnZxh|b7Vc;D!0N(*k94ypuvf8EWHV+`yi6hb*{ZA^O--a% z^rvm?c!V?4&2d&nvO#2zjQC0hQ14nhEGD$~6)tDuuWHh-Q6kj2RA%m!S1%b^AF%_t~o^((TcF7|KNQSou9%p^Zy zP9eC{s8{Ur{Qde;Mbxdb%hy|Xqe$-?Z&Yrd^W~Lt_c9-H`Djq~nU2&hhm#+ifyk#Y z{j*XFb$;k*)Bcdbt)16xUF~DuY9c~mXE)s0{b}%+^p51$su>Yp(cyjV*2dU52pOn# z4M9TQbO)tNg^E^t={AnvvveWxIv+ge*&9B4+UHy!0U0#dFkA=^OzIl`Q-ap?_kk8{vSjFG)-aeCcOBVD8mSS$ z+ZARyk?G|l>tgNsb;yOU5yOO`+dvQB!$)9AJeMol+R}0+Mjvm2P?y^xt^4zd@~%>S z?XIMOWHv!@T|`XabK9L;ITvIM(Ih;oYeSZvYvgQ&H)nk3{T(VoRuj9aXPDzC&POt? 
z!giQ%3Jvu*N_lK!)KvBsk>Y~ug@IYhzYqAB_8}7Rak2MW5AGpk$(!NMYlHQ=aye7WR-&l6jL;g6Kx!z3MTLtYk<^za0n$R3}U=Lrw)%s1l_Xq(RBM zg4xp7%ObOd)y_h!>q$}b)duP_8oR2a>Tm0$Rk@nUP9FqGQAvZ>jLHRSq(y{0f2bMP zC`VKEX%lh&3Es%NKJAR#98iE(?JoA?o-5J=&({g1U{#QrASxFzWH@HmF-}6$X0$R) zplEPNU%66IiG_C2+?<7$7T1oW4i7t;sU>~+=f6bDiIp38w6>~!o$*s@lm9v+wslj< z#D!vLg}Flojb>A51tVzg6IK369*t&I(APT>uLRw(?$7#KyK4U~MczOXEGYkplK|?D z>ui6vq7~UWRVO7|dTpqh@Zu6(ASt1a>+gsz_O^hH4J=Sk_NIh4^0bjR>|U{kG_z_QGDq-4g! zA8J%~a_3@&r~Wg)Q&VZ)zuD>0OsCY(i?yIHs*WkPe4yCrtu);+?p1~eZ+lJ?3xFL8 z84SLS=&5(6{-SxYAJH3A+1el0e8t+_>knMgWA5U%IqL(3mQ6-AAI@n%~Zd6e@?Hi?Y zJBJlbi4so&&xX6q_-GAdiDMBPF=(=$kJg}1UrBe(x-YZdN}vUONmW&eX}3c}X?^(7;@k9{ye zn{o%2%8LcDhGs`=rJ9UD!CQ_6(HWIm*av&ZYF}UJmm;3FpPdrDx13!%BUN5NQkNl8 z&h4%XQ9CAdjy0(x(VJ82?+;Y?1xgDR#EL3xZ3E=mW>#Aj@-HX++JTGIt-Qp<+JL2# z9(yH#gOa#|WWjMG{uaJULdj7Sp+sl7lZlQ~a&m`+Wss3x<4ev2<_=q%de4O&d54um zhi~mhEnYNd@7BGTuh2^1@+D8l{7r#_w&ss#$T5 zu$g)Bd(rchWlC)>!`AFq%X*87a!#R=tkHCy1@#|#Tr9_x4y|t;yKh?yPJpG3Po2*! z+bnJHos{}*+{SwNb=>RcM!R0la3-2vhSgr&xNbX@H0%{dEigl+p7y;Fq;|J)#vAr9rmY>L_Wxt(QPGwxJu zi;HF>y06N^(bk&Y?t6p!?$#{xgXWb@gSrMW|DXY@@w0t&UGx6~?{@5qsn1WG<+)b6 zc19d8(-CmM zs}LdhIRQ$@Y{4kg9(*$f>Gja}mvGMAwuY88QmLA)vytCDDIw%Cfq4v+fj<9QW9hze z5D`-#+{N@f6@qCR=Mn!a{=2Z-+miGBYfH-o(Z~76+tf#}JqJQL^foGtdvM90mO7yc z_AGc{aI{aKUdGPHg)IF9DHXyw3%OO~nG9_)NPVo!o_b(kaJsjz`@A#dH{g0MOXQK4 zW-b<>hIfUzP7%v~#YN0~M4FNy80)x$f=W%b1|&+N1cxVMu|jw0#h)K_boIll$T9pJwgZ)Ukr}; z5*!^GWsIAA|6CLHwCw;7x~k!kFsFmsl{>)QShoJv#0cges*{kW0Xl%Z*uceQuGaX8id5{`L z6s0e61I6j|UqP*=>N=8Wj4n^7a|;Q(+$$>a$6NC(wlT+-~!zd;zN6!8MC!z0)# z<6o@7xDb}m*D%$){M38rWuYPip)Pf_3VYW`#Yn=1X4(GNMO$4XTz@6?{2kg`g8e%J zmeMJD@RTj~v*wHTLDZHpNYcN;O3i?SZVLNEBUZapL_S_ z9z7E>1pEzN=C5tXZ>PxW+Y5?Iy|T4y=mU7>PQr(iG4KccS0yNDoKOFE=h?s3|9?kO x(0{`J#fSDki~LXX!2d1*02BoU|1-7y|EvUGm0\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known 
issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\nInstalling this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the **Deploy** button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.\n\n**Data Connectors:** 1, **Parsers:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Halcyon/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Halcyon](https://www.halcyon.ai) solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional data ingestion or operational costs:\n\na. [Microsoft Sentinel](https://learn.microsoft.com/azure/sentinel/)\n\nb. [Azure Monitor Data Collection Rules (DCR)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview)\n\nc. 
[Azure Monitor Data Collection Endpoints (DCE)](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview)\n\nd. [Azure Log Analytics workspaces](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Halcyon/Package/mainTemplate.json b/Solutions/Halcyon/Package/mainTemplate.json
index 45da19c9694..e4ebff86b5a 100644
--- a/Solutions/Halcyon/Package/mainTemplate.json
+++ b/Solutions/Halcyon/Package/mainTemplate.json
@@ -2,7 +2,7 @@
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
- "author": "Halcyon",
+ "author": "Halcyon - support@halcyon.ai",
"comments": "Solution template for Halcyon"
},
"parameters": {
@@ -44,6 +44,8 @@
}
},
"variables": {
+ "email": "support@halcyon.ai",
+ "_email": "[variables('email')]",
"_solutionName": "Halcyon",
"_solutionVersion": "3.1.0",
"solutionId": "halcyontech1743610828684.azure-sentinel-solution-halcyon",
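Review bot: The regenerated `description` drops the setup paragraph the previous text carried — that installing the solution provisions a DCE and DCR and that the **Deploy** button on the connector page creates the Entra app registration and links it to the DCR — so 3.1.0 users lose the only in-product instruction for completing the connector setup. This patch's diffstat shows `Solutions/Halcyon/Data/Solution_Halcyon.json` changing by 8 lines, all of them in the `Parsers` hunk, which suggests the earlier paragraph was hand-edited into the package rather than sourced from the solution's `Description` field and will be lost on every regeneration. If the instructions are still accurate, move them into the `Description` in `Solution_Halcyon.json` so the packaging run reproduces them here and in `mainTemplate.json`. The `@@` header of this hunk is not legible on the page, so its exact line range cannot be confirmed.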
@@ -56,41 +58,6 @@
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
"dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
- "parserObject1": {
- "_parserName1": "[concat(parameters('workspace'),'/','ASimAuthenticationHalcyon')]",
- "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimAuthenticationHalcyon-Parser')))]",
- "parserVersion1": "2.0.0",
- "parserContentId1": "ASimAuthenticationHalcyon-Parser"
- },
- "parserObject2": {
- "_parserName2": "[concat(parameters('workspace'),'/','ASimDnsHalcyon')]",
- "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]",
- "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimDnsHalcyon-Parser')))]",
- "parserVersion2": "2.0.0",
- "parserContentId2": "ASimDnsHalcyon-Parser"
- },
- "parserObject3": {
- "_parserName3": "[concat(parameters('workspace'),'/','ASimFileEventHalcyon')]",
- "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]",
- "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimFileEventHalcyon-Parser')))]",
- "parserVersion3": "2.0.0",
- "parserContentId3": "ASimFileEventHalcyon-Parser"
- },
- "parserObject4": {
- "_parserName4": 
"[concat(parameters('workspace'),'/','ASimNetworkSessionHalcyon')]",
- "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]",
- "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimNetworkSessionHalcyon-Parser')))]",
- "parserVersion4": "2.0.0",
- "parserContentId4": "ASimNetworkSessionHalcyon-Parser"
- },
- "parserObject5": {
- "_parserName5": "[concat(parameters('workspace'),'/','ASimProcessEventHalcyon')]",
- "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]",
- "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ASimProcessEventHalcyon-Parser')))]",
- "parserVersion5": "2.0.0",
- "parserContentId5": "ASimProcessEventHalcyon-Parser"
- },
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
@@ -125,7 +92,12 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "sampleQueries": [],
+ "sampleQueries": [
+ {
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
+ }
+ ],
"graphQueries": [
{
"metricName": "Events",
@@ -269,7 +241,8 @@
"kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
@@ -647,7 +620,12 @@
"publisher": "Halcyon",
"logo": "halcyon.svg",
"descriptionMarkdown": "The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.",
- "sampleQueries": [],
+ "sampleQueries": [
+ {
+ "description": "View recent events",
+ "query": "HalcyonEvents_CL\n| where TimeGenerated > ago(24h)\n| sort by TimeGenerated desc\n"
+ }
+ ],
"graphQueries": [
{
"metricName": "Events",
@@ -791,7 +769,8 @@
"kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
@@ -877,7 +856,8 @@
"kind": "Solution"
},
"author": {
- "name": "Halcyon"
+ "name": "Halcyon",
+ "email": "[variables('_email')]"
},
"support": {
"name": "Halcyon",
@@ -927,656 +907,6 @@ "version": "[variables('dataConnectorCCPVersion')]" } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ASimAuthenticationHalcyon Data Parser with template version 3.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Authentication Event Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimAuthenticationHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 3002 // Authentication\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity 
= case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n ActorUsername = tostring(user.name),\n ActorUserId = tostring(user.uid),\n ActorUsernameType = 'Simple',\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Halcyon", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "ASIM Authentication Event Parser for Halcyon", - "contentProductId": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '2.0.0')))]", - "version": "[variables('parserObject1').parserVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject1')._parserName1]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Authentication Event Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimAuthenticationHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 3002 // Authentication\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n ActorUsername = tostring(user.name),\n ActorUserId = tostring(user.uid),\n ActorUsernameType = 'Simple',\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n 
User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimAuthenticationHalcyon')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "Halcyon", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject2').parserTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ASimDnsHalcyon Data Parser with template version 3.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject2').parserVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": 
"[variables('parserObject2')._parserName2]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM DNS Activity Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimDnsHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4003 // DNS Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Dns',\n EventSchemaVersion = '0.1.7',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Query',\n EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DnsQuery = tostring(query.hostname),\n DnsQueryTypeName = tostring(query.type),\n DnsResponseCodeName = rcode,\n DnsResponseCode = rcode_id,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Domain = DnsQuery,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "name": "Halcyon", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject2').parserContentId2]", - "contentKind": "Parser", - "displayName": "ASIM DNS Activity Parser for Halcyon", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '2.0.0')))]", - "version": "[variables('parserObject2').parserVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject2')._parserName2]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM DNS 
Activity Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimDnsHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4003 // DNS Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'Dns',\n EventSchemaVersion = '0.1.7',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Query',\n EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DnsQuery = tostring(query.hostname),\n DnsQueryTypeName = tostring(query.type),\n DnsResponseCodeName = rcode,\n DnsResponseCode = rcode_id,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Domain = DnsQuery,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', 
last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimDnsHalcyon')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "kind": "Solution", - "name": "Halcyon", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject3').parserTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ASimFileEventHalcyon Data Parser with template version 3.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject3').parserVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject3')._parserName3]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM File Activity Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimFileEventHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1001 // File 
Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = activity_name,\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetFileName = tostring(file.name),\n TargetFilePath = tostring(file.path),\n TargetFileExtension = tostring(file.ext),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n FilePath = TargetFilePath,\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 
'ASimFileEventHalcyon')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": "[variables('parserObject3').parserVersion3]", - "source": { - "name": "Halcyon", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject3').parserContentId3]", - "contentKind": "Parser", - "displayName": "ASIM File Activity Parser for Halcyon", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '2.0.0')))]", - "version": "[variables('parserObject3').parserVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject3')._parserName3]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM File Activity Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimFileEventHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1001 // File Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n 
EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = activity_name,\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetFileName = tostring(file.name),\n TargetFilePath = tostring(file.path),\n TargetFileExtension = tostring(file.ext),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n FilePath = TargetFilePath,\n User = ActorUsername,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimFileEventHalcyon')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": 
"[variables('parserObject3').parserVersion3]", - "source": { - "kind": "Solution", - "name": "Halcyon", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject4').parserTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ASimNetworkSessionHalcyon Data Parser with template version 3.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject4').parserVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject4')._parserName4]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Network Session Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimNetworkSessionHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4001 // Network Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.6',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 
'NetworkSession',\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DvcAction = action,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n SrcHostname = tostring(src_endpoint.hostname),\n SrcDomain = tostring(src_endpoint.domain),\n SrcMacAddr = tostring(src_endpoint.mac),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DstHostname = tostring(dst_endpoint.hostname),\n DstDomain = tostring(dst_endpoint.domain),\n DstMacAddr = tostring(dst_endpoint.mac),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - "[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "name": "Halcyon", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - 
"author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject4').parserContentId4]", - "contentKind": "Parser", - "displayName": "ASIM Network Session Parser for Halcyon", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '2.0.0')))]", - "version": "[variables('parserObject4').parserVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject4')._parserName4]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Network Session Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimNetworkSessionHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 4001 // Network Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.6',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n 
EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n DvcAction = action,\n SrcIpAddr = tostring(src_endpoint.ip),\n SrcPortNumber = toint(src_endpoint.port),\n SrcHostname = tostring(src_endpoint.hostname),\n SrcDomain = tostring(src_endpoint.domain),\n SrcMacAddr = tostring(src_endpoint.mac),\n DstIpAddr = tostring(dst_endpoint.ip),\n DstPortNumber = toint(dst_endpoint.port),\n DstHostname = tostring(dst_endpoint.hostname),\n DstDomain = tostring(dst_endpoint.domain),\n DstMacAddr = tostring(dst_endpoint.mac),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - "[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimNetworkSessionHalcyon')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "kind": "Solution", - "name": "Halcyon", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { 
- "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject5').parserTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "ASimProcessEventHalcyon Data Parser with template version 3.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject5').parserVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject5')._parserName5]", - "apiVersion": "2025-07-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Process Event Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimProcessEventHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1007 // Process Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'ProcessEvent',\n EventSchemaVersion = '0.1.4',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = 
tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetProcessName = tostring(process.name),\n TargetProcessId = tostring(process.pid),\n TargetProcessCommandLine = tostring(process.cmd_line),\n TargetProcessFilename = tostring(process.file.name),\n TargetProcessFilePath = tostring(process.file.path),\n ParentProcessName = tostring(process.parent_process.name),\n ParentProcessId = tostring(process.parent_process.pid),\n ParentProcessCommandLine = tostring(process.parent_process.cmd_line),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": 
"[variables('parserObject5').parserVersion5]", - "source": { - "name": "Halcyon", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject5').parserContentId5]", - "contentKind": "Parser", - "displayName": "ASIM Process Event Parser for Halcyon", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '2.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '2.0.0')))]", - "version": "[variables('parserObject5').parserVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2025-07-01", - "name": "[variables('parserObject5')._parserName5]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "ASIM Process Event Parser for Halcyon", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ASimProcessEventHalcyon", - "query": "let parser = (disabled: bool = false) {\n HalcyonEvents_CL\n | where not(disabled)\n | where class_uid == 1007 // Process Activity\n | extend\n EventVendor = tostring(metadata.product.vendor_name),\n EventProduct = tostring(metadata.product.name),\n EventProductVersion = tostring(metadata.product.version),\n EventSchema = 'ProcessEvent',\n EventSchemaVersion = '0.1.4',\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n 
EventEndTime = TimeGenerated,\n EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')),\n EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'),\n EventOriginalType = tostring(type_uid),\n EventOriginalSeverity = severity,\n EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'),\n EventMessage = message,\n TargetProcessName = tostring(process.name),\n TargetProcessId = tostring(process.pid),\n TargetProcessCommandLine = tostring(process.cmd_line),\n TargetProcessFilename = tostring(process.file.name),\n TargetProcessFilePath = tostring(process.file.path),\n ParentProcessName = tostring(process.parent_process.name),\n ParentProcessId = tostring(process.parent_process.pid),\n ParentProcessCommandLine = tostring(process.parent_process.cmd_line),\n ActorUsername = tostring(actor.user.name),\n ActorUserId = tostring(actor.user.uid),\n ActorUsernameType = 'Simple',\n ActingProcessName = tostring(actor.process.name),\n ActingProcessId = tostring(actor.process.pid),\n ActingProcessCommandLine = tostring(actor.process.cmd_line),\n DvcHostname = tostring(device.hostname),\n DvcIpAddr = tostring(device.ip),\n DvcId = tostring(device.uid)\n | extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n | project-away _ResourceId\n};\nparser(disabled=disabled)\n", - "functionParameters": "disabled:bool=False", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - 
"[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ASimProcessEventHalcyon')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Halcyon", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Halcyon" - }, - "support": { - "name": "Halcyon", - "email": "support@halcyon.ai", - "tier": "Partner", - "link": "https://www.halcyon.ai" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", @@ -1587,7 +917,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Halcyon", "publisherDisplayName": "Halcyon", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Installing this solution automatically provisions a Data Collection Endpoint (DCE) and Data Collection Rule (DCR) in your Azure environment. These resources are updated automatically with each solution upgrade. To complete the connector setup, use the Deploy button on the Halcyon connector page to create the required Entra app registration and link it to the DCR.

\n

Data Connectors: 1, Parsers: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Halcyon solution for Microsoft Sentinel enables you to ingest Halcyon Events and Alerts into Microsoft Sentinel using the Microsoft Sentinel Analytics Workspace.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following Microsoft technologies, and some of these dependencies either may be in Preview state or might result in additional data ingestion or operational costs:

\n
    \n
  1. Microsoft Sentinel

    \n
  2. \n
  3. Azure Monitor Data Collection Rules (DCR)

    \n
  4. \n
  5. Azure Monitor Data Collection Endpoints (DCE)

    \n
  6. \n
  7. Azure Log Analytics workspaces

    \n
  8. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1600,7 +930,8 @@ "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Halcyon" + "name": "Halcyon", + "email": "[variables('_email')]" }, "support": { "name": "Halcyon", @@ -1615,31 +946,6 @@ "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentIdConnections1')]", "version": "[variables('dataConnectorCCPVersion')]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject1').parserContentId1]", - "version": "[variables('parserObject1').parserVersion1]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject2').parserContentId2]", - "version": "[variables('parserObject2').parserVersion2]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject3').parserContentId3]", - "version": "[variables('parserObject3').parserVersion3]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject4').parserContentId4]", - "version": "[variables('parserObject4').parserVersion4]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject5').parserContentId5]", - "version": "[variables('parserObject5').parserVersion5]" } ] }, diff --git a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml deleted file mode 100644 index 5802c6105ea..00000000000 --- a/Solutions/Halcyon/Parsers/ASimAuthenticationHalcyon.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -id: a1b2c3d4-e5f6-7890-1234-567890abcde1 -Function: - Title: ASIM Authentication Event Parser for Halcyon - Version: '2.0.0' - LastUpdated: '2026-03-18' -Category: Microsoft Sentinel Parser -FunctionName: ASimAuthenticationHalcyon -FunctionAlias: ASimAuthenticationHalcyon -FunctionQuery: | - let parser = (disabled: bool = false) { - HalcyonEvents_CL - | where not(disabled) - | where class_uid == 3002 // Authentication - | extend - EventVendor = tostring(metadata.product.vendor_name), - EventProduct = tostring(metadata.product.name), - EventProductVersion = tostring(metadata.product.version), - EventSchema = 'Authentication', - EventSchemaVersion = '0.1.3', - EventCount = int(1), - EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated, - EventType = iff(activity_id == 1, 'Logon', iff(activity_id == 2, 'Logoff', 'Other')), - EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), - EventOriginalType = tostring(type_uid), - EventOriginalSeverity = severity, - EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), - EventMessage = message, - ActorUsername = tostring(user.name), - ActorUserId = tostring(user.uid), - ActorUsernameType = 'Simple', - DvcHostname = tostring(device.hostname), - DvcIpAddr = tostring(device.ip), - DvcId = tostring(device.uid) - | extend - User = ActorUsername, - Dvc = DvcHostname - | project - TimeGenerated, - EventVendor, - EventProduct, - EventProductVersion, - EventSchema, - EventSchemaVersion, - EventCount, - EventStartTime, - EventEndTime, - EventType, - EventResult, - EventOriginalType, - EventOriginalSeverity, - EventSeverity, - EventMessage, - ActorUsername, - ActorUserId, - ActorUsernameType, - DvcHostname, - DvcIpAddr, - DvcId, - User, - Dvc - }; - parser(disabled=disabled) -FunctionParams: - - Name: disabled - Type: bool - Default: false 
-EquivalentBuiltInParser: _ASim_Authentication_Halcyon -ParserParams: - - Name: disabled - Type: bool - Default: false diff --git a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml deleted file mode 100644 index 89416882e9d..00000000000 --- a/Solutions/Halcyon/Parsers/ASimDnsHalcyon.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -id: a1b2c3d4-e5f6-7890-1234-567890abcde2 -Function: - Title: ASIM DNS Activity Parser for Halcyon - Version: '2.0.0' - LastUpdated: '2026-03-18' -Category: Microsoft Sentinel Parser -FunctionName: ASimDnsHalcyon -FunctionAlias: ASimDnsHalcyon -FunctionQuery: | - let parser = (disabled: bool = false) { - HalcyonEvents_CL - | where not(disabled) - | where class_uid == 4003 // DNS Activity - | extend - EventVendor = tostring(metadata.product.vendor_name), - EventProduct = tostring(metadata.product.name), - EventProductVersion = tostring(metadata.product.version), - EventSchema = 'Dns', - EventSchemaVersion = '0.1.7', - EventCount = int(1), - EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated, - EventType = 'Query', - EventResult = case(rcode_id == 0, 'Success', rcode_id == 3, 'NXDOMAIN', 'Failure'), - EventOriginalType = tostring(type_uid), - EventOriginalSeverity = severity, - EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), - EventMessage = message, - DnsQuery = tostring(query.hostname), - DnsQueryTypeName = tostring(query.type), - DnsResponseCodeName = rcode, - DnsResponseCode = rcode_id, - SrcIpAddr = tostring(src_endpoint.ip), - SrcPortNumber = toint(src_endpoint.port), - DstIpAddr = tostring(dst_endpoint.ip), - DstPortNumber = toint(dst_endpoint.port), - DvcHostname = tostring(device.hostname), - DvcIpAddr = tostring(device.ip), - DvcId = tostring(device.uid) - | extend - Domain = DnsQuery, - Dvc = DvcHostname, - IpAddr = SrcIpAddr, - Src = SrcIpAddr - | project - TimeGenerated, - EventVendor, - EventProduct, - EventProductVersion, - EventSchema, - EventSchemaVersion, - EventCount, - EventStartTime, - EventEndTime, - EventType, - EventResult, - EventOriginalType, - EventOriginalSeverity, - EventSeverity, - EventMessage, - DnsQuery, - DnsQueryTypeName, - DnsResponseCodeName, - DnsResponseCode, - 
SrcIpAddr, - SrcPortNumber, - DstIpAddr, - DstPortNumber, - DvcHostname, - DvcIpAddr, - DvcId, - Domain, - Dvc, - IpAddr, - Src - }; - parser(disabled=disabled) -FunctionParams: - - Name: disabled - Type: bool - Default: false -EquivalentBuiltInParser: _ASim_Dns_Halcyon -ParserParams: - - Name: disabled - Type: bool - Default: false diff --git a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml deleted file mode 100644 index c4b1d3a38ce..00000000000 --- a/Solutions/Halcyon/Parsers/ASimFileEventHalcyon.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -id: a1b2c3d4-e5f6-7890-1234-567890abcde3 -Function: - Title: ASIM File Activity Parser for Halcyon - Version: '2.0.0' - LastUpdated: '2026-03-18' -Category: Microsoft Sentinel Parser -FunctionName: ASimFileEventHalcyon -FunctionAlias: ASimFileEventHalcyon -FunctionQuery: | - let parser = (disabled: bool = false) { - HalcyonEvents_CL - | where not(disabled) - | where class_uid == 1001 // File Activity - | extend - EventVendor = tostring(metadata.product.vendor_name), - EventProduct = tostring(metadata.product.name), - EventProductVersion = tostring(metadata.product.version), - EventSchema = 'FileEvent', - EventSchemaVersion = '0.2.1', - EventCount = int(1), - EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated, - EventType = activity_name, - EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), - EventOriginalType = tostring(type_uid), - EventOriginalSeverity = severity, - EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), - EventMessage = message, - TargetFileName = tostring(file.name), - TargetFilePath = tostring(file.path), - TargetFileExtension = tostring(file.ext), - ActorUsername = tostring(actor.user.name), - ActorUserId = tostring(actor.user.uid), - ActorUsernameType = 'Simple', - ActingProcessName = tostring(actor.process.name), - ActingProcessId = tostring(actor.process.pid), - ActingProcessCommandLine = tostring(actor.process.cmd_line), - DvcHostname = tostring(device.hostname), - DvcIpAddr = tostring(device.ip), - DvcId = tostring(device.uid) - | extend - FilePath = TargetFilePath, - User = ActorUsername, - Dvc = DvcHostname - | project - TimeGenerated, - EventVendor, - EventProduct, - EventProductVersion, - EventSchema, - EventSchemaVersion, - EventCount, - EventStartTime, - EventEndTime, - EventType, - EventResult, - EventOriginalType, - EventOriginalSeverity, - 
EventSeverity, - EventMessage, - TargetFileName, - TargetFilePath, - TargetFileExtension, - ActorUsername, - ActorUserId, - ActorUsernameType, - ActingProcessName, - ActingProcessId, - ActingProcessCommandLine, - DvcHostname, - DvcIpAddr, - DvcId, - FilePath, - User, - Dvc - }; - parser(disabled=disabled) -FunctionParams: - - Name: disabled - Type: bool - Default: false -EquivalentBuiltInParser: _ASim_FileEvent_Halcyon -ParserParams: - - Name: disabled - Type: bool - Default: false diff --git a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml deleted file mode 100644 index d81163d980c..00000000000 --- a/Solutions/Halcyon/Parsers/ASimNetworkSessionHalcyon.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -id: a1b2c3d4-e5f6-7890-1234-567890abcde4 -Function: - Title: ASIM Network Session Parser for Halcyon - Version: '2.0.0' - LastUpdated: '2026-03-18' -Category: Microsoft Sentinel Parser -FunctionName: ASimNetworkSessionHalcyon -FunctionAlias: ASimNetworkSessionHalcyon -FunctionQuery: | - let parser = (disabled: bool = false) { - HalcyonEvents_CL - | where not(disabled) - | where class_uid == 4001 // Network Activity - | extend - EventVendor = tostring(metadata.product.vendor_name), - EventProduct = tostring(metadata.product.name), - EventProductVersion = tostring(metadata.product.version), - EventSchema = 'NetworkSession', - EventSchemaVersion = '0.2.6', - EventCount = int(1), - EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated, - EventType = 'NetworkSession', - EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), - EventOriginalType = tostring(type_uid), - EventOriginalSeverity = severity, - EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), - EventMessage = message, - DvcAction = action, - SrcIpAddr = tostring(src_endpoint.ip), - SrcPortNumber = toint(src_endpoint.port), - SrcHostname = tostring(src_endpoint.hostname), - SrcDomain = tostring(src_endpoint.domain), - SrcMacAddr = tostring(src_endpoint.mac), - DstIpAddr = tostring(dst_endpoint.ip), - DstPortNumber = toint(dst_endpoint.port), - DstHostname = tostring(dst_endpoint.hostname), - DstDomain = tostring(dst_endpoint.domain), - DstMacAddr = tostring(dst_endpoint.mac), - DvcHostname = tostring(device.hostname), - DvcIpAddr = tostring(device.ip), - DvcId = tostring(device.uid) - | extend - Src = SrcIpAddr, - Dst = DstIpAddr, - IpAddr = SrcIpAddr, - Dvc = DvcHostname - | project - TimeGenerated, - EventVendor, - EventProduct, - EventProductVersion, - EventSchema, - EventSchemaVersion, - EventCount, - EventStartTime, - 
EventEndTime, - EventType, - EventResult, - EventOriginalType, - EventOriginalSeverity, - EventSeverity, - EventMessage, - DvcAction, - SrcIpAddr, - SrcPortNumber, - SrcHostname, - SrcDomain, - SrcMacAddr, - DstIpAddr, - DstPortNumber, - DstHostname, - DstDomain, - DstMacAddr, - DvcHostname, - DvcIpAddr, - DvcId, - Src, - Dst, - IpAddr, - Dvc - }; - parser(disabled=disabled) -FunctionParams: - - Name: disabled - Type: bool - Default: false -EquivalentBuiltInParser: _ASim_NetworkSession_Halcyon -ParserParams: - - Name: disabled - Type: bool - Default: false diff --git a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml b/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml deleted file mode 100644 index 037573275b2..00000000000 --- a/Solutions/Halcyon/Parsers/ASimProcessEventHalcyon.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -id: a1b2c3d4-e5f6-7890-1234-567890abcde5 -Function: - Title: ASIM Process Event Parser for Halcyon - Version: '2.0.0' - LastUpdated: '2026-03-18' -Category: Microsoft Sentinel Parser -FunctionName: ASimProcessEventHalcyon -FunctionAlias: ASimProcessEventHalcyon -FunctionQuery: | - let parser = (disabled: bool = false) { - HalcyonEvents_CL - | where not(disabled) - | where class_uid == 1007 // Process Activity - | extend - EventVendor = tostring(metadata.product.vendor_name), - EventProduct = tostring(metadata.product.name), - EventProductVersion = tostring(metadata.product.version), - EventSchema = 'ProcessEvent', - EventSchemaVersion = '0.1.4', - EventCount = int(1), - EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated, - EventType = iff(activity_id == 1, 'ProcessCreated', iff(activity_id == 2, 'ProcessTerminated', 'Other')), - EventResult = case(status_id == 1, 'Success', status_id == 2, 'Failure', 'NA'), - EventOriginalType = tostring(type_uid), - EventOriginalSeverity = severity, - EventSeverity = case(severity_id == 1, 'Informational', severity_id == 2, 'Low', severity_id == 3, 'Medium', severity_id == 4, 'High', severity_id == 5, 'Critical', 'Informational'), - EventMessage = message, - TargetProcessName = tostring(process.name), - TargetProcessId = tostring(process.pid), - TargetProcessCommandLine = tostring(process.cmd_line), - TargetProcessFilename = tostring(process.file.name), - TargetProcessFilePath = tostring(process.file.path), - ParentProcessName = tostring(process.parent_process.name), - ParentProcessId = tostring(process.parent_process.pid), - ParentProcessCommandLine = tostring(process.parent_process.cmd_line), - ActorUsername = tostring(actor.user.name), - ActorUserId = tostring(actor.user.uid), - ActorUsernameType = 'Simple', - ActingProcessName = tostring(actor.process.name), - ActingProcessId = tostring(actor.process.pid), - ActingProcessCommandLine = tostring(actor.process.cmd_line), - DvcHostname = 
tostring(device.hostname), - DvcIpAddr = tostring(device.ip), - DvcId = tostring(device.uid) - | extend - User = ActorUsername, - Dvc = DvcHostname, - Process = TargetProcessName - | project - TimeGenerated, - EventVendor, - EventProduct, - EventProductVersion, - EventSchema, - EventSchemaVersion, - EventCount, - EventStartTime, - EventEndTime, - EventType, - EventResult, - EventOriginalType, - EventOriginalSeverity, - EventSeverity, - EventMessage, - TargetProcessName, - TargetProcessId, - TargetProcessCommandLine, - TargetProcessFilename, - TargetProcessFilePath, - ParentProcessName, - ParentProcessId, - ParentProcessCommandLine, - ActorUsername, - ActorUserId, - ActorUsernameType, - ActingProcessName, - ActingProcessId, - ActingProcessCommandLine, - DvcHostname, - DvcIpAddr, - DvcId, - User, - Dvc, - Process - }; - parser(disabled=disabled) -FunctionParams: - - Name: disabled - Type: bool - Default: false -EquivalentBuiltInParser: _ASim_ProcessEvent_Halcyon -ParserParams: - - Name: disabled - Type: bool - Default: false