cloud.azure.sentinel.alerts

Field | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | id | str
| | azureTenantId | str
| | azureSubscriptionId | str
| | riskScore | str
| | tags | str
| | activityGroupName | str
| | assignedTo | str
| | category | str
| | closedDateTime | timestamp
| | comments | str
| | confidence | int4
| | createdDateTime | str
| | description | str
| | detectionIds | str
| | eventDateTime | str
| | feedback | str
| | incidentIds | str
| | lastModifiedDateTime | str
| | recommendedActions | str
| | severity | str
| | sourceMaterials | str
| | status | str
| | title | str
| | vendorInformation__provider | str
| | vendorInformation__providerVersion | str
| | vendorInformation__subProvider | str
| | vendorInformation__vendor | str
| | cloudAppStates_json | json
| | fileStates_json | json
| | hostStates_json | json
| | historyStates_json | json
| | malwareStates_json | json
| | networkConnections_json | json
| | processes_json | json
| | registryKeyStates_json | json
| | securityResources_json | json
| | triggers_json | json
| | userStates_json | json
| | vulnerabilityStates_json | json
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
cloud.azure.servicebus.metrics

Field | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | resourceId | str
| | average | float8
| | total | int4
| | timeGrain | str
| | metricName | str
| | count | int4
| | maximum | int4
| | time | str
| | minimum | int4
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
cloud.azure.servicebus.operational

Field | Type | Extra fields |
---|
eventdate | timestamp
| | hostname | str
| | Status | str
| | resourceId | str
| | SubscriptionId | str
| | Caller | str
| | ActivityId | str
| | EventTimeString | str
| | EventProperties | str
| | Environment | str
| | Region | str
| | EventName | str
| | category | str
| | ScaleUnit | str
| | hostchain | str
| ✓ | tag | str
| ✓ | rawMessage | str
| ✓ |
cloud.azure.siterecovery.addon_backup_jobs

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties | json
| | | | properties__protectedContainerUniqueId | str
| | | | properties__recoveryJobRPDateTime | str
| | | | properties__jobUniqueId | str
| | | | properties__backupItemUniqueId | str
| | | | properties__vaultUniqueId | str
| | | | properties__jobOperation | str
| | | | properties__jobStatus | str
| | | | properties__jobFailureCode | str
| | | | properties__jobStartDatetime | timestamp
| Code Block |
---|
parsedate(properties__jobStartDateTime, dateformat("D/M/YYYY h:mm:ss A", "UTC")) |
| properties__jobStartDateTime | | properties__jobDurationInSecs | str
| | | | properties__dataTransferredInMB | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.addon_backup_policy

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties | json
| | | | properties__policyUniqueId | str
| | | | properties__vaultUniqueId | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | properties__logBackupFrequency | str
| | | | properties__logBackupRetentionDuration | str
| | | | properties__policyTimeZone | str
| | | | properties__policyName | str
| | | | properties__backupFrequency | str
| | | | properties__backupTimes | str
| | | | properties__backupDaysOfTheWeek | str
| | | | properties__dailyRetentionDuration | str
| | | | properties__dailyRetentionTimes | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.addon_backup_protected_inst

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | telemetryProperties | str
| | | | deploymentUnit | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties | json
| | | | properties__protectedContainerUniqueId | str
| | | | properties__vaultUniqueId | str
| | | | properties__protectedInstanceCount | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.addon_backup_storage

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | telemetryProperties | str
| | | | deploymentUnit | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties | json
| | | | properties__storageUniqueId | str
| | | | properties__storageType | str
| | | | properties__storageName | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | properties__backupItemUniqueId | str
| | | | properties__protectedContainerUniqueId | str
| | | | properties__vaultUniqueId | str
| | | | properties__storageConsumedInMBs | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.backup_report

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | deploymentUnit | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties | json
| | | | properties__vaultUniqueId | str
| | | | properties__protectedServerUniqueId | str
| | | | properties__cloudStorageInBytes | str
| | | | properties__protectedInstances | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | properties__logBackupFrequency | str
| | | | properties__logBackupRetentionDuration | str
| | | | properties__policyTimeZone | str
| | | | properties__policyUniqueId | str
| | | | properties__policyName | str
| | | | properties__backupFrequency | str
| | | | properties__backupTimes | str
| | | | properties__backupDaysOfTheWeek | str
| | | | properties__dailyRetentionDuration | str
| | | | properties__dailyRetentionTimes | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.core_backup

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | operationName | str
| | | | category | str
| | | | level | str
| | | | telemetryProperties | str
| | | | deploymentUnit | str
| | | | eventId | int4
| | | | eventName | str
| | | | properties__backupItemUniqueId | str
| | | | properties__oldestRecoveryPointTimestamp | timestamp
| Code Block |
---|
parsedate(properties__oldestRecoveryPointTime, dateformat("M/D/YYYY h:mm:ss A", "UTC")) |
| properties__oldestRecoveryPointTime | | properties__oldestRecoveryPointLocation | str
| | | | properties__latestRecoveryPointTimestamp | timestamp
| Code Block |
---|
parsedate(properties__latestRecoveryPointTime, dateformat("M/D/YYYY h:mm:ss A", "UTC")) |
| properties__latestRecoveryPointTime | | properties__latestRecoveryPointLocation | str
| | | | properties__schemaVersion | str
| | | | properties__state | str
| | | | properties__backupManagementType | str
| | | | properties__backupItemFrontEndSize | str
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.site_rec_recovery_points

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(timeStamp, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| timeStamp | | resourceId | str
| | | | category | str
| | | | level | str
| | | | operationName | str
| | | | properties__version | str
| | | | properties__correlationId | str
| | | | properties__lastRecoveryPointTime | timestamp
| Code Block |
---|
parsedate(replace(properties__lastRecoveryPoint, 'Z', ''), dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS", "UTC")) |
| properties__lastRecoveryPoint | | properties__latestAppConsistentrecoveryPointTime | timestamp
| Code Block |
---|
parsedate(properties__latestAppConsistentRecoveryPoint, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| properties__latestAppConsistentRecoveryPoint | | properties__replicatingDisksCount | int4
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.site_rec_rep_stats

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(timeStamp, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| timeStamp | | resourceId | str
| | | | category | str
| | | | level | str
| | | | operationName | str
| | | | properties__version | str
| | | | properties__correlationId | str
| | | | properties__uploadRPOInSeconds | int4
| | | | properties__uploadRPOUpdateTimestamp | timestamp
| Code Block |
---|
parsedate(properties__uploadRPOUpdateTime, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| properties__uploadRPOUpdateTime | | properties__processedRPOInSeconds | int4
| | | | properties__processedRPOUpdateTimestamp | timestamp
| Code Block |
---|
parsedate(properties__processedRPOUpdateTime, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| properties__processedRPOUpdateTime | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.siterecovery.site_rec_replicated_items

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | providerName | str
| | | | taskName | str
| | | | timestamp | timestamp
| Code Block |
---|
parsedate(time, dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC")) |
| time | | resourceId | str
| | | | category | str
| | | | level | str
| | | | operationName | str
| | | | properties | json
| | | | properties__processServerName | str
| | | | properties__multiVmGroupId | str
| | | | properties__multiVmGroupName | str
| | | | properties__vCenter | str
| | | | properties__agentVersion | ip4
| | | | properties__masterTargetServer | str
| | | | properties__logStorageAccountId | str
| | | | properties__recoveryNetworkId | str
| | | | properties__lastHeartbeat | timestamp
| | | | properties__multiVmSyncStatus | str
| | | | properties__correlationId | str
| | | | properties__recoveryServicesProviderId | str
| | | | properties__replicationHealth | str
| | | | properties__failoverHealth | str
| | | | properties__name | str
| | | | properties__id | str
| | | | properties__primaryFabricName | str
| | | | properties__recoveryFabricName | str
| | | | properties__primaryFabricType | str
| | | | properties__recoveryFabricType | str
| | | | properties__protectionState | str
| | | | properties__activeLocation | str
| | | | properties__policyName | str
| | | | properties__replicationProviderName | str
| | | | properties__osFamily | str
| | | | properties__initialReplicationProgressPercentage | float8
| | | | properties__itemType | str
| | | | properties__rpoInSeconds | int4
| | | | properties__lastRpoCalculatedTime | timestamp
| | | | properties__version | timestamp
| | | | at_devo_collector_version | int4
| | | | at_entry_offset | str
| | | | at_enqueued_time | timestamp
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
cloud.azure.sql.audit

Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp
| | | | hostname | str
| | | | region | str
| | | | resourceId | str
| | | | SubscriptionId | str
| | | | originalEventTimestamp | str
| | | | operationName | str
| | | | LogicalServerName | str
| | | | timestamp | timestamp
| | | | category | str
| | | | target_database_principal_id | int4
| | | | target_database_principal_name | str
| | | | user_defined_information | str
| | | | session_context | str
| | | | class_type_desc | str
| | | | is_column_permission | str
| | | | sequence_group_id | str
| | | | client_tls_version | int4
| | | | duration_milliseconds | int4
| | | | permission_bitmask | str
| | | | class_type | str
| | | | application_name | str
| | | | session_server_principal_name | str
| | | | action_id | str
| | | | object_name | str
| | | | audit_schema_version | int4
| | | | action_name | str
| | | | statement | str
| | | | client_ip | ip4
| | | | database_principal_id | int4
| | | | securable_class_type | str
| | | | transaction_id | int8
| | | | database_name | str
| | | | target_server_principal_id | int4
| | | | response_rows | int4
| | | | server_principal_id | int4
| | | | session_id | int4
| | | | database_principal_name | str
| | | | target_server_principal_name | str
| | | | affected_rows | int4
| | | | schema_name | str
| | | | object_id | int4
| | | | server_instance_name | str
| | | | is_server_level_audit | str
| | | | server_principal_name | str
| | | | sequence_number | int4
| | | | target_server_principal_sid | str
| | | | additional_information | str
| | | | event_id | str
| | | | data_sensitivity_information | str
| | | | connection_id | str
| | | | server_principal_sid | str
| | | | user_defined_event_id | int4
| | | | event_time | timestamp
| | | | host_name | str
| | | | succeeded | str
| | | | ResourceGroup | str
| | | | hostchain | str
| | | ✓ | tag | str
| | | ✓ | rawMessage | str
| | | ✓ |
|