FortiSIEM Discussions
arecalde
New Contributor

Parsing Azure Event Hub logs

Hello. 

I have these types of logs coming into the FortiSIEM where the format changes in the middle.

{"Computer":"InfoHere","EventCategory":1,"EventData":"<DataItem Type=\"System.XmlData\" time=\"2024-02-22T17:23:14.105724100Z\" sourceHealthServiceId=\"dcda94d8-296a-4fbe-8996-12312351234\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"SubjectUserSid\">S-222</Data><Data Name=\"SubjectUserName\">NameHere</Data><Data Name=\"SubjectDomainName\">Contoso</Data><Data Name=\"SubjectLogonId\">0x3e7</Data><Data Name=\"NewProcessId\">0xc2f8</Data><Data Name=\"NewProcessName\">C:\\Windows\\WinSxS\\amd64_microsoft-windows\\TiWorker.exe</Data><Data Name=\"TokenElevationType\">%%1936</Data><Data Name=\"ProcessId\">0x4d8</Data><Data Name=\"CommandLine\">C:\\Windows\\winsxs\\amd64_microsoft-windows\\TiWorker.exe -Embedding</Data><Data Name=\"TargetUserSid\">S2222</Data><Data Name=\"TargetUserName\">-</Data><Data Name=\"TargetDomainName\">-</Data><Data Name=\"TargetLogonId\">0x0</Data></EventData></DataItem>","EventID":4688,"EventLevel":0,"EventLevelName":"Success","EventLog":"Security","MG":"00000000-0000-0000-0000-000000000001","ManagementGroupName":"AOI-XXXX","ParameterXml":"<Param>XXXX</Param><Param>XXXXXX</Param><Param>XXXXXX</Param><Param>0x3e7</Param><Param>0xc2f8</Param><Param>C:\\Windows\\WinSxS\\amd64_microsoft-windows\\TiWorker.exe</Param><Param>%%1936</Param><Param>0x4d8</Param><Param>C:\\Windows\\winsxs\\amd64_microsoft-windows\\TiWorker.exe -Embedding</Param><Param>S-1-0-0</Param><Param>-</Param><Param>-</Param><Param>0x0</Param>","RenderedDescription":"A new process has been created.  
Creator Subject: \tSecurity ID:\t\tS-1-5-18 \tAccount Name:\t\XXXXXXX \tAccount Domain:\t\XXXXXX \tLogon ID:\t\tXXXXX  Target Subject: \tSecurity ID:\t\tS-1-0-0 \tAccount Name:\t\t- \tAccount Domain:\t\t- \tLogon ID:\t\t0x0  Process Information: \tNew Process ID:\t\XXXXXXX \tNew Process Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows\\TiWorker.exe \tToken Elevation Type:\tTokenElevationTypeDefault (1) \tCreator Process ID:\t0x4d8 \tProcess Command Line:\tC:\\Windows\\winsxs\\amd64_microsoft-windows\\TiWorker.exe -Embedding  Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.  Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.  Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.  Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","Source":"Microsoft-Windows-Security-Auditing","SourceSystem":"OpsManager","TenantId":"","TimeGenerated":"2024-02-22T17:23:14.1057241Z","Type":"Event","UserName":"N/A","_Internal_WorkspaceResourceId":"/subscriptions/001","_ItemId":"256","_ResourceId":"/subscriptions/cc"}


Would anyone know if there is a way to parse these types of logs? The start and ending are easy to parse, but when the "EventData":"<DataItem Type=\"System.XmlData\" ..." part starts, I am not sure FortiSIEM is capable of parsing it.

Any tips or help would be appreciated.
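The record above is really two formats nested in one another: a JSON envelope whose EventData value is a string holding a DataItem/EventData XML document, and a RenderedDescription value that contains a raw line break. As an added illustration (not from the post, not FortiSIEM parser code), the Python below parses such a record in two stages: decode the JSON envelope, then decode the XML string into a Name-to-value map. The sample record is constructed to match the shape shown in the post, with placeholder values, and the function names are my own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample record, shaped like the Event Hub message in the post
# (values are placeholders): a JSON object whose "EventData" field is a
# string that itself holds a DataItem/EventData XML document. The
# RenderedDescription deliberately contains a raw line break, as the record
# shown in the post does, because that is what trips a strict JSON decoder.
SAMPLE_RECORD = (
    '{"Computer":"InfoHere","EventCategory":1,'
    '"EventData":"<DataItem Type=\\"System.XmlData\\" time=\\"2024-02-22T17:23:14.105724100Z\\">'
    '<EventData xmlns=\\"http://schemas.microsoft.com/win/2004/08/events/event\\">'
    '<Data Name=\\"SubjectUserName\\">NameHere</Data>'
    '<Data Name=\\"SubjectDomainName\\">Contoso</Data>'
    '<Data Name=\\"NewProcessName\\">C:\\\\Windows\\\\WinSxS\\\\TiWorker.exe</Data>'
    '<Data Name=\\"TokenElevationType\\">%%1936</Data>'
    '<Data Name=\\"CommandLine\\">C:\\\\Windows\\\\WinSxS\\\\TiWorker.exe -Embedding</Data>'
    '</EventData></DataItem>",'
    '"EventID":4688,"EventLog":"Security",'
    '"RenderedDescription":"A new process has been created.  \n'
    'Creator Subject: \\tSecurity ID:\\t\\tS-1-5-18",'
    '"TimeGenerated":"2024-02-22T17:23:14.1057241Z","Type":"Event"}'
)


def local_name(tag):
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def parse_event_data_xml(xml_text):
    """Return {Name: text} for every <Data Name="..."> element in the
    DataItem payload, whatever namespace it is declared in.
    For records from an untrusted source prefer defusedxml over ElementTree."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        if local_name(el.tag) == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields


def record_is_strict_json(raw):
    """True if the record decodes under the default (strict) JSON rules,
    i.e. no unescaped control characters such as newlines inside strings."""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def parse_event_hub_record(raw):
    """Stage 1: decode the JSON envelope; stage 2: decode the XML held in
    the EventData string. All other fields are passed through unchanged."""
    # strict=False lets the decoder accept literal newlines/tabs inside
    # string values instead of rejecting the whole record.
    rec = json.loads(raw, strict=False)
    event_data = rec.get("EventData")
    if isinstance(event_data, str) and event_data.lstrip().startswith("<"):
        try:
            rec["EventData"] = parse_event_data_xml(event_data)
        except ET.ParseError:
            # Keep the raw string rather than dropping the event.
            rec["EventData"] = {"_unparsed": event_data}
    return rec


if __name__ == "__main__":
    parsed = parse_event_hub_record(SAMPLE_RECORD)
    print("strict JSON?", record_is_strict_json(SAMPLE_RECORD))
    print(json.dumps(parsed["EventData"], indent=2))
```

The point of record_is_strict_json is diagnostic: if the collector hands you the record with a literal newline inside RenderedDescription, a strict JSON step fails before any XML parsing is reached, which looks like "the parser cannot handle the XML part" when the real problem sits in the envelope. Checking the two stages separately tells you which one to fix.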

3 REPLIES
FSM_FTNT
Staff

Thanks for this.


Have you got some more events? Then I can look into this.

kcanalichio
New Contributor III

At one point I posted an Event Hub parser that I wrote, but I can't seem to find it, so here it is again.

<eventFormatRecognizer><![CDATA[\{.*"[oO]perationName":\s*"(?:Microsoft|MICROSOFT)\..*\}|\{.*"[rR]esourceId":\s*".*(?:Microsoft|MICROSOFT)\..*\}]]></eventFormatRecognizer><parsingInstructions><setEventAttribute attr="eventType">MS_EvtHub_Generic</setEventAttribute><collectAndSetAttrByJSON src="$_rawmsg"><attrKeyMap attr="_body" key="records[0]"/></collectAndSetAttrByJSON><when test="not_exist _body"><setEventAttribute attr="_body">$_rawmsg</setEventAttribute></when><collectAndSetAttrByJSON src="$_body"><attrKeyMap attr="AzureAppRoleInstance" key="AppRoleInstance"/><attrKeyMap attr="AzureAppRoleInstance" key="AppRoleInstance"/><attrKeyMap attr="AzureAppRoleName" key="AppRoleName"/><attrKeyMap attr="numJob" key="average"/><attrKeyMap attr="numJob" key="Average"/><attrKeyMap attr="_backendPoolName" key="backendPoolName"/><attrKeyMap attr="_backendSettingName" key="backendSettingName"/><attrKeyMap attr="srcIpAddr" key="callerIpAddress"/><attrKeyMap attr="srcIpAddr" key="CallerIpAddress"/><attrKeyMap attr="azureEventCategory" key="category"/><attrKeyMap attr="azureEventCategory" key="Category"/><attrKeyMap attr="categoryType" key="category"/><attrKeyMap attr="categoryType" key="Category"/><attrKeyMap attr="browserName" key="ClientBrowser"/><attrKeyMap attr="srcGeoCity" key="ClientCity"/><attrKeyMap attr="srcGeoCountry" key="ClientCountryOrRegion"/><attrKeyMap attr="srcIpAddr" key="ClientIP"/><attrKeyMap attr="AzureClientModel" key="ClientModel"/><attrKeyMap attr="AzureClientOS" key="ClientOS"/><attrKeyMap attr="srcGeoState" key="ClientStateOrProvince"/><attrKeyMap attr="srcType" key="ClientType"/><attrKeyMap attr="azureCorrelationId" key="correlationId"/><attrKeyMap attr="azureCorrelationId" key="CorrelationId"/><attrKeyMap attr="count" key="count"/><attrKeyMap attr="count" key="Count"/><attrKeyMap attr="AzureDependencyType" key="DependencyType"/><attrKeyMap attr="durationMSec" key="durationMs"/><attrKeyMap attr="durationMSec" key="DurationMs"/><attrKeyMap 
attr="azureEventId" key="eventDataId"/><attrKeyMap attr="azureEventId" key="EventDataId"/><attrKeyMap attr="azureEventId" key="EventId"/><attrKeyMap attr="compEventName" key="EventName"/><attrKeyMap attr="AzureHttpPath" key="HttpPath"/><attrKeyMap attr="identity" key="identity"/><attrKeyMap attr="authorMethod" key="identity.authorization.action"/><attrKeyMap attr="authorMethod" key="Identity.Authorization.Action"/><attrKeyMap attr="userPrincipalName" key="identity.authorization.evidence.principalId"/><attrKeyMap attr="principal" key="identity.authorization.evidence.principalType"/><attrKeyMap attr="role" key="identity.authorization.evidence.role"/><attrKeyMap attr="role" key="Identity.Authorization.Evidence.Role"/><attrKeyMap attr="roleId" key="identity.authorization.evidence.roleAssignmentId"/><attrKeyMap attr="permissionRoleDescription" key="identity.authorization.evidence.roleAssignmentScope"/><attrKeyMap attr="permissionRoleName" key="identity.authorization.evidence.roleDefinitionId"/><attrKeyMap attr="azureIdentityScope" key="identity.authorization.scope"/><attrKeyMap attr="azureAio" key="identity.claims.aio"/><attrKeyMap attr="clientAppId" key="identity.claims.appid"/><attrKeyMap attr="azureAppidacr" key="identity.claims.appidacr"/><attrKeyMap attr="authServerName" key="identity.claims.aud"/><attrKeyMap attr="authServerName" key="Identity.Claims.Aud"/><attrKeyMap attr="azureAud" key="identity.claims.aud"/><attrKeyMap attr="clearOrExpiredTime" key="identity.claims.exp"/><attrKeyMap attr="_groups" key="identity.claims.groups"/><attrKeyMap attr="createTime" key="identity.claims.iat"/><attrKeyMap attr="srcIpAddr" key="identity.claims.ipaddr"/><attrKeyMap attr="srcIpAddr" key="Identity.Claims.IpAddr"/><attrKeyMap attr="azureIss" key="identity.claims.iss"/><attrKeyMap attr="user" key="identity.claims.name"/><attrKeyMap attr="user" key="Identity.Claims.Name"/><attrKeyMap attr="azureNbf" key="identity.claims.nbf"/><attrKeyMap attr="_puid" 
key="identity.claims.puid"/><attrKeyMap attr="_rh" key="identity.claims.rh"/><attrKeyMap attr="_uti" key="identity.claims.uti"/><attrKeyMap attr="azureVer" key="identity.claims.ver"/><attrKeyMap attr="azureWids" key="identity.claims.wids"/><attrKeyMap attr="_xms" key="identity.claims.xms_tcdt"/><attrKeyMap attr="logLevel" key="identity.level"/><attrKeyMap attr="opName" key="identity.operationName"/><attrKeyMap attr="AzureIKey" key="Ikey"/><attrKeyMap attr="Attribute" key="Key"/><attrKeyMap attr="attribute" key="key"/><attrKeyMap attr="logLevel" key="level"/><attrKeyMap attr="logLevel" key="Level"/><attrKeyMap attr="hostLocation" key="location"/><attrKeyMap attr="serverName" key="LogicalServerName"/><attrKeyMap attr="maxCount" key="maximum"/><attrKeyMap attr="msg" key="Message"/><attrKeyMap attr="azureEventCategory" key="metricName"/><attrKeyMap attr="azureEventCategory" key="MetricName"/><attrKeyMap attr="minCount" key="minimum"/><attrKeyMap attr="opName" key="Name"/><attrKeyMap attr="operationId" key="OperationId"/><attrKeyMap attr="opName" key="operationName"/><attrKeyMap attr="opName" key="OperationName"/><attrKeyMap attr="appVersion" key="operationVersion"/><attrKeyMap attr="parentProcId" key="ParentId"/><attrKeyMap attr="AzurePerformanceBucket" key="PerformanceBucket"/><attrKeyMap attr="action" key="properties.action"/><attrKeyMap attr="action" key="Properties.Action"/><attrKeyMap attr="actionTime" key="properties.activityDateTime"/><attrKeyMap attr="actionName" key="properties.activityDisplayName"/><attrKeyMap attr="detailSeq" key="properties.additionalDetails.key"/><attrKeyMap attr="details" key="properties.additionalDetails.value"/><attrKeyMap attr="appName" key="properties.appDisplayName"/><attrKeyMap attr="appName" key="Properties.AppDisplayName"/><attrKeyMap attr="clientAppId" key="properties.appId"/><attrKeyMap attr="policyName" key="properties.appliedConditionalAccessPolicies"/><attrKeyMap attr="prinicpal" 
key="properties.appServicePrincipalId"/><attrKeyMap attr="resvUsedStorageMB" key="properties.ArchiveTierStorageConsumedInMBs"/><attrKeyMap attr="authProcessingDetailsKey" key="properties.authenticationProcessingDetails.key"/><attrKeyMap attr="authProcessingDetails" key="properties.authenticationProcessingDetails.value"/><attrKeyMap attr="authenMethod" key="properties.authenticationProtocol"/><attrKeyMap attr="cpuSysPct" key="properties.avg_cpu_percent"/><attrKeyMap attr="targetHostName" key="properties.backendHostname"/><attrKeyMap attr="targetHostName" key="Properties.BackendHostname"/><attrKeyMap attr="azureBackupItemAppVer" key="properties.BackupItemAppVersion"/><attrKeyMap attr="azureBackupItemName" key="properties.BackupItemFriendlyName"/><attrKeyMap attr="azureBackupContainerName" key="properties.BackupItemName"/><attrKeyMap attr="azureBackupItemProState" key="properties.BackupItemProtectionState"/><attrKeyMap attr="azureBackupItemType" key="properties.BackupItemType"/><attrKeyMap attr="azureBackupUID" key="properties.BackupItemUniqueId"/><attrKeyMap attr="appServerInstance" key="properties.BackupManagementServerUniqueId"/><attrKeyMap attr="AzureBackupManagementType" key="properties.BackupManagementType"/><attrKeyMap attr="httpHeaderCacheControl" key="properties.cacheStatus"/><attrKeyMap attr="httpHeaderCacheControl" key="Properties.CacheStatus"/><attrKeyMap attr="appCategory" key="properties.category"/><attrKeyMap attr="credentialType" key="properties.clientCredentialType"/><attrKeyMap attr="srcIpAddr" key="properties.clientIP"/><attrKeyMap attr="srcIpAddr" key="Properties.ClientIP"/><attrKeyMap attr="srcIpPort" key="properties.clientPort"/><attrKeyMap attr="srcIpPort" key="Properties.ClientPort"/><attrKeyMap attr="conditionalAccessStatus" key="properties.conditionalAccessStatus"/><attrKeyMap attr="destIpAddr" key="properties.conditions.destinationIP"/><attrKeyMap attr="destIpPort" key="properties.conditions.destinationPortRange"/><attrKeyMap attr="ipProto" 
key="properties.conditions.protocols"/><attrKeyMap attr="srcIpAddr" key="properties.conditions.sourceIP"/><attrKeyMap attr="srcIpPort" key="properties.conditions.sourcePortRange"/><attrKeyMap attr="ipConnId" key="Properties.ConnectionId"/><attrKeyMap attr="azureCorrelationId" key="properties.correlationId"/><attrKeyMap attr="createTime" key="properties.createdDateTime"/><attrKeyMap attr="crossTenantAccessType" key="properties.crossTenantAccessType"/><attrKeyMap attr="details" key="properties.details.data"/><attrKeyMap attr="details" key="Properties.Details.Data"/><attrKeyMap attr="fileName" key="properties.details.file"/><attrKeyMap attr="fileName" key="Properties.Details.File"/><attrKeyMap attr="lineNumber" key="properties.details.line"/><attrKeyMap attr="lineNumber" key="Properties.Details.Line"/><attrKeyMap attr="serviceDesc" key="properties.details.matches"/><attrKeyMap attr="msg" key="properties.details.message"/><attrKeyMap attr="msg" key="Properties.Details.Message"/><attrKeyMap attr="srcName" key="properties.deviceDetail.displayName"/><attrKeyMap attr="srcName" key="Properties.DeviceDetail.DisplayName"/><attrKeyMap attr="osName" key="properties.deviceDetail.operatingSystem"/><attrKeyMap attr="osName" key="Properties.DeviceDetail.OperatingSystem"/><attrKeyMap attr="direction" key="properties.direction"/><attrKeyMap attr="endpoint" key="properties.EndpointName"/><attrKeyMap attr="managedEntity" key="properties.entity"/><attrKeyMap attr="errReason" key="properties.ErrorInfo"/><attrKeyMap attr="errReason" key="Properties.ErrorInfo"/><attrKeyMap attr="azureEventCategory" key="properties.eventCategory"/><attrKeyMap attr="azureEventCategory" key="Properties.EventCategory"/><attrKeyMap attr="authenMethod" key="properties.EventData.AuthenticationPackageName"/><attrKeyMap attr="callerProcessId" key="properties.EventData.CallerProcessId"/><attrKeyMap attr="callerProcessName" key="properties.EventData.CallerProcessName"/><attrKeyMap attr="azureHandleId" 
key="properties.EventData.HandleId"/><attrKeyMap attr="integrityLevel" key="properties.EventData.ImpersonationLevel"/><attrKeyMap attr="hostIpAddr" key="properties.EventData.IpAddress"/><attrKeyMap attr="ipPort" key="properties.EventData.IpPort"/><attrKeyMap attr="azureKeyLength" key="properties.EventData.KeyLength"/><attrKeyMap attr="azureLmPackageName" key="properties.EventData.LmPackageName"/><attrKeyMap attr="azureLogonGuid" key="properties.EventData.LogonGuid"/><attrKeyMap attr="procName" key="properties.EventData.LogonProcessName"/><attrKeyMap attr="loginType" key="properties.EventData.LogonType"/><attrKeyMap attr="azureNewSd" key="properties.EventData.NewSd"/><attrKeyMap attr="targetOsObjName" key="properties.EventData.ObjectName"/><attrKeyMap attr="azureTargetObjServer" key="properties.EventData.ObjectServer"/><attrKeyMap attr="azureTargetObjType" key="properties.EventData.ObjectType"/><attrKeyMap attr="azureOldSd" key="properties.EventData.OldSd"/><attrKeyMap attr="azurePackageName" key="properties.EventData.PackageName"/><attrKeyMap attr="azurePrivList" key="properties.EventData.PrivilegeList"/><attrKeyMap attr="procId" key="properties.EventData.ProcessId"/><attrKeyMap attr="procName" key="properties.EventData.ProcessName"/><attrKeyMap attr="azureEventStatus" key="properties.EventData.Status"/><attrKeyMap attr="domain" key="properties.EventData.SubjectDomainName"/><attrKeyMap attr="azureSubjectLogonId" key="properties.EventData.SubjectLogonId"/><attrKeyMap attr="azureSubjectUserName" key="properties.EventData.SubjectUserName"/><attrKeyMap attr="azureSubjectUserSid" key="properties.EventData.SubjectUserSid"/><attrKeyMap attr="targetDomain" key="properties.EventData.TargetDomainName"/><attrKeyMap attr="targetUserId" key="properties.EventData.TargetLogonId"/><attrKeyMap attr="azureTargetUserSid" key="properties.EventData.TargetSid"/><attrKeyMap attr="targetName" key="properties.EventData.TargetUserName"/><attrKeyMap attr="azureTargetUserSid" 
key="properties.EventData.TargetUserSid"/><attrKeyMap attr="azureTransmittedServices" key="properties.EventData.TransmittedServices"/><attrKeyMap attr="azureWorkstation" key="properties.EventData.Workstation"/><attrKeyMap attr="azureWorkstationName" key="properties.EventData.WorkstationName"/><attrKeyMap attr="actionName" key="properties.eventName"/><attrKeyMap attr="actionName" key="Properties.EventName"/><attrKeyMap attr="sessionId" key="properties.eventProperties.accountSessionId"/><attrKeyMap attr="sessionId" key="Properties.EventProperties.AccountSessionId"/><attrKeyMap attr="targetType" key="properties.eventProperties.attackedResourceType"/><attrKeyMap attr="targetType" key="Properties.EventProperties.AttackedResourceType"/><attrKeyMap attr="_attacker" key="properties.eventProperties.attackers"/><attrKeyMap attr="_attacker" key="Properties.EventProperties.Attackers"/><attrKeyMap attr="statusDetailedReason" key="properties.eventProperties.cause"/><attrKeyMap attr="statusDetailedReason" key="Properties.EventProperties.Cause"/><attrKeyMap attr="targetName" key="properties.eventProperties.compromisedEntity"/><attrKeyMap attr="targetName" key="Properties.EventProperties.CompromisedEntity"/><attrKeyMap attr="newStatus" key="properties.eventProperties.currentHealthStatus"/><attrKeyMap attr="newStatus" key="Properties.EventProperties.CurrentHealthStatus"/><attrKeyMap attr="details" key="properties.eventProperties.details"/><attrKeyMap attr="details" key="Properties.EventProperties.Details"/><attrKeyMap attr="remedyAction" key="properties.eventProperties.remediationSteps"/><attrKeyMap attr="remedyAction" key="Properties.EventProperties.RemediationSteps"/><attrKeyMap attr="command" key="properties.eventProperties.suspiciousCommandLine"/><attrKeyMap attr="command" key="Properties.EventProperties.SuspiciousCommandLine"/><attrKeyMap attr="title" key="properties.eventProperties.title"/><attrKeyMap attr="title" key="Properties.EventProperties.Title"/><attrKeyMap attr="type" 
key="properties.eventProperties.type"/><attrKeyMap attr="type" key="Properties.EventProperties.Type"/><attrKeyMap attr="user" key="properties.eventProperties.userName"/><attrKeyMap attr="user" key="Properties.EventProperties.UserName"/><attrKeyMap attr="extendedProperties" key="properties.ExtendedProperties"/><attrKeyMap attr="_flagged" key="properties.flaggedForReview"/><attrKeyMap attr="azureHierarchy" key="properties.hierarchy"/><attrKeyMap attr="hostName" key="properties.host"/><attrKeyMap attr="targetHostName" key="properties.hostname"/><attrKeyMap attr="targetHostName" key="Properties.Hostname"/><attrKeyMap attr="httpHost" key="Properties.HttpHost"/><attrKeyMap attr="httpMethod" key="properties.httpMethod"/><attrKeyMap attr="httpMethod" key="Properties.HttpMethod"/><attrKeyMap attr="AzureHttpResponseGuid" key="Properties.HttpResponseGuid"/><attrKeyMap attr="httpStatusCode" key="properties.httpStatus"/><attrKeyMap attr="httpStatusCode" key="properties.httpStatusCode"/><attrKeyMap attr="httpStatusCode" key="Properties.HttpStatusCode"/><attrKeyMap attr="httpSubStatusCode" key="properties.httpStatusDetails"/><attrKeyMap attr="httpSubStatusCode" key="Properties.HttpStatusDetails"/><attrKeyMap attr="httpVersion" key="properties.httpVersion"/><attrKeyMap attr="httpVersion" key="Properties.HttpVersion"/><attrKeyMap attr="morId" key="properties.id"/><attrKeyMap attr="tokenIssuerType" key="properties.incomingTokenType"/><attrKeyMap attr="initiated" key="properties.initiatedBy"/><attrKeyMap attr="instanceName" key="properties.instanceId"/><attrKeyMap attr="instanceName" key="Properties.InstanceId"/><attrKeyMap attr="azureio_bytes_read" key="properties.io_bytes_read"/><attrKeyMap attr="azureio_bytes_written" key="properties.io_bytes_written"/><attrKeyMap attr="azureio_requests" key="properties.io_requests"/><attrKeyMap attr="srcIpAddr" key="properties.ipAddress"/><attrKeyMap attr="srcIpAddr" key="Properties.IpAddress"/><attrKeyMap attr="isInteractive" 
key="properties.isInteractive"/><attrKeyMap attr="isInteractive" key="Properties.IsInteractive"/><attrKeyMap attr="_isReceived" key="properties.isReceivedFromClient"/><attrKeyMap attr="_isRecieved" key="Properties.IsRecievedFromClient"/><attrKeyMap attr="_restricted" key="properties.isTenantRestricted"/><attrKeyMap attr="hostGeoCity" key="properties.location.city"/><attrKeyMap attr="hostGeoCountry" key="properties.location.countryOrRegion"/><attrKeyMap attr="hostGeoLatitude" key="properties.location.geoCoordinates.latitude"/><attrKeyMap attr="hostGeoLongitude" key="properties.location.geoCoordinates.longitude"/><attrKeyMap attr="hostGeoState" key="properties.location.state"/><attrKeyMap attr="_logged" key="properties.loggedByService"/><attrKeyMap attr="srcMACAddr" key="properties.macAddress"/><attrKeyMap attr="activeConns" key="properties.matchedConnections"/><attrKeyMap attr="msg" key="properties.message"/><attrKeyMap attr="usrMsg" key="properties.message"/><attrKeyMap attr="usrMsg" key="Properties.Message"/><attrKeyMap attr="usrMsg" key="properties.msg"/><attrKeyMap attr="usrMsg" key="Properties.Msg"/><attrKeyMap attr="opName" key="properties.operationType"/><attrKeyMap attr="webUrl" key="properties.originalRequestUriWithArgs"/><attrKeyMap attr="policyDetails" key="properties.policies"/><attrKeyMap attr="policyDetails" key="Properties.Policies"/><attrKeyMap attr="policyName" key="properties.policy"/><attrKeyMap attr="ipPolicyid" key="properties.policyId"/><attrKeyMap attr="ipPolicyId" key="Properties.policyId"/><attrKeyMap attr="policyMode" key="properties.policyMode"/><attrKeyMap attr="azureFWPolicyScope" key="properties.policyScope"/><attrKeyMap attr="azureFWPolicyScope" key="Properties.PolicyScope"/><attrKeyMap attr="azureFWPolicyScopeName" key="properties.policyScopeName"/><attrKeyMap attr="azureFWPolicyScopeName" key="Properties.PolicyScopeName"/><attrKeyMap attr="policyIdentity" key="properties.PolicyUniqueId"/><attrKeyMap attr="_pop" 
key="properties.pop"/><attrKeyMap attr="_pop" key="Properties.Pop"/><attrKeyMap attr="srcIpAddr" key="properties.primaryIPv4Address"/><attrKeyMap attr="azurePriority" key="properties.priority"/><attrKeyMap attr="sessionProcessTimeMs" key="properties.processingTimeInMilliseconds"/><attrKeyMap attr="azureProtContainerId" key="properties.ProtectedContainerUniqueId"/><attrKeyMap attr="azureProtectedServerUniqueId" key="properties.ProtectedServerUniqueId"/><attrKeyMap attr="groupName" key="properties.ProtectionGroupName"/><attrKeyMap attr="recvBytes" key="properties.receivedBytes"/><attrKeyMap attr="recordNumber" key="properties.RecordId"/><attrKeyMap attr="sentBytes" key="properties.requestBytes"/><attrKeyMap attr="sentBytes" key="Properties.RequestBytes"/><attrKeyMap attr="uriQuery" key="Properties.RequestPath"/><attrKeyMap attr="appTransportProto" key="properties.requestProtocol"/><attrKeyMap attr="appTransportProto" key="Properties.RequestProtocol"/><attrKeyMap attr="queryData" key="properties.requestQuery"/><attrKeyMap attr="uriQuery" key="properties.requestUri"/><attrKeyMap attr="uriQuery" key="Properties.RequestUri"/><attrKeyMap attr="resvStorageMB" key="properties.reserved_storage_mb"/><attrKeyMap attr="targetName" key="properties.resourceDisplayName"/><attrKeyMap attr="targetResourceId" key="properties.resourceId"/><attrKeyMap attr="servicePolicy" key="properties.resourceServicePrincipalId"/><attrKeyMap attr="recvBytes" key="properties.responseBytes"/><attrKeyMap attr="resultType" key="properties.result"/><attrKeyMap attr="actionResult" key="properties.resultReason"/><attrKeyMap attr="riskDetail" key="properties.riskDetail"/><attrKeyMap attr="riskLevelAgg" key="properties.riskLevelAggregated"/><attrKeyMap attr="riskLevelatSignIn" key="properties.riskLevelDuringSignIn"/><attrKeyMap attr="riskState" key="properties.riskState"/><attrKeyMap attr="ruleName" key="properties.routingRuleName"/><attrKeyMap attr="ruleName" key="Properties.RoutingRuleName"/><attrKeyMap 
attr="ruleId" key="properties.ruleId"/><attrKeyMap attr="ruleId" key="Properties.RuleId"/><attrKeyMap attr="ruleName" key="properties.ruleName"/><attrKeyMap attr="_ruleEngine" key="properties.rulesEngineMatchName"/><attrKeyMap attr="_ruleEngine" key="Properties.RulesEngineMatchName"/><attrKeyMap attr="ruleIdStr" key="properties.ruleSetType"/><attrKeyMap attr="ruleIdStr" key="Properties.ruleSetType"/><attrKeyMap attr="azureSchemaVersion" key="properties.SchemaVersion"/><attrKeyMap attr="azureSecBackupProtectionState" key="properties.SecondaryBackupProtectionState"/><attrKeyMap attr="appProtoId" key="properties.securityProtocol"/><attrKeyMap attr="appProtoId" key="Properties.SecurityProtocol"/><attrKeyMap attr="sentBytes" key="properties.sentBytes"/><attrKeyMap attr="latency" key="properties.serverResponseLatency"/><attrKeyMap attr="serverName" key="properties.serverRouted"/><attrKeyMap attr="svcStatus" key="properties.serverStatus"/><attrKeyMap attr="serviceAccount" key="properties.servicePrincipalCredentialKeyId"/><attrKeyMap attr="servicePolicy" key="properties.servicePrincipalId"/><attrKeyMap attr="serviceName" key="properties.servicePrincipalName"/><attrKeyMap attr="servicePolicy" key="properties.serviceRequestId"/><attrKeyMap attr="site" key="properties.site"/><attrKeyMap attr="site" key="Properties.Site"/><attrKeyMap attr="azureSKU" key="properties.SKU"/><attrKeyMap attr="nepDevIpAddr" key="properties.socketIp"/><attrKeyMap attr="nepDevIpAddr" key="Properties.SocketIp"/><attrKeyMap attr="srcApp" key="Properties.SourceContext"/><attrKeyMap attr="spanStatsSpanId" key="Properties.SpanId"/><attrKeyMap attr="azureState" key="properties.State"/><attrKeyMap attr="svcStatus" key="properties.Status"/><attrKeyMap attr="errorNo" key="properties.status.errorCode"/><attrKeyMap attr="errorNo" key="Properties.Status.ErrorCode"/><attrKeyMap attr="errReason" key="properties.status.failureReason"/><attrKeyMap attr="errReason" key="Properties.Status.FailureReason"/><attrKeyMap 
attr="azureStatusCode" key="properties.statusCode"/><attrKeyMap attr="httpStatusCode" key="Properties.StatusCode"/><attrKeyMap attr="usedStorageMB" key="properties.storage_space_used_mb"/><attrKeyMap attr="resvStorageMB" key="properties.StorageAllocatedInMBs"/><attrKeyMap attr="usedStorageMB" key="properties.StorageConsumedInMBs"/><attrKeyMap attr="diskDisplayName" key="properties.StorageName"/><attrKeyMap attr="totalStorageMB" key="properties.StorageTotalSizeInGBs"/><attrKeyMap attr="diskType" key="properties.StorageType"/><attrKeyMap attr="hwDiskSerial" key="properties.StorageUniqueId"/><attrKeyMap attr="azureSubnetPrefix" key="properties.subnetPrefix"/><attrKeyMap attr="targetAccountId" key="properties.targetResources.administrativeUnits"/><attrKeyMap attr="targetName" key="properties.targetResources.displayName"/><attrKeyMap attr="targetResourceId" key="properties.targetResources.id"/><attrKeyMap attr="targetUser" key="properties.targetResources.modifiedProperties.displayName"/><attrKeyMap attr="targetUserId" key="properties.targetResources.modifiedProperties.newValue"/><attrKeyMap attr="oldTargetUser" key="properties.targetResources.modifiedProperties.oldvalue"/><attrKeyMap attr="targetType" key="properties.targetResources.type"/><attrKeyMap attr="httpResponseTimeMs" key="properties.timeTaken"/><attrKeyMap attr="httpResponseTimeMs" key="Properties.TimeTaken"/><attrKeyMap attr="loadTime" key="properties.timeToFirstByte"/><attrKeyMap attr="loadTime" key="Properties.TimeToFirstByte"/><attrKeyMap attr="tokenIssuerName" key="properties.tokenIssuerName"/><attrKeyMap attr="tokenIssuerName" key="Properties.TokenIssuerName"/><attrKeyMap attr="tokenIssuerType" key="properties.tokenIssuerType"/><attrKeyMap attr="tokenIssuerType" key="Properties.TokenIssuerType"/><attrKeyMap attr="trackStatements" key="properties.trackingReference"/><attrKeyMap attr="trackStatements" key="Properties.TrackingReference"/><attrKeyMap attr="transactionId" 
key="properties.transactionId"/><attrKeyMap attr="transactionId" key="Properties.TransactionId"/><attrKeyMap attr="type" key="properties.type"/><attrKeyMap attr="token" key="properties.uniqueTokenIdentifier"/><attrKeyMap attr="httpUserAgent" key="properties.userAgent"/><attrKeyMap attr="httpUserAgent" key="Properties.UserAgent"/><attrKeyMap attr="httpUserAgent" key="properties.userAgent"/><attrKeyMap attr="httpUserAgent" key="Properties.UserAgent"/><attrKeyMap attr="user" key="properties.userDisplayName"/><attrKeyMap attr="user" key="Properties.UserDisplayName"/><attrKeyMap attr="userId" key="properties.userId"/><attrKeyMap attr="userPrincipalName" key="properties.userPrincipalName"/><attrKeyMap attr="userPrincipalName" key="Properties.UserPrincipalName"/><attrKeyMap attr="azureVaultUniqueID" key="properties.VaultUniqueId"/><attrKeyMap attr="cpuCore" key="properties.virtual_core_count"/><attrKeyMap attr="azurevnetResourceGuid" key="properties.vnetResourceGuid"/><attrKeyMap attr="volName" key="properties.VolumeFriendlyName"/><attrKeyMap attr="appResponseTimeMSec" key="properties.WAFEvaluationTime"/><attrKeyMap attr="appVersion" key="ReleaseVersion"/><attrKeyMap attr="appVersion" key="releaseVersion"/><attrKeyMap attr="resourcePool" key="ResourceGroup"/><attrKeyMap attr="AzureResourceGUID" key="ResourceGUID"/><attrKeyMap attr="resourceName" key="resourceId"/><attrKeyMap attr="resourceName" key="ResourceId"/><attrKeyMap attr="AzureResultCode" key="ResultCode"/><attrKeyMap attr="description" key="resultDescription"/><attrKeyMap attr="description" key="ResultDescription"/><attrKeyMap attr="actionResult" key="resultSignature"/><attrKeyMap attr="actionResult" key="ResultSignature"/><attrKeyMap attr="resultType" key="resultType"/><attrKeyMap attr="resultType" key="ResultType"/><attrKeyMap attr="role" key="RoleLocation"/><attrKeyMap attr="role" key="roleLocation"/><attrKeyMap attr="scope" key="Scope"/><attrKeyMap attr="appVersion" key="SDKVersion"/><attrKeyMap 
attr="azureSubscriptionId" key="SubscriptionId"/><attrKeyMap attr="status" key="Success"/><attrKeyMap attr="AzureSyntheticSource" key="SyntheticSource"/><attrKeyMap attr="azuresystemId" key="systemId"/><attrKeyMap attr="targetName" key="Target"/><attrKeyMap attr="Telemetry" key="TelemetryProperties"/><attrKeyMap attr="exchTenantId" key="tenantId"/><attrKeyMap attr="_time" key="Time"/><attrKeyMap attr="_time" key="time"/><attrKeyMap attr="timeGrain" key="timeGrain"/><attrKeyMap attr="timeGrain" key="TimeGrain"/><attrKeyMap attr="_time" key="timeStamp"/><attrKeyMap attr="totalCurrent" key="total"/><attrKeyMap attr="totalCurrent" key="Total"/><attrKeyMap attr="azureEventCategory" key="Type"/><attrKeyMap attr="webUrl" key="Url"/></collectAndSetAttrByJSON><choose><when test="not_exist _level"/><when test="$_level IN 'warning,Warning'"><setEventAttribute attr="eventSeverity">5</setEventAttribute></when><when test="$_level IN 'error,Error'"><setEventAttribute attr="eventSeverity">7</setEventAttribute></when><otherwise><setEventAttribute attr="eventSeverity">1</setEventAttribute></otherwise></choose><when test="exist resourceName"><collectFieldsByRegex src="$resourceName"><regex><![CDATA[\/SUBSCRIPTIONS\/<azureSubscriptionId:gPatStr>\/RESOURCEGROUPS\/<azureResourceGroup:gPatStr>\/PROVIDERS\/<providerName:gPatStr>\/]]></regex></collectFieldsByRegex></when><when test="exist _time"><switch><case><collectFieldsByRegex src="$_time"><regex><![CDATA[<_year:gPatYear>-<_mon:gPatMonNum>-<_day:gPatDay>T<_time:gPatTime>(?:\.\d+)?<_tz:gPatTimeZone>]]></regex></collectFieldsByRegex><setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time, $_tz)</setEventAttribute></case><default/></switch></when><!-- "attackers":["IP Address: 192.144.212.207"] --><when test="exist _attacker"><switch><case><collectFieldsByRegex src="$_attacker"><regex><![CDATA[.*<srcIpAddr:gPatIpAddr>.*]]></regex></collectFieldsByRegex></case><default/></switch><setEventAttribute 
attr="_attacker">replaceStringByRegex($_attacker, "[\[\]]", "")</setEventAttribute><setEventAttribute attr="_attacker">replaceStringByRegex($_attacker, "\"[^:]+:", "")</setEventAttribute><setEventAttribute attr="srcIpAddrList">replaceStringByRegex($_attacker, "\"", "")</setEventAttribute></when><choose><when test="exist opName"><setEventAttribute attr="eventType">MS_EvtHub_</setEventAttribute><setEventAttribute attr="_opName">toLower($opName)</setEventAttribute><choose><when test="matches($opName, '^microsoft\.')"><setEventAttribute attr="eventType">combineMsgId($eventType, $_opName)</setEventAttribute><setEventAttribute attr="eventType">replaceStringByRegex($eventType, "microsoft.|\(|\)", "")</setEventAttribute></when><otherwise><when test="exist azureEventCategory"><setEventAttribute attr="eventType">combineMsgId($eventType, $azureEventCategory, "_", $_opName)</setEventAttribute></when></otherwise></choose></when><otherwise><when test="exist azureEventCategory"><setEventAttribute attr="eventType">combineMsgId("MS_EvtHub_", $azureEventCategory, "_Generic")</setEventAttribute></when></otherwise></choose><setEventAttribute attr="eventType">replaceStringByRegex($eventType, "/", "_")</setEventAttribute></parsingInstructions>


arecalde
New Contributor

I appreciate the answers!

I have found a workaround to this issue. Unfortunately, this parser doesn't work with my use case.