diff --git a/.gitignore b/.gitignore index b285e5c..2be9c3d 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,5 @@ cov.xml dist/ docs/_build .env -.venv/ \ No newline at end of file +.venv/ +.python-version diff --git a/README.md b/README.md index 5d87d2a..d45b5b2 100644 --- a/README.md +++ b/README.md @@ -1,44 +1,85 @@ -# πŸ›‘οΈ pySigma Kusto Query Language (KQL) Backend +# pySigma Kusto Query Language (KQL) Backend ![Tests](https://github.com/AttackIQ/pySigma-backend-microsoft365defender/actions/workflows/test.yml/badge.svg) ![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/slincoln-aiq/9c0879725c7f94387801390bbb0ac8d6/raw/slincoln-aiq-pySigma-backend-microsoft365defender.json) ![Status](https://img.shields.io/badge/Status-pre--release-orange) +![PyPI version](https://badge.fury.io/py/pysigma-backend-kusto.svg) +![Python versions](https://img.shields.io/pypi/pyversions/pysigma-backend-kusto.svg) +![pySigma version](https://img.shields.io/badge/pySigma-%3E%3D0.10.0-blue) +![License](https://img.shields.io/github/license/AttackIQ/pySigma-backend-microsoft365defender.svg) + +## Contents + +- [pySigma Kusto Query Language (KQL) Backend](#pysigma-kusto-query-language-kql-backend) + - [πŸ“– Overview](#-overview) + - [πŸš€ Quick Start](#-quick-start) + - [πŸ“˜ Usage](#-usage) + - [πŸ› οΈ Advanced Features](#️-advanced-features) + - [πŸ”„ Processing Pipelines](#-processing-pipelines) + - [πŸ§ͺ Custom Transformations](#-custom-transformations) + - [❓Frequently Asked Questions](#frequently-asked-questions) + - [🀝 Contributing](#-contributing) + - [πŸ“„ License](#-license) ## πŸ“– Overview -This backend for [pySigma](https://github.com/SigmaHQ/pySigma) enables the transformation of Sigma Rules into queries in [Kusto Query Language (KQL)](https://learn.microsoft.com/en-us/kusto/query/?view=microsoft-fabric) for products such as [Microsoft 365 Defender Advanced Hunting Queries](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide), [Azure Sentinel Queries](https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview), and more! +The **pySigma Kusto Backend** transforms Sigma Rules into queries using [Kusto Query Language (KQL)](https://learn.microsoft.com/en-us/kusto/query/?view=microsoft-fabric). This backend supports multiple Microsoft products, including: -This project was formally named pySigma Microsoft 365 Defender Backend, or pySigma-microsoft365defender-backend. +- [Microsoft XDR Advanced Hunting Queries](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview) (Formally Microsoft 365 Defender Advanced Hunting Queries) +- [Azure Sentinel Advanced Security Information Model (ASIM) Queries](https://learn.microsoft.com/en-us/azure/sentinel/normalization) +- [Azure Monitor Queries](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries) + +> **Note:** This backend was previously named **pySigma Microsoft 365 Defender Backend**. ### πŸ”‘ Key Features -- Provides `sigma.backends.kusto` package with `KustoBackend` class -- Includes `microsoft_365_defender_pipeline` and `sentinelasim_pipeline` for field renames and error handling -- Supports output format: Query string for Advanced Hunting Queries in KQL + +- **Backend**: `sigma.backends.kusto` with `KustoBackend` class +- **Pipelines**: Provides `microsoft_xdr_pipeline`, `sentinelasim_pipeline`, and `azure_monitor_pipeline` for query tables and field renames +- **Output**: Query strings in Kusto Query Language (KQL) ### πŸ§‘β€πŸ’» Maintainer + - [Stephen Lincoln](https://github.com/slincoln-aiq) via [AttackIQ](https://github.com/AttackIQ) -## πŸš€ Installation +## πŸš€ Quick Start -### πŸ“¦ Using pip +1. Install the package: -```bash -pip install pysigma-backend-kusto -``` + ```bash + pip install pysigma-backend-kusto + ``` + > **Note:** This package requires `pySigma` version 0.10.0 or higher. -### πŸ”Œ Using pySigma Plugins (requires pySigma >= 0.10.0) +2. Convert a Sigma rule to MIcrosoft XDR KQL query using sigma-cli: -```python -from sigma.plugins import SigmaPluginDirectory # Requires pySigma >= 0.10.0 + ```bash + sigma convert -t kusto -p microsoft_xdr path/to/your/rule.yml + ``` -plugins = SigmaPluginDirectory.default_plugin_directory() -plugins.get_plugin_by_id("kusto").install() -``` +3. Or use in a Python script: + + ```python + from sigma.rule import SigmaRule + from sigma.backends.kusto import KustoBackend + # Load your Sigma rule + rule = SigmaRule.from_yaml(""" + title: Mimikatz CommandLine + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + CommandLine|contains: mimikatz.exe + condition: sel + """) -## πŸ”§ Dependencies -- pySigma >= v0.10.0 + # Convert the rule + backend = KustoBackend() + print(backend.convert_rule(rule)[0]) + ``` ## πŸ“˜ Usage @@ -47,7 +88,7 @@ plugins.get_plugin_by_id("kusto").install() Use with `sigma-cli` per [typical sigma-cli usage](https://github.com/SigmaHQ/sigma-cli#usage): ```bash -sigma convert -t kusto -p microsoft_365_defender -f default -s ~/sigma/rules +sigma convert -t kusto -p microsoft_xdr -f default -s ~/sigma/rules ``` ### 🐍 Python Script @@ -58,7 +99,7 @@ you can manually add it if you would like. ```python from sigma.rule import SigmaRule from sigma.backends.kusto import KustoBackend -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline # Define an example rule as a YAML str sigma_rule = SigmaRule.from_yaml(""" @@ -76,7 +117,7 @@ sigma_rule = SigmaRule.from_yaml(""" kusto_backend = KustoBackend() # Or apply the pipeline manually -pipeline = microsoft_365_defender_pipeline() +pipeline = microsoft_xdr_pipeline() pipeline.apply(sigma_rule) # Convert the rule @@ -86,17 +127,19 @@ print(kusto_backend.convert_rule(sigma_rule)[0]) Output: -``` +```text Mimikatz CommandLine KQL Query: DeviceProcessEvents | where ProcessCommandLine contains "mimikatz.exe" -```` +``` ## πŸ› οΈ Advanced Features ### πŸ”„ Pipeline & Backend Args (New in 0.2.0) +For the `microsoft_xdr_pipeline`: + - `transform_parent_image`: Controls ParentImage field mapping behavior - When set to `True` (default), maps ParentImage to InitiatingProcessParentFileName - When set to `False`, maps ParentImage to InitiatingProcessFileName @@ -104,93 +147,210 @@ DeviceProcessEvents - Example usage: ```python -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline -pipeline = microsoft_365_defender_pipeline(transform_parent_image=False) +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline +pipeline = microsoft_xdr_pipeline(transform_parent_image=False) ``` This argument allows fine-tuning of the ParentImage field mapping, which can be crucial for accurate rule conversion in certain scenarios. By default, it follows the behavior of mapping ParentImage to the parent process name, but setting it to `False` allows for mapping to the initiating process name instead. -### πŸ—ƒοΈ Custom Table Names (New in 0.3.0) (Experimental) +### πŸ—ƒοΈ Custom Table Names (New in 0.3.0) (Beta) -- `query_table`: Allows user to override table mappings and set their own table name - - Experimental feature, implementation is subject to change - - Example usage: +The `query_table` argument allows users to override table mappings and set custom table names. This is useful for converting Sigma rules where the rule category does not easily map to the default table names. + +#### YAML Pipelines + +To set a custom table name, ensure your pipeline has a priority of 9 or lower, as sigma-cli merges pipelines based on priority (default is 10). Field mappings in `mappings.py` will apply according to your specified table name, along with any custom field mapping transformations. -via YAML ```YAML # test_table_name_pipeline.yml +name: Custom Query Table Pipeline +priority: 1 transformations: - id: test_name_name type: set_state key: "query_table" - val: ["MyTestTable"] + val: ["DeviceProcessEvents"] ``` + ```bash -sigma convert -t kusto -p microsoft_365_defender -p test_table_name_pipeline.yml test_rule.yml +sigma convert -t kusto -p microsoft_xdr -p test_table_name_pipeline.yml test_rule.yml ``` -via Python +#### Python Pipelines + +You can also set the table name in the pipeline via Python by passing the `query_table` parameter to the pipeline. ```python -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline -my_pipeline = microsoft_365_defender_pipeline(query_table="MyTestTable") # Or ["MyTestTable"] +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline +my_pipeline = microsoft_xdr_pipeline(query_table="DeviceProcessEvents") ``` -## πŸ“Š Rule Support +## πŸ”„ Processing Pipelines + +This project includes three main processing pipelines, each designed for a specific Microsoft product: + +1. **Microsoft XDR Pipeline** (formerly Microsoft 365 Defender) + - Status: Production-ready + - Supports a wide range of Sigma rule categories + - All tables supported, but additional field mapping contributions welcome + +2. **Sentinel ASIM Pipeline** + - Status: Beta + - Transforms rules for Microsoft Sentinel Advanced Security Information Model (ASIM) + - All tables supported, but field mappings are limited + +3. **Azure Monitor Pipeline** + - Status: Alpha + - Currently supports field mappings for `SecurityEvent` and `SigninLogs` tables only + - All tables supported, but requires custom field mappings for other tables + +Each pipeline includes a `query_table` parameter for setting custom table names. + +### πŸ“Š Rule Support + +Rules are supported if either: + +- A valid table name is supplied via the `query_table` parameter or YAML pipeline +- The rule's logsource category is supported and mapped in the pipeline's `mappings.py` file + +### πŸ–₯️ Commonly Supported Categories -### πŸ–₯️ Supported Categories (product=windows) - process_creation - image_load - network_connection - file_access, file_change, file_delete, file_event, file_rename - registry_add, registry_delete, registry_event, registry_set -## πŸ” Processing Pipeline +Specific pipelines may support additional categories. Check each pipeline's `mappings.py` file for details. + +## πŸ§ͺ Custom Transformations + +This package includes several custom `ProcessingPipeline` `Transformation` classes: + +1. **DynamicFieldMappingTransformation** + - Determines field mappings based on the `query_table` state parameter + +2. **GenericFieldMappingTransformation** + - Applies common field mappings across all tables in a pipeline + +3. **BaseHashesValuesTransformation** + - Transforms the Hashes field, removing hash algorithm prefixes + +4. **ParentImageValueTransformation** + - Extracts parent process name from Sysmon ParentImage field + +5. **SplitDomainUserTransformation** + - Splits User field into separate domain and username fields + +6. **RegistryActionTypeValueTransformation** + - Adjusts registry ActionType values for compatibility + +7. **InvalidFieldTransformation** + - Identifies unsupported or invalid fields in rules + +8. **SetQueryTableStateTransformation** + - Manages the `query_table` state based on rule category or custom settings + +### πŸ“Š Custom Finalizer + +1. **QueryTableFinalizer** + +- Adds table name as prefix to each query +- Keeps queries separate for fine-grained control -The `microsoft_365_defender_pipeline` includes custom `ProcessingPipeline` `Transformation` classes: +## ❓Frequently Asked Questions -- πŸ”€ ParentImageValueTransformation - - Extracts the parent process name from the Sysmon ParentImage field - - Maps to InitiatingProcessParentFileName (as InitiatingProcessParentFolderPath is not available) - - Use before mapping ParentImage to InitiatingProcessFileName +### How do I set the table name for a rule? -- πŸ”’ SplitDomainUserTransformation - - Splits the User field into separate domain and username fields - - Handles Sysmon `User` field containing both domain and username - - Creates new SigmaDetectionItems for Domain and Username - - Use with field_name_condition for username fields +You can set the table name for a rule by adding the `query_table` parameter to the pipeline and setting it to the table name you want to use. -- πŸ” HashesValuesTransformation - - Processes 'Hashes' field values in 'algo:hash_value' format - - Creates new SigmaDetectionItems for each hash type - - Infers hash type based on length if not specified - - Use with field_name_condition for the Hashes field +```python +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline +pipeline = microsoft_xdr_pipeline(query_table="DeviceProcessEvents") +``` + +### How do I set the table name for a rule in YAML? + +You can set the table name for a rule in YAML by adding the `query_table` parameter to the pipeline and setting it to the table name you want to use. + +```YAML +# test_table_name_pipeline.yml +name: +priority: 1 +transformations: +- id: test_name_name + type: set_state + key: "query_table" + val: ["DeviceProcessEvents"] +``` + +```bash +sigma convert -t kusto -p microsoft_xdr -p test_table_name_pipeline.yml test_rule.yml +``` + +### How is the table name determined for a rule? + +The table name is set by the `SetQueryTableStateTransformation` transformation, which is the first transformation in each pipeline. It will use the `query_table` parameter if it is set by either a YAML pipeline or by passing the parameter to the pipeline in a Python script, otherwise it will select the table based on the rule category. The table name to rule category logic is defined in each pipeline's `mappings.py` file. + +### How are field mappings determined for a rule? + +The field mappings are determined by the `DynamicFieldMappingTransformation` transformation. It will use the table name from the pipeline state's `query_table` key. The field mapping logic is defined in each pipeline's `mappings.py` file for each table. If a field is not found in the table, the `GenericFieldMappingTransformation` will apply generic field mappings. If a field is not found in the generic field mappings, the field will be kept the same. -- πŸ“ RegistryActionTypeValueTransformation - - Adjusts registry ActionType values to match Microsoft DeviceRegistryEvents table - - Ensures compatibility between Sysmon and Microsoft 365 Defender schemas +### What tables are supported for each pipeline? -- ❌ InvalidFieldTransformation - - Extends DetectionItemFailureTransformation - - Includes the field name in the error message - - Helps identify unsupported or invalid fields in the rule +The tables that are supported for each pipeline are defined in each pipeline's `tables.py` file. This file is automatically generated by the scripts in the `utils` folder. These scripts pull documentation from Microsoft to get all documented tables and their fields and schema. -- 🏷️ SetQueryTableStateTransformation - - Appends rule query table to pipeline state query_table key - - Used to set custom table names for queries +### I am receiving an `Invalid SigmaDetectionItem field name encountered` error. What does this mean? + +This error means that the field name(s) provided in the error are not found in the tables fields defined in `tables.py` for the pipeline you are using. This probably means that a Sigma rule's field was not found in the field mappings for the table. To fix this error, you can supply your own custom field mappings to convert the unsupported field into a supported one. For example, in using YAML: + +```YAML +# custom_field_mapping_pipeline.yml +name: Custom Field Mapping +priority: 1 +transformations: +- id: field_mapping + type: field_name_mapping + mapping: + MyNotSupportedField: a_supported_field + rule_conditions: + - type: logsource + service: sysmon +``` + +```bash +sigma convert -t kusto -p custom_field_mapping_pipeline.yml -p microsoft_xdr test_rule.yml +``` + +If you find the field mapping useful, please consider submitting a PR to add it to the pipeline's field mappings :) + +### My query_table or custom field mapping isn't working + +Each pipeline in the project has a priority of 10. If you are trying to set the table name or custom field mappings, your pipeline needs to have a priority of 9 or less. You can set the priority in the YAML pipeline like so: + +```YAML +# test_table_name_pipeline.yml +name: +priority: 9 +transformations: +- id: test_name_name + type: set_state + key: "query_table" + val: ["DeviceProcessEvents"] +``` -The pipeline also includes a custom `Finalizer`: +## 🀝 Contributing -- πŸ“Š Microsoft365DefenderTableFinalizer - - Adds the table name as a prefix to each query - - Uses custom table names if specified, otherwise selects based on rule category - - Keeps individual queries separate instead of combining them - - Allows for fine-grained control over query table selection +Contributions are welcome, especially for table and field mappings! Please feel free to submit a Pull Request. -## ⚠️ Limitations and Constraints +1. Fork the repository +2. Create your feature branch (`git checkout -b feature/AmazingFeature`) +3. Commit your changes (`git commit -m 'Add some AmazingFeature'`) +4. Push to the branch (`git push origin feature/AmazingFeature`) +5. Open a Pull Request -- Works only for `product=windows` and listed rule categories -- Unsupported fields may cause exceptions (improvements in progress) +Please make sure to update tests as appropriate. -For more detailed information, please refer to the full documentation. +## πŸ“„ License +This project is licensed under the GNU Lesser General Public License v3.0 - see the [LICENSE](LICENSE) file for details. diff --git a/poetry.lock b/poetry.lock index 3338801..fa1aaa0 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,5 +1,27 @@ # This file is automatically @generated by Poetry 1.4.0 and should not be changed by hand. +[[package]] +name = "beautifulsoup4" +version = "4.12.3" +description = "Screen-scraping library" +category = "dev" +optional = false +python-versions = ">=3.6.0" +files = [ + {file = "beautifulsoup4-4.12.3-py3-none-any.whl", hash = "sha256:b80878c9f40111313e55da8ba20bdba06d8fa3969fc68304167741bbf9e082ed"}, + {file = "beautifulsoup4-4.12.3.tar.gz", hash = "sha256:74e3d1928edc070d21748185c46e3fb33490f22f52a3addee9aee0f4f7781051"}, +] + +[package.dependencies] +soupsieve = ">1.2" + +[package.extras] +cchardet = ["cchardet"] +chardet = ["chardet"] +charset-normalizer = ["charset-normalizer"] +html5lib = ["html5lib"] +lxml = ["lxml"] + [[package]] name = "certifi" version = "2024.8.30" @@ -543,6 +565,18 @@ urllib3 = ">=1.21.1,<3" socks = ["PySocks (>=1.5.6,!=1.5.7)"] use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] +[[package]] +name = "soupsieve" +version = "2.6" +description = "A modern CSS selector implementation for Beautiful Soup." +category = "dev" +optional = false +python-versions = ">=3.8" +files = [ + {file = "soupsieve-2.6-py3-none-any.whl", hash = "sha256:e72c4ff06e4fb6e4b5a9f0f55fe6e81514581fca1515028625d0f299c602ccc9"}, + {file = "soupsieve-2.6.tar.gz", hash = "sha256:e2e68417777af359ec65daac1057404a3c8a5455bb8abc36f1a9866ab1a51abb"}, +] + [[package]] name = "tomli" version = "2.0.1" @@ -576,4 +610,4 @@ zstd = ["zstandard (>=0.18.0)"] [metadata] lock-version = "2.0" python-versions = "^3.8" -content-hash = "5d4f5ebd97b4fd5be0cd277f9dd2ba96348eab1f49192df49a7e17664b9c02b0" +content-hash = "a808f0ada6f5c338865c9dead8b966656e5c9fb64890228a319c864a6a7fce65" diff --git a/pyproject.toml b/pyproject.toml index bd79e5f..353fb7c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -22,6 +22,7 @@ pytest-cov = "^4.0.0" coverage = "^7.2.1" requests = "^2.32.3" python-dotenv = "^1.0.1" +beautifulsoup4 = "^4.12.3" [build-system] requires = ["poetry-core>=1.0.0"] diff --git a/sigma/pipelines/azuremonitor/__init__.py b/sigma/pipelines/azuremonitor/__init__.py new file mode 100644 index 0000000..799bdb5 --- /dev/null +++ b/sigma/pipelines/azuremonitor/__init__.py @@ -0,0 +1,4 @@ +from .azuremonitor import azure_monitor_pipeline +pipelines = { + "azure_monitor": azure_monitor_pipeline, +} diff --git a/sigma/pipelines/azuremonitor/azuremonitor.py b/sigma/pipelines/azuremonitor/azuremonitor.py new file mode 100644 index 0000000..fa1298d --- /dev/null +++ b/sigma/pipelines/azuremonitor/azuremonitor.py @@ -0,0 +1,219 @@ +from typing import Optional + +from sigma.processing.conditions import ( + # DetectionItemProcessingItemAppliedCondition, + ExcludeFieldCondition, + IncludeFieldCondition, + LogsourceCondition, + RuleProcessingItemAppliedCondition, + RuleProcessingStateCondition, +) +from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline +from sigma.processing.transformations import ( + DropDetectionItemTransformation, + ReplaceStringTransformation, + RuleFailureTransformation, +) + +from ..kusto_common.errors import InvalidFieldTransformation +from ..kusto_common.finalization import QueryTableFinalizer +from ..kusto_common.schema import create_schema +from ..kusto_common.transformations import ( + DynamicFieldMappingTransformation, + RegistryActionTypeValueTransformation, + SetQueryTableStateTransformation, +) +from .mappings import ( + AZURE_MONITOR_FIELD_MAPPINGS, + CATEGORY_TO_TABLE_MAPPINGS, +) +from .schema import AzureMonitorSchema +from .tables import AZURE_MONITOR_TABLES +from .transformations import ( + DefaultHashesValuesTransformation, + SecurityEventHashesValuesTransformation, +) + +AZURE_MONITOR_SCHEMA = create_schema(AzureMonitorSchema, AZURE_MONITOR_TABLES) + + +## Fieldmappings +fieldmappings_proc_item = ProcessingItem( + identifier="azure_monitor_table_fieldmappings", + transformation=DynamicFieldMappingTransformation(AZURE_MONITOR_FIELD_MAPPINGS), +) + +## Generic Field Mappings, keep this last +## Exclude any fields already mapped, e.g. if a table mapping has been applied. +# This will fix the case where ProcessId is usually mapped to InitiatingProcessId, EXCEPT for the DeviceProcessEvent table where it stays as ProcessId. +# So we can map ProcessId to ProcessId in the DeviceProcessEvents table mapping, and prevent the generic mapping to InitiatingProcessId from being applied +# by adding a detection item condition that the table field mappings have been applied + +# generic_field_mappings_proc_item = ProcessingItem( +# identifier="azure_monitor_generic_fieldmappings", +# transformation=GenericFieldMappingTransformation(AZURE_MONITOR_FIELD_MAPPINGS), +# detection_item_conditions=[DetectionItemProcessingItemAppliedCondition("azure_monitor_table_fieldmappings")], +# detection_item_condition_linking=any, +# detection_item_condition_negation=True, +# ) + +REGISTRY_FIELDS = [ + "RegistryKey", + "RegistryPreviousKey", + "ObjectName", +] + +## Field Value Replacements ProcessingItems +replacement_proc_items = [ + # Sysmon uses abbreviations in RegistryKey values, replace with full key names as the DeviceRegistryEvents schema + # expects them to be + # Note: Ensure this comes AFTER field mapping renames, as we're specifying DeviceRegistryEvent fields + # + # Do this one first, or else the HKLM only one will replace HKLM and mess up the regex + ProcessingItem( + identifier="azure_monitor_registry_key_replace_currentcontrolset", + transformation=ReplaceStringTransformation( + regex=r"(?i)(^HKLM\\SYSTEM\\CurrentControlSet)", + replacement=r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001", + ), + field_name_conditions=[IncludeFieldCondition(REGISTRY_FIELDS)], + ), + ProcessingItem( + identifier="azure_monitor_registry_key_replace_hklm", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM)", replacement=r"HKEY_LOCAL_MACHINE"), + field_name_conditions=[IncludeFieldCondition(REGISTRY_FIELDS)], + ), + ProcessingItem( + identifier="azure_monitor_registry_key_replace_hku", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKU)", replacement=r"HKEY_USERS"), + field_name_conditions=[IncludeFieldCondition(REGISTRY_FIELDS)], + ), + ProcessingItem( + identifier="azure_monitor_registry_key_replace_hkcr", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKCR)", replacement=r"HKEY_LOCAL_MACHINE\\CLASSES"), + field_name_conditions=[IncludeFieldCondition(REGISTRY_FIELDS)], + ), + ProcessingItem( + identifier="azure_monitor_registry_actiontype_value", + transformation=RegistryActionTypeValueTransformation(), + field_name_conditions=[IncludeFieldCondition(["EventType"])], + ), + # Processing item to transform the Hashes field in the SecurityEvent table to get rid of the hash algorithm prefix in each value + ProcessingItem( + identifier="azure_monitor_securityevent_hashes_field_values", + transformation=SecurityEventHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["FileHash"])], + rule_conditions=[RuleProcessingStateCondition("query_table", "SecurityEvent")], + ), + ProcessingItem( + identifier="azure_monitor_hashes_field_values", + transformation=DefaultHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["Hashes"])], + rule_conditions=[RuleProcessingStateCondition("query_table", "SecurityEvent")], + rule_condition_negation=True, + ), + # Processing item to essentially ignore initiated field + ProcessingItem( + identifier="azure_monitor_network_initiated_field", + transformation=DropDetectionItemTransformation(), + field_name_conditions=[IncludeFieldCondition(["Initiated"])], + rule_conditions=[LogsourceCondition(category="network_connection")], + ), +] + +# Exceptions/Errors ProcessingItems +# Catch-all for when the query table is not set, meaning the rule could not be mapped to a table or the table name was not set +rule_error_proc_items = [ + # Category Not Supported or Query Table Not Set + ProcessingItem( + identifier="azure_monitor_unsupported_rule_category_or_missing_query_table", + transformation=RuleFailureTransformation( + "Rule category not yet supported by the Azure Monitor pipeline or query_table is not set." + ), + rule_conditions=[ + RuleProcessingItemAppliedCondition("azure_monitor_set_query_table"), + RuleProcessingStateCondition("query_table", None), + ], + rule_condition_linking=all, + ) +] + + +def get_valid_fields(table_name): + return ( + list(AZURE_MONITOR_SCHEMA.tables[table_name].fields.keys()) + + list(AZURE_MONITOR_FIELD_MAPPINGS.table_mappings.get(table_name, {}).keys()) + + list(AZURE_MONITOR_FIELD_MAPPINGS.generic_mappings.keys()) + + ["Hashes"] + ) + + +field_error_proc_items = [] + +for table_name in AZURE_MONITOR_SCHEMA.tables.keys(): + valid_fields = get_valid_fields(table_name) + + field_error_proc_items.append( + ProcessingItem( + identifier=f"azure_monitor_unsupported_fields_{table_name}", + transformation=InvalidFieldTransformation( + f"Please use valid fields for the {table_name} table, or the following fields that have fieldmappings in this " + f"pipeline:\n{', '.join(sorted(set(valid_fields)))}" + ), + field_name_conditions=[ExcludeFieldCondition(fields=valid_fields)], + rule_conditions=[ + RuleProcessingItemAppliedCondition("azure_monitor_set_query_table"), + RuleProcessingStateCondition("query_table", table_name), + ], + rule_condition_linking=all, + ) + ) + +# Add a catch-all error for custom table names +field_error_proc_items.append( + ProcessingItem( + identifier="azure_monitor_unsupported_fields_custom", + transformation=InvalidFieldTransformation( + "Invalid field name for the custom table. Please ensure you're using valid fields for your custom table." + ), + field_name_conditions=[ + ExcludeFieldCondition(fields=list(AZURE_MONITOR_FIELD_MAPPINGS.generic_mappings.keys()) + ["Hashes"]) + ], + rule_conditions=[ + RuleProcessingItemAppliedCondition("azure_monitor_set_query_table"), + RuleProcessingStateCondition("query_table", None), + ], + rule_condition_linking=all, + ) +) + + +def azure_monitor_pipeline(query_table: Optional[str] = None) -> ProcessingPipeline: + """Pipeline for transformations for SigmaRules to use in the Kusto Query Language backend. + + :param query_table: If specified, the table name will be used in the finalizer, otherwise the table name will be selected based on the category of the rule. + :type query_table: Optional[str] + + :return: ProcessingPipeline for Microsoft Azure Monitor + :rtype: ProcessingPipeline + """ + + pipeline_items = [ + ProcessingItem( + identifier="azure_monitor_set_query_table", + transformation=SetQueryTableStateTransformation(query_table, CATEGORY_TO_TABLE_MAPPINGS), + ), + fieldmappings_proc_item, + # generic_field_mappings_proc_item, + *replacement_proc_items, + *rule_error_proc_items, + *field_error_proc_items, + ] + + return ProcessingPipeline( + name="Generic Log Sources to Azure Monitor tables and fields", + priority=10, + items=pipeline_items, + allowed_backends=frozenset(["kusto"]), + finalizers=[QueryTableFinalizer()], + ) diff --git a/sigma/pipelines/azuremonitor/mappings.py b/sigma/pipelines/azuremonitor/mappings.py new file mode 100644 index 0000000..a782502 --- /dev/null +++ b/sigma/pipelines/azuremonitor/mappings.py @@ -0,0 +1,132 @@ +from sigma.pipelines.common import ( + logsource_windows_file_access, + logsource_windows_file_change, + logsource_windows_file_delete, + logsource_windows_file_event, + logsource_windows_file_rename, + logsource_windows_image_load, + logsource_windows_network_connection, + logsource_windows_process_creation, + logsource_windows_registry_add, + logsource_windows_registry_delete, + logsource_windows_registry_event, + logsource_windows_registry_set, +) +from sigma.pipelines.kusto_common.schema import FieldMappings + + +class AzureMonitorFieldMappings(FieldMappings): + pass + + +# Just map to SecurityEvent for now until we have more mappings for other tables +CATEGORY_TO_TABLE_MAPPINGS = { + "process_creation": "SecurityEvent", + "image_load": "SecurityEvent", + "file_access": "SecurityEvent", + "file_change": "SecurityEvent", + "file_delete": "SecurityEvent", + "file_event": "SecurityEvent", + "file_rename": "SecurityEvent", + "registry_add": "SecurityEvent", + "registry_delete": "SecurityEvent", + "registry_event": "SecurityEvent", + "registry_set": "SecurityEvent", + "network_connection": "SecurityEvent", +} + +## Rule Categories -> RuleConditions +CATEGORY_TO_CONDITIONS_MAPPINGS = { + "process_creation": logsource_windows_process_creation(), + "image_load": logsource_windows_image_load(), + "file_access": logsource_windows_file_access(), + "file_change": logsource_windows_file_change(), + "file_delete": logsource_windows_file_delete(), + "file_event": logsource_windows_file_event(), + "file_rename": logsource_windows_file_rename(), + "registry_add": logsource_windows_registry_add(), + "registry_delete": logsource_windows_registry_delete(), + "registry_event": logsource_windows_registry_event(), + "registry_set": logsource_windows_registry_set(), + "network_connection": logsource_windows_network_connection(), +} + + +AZURE_MONITOR_FIELD_MAPPINGS = AzureMonitorFieldMappings( + table_mappings={ + "SecurityEvent": { + "CommandLine": "CommandLine", + "Image": "NewProcessName", + "ParentImage": "ParentProcessName", + "User": "SubjectUserName", + "TargetFilename": "ObjectName", + "SourceIp": "IpAddress", + "DestinationIp": "DestinationIp", + "DestinationPort": "DestinationPort", + "SourcePort": "SourcePort", + "SourceHostname": "WorkstationName", + "DestinationHostname": "DestinationHostname", + "EventID": "EventID", + "ProcessId": "NewProcessId", + "ProcessName": "NewProcessName", + "LogonType": "LogonType", + "TargetUserName": "TargetUserName", + "TargetDomainName": "TargetDomainName", + "TargetLogonId": "TargetLogonId", + "Status": "Status", + "SubStatus": "SubStatus", + "ObjectType": "ObjectType", + "ShareName": "ShareName", + "AccessMask": "AccessMask", + "ServiceName": "ServiceName", + "TicketOptions": "TicketOptions", + "TicketEncryptionType": "TicketEncryptionType", + "TransmittedServices": "TransmittedServices", + "WorkstationName": "WorkstationName", + "LogonProcessName": "LogonProcessName", + "LogonGuid": "LogonGuid", + "Category": "EventSourceName", + "Hashes": "FileHash", + "TargetObject": "ObjectName", + }, + "SigninLogs": { + "User": "UserPrincipalName", + "TargetUserName": "UserPrincipalName", + "src_ip": "IPAddress", + "IpAddress": "IPAddress", + "app": "AppDisplayName", + "Application": "AppDisplayName", + "AuthenticationMethod": "AuthenticationMethodsUsed", + "Status": "Status", + "ResultType": "ResultType", + "ResultDescription": "ResultDescription", + "UserAgent": "UserAgent", + "Location": "Location", + "ClientAppUsed": "ClientAppUsed", + "DeviceDetail": "DeviceDetail", + "CorrelationId": "CorrelationId", + "ConditionalAccessStatus": "ConditionalAccessStatus", + "RiskLevelAggregated": "RiskLevelAggregated", + "RiskLevelDuringSignIn": "RiskLevelDuringSignIn", + "RiskDetail": "RiskDetail", + "RiskState": "RiskState", + "MfaDetail": "MfaDetail", + "NetworkLocationDetails": "NetworkLocationDetails", + "AuthenticationProtocol": "AuthenticationProtocol", + "AuthenticationRequirement": "AuthenticationRequirement", + "SignInIdentifier": "SignInIdentifier", + "SignInIdentifierType": "SignInIdentifierType", + "ResourceDisplayName": "ResourceDisplayName", + "ResourceIdentity": "ResourceIdentity", + "AppId": "AppId", + "AuthenticationProcessingDetails": "AuthenticationProcessingDetails", + "IsInteractive": "IsInteractive", + "TokenIssuerName": "TokenIssuerName", + "TokenIssuerType": "TokenIssuerType", + "UserType": "UserType", + "IPAddress": "IPAddress", + "AutonomousSystemNumber": "AutonomousSystemNumber", + }, + }, + generic_mappings={}, +) diff --git a/sigma/pipelines/azuremonitor/schema.py b/sigma/pipelines/azuremonitor/schema.py new file mode 100644 index 0000000..135044f --- /dev/null +++ b/sigma/pipelines/azuremonitor/schema.py @@ -0,0 +1,13 @@ +from dataclasses import dataclass + +from sigma.pipelines.kusto_common.schema import BaseSchema, FieldMappings + + +@dataclass +class AzureMonitorSchema(BaseSchema): + pass + + +@dataclass +class AzureMonitorFieldMappings(FieldMappings): + pass diff --git a/sigma/pipelines/azuremonitor/tables.py b/sigma/pipelines/azuremonitor/tables.py new file mode 100644 index 0000000..64a3092 --- /dev/null +++ b/sigma/pipelines/azuremonitor/tables.py @@ -0,0 +1,20663 @@ +# This file is auto-generated. Do not edit manually. +# Last updated: 2024-09-25 20:24:23 UTC + +AZURE_MONITOR_TABLES = { + "AzureDiagnostics": { + "action_id_s": {"data_type": "String", "description": ''}, + "action_name_s": {"data_type": "String", "description": ''}, + "action_s": {"data_type": "String", "description": ''}, + "ActivityId_g": {"data_type": "Guid", "description": ''}, + "AdHocOrScheduledJob_s": {"data_type": "String", "description": ''}, + "application_name_s": {"data_type": "String", "description": ''}, + "audit_schema_version_d": {"data_type": "Double", "description": ''}, + "avg_cpu_percent_s": {"data_type": "String", "description": ''}, + "avg_mean_time_s": {"data_type": "String", "description": ''}, + "backendHostname_s": {"data_type": "String", "description": ''}, + "Caller_s": {"data_type": "String", "description": ''}, + "callerId_s": {"data_type": "String", "description": ''}, + "CallerIPAddress": {"data_type": "String", "description": ''}, + "calls_s": {"data_type": "String", "description": ''}, + "Category": {"data_type": "String", "description": ''}, + "client_ip_s": {"data_type": "String", "description": ''}, + "clientInfo_s": {"data_type": "String", "description": ''}, + "clientIP_s": {"data_type": "String", "description": ''}, + "clientIp_s": {"data_type": "String", "description": ''}, + "clientIpAddress_s": {"data_type": "String", "description": ''}, + "clientPort_d": {"data_type": "Double", "description": ''}, + "code_s": {"data_type": "String", "description": ''}, + "collectionName_s": {"data_type": "String", "description": ''}, + "conditions_destinationIP_s": {"data_type": "String", "description": ''}, + "conditions_destinationPortRange_s": {"data_type": "String", "description": ''}, + "conditions_None_s": {"data_type": "String", "description": ''}, + "conditions_protocols_s": {"data_type": "String", "description": ''}, + "conditions_sourceIP_s": {"data_type": "String", "description": ''}, + "conditions_sourcePortRange_s": {"data_type": "String", "description": ''}, + "CorrelationId": {"data_type": "String", "description": ''}, + "count_executions_d": {"data_type": "Double", "description": ''}, + "cpu_time_d": {"data_type": "Double", "description": ''}, + "database_name_s": {"data_type": "String", "description": ''}, + "database_principal_name_s": {"data_type": "String", "description": ''}, + "DatabaseName_s": {"data_type": "String", "description": ''}, + "db_id_s": {"data_type": "String", "description": ''}, + "direction_s": {"data_type": "String", "description": ''}, + "dop_d": {"data_type": "Double", "description": ''}, + "duration_d": {"data_type": "Double", "description": ''}, + "duration_milliseconds_d": {"data_type": "Double", "description": ''}, + "DurationMs": {"data_type": "BigInt", "description": ''}, + "ElasticPoolName_s": {"data_type": "String", "description": ''}, + "endTime_t": {"data_type": "DateTime", "description": ''}, + "Environment_s": {"data_type": "String", "description": ''}, + "error_code_s": {"data_type": "String", "description": ''}, + "error_message_s": {"data_type": "String", "description": ''}, + "errorLevel_s": {"data_type": "String", "description": ''}, + "event_class_s": {"data_type": "String", "description": ''}, + "event_s": {"data_type": "String", "description": ''}, + "event_subclass_s": {"data_type": "String", "description": ''}, + "event_time_t": {"data_type": "DateTime", "description": ''}, + "EventName_s": {"data_type": "String", "description": ''}, + "execution_type_d": {"data_type": "Double", "description": ''}, + "executionInfo_endTime_t": {"data_type": "DateTime", "description": ''}, + "executionInfo_exitCode_d": {"data_type": "Double", "description": ''}, + "executionInfo_startTime_t": {"data_type": "DateTime", "description": ''}, + "host_s": {"data_type": "String", "description": ''}, + "httpMethod_s": {"data_type": "String", "description": ''}, + "httpStatus_d": {"data_type": "Double", "description": ''}, + "httpStatusCode_d": {"data_type": "Double", "description": ''}, + "httpStatusCode_s": {"data_type": "String", "description": ''}, + "httpVersion_s": {"data_type": "String", "description": ''}, + "id_s": {"data_type": "String", "description": ''}, + "identity_claim_appid_g": {"data_type": "Guid", "description": ''}, + "identity_claim_ipaddr_s": {"data_type": "String", "description": ''}, + "instanceId_s": {"data_type": "String", "description": ''}, + "interval_end_time_d": {"data_type": "Double", "description": ''}, + "interval_start_time_d": {"data_type": "Double", "description": ''}, + "ip_s": {"data_type": "String", "description": ''}, + "is_column_permission_s": {"data_type": "String", "description": ''}, + "isAccessPolicyMatch_b": {"data_type": "Bool", "description": ''}, + "JobDurationInSecs_s": {"data_type": "String", "description": ''}, + "JobFailureCode_s": {"data_type": "String", "description": ''}, + "JobId_g": {"data_type": "Guid", "description": ''}, + "jobId_s": {"data_type": "String", "description": ''}, + "JobOperation_s": {"data_type": "String", "description": ''}, + "JobOperationSubType_s": {"data_type": "String", "description": ''}, + "JobStartDateTime_s": {"data_type": "String", "description": ''}, + "JobStatus_s": {"data_type": "String", "description": ''}, + "JobUniqueId_g": {"data_type": "Guid", "description": ''}, + "Level": {"data_type": "String", "description": ''}, + "log_bytes_used_d": {"data_type": "Double", "description": ''}, + "logical_io_reads_d": {"data_type": "Double", "description": ''}, + "logical_io_writes_d": {"data_type": "Double", "description": ''}, + "LogicalServerName_s": {"data_type": "String", "description": ''}, + "macAddress_s": {"data_type": "String", "description": ''}, + "matchedConnections_d": {"data_type": "Double", "description": ''}, + "max_cpu_time_d": {"data_type": "Double", "description": ''}, + "max_dop_d": {"data_type": "Double", "description": ''}, + "max_duration_d": {"data_type": "Double", "description": ''}, + "max_log_bytes_used_d": {"data_type": "Double", "description": ''}, + "max_logical_io_reads_d": {"data_type": "Double", "description": ''}, + "max_logical_io_writes_d": {"data_type": "Double", "description": ''}, + "max_num_physical_io_reads_d": {"data_type": "Double", "description": ''}, + "max_physical_io_reads_d": {"data_type": "Double", "description": ''}, + "max_query_max_used_memory_d": {"data_type": "Double", "description": ''}, + "max_rowcount_d": {"data_type": "Double", "description": ''}, + "max_time_s": {"data_type": "String", "description": ''}, + "mean_time_s": {"data_type": "String", "description": ''}, + "Message": {"data_type": "String", "description": ''}, + "min_time_s": {"data_type": "String", "description": ''}, + "msg_s": {"data_type": "String", "description": ''}, + "num_physical_io_reads_d": {"data_type": "Double", "description": ''}, + "object_id_d": {"data_type": "Double", "description": ''}, + "object_name_s": {"data_type": "String", "description": ''}, + "OperationName": {"data_type": "String", "description": ''}, + "OperationVersion": {"data_type": "String", "description": ''}, + "partitionKey_s": {"data_type": "String", "description": ''}, + "physical_io_reads_d": {"data_type": "Double", "description": ''}, + "plan_id_d": {"data_type": "Double", "description": ''}, + "policy_s": {"data_type": "String", "description": ''}, + "policyMode_s": {"data_type": "String", "description": ''}, + "primaryIPv4Address_s": {"data_type": "String", "description": ''}, + "priority_d": {"data_type": "Double", "description": ''}, + "properties_enabledForDeployment_b": {"data_type": "Bool", "description": ''}, + "properties_enabledForDiskEncryption_b": {"data_type": "Bool", "description": ''}, + "properties_enabledForTemplateDeployment_b": {"data_type": "Bool", "description": ''}, + "properties_s": {"data_type": "String", "description": ''}, + "properties_sku_Family_s": {"data_type": "String", "description": ''}, + "properties_sku_Name_s": {"data_type": "String", "description": ''}, + "properties_tenantId_g": {"data_type": "Guid", "description": ''}, + "query_hash_s": {"data_type": "String", "description": ''}, + "query_id_d": {"data_type": "Double", "description": ''}, + "query_max_used_memory_d": {"data_type": "Double", "description": ''}, + "query_plan_hash_s": {"data_type": "String", "description": ''}, + "query_time_d": {"data_type": "Double", "description": ''}, + "querytext_s": {"data_type": "String", "description": ''}, + "receivedBytes_d": {"data_type": "Double", "description": ''}, + "Region_s": {"data_type": "String", "description": ''}, + "requestCharge_s": {"data_type": "String", "description": ''}, + "requestQuery_s": {"data_type": "String", "description": ''}, + "requestResourceId_s": {"data_type": "String", "description": ''}, + "requestResourceType_s": {"data_type": "String", "description": ''}, + "requestUri_s": {"data_type": "String", "description": ''}, + "reserved_storage_mb_s": {"data_type": "String", "description": ''}, + "Resource": {"data_type": "String", "description": ''}, + "resource_actionName_s": {"data_type": "String", "description": ''}, + "resource_location_s": {"data_type": "String", "description": ''}, + "resource_originRunId_s": {"data_type": "String", "description": ''}, + "resource_resourceGroupName_s": {"data_type": "String", "description": ''}, + "resource_runId_s": {"data_type": "String", "description": ''}, + "resource_subscriptionId_g": {"data_type": "Guid", "description": ''}, + "resource_triggerName_s": {"data_type": "String", "description": ''}, + "resource_workflowId_g": {"data_type": "Guid", "description": ''}, + "resource_workflowName_s": {"data_type": "String", "description": ''}, + "ResourceGroup": {"data_type": "String", "description": ''}, + "_ResourceId": {"data_type": "String", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "String", "description": ''}, + "ResourceType": {"data_type": "String", "description": ''}, + "response_rows_d": {"data_type": "Double", "description": ''}, + "resultCode_s": {"data_type": "String", "description": ''}, + "ResultDescription": {"data_type": "String", "description": ''}, + "resultDescription_ChildJobs_s": {"data_type": "String", "description": ''}, + "resultDescription_ErrorJobs_s": {"data_type": "String", "description": ''}, + "resultMessage_s": {"data_type": "String", "description": ''}, + "ResultSignature": {"data_type": "String", "description": ''}, + "ResultType": {"data_type": "String", "description": ''}, + "rootCauseAnalysis_s": {"data_type": "String", "description": ''}, + "routingRuleName_s": {"data_type": "String", "description": ''}, + "rowcount_d": {"data_type": "Double", "description": ''}, + "ruleName_s": {"data_type": "String", "description": ''}, + "RunbookName_s": {"data_type": "String", "description": ''}, + "RunOn_s": {"data_type": "String", "description": ''}, + "schema_name_s": {"data_type": "String", "description": ''}, + "sentBytes_d": {"data_type": "Double", "description": ''}, + "sequence_group_id_g": {"data_type": "Guid", "description": ''}, + "sequence_number_d": {"data_type": "Double", "description": ''}, + "server_principal_sid_s": {"data_type": "String", "description": ''}, + "session_id_d": {"data_type": "Double", "description": ''}, + }, + "AACAudit": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIdentity": {"data_type": "dynamic", "description": 'Caller identity of this event.'}, + "CallerIPAddress": {"data_type": "string", "description": 'IP Address of the caller that triggered this audit event.'}, + "Category": {"data_type": "string", "description": 'The log category of the event.'}, + "CorrelationId": {"data_type": "string", "description": 'GUID for correlated logs.'}, + "ETag": {"data_type": "string", "description": 'An identifier for a specific version of the resource.'}, + "EventCategory": {"data_type": "string", "description": 'Audit category of this event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Name of the audited operation.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID generated by server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The result of the operation being audited.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of this audit event.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResource": {"data_type": "dynamic", "description": 'Target resource that apply to the operation being audited.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AACHttpRequest": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesReceived": {"data_type": "int", "description": 'The total number of bytes received by the server across all requests included in this aggregated entry.'}, + "BytesSent": {"data_type": "int", "description": 'The total number of bytes sent by the server across all requests included in this aggregated entry.'}, + "Category": {"data_type": "string", "description": 'The log category of the event.'}, + "ClientIPAddress": {"data_type": "string", "description": 'IP Address of the client that sent the requests.'}, + "ClientRequestId": {"data_type": "string", "description": 'Request ID provided by client.'}, + "CorrelationId": {"data_type": "string", "description": 'GUID for correlated logs.'}, + "DurationMs": {"data_type": "int", "description": 'The average duration of the operation, in milliseconds, of all the requests included in this aggregated entry.'}, + "HitCount": {"data_type": "int", "description": 'Count of requests that are included in this aggregated HTTP request log entry.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Method": {"data_type": "string", "description": 'HTTP Method.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID generated by server.'}, + "RequestURI": {"data_type": "string", "description": 'URI of the requests.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'HTTP Status Code of the requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) marking the start of the aggregation period.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'User Agent provided by the client.'}, + }, + "AADB2CRequestLogs": { + "AADTenantId": {"data_type": "string", "description": 'The AAD tenant ID of associated request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'Hashed format of caller IP address. Can be used to identify if a single IP address is using a large portion of traffic.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'Indicates whether the request is throttled or not.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the request received at the AAD gateway in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADCustomSecurityAttributeAuditLogs": { + "AADOperationType": {"data_type": "string", "description": 'Type of the operation. Possible values are Add Update Delete and Other.'}, + "AADTenantId": {"data_type": "string", "description": 'ID of the AAD tenant.'}, + "ActivityDateTime": {"data_type": "datetime", "description": 'Date and time the activity was performed in UTC.'}, + "ActivityDisplayName": {"data_type": "string", "description": 'Activity name or the operation name.'}, + "AdditionalDetails": {"data_type": "dynamic", "description": 'Indicates additional details on the activity. Can have any string as a key or value.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of caller.'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide audit trail.'}, + "DurationMs": {"data_type": "long", "description": 'The duration of the operation in milliseconds.'}, + "Id": {"data_type": "string", "description": 'Unique ID representing the audit activity.'}, + "Identity": {"data_type": "string", "description": 'The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal.'}, + "InitiatedBy": {"data_type": "dynamic", "description": 'User or app initiated the activity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "LoggedByService": {"data_type": "string", "description": 'Service that initiated the activity.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client."}, + "Result": {"data_type": "string", "description": 'Result of the activity. Possible values are: success failure timeout unknownFutureValue.'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error description for the audit operation.'}, + "ResultReason": {"data_type": "string", "description": 'Describes cause of failure or timeout results.'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the audit operation.'}, + "ResultType": {"data_type": "string", "description": 'The result of the audit operation can be Success or Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetResources": {"data_type": "dynamic", "description": 'Indicates information on which resource was changed due to the activity.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'User agent of initiator.'}, + }, + "AADDomainServicesAccountLogon": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CertIssuerName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CertSerialNumber": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CertThumbprint": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ClientUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CorrelationId": {"data_type": "string", "description": ''}, + "FailureCode": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "IpAddress": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "IpPort": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MappedName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MappingBy": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": ''}, + "PackageName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PreAuthType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "ServiceName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TicketOptions": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADDomainServicesAccountManagement": { + "AccountExpires": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AllowedToDelegateTo": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerProcessId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CallerProcessName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Category": {"data_type": "string", "description": ''}, + "ComputerAccountChange": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CorrelationId": {"data_type": "string", "description": ''}, + "DisplayName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DnsHostName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "GroupTypeChange": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "HomeDirectory": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "HomePath": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogonHours": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MemberName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MembershipExpirationTime": {"data_type": "datetime", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MemberSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewTargetUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewUacValue": {"data_type": "string", "description": ''}, + "OldTargetUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldUacValue": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": ''}, + "PasswordLastSet": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PrimaryGroupId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PrivilegeList": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ProfilePath": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SamAccountName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ScriptPath": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ServicePrincipalNames": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SidHistory": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Status": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SubjectDomainName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SubjectLogonId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SubjectUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SubjectUserSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountControl": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "UserParameters": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "UserWorkstations": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Workstation": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + }, + "AADDomainServicesDirectoryServiceAccess": { + "AppCorrelationID": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AttributeLDAPDisplayName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AttributeSyntaxOID": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AttributeValue": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "DSName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DSType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NewObjectDN": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectClass": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectDN": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectGUID": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldObjectDN": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OpCorrelationID": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": ''}, + "OperationType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TreeDelete": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADDomainServicesDNSAuditsDynamicUpdates": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BufferSize": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EventType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "operationName": {"data_type": "string", "description": 'Identifies the type of event emitted.'}, + "operationVersion": {"data_type": "string", "description": 'Version string. Reserved.'}, + "RData": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'Identifier for the underlying Windows event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "resultDescription": {"data_type": "string", "description": 'Summary description of the event.'}, + "Source": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Ttl": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Zone": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ZoneScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + }, + "AADDomainServicesDNSAuditsGeneral": { + "Action": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ActiveKey": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Base64Data": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BufferSize": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ChildZone": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ClientSubnetList": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ClientSubnetRecord": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Condition": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Criteria": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CryptoAlgorithm": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CurrentRolloverStatus": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CurrentState": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DenialOfExistence": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Digest": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DigestType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DistributeTrustAnchor": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DnsKeyRecordSetTtl": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DnsKeySignatureValidityPeriod": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DSRecordGenerationAlgorithm": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DSRecordSetTtl": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DSSignatureValidityPeriod": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EnableRfc5011KeyRollover": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ErrorsPerSecond": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EventGuid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EventString": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "FilePath": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Forwarders": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "FriendlyName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "InitialRolloverOffset": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "IPv4PrefixLength": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "IPv6PrefixLength": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsEnabled": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "IsKeyMasterServer": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyLength": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyMasterServer": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyOrZone": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyProtocol": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyStorageProvider": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyTag": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KeyType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "KskOrZsk": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LastRolloverTime": {"data_type": "datetime", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LeakRate": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ListenAddresses": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Lookup": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MasterServer": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Mode": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Name": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NameServer": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewFriendlyName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewPropertyValues": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewValue": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NextKey": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NextRolloverAction": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NextRolloverTime": {"data_type": "datetime", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NodeName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NSec3HashAlgorithm": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NSec3Iterations": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NSec3OptOut": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NSec3RandomSaltLength": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NSec3UserSalt": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldFriendlyName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldPropertyValues": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "operationName": {"data_type": "string", "description": 'Identifies the type of event emitted.'}, + "operationVersion": {"data_type": "string", "description": 'Version string. Reserved.'}, + "ParentHasSecureDelegation": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Policy": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ProcessingOrder": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PropagationTime": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PropertyKey": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "QName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "QType": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RData": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'Identifier for the underlying Windows event'}, + "RecursionScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ReplicationScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponsePerSecond": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "resultDescription": {"data_type": "string", "description": 'Summary description of the event.'}, + "RolloverPeriod": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RolloverType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RRLExceptionlist": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ScavengeServers": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Scope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Scopes": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ScopeWeight": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ScopeWeightNew": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ScopeWeightOld": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SecureDelegationPollingPeriod": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SeizedOrTransfered": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ServerName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Setting": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SignatureInceptionOffset": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StandbyKey": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "StoreKeysInAD": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubTreeAging": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TCRate": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "TotalResponsesInWindow": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Ttl": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualizationID": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "WindowSize": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "WithNewKeys": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "WithWithout": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Zone": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ZoneFile": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ZoneName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ZoneScope": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ZoneSignatureValidityPeriod": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + }, + "AADDomainServicesLogonLogoff": { + "AuthenticationPackageName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "ElevatedToken": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "FailureReason": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ImpersonationLevel": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeyLength": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LmPackageName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LogonGuid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LogonProcessName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LogonType": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": ''}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RestrictedAdminMode": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SidList": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubStatus": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetDomainName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetInfo": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetLinkedLogonId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetLogonGuid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetLogonId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetOutboundDomainName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetOutboundUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetServerName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetUserName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TargetUserSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TdoSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TransmittedServices": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualAccount": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "WorkstationName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + }, + "AADDomainServicesPolicyChange": { + "AccessGranted": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AccessRemoved": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AuditPolicyChanges": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "AuditSourceName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CategoryId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CollisionTargetName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CollisionTargetType": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CorrelationId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "CrashOnAuditFailValue": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DisabledPrivilegeList": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DnsName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DomainBehaviorVersion": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DomainName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DomainPolicyChanged": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "DomainSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EnabledPrivilegeList": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EntryType": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "EventSourceId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Flags": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ForceLogoff": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ForestRoot": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ForestRootSid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "HandleId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KerberosPolicyChange": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LockoutDuration": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LockoutObservationWindow": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "LockoutThreshold": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MachineAccountQuota": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MaxPasswordAge": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MinPasswordAge": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MinPasswordLength": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "MixedDomainMode": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NetbiosName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "NewSd": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectServer": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ObjectType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OemInformation": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OldSd": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PasswordHistoryLength": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "PasswordProperties": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ResultType": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SidFilteringEnabled": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubcategoryGuid": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "SubcategoryId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TdoAttributes": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TdoDirection": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TdoType": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "TopLevelName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADDomainServicesPrivilegeUse": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NewState": {"data_type": "int", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "OperationName": {"data_type": "string", "description": ''}, + "ProcessId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ProcessName": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "RecordId": {"data_type": "string", "description": 'A unique identifier corresponding to this record.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceManager": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TransactionId": {"data_type": "string", "description": 'The context of this field is dependent on the Windows Event being emitted, represented in the OperationName. Please see the Windows Server description of this event for the meaning of this field.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADManagedIdentitySignInLogs": { + "AppId": {"data_type": "string", "description": 'Unique GUID representing the app ID in the Azure Active Directory'}, + "AuthenticationContextClassReferences": {"data_type": "string", "description": 'The authentication contexts of the sign-in'}, + "AuthenticationProcessingDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the sign-in event'}, + "ConditionalAccessPolicies": {"data_type": "string", "description": 'Details of the conditional access policies being applied for the sign-in'}, + "ConditionalAccessStatus": {"data_type": "string", "description": 'Status of all the conditionalAccess policies related to the sign-in'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide sign-in trail'}, + "DurationMs": {"data_type": "long", "description": 'The duration of the operation in milliseconds'}, + "FederatedCredentialId": {"data_type": "string", "description": "Th identifier of an application's federated identity credential if a federated identity credential was used to sign in."}, + "Id": {"data_type": "string", "description": 'Unique ID representing the sign-in activity'}, + "Identity": {"data_type": "string", "description": 'The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal'}, + "IPAddress": {"data_type": "string", "description": 'IP address of the client used to sign in'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event'}, + "LocationDetails": {"data_type": "string", "description": 'Details of the sign-in location'}, + "OperationName": {"data_type": "string", "description": 'For sign-ins, this value is always Sign-in activity'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client"}, + "ResourceDisplayName": {"data_type": "string", "description": 'Name of the resource that the service principal signed into'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group for the logs'}, + "ResourceIdentity": {"data_type": "string", "description": 'ID of the resource that the service principal signed into'}, + "ResourceServicePrincipalId": {"data_type": "string", "description": 'Service Principal Id of the resource'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error description for the sign-in operation'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the sign-in operation'}, + "ResultType": {"data_type": "string", "description": 'The result of the sign-in operation can be Success or Failure'}, + "ServicePrincipalCredentialKeyId": {"data_type": "string", "description": 'Key id of the service principal that initiated the sign-in'}, + "ServicePrincipalCredentialThumbprint": {"data_type": "string", "description": 'Thumbprint of the service principal that initiated the sign-in'}, + "ServicePrincipalId": {"data_type": "string", "description": 'ID of the service principal who initiated the sign-in'}, + "ServicePrincipalName": {"data_type": "string", "description": 'Service Principal Name of the service principal who initiated the sign-in'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenIdentifier": {"data_type": "string", "description": 'Unique token identifier for the request'}, + }, + "AADNonInteractiveUserSignInLogs": { + "AlternateSignInName": {"data_type": "string", "description": 'Provides the on-premises UPN of the user sign-ing into Azure AD.e.g. Phone number sign-in.'}, + "AppDisplayName": {"data_type": "string", "description": 'App name displayed in the Azure portal.'}, + "AppId": {"data_type": "string", "description": 'Unique GUID representing the app ID in the Azure Active Directory.'}, + "AppliedEventListeners": {"data_type": "dynamic", "description": "Detailed information about the applied event listeners or listeners that are triggered by the corresponding events in an authentication activity. It's called appliedEventListeners in ALP and MSGraph, but use Authentication Events to match name on UX."}, + "AuthenticationContextClassReferences": {"data_type": "string", "description": 'The authentication contexts of the sign-in.'}, + "AuthenticationDetails": {"data_type": "string", "description": 'A record of each step of authentication undertaken in the sign-in.'}, + "AuthenticationMethodsUsed": {"data_type": "string", "description": 'List of authentication methods used.'}, + "AuthenticationProcessingDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor.'}, + "AuthenticationProtocol": {"data_type": "string", "description": 'Lists the protocol type or grant type used in the authentication. The possible values are: none, oAuth2, ropc, wsFederation, saml20, deviceCode, unknownFutureValue. For authentications that use protocols other than the possible values listed, the protocol type is listed as none.'}, + "AuthenticationRequirement": {"data_type": "string", "description": 'Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required.'}, + "AuthenticationRequirementPolicies": {"data_type": "string", "description": 'Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user.'}, + "AutonomousSystemNumber": {"data_type": "string", "description": 'Autonomous System Number for the network.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the sign-in event.'}, + "ClientAppUsed": {"data_type": "string", "description": 'Details outlining app auth used (Legacy vs non Legacy) Eg: Modern Browser, Native App, Exchange Activty Sync and Older Clients.'}, + "ConditionalAccessPolicies": {"data_type": "string", "description": 'Details of the conditional access policies being applied for the sign-in.'}, + "ConditionalAccessStatus": {"data_type": "string", "description": 'Status of all the conditionalAccess policies related to the sign-in.'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide sign-in trail.'}, + "CreatedDateTime": {"data_type": "datetime", "description": 'Datetime of the sign-in activity.'}, + "CrossTenantAccessType": {"data_type": "string", "description": 'Describes the type of cross-tenant access used by the actor to access the resource. Possible values are: none, b2bCollaboration, b2bDirectConnect, microsoftSupport, serviceProvider, unknownFutureValue. If the sign in did not cross tenant boundaries, the value is none.'}, + "DeviceDetail": {"data_type": "string", "description": 'Details of the device used for the sign-in.'}, + "DurationMs": {"data_type": "long", "description": 'The duration of the operation in milliseconds.'}, + "HomeTenantId": {"data_type": "string", "description": 'The home tenant ID for cross-tenant scenarios.'}, + "Id": {"data_type": "string", "description": 'Unique ID representing the sign-in activity.'}, + "Identity": {"data_type": "string", "description": 'The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal.'}, + "IPAddress": {"data_type": "string", "description": 'IP address of the client used to sign in.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsInteractive": {"data_type": "bool", "description": 'Indicates if a sign-in is interactive or not.'}, + "IsRisky": {"data_type": "bool", "description": 'Indicates if a sign-in is considered risky or not.'}, + "Level": {"data_type": "string", "description": 'The severity level of the event.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "LocationDetails": {"data_type": "string", "description": 'Details of the sign-in location.'}, + "MfaDetail": {"data_type": "string", "description": 'Details of the Multi-factor authentication.'}, + "NetworkLocationDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor.'}, + "OperationName": {"data_type": "string", "description": 'For sign-ins, this value is always Sign-in activity.'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client."}, + "OriginalRequestId": {"data_type": "string", "description": 'The request id of the first request in the authentication sequence.'}, + "ProcessingTimeInMs": {"data_type": "string", "description": 'Request processing time in milliseconds in AD STS.'}, + "ResourceDisplayName": {"data_type": "string", "description": 'Name of the resource that the user signed into.'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group for the logs.'}, + "ResourceIdentity": {"data_type": "string", "description": 'ID of the resource that the user signed into.'}, + "ResourceServicePrincipalId": {"data_type": "string", "description": 'Service Principal Id of the resource.'}, + "ResourceTenantId": {"data_type": "string", "description": 'The resource tenant ID for cross-tenant scenarios.'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error description for the sign-in operation.'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the sign-in operation.'}, + "ResultType": {"data_type": "string", "description": 'The result of the sign-in operation can be Success or Failure.'}, + "RiskDetail": {"data_type": "string", "description": 'Risky user state details.'}, + "RiskEventTypes": {"data_type": "string", "description": 'The list of risk event types associated with the sign-in.'}, + "RiskEventTypes_V2": {"data_type": "string", "description": 'The list of risk event types associated with the sign-in. These are strings.'}, + "RiskLevelAggregated": {"data_type": "string", "description": 'Aggregated risk level.'}, + "RiskLevelDuringSignIn": {"data_type": "string", "description": 'Risk level during sign-in.'}, + "RiskState": {"data_type": "string", "description": 'Risky user state.'}, + "ServicePrincipalId": {"data_type": "string", "description": 'ID of the service principal who initiated the sign-in.'}, + "SessionLifetimePolicies": {"data_type": "string", "description": 'Policies and settings that applied to the sign-in that enforced or revoked a session lifetime.'}, + "SignInEventTypes": {"data_type": "string", "description": 'The types that are associated with the sign-in. Examples include "interactive", "refreshToken", "managedIdentity", "continuousAccessEvaluation" and many more.'}, + "SignInIdentifierType": {"data_type": "string", "description": 'The type of sign in identifier. Possible values are: userPrincipalName, phoneNumber, proxyAddress, qrCode, onPremisesUserPrincipalName, unknownFutureValue.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Details of the sign-in status.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "TokenIssuerName": {"data_type": "string", "description": 'Name of the identity provider (e.g. sts.microsoft.com ).'}, + "TokenIssuerType": {"data_type": "string", "description": 'Type of identityProvider (Azure AD, AD Federation Services).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenIdentifier": {"data_type": "string", "description": 'Unique token identifier for the request.'}, + "UserAgent": {"data_type": "string", "description": 'User Agent for the sign-in.'}, + "UserDisplayName": {"data_type": "string", "description": 'Display name of the user that initiated the sign-in.'}, + "UserId": {"data_type": "string", "description": 'ID of the user that initiated the sign-in.'}, + "UserPrincipalName": {"data_type": "string", "description": 'User principal name of the user that initiated the sign-in.'}, + "UserType": {"data_type": "string", "description": 'Identifies whether the user is a member or guest in the tenant. Possible values are: member, guest, unknownFutureValue.'}, + }, + "AADProvisioningLogs": { + "AADTenantId": {"data_type": "string", "description": 'Unique Azure AD tenant ID'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the event'}, + "ChangeId": {"data_type": "string", "description": 'Unique ID of this change in this cycle'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide provisioning trail'}, + "CycleId": {"data_type": "string", "description": 'Unique ID per job iteration'}, + "DurationMs": {"data_type": "long", "description": 'Indicates how long this provisioning action took to finish'}, + "Id": {"data_type": "string", "description": 'Indicates the unique ID for the activity'}, + "InitiatedBy": {"data_type": "string", "description": 'Details of who initiated this provisioning'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobId": {"data_type": "string", "description": 'The unique ID for the whole provisioning job'}, + "ModifiedProperties": {"data_type": "string", "description": 'Details of each property that was modified in this provisioning action on this object'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client"}, + "ProvisioningAction": {"data_type": "string", "description": 'Indicates the activity name or the operation name. For a list of activities logged, refer to Azure AD activity list'}, + "ProvisioningStatusInfo": {"data_type": "string", "description": 'Details of provisioning status'}, + "ProvisioningSteps": {"data_type": "string", "description": 'Details of each step in provisioning'}, + "ResultDescription": {"data_type": "string", "description": 'When available, provides the error description for the provisioning operation'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the provisioning operation'}, + "ResultType": {"data_type": "string", "description": 'The result of the provisioning operation can be Success, Failure, or Skipped'}, + "ServicePrincipal": {"data_type": "string", "description": 'Represents the service principal used for provisioning'}, + "SourceIdentity": {"data_type": "string", "description": 'Details of source object being provisioned'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetIdentity": {"data_type": "string", "description": 'Details of target object being provisioned'}, + "TargetSystem": {"data_type": "string", "description": 'Details of target system of the object being provisioned'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADRiskyServicePrincipals": { + "AccountEnabled": {"data_type": "bool", "description": 'true if the service principal account is enabled; otherwise, false.'}, + "AppId": {"data_type": "string", "description": 'The globally unique identifier for the associated application (its appId property), if any.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables.'}, + "DisplayName": {"data_type": "string", "description": 'The display name for the service principal.'}, + "Id": {"data_type": "string", "description": 'The unique identifier assigned to the service principal at risk. Inherited from entity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsProcessing": {"data_type": "bool", "description": "Indicates whether Azure AD is currently processing the service principal's risky state."}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RiskDetail": {"data_type": "string", "description": 'Details of the detected risk.'}, + "RiskLastUpdatedDateTime": {"data_type": "datetime", "description": 'The date and time that the risk state was last updated in UTC.'}, + "RiskLevel": {"data_type": "string", "description": 'Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue.'}, + "RiskState": {"data_type": "string", "description": "State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue."}, + "ServicePrincipalType": {"data_type": "string", "description": 'Identifies whether the service principal represents an Application, a Managed Identity, or a legacy application (social IdP).'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADRiskyUsers": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables.'}, + "Id": {"data_type": "string", "description": 'Unique ID of the user at risk.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDeleted": {"data_type": "bool", "description": 'Indicates whether the user is deleted.'}, + "IsProcessing": {"data_type": "bool", "description": "Indicates whether a user's risky state is being processed by the backend."}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RiskDetail": {"data_type": "string", "description": 'Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.'}, + "RiskLastUpdatedDateTime": {"data_type": "datetime", "description": 'The date and time that the risky user was last updated.'}, + "RiskLevel": {"data_type": "string", "description": 'Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue.'}, + "RiskState": {"data_type": "string", "description": "State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserDisplayName": {"data_type": "string", "description": 'Risky user display name.'}, + "UserPrincipalName": {"data_type": "string", "description": 'Risky user principal name.'}, + }, + "AADServicePrincipalRiskEvents": { + "Activity": {"data_type": "string", "description": 'Indicates the activity type the detected risk is linked to.'}, + "ActivityDateTime": {"data_type": "datetime", "description": 'Date and time when the risky activity occurred in UTC.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'Additional information associated with the risk detection in JSON format.'}, + "AppId": {"data_type": "string", "description": 'The unique identifier for the associated application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Correlation ID of the sign-in activity associated with the risk detection. Nullable.'}, + "DetectedDateTime": {"data_type": "datetime", "description": 'Date and time when the risk was detected in UTC.'}, + "DetectionTimingType": {"data_type": "string", "description": 'Timing of the detected risk , whether real-time or offline.'}, + "Id": {"data_type": "string", "description": 'Unique identifier of the risk detection. Inherited from entity.'}, + "IpAddress": {"data_type": "string", "description": 'Provides the IP address of the client from where the risk occurred.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeyIds": {"data_type": "dynamic", "description": 'The unique identifier (GUID) for the key credential associated with the risk detection.'}, + "LastUpdatedDateTime": {"data_type": "datetime", "description": 'Date and time when the risk detection was last updated in UTC.'}, + "Location": {"data_type": "dynamic", "description": 'Location of the sign-in.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RequestId": {"data_type": "string", "description": 'Request identifier of the sign-in activity associated with the risk detection. Nullable.'}, + "RiskDetail": {"data_type": "string", "description": 'Details of the detected risk. Note: Details for this property are only available for Azure AD Premium P2 customers.'}, + "RiskEventType": {"data_type": "string", "description": 'The type of risk event detected.'}, + "RiskLevel": {"data_type": "string", "description": 'Level of the detected risk. Note: details for this property are only available for Azure AD Premium P2 customers.'}, + "RiskState": {"data_type": "string", "description": 'The state of a detected risky service principal or sign-in activity.'}, + "ServicePrincipalDisplayName": {"data_type": "string", "description": 'The display name for the service principal.'}, + "ServicePrincipalId": {"data_type": "string", "description": 'The unique identifier for the service principal.'}, + "Source": {"data_type": "string", "description": 'Source of the risk detection. For example, identityProtection.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "TokenIssuerType": {"data_type": "string", "description": 'Indicates the type of token issuer for the detected sign-in risk.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AADServicePrincipalSignInLogs": { + "AppId": {"data_type": "string", "description": 'Unique GUID representing the app ID in the Azure Active Directory'}, + "AuthenticationContextClassReferences": {"data_type": "string", "description": 'The authentication contexts of the sign-in'}, + "AuthenticationProcessingDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the sign-in event'}, + "ConditionalAccessPolicies": {"data_type": "string", "description": 'Details of the conditional access policies being applied for the sign-in'}, + "ConditionalAccessStatus": {"data_type": "string", "description": 'Status of all the conditionalAccess policies related to the sign-in'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide sign-in trail'}, + "DurationMs": {"data_type": "long", "description": 'The duration of the operation in milliseconds'}, + "FederatedCredentialId": {"data_type": "string", "description": "Th identifier of an application's federated identity credential if a federated identity credential was used to sign in."}, + "Id": {"data_type": "string", "description": 'Unique ID representing the sign-in activity'}, + "Identity": {"data_type": "string", "description": 'The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal'}, + "IPAddress": {"data_type": "string", "description": 'IP address of the client used to sign in'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event'}, + "LocationDetails": {"data_type": "string", "description": 'Details of the sign-in location'}, + "OperationName": {"data_type": "string", "description": 'For sign-ins, this value is always Sign-in activity'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client"}, + "ResourceDisplayName": {"data_type": "string", "description": 'Name of the resource that the service principal signed into'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group for the logs'}, + "ResourceIdentity": {"data_type": "string", "description": 'ID of the resource that the service principal signed into'}, + "ResourceServicePrincipalId": {"data_type": "string", "description": 'Service Principal Id of the resource'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error description for the sign-in operation'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the sign-in operation'}, + "ResultType": {"data_type": "string", "description": 'The result of the sign-in operation can be Success or Failure'}, + "ServicePrincipalCredentialKeyId": {"data_type": "string", "description": 'Key id of the service principal that initiated the sign-in'}, + "ServicePrincipalCredentialThumbprint": {"data_type": "string", "description": 'Thumbprint of the service principal that initiated the sign-in'}, + "ServicePrincipalId": {"data_type": "string", "description": 'ID of the service principal who initiated the sign-in'}, + "ServicePrincipalName": {"data_type": "string", "description": 'Service Principal Name of the service principal who initiated the sign-in'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenIdentifier": {"data_type": "string", "description": 'Unique token identifier for the request'}, + }, + "AADUserRiskEvents": { + "Activity": {"data_type": "string", "description": 'Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue.'}, + "ActivityDateTime": {"data_type": "datetime", "description": 'Date and time when the risky activity occurred.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'Additional information associated with the user risk event in JSON format.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.'}, + "DetectedDateTime": {"data_type": "datetime", "description": 'Date and time that the risk was detected.'}, + "DetectionTimingType": {"data_type": "string", "description": 'Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue.'}, + "Id": {"data_type": "string", "description": 'Unique ID of the risk event.'}, + "IpAddress": {"data_type": "string", "description": 'The IP address of the client from where the risk occurred.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedDateTime": {"data_type": "datetime", "description": 'Date and time when the risk detection was last updated.'}, + "Location": {"data_type": "dynamic", "description": 'Location of the sign-in.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RequestId": {"data_type": "string", "description": 'Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in.'}, + "RiskDetail": {"data_type": "string", "description": 'Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue.'}, + "RiskEventType": {"data_type": "string", "description": 'The type of risk event detected.'}, + "RiskLevel": {"data_type": "string", "description": 'Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue.'}, + "RiskState": {"data_type": "string", "description": 'The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue.'}, + "Source": {"data_type": "string", "description": 'Source of the risk detection. For example, activeDirectory.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC.'}, + "TokenIssuerType": {"data_type": "string", "description": 'Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserDisplayName": {"data_type": "string", "description": 'The user principal name (UPN) of the user.'}, + "UserId": {"data_type": "string", "description": 'Unique ID of the user.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The user principal name (UPN) of the user.'}, + }, + "ABSBotRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BotId": {"data_type": "string", "description": 'Name of the bot or the bot handle.'}, + "Category": {"data_type": "string", "description": 'Classification of the log.'}, + "Channel": {"data_type": "string", "description": 'Name of the Channel generating the log such as Direct Line, MS Teams, Facebook, etc.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "real", "description": 'Duration of the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'log level of message such as Information, Warning, Error, etc.'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the log (Azure region name e.g. West US).'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "int", "description": 'HTTP request response code.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ABSChannelToBotRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BotId": {"data_type": "string", "description": 'Name of the bot or the bot handle.'}, + "Category": {"data_type": "string", "description": 'Classification of the log.'}, + "Channel": {"data_type": "string", "description": 'Name of the Channel making generating the log (e.g. DirectLine, Facebook, etc.).'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "real", "description": 'Duration of a request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'log level of message (Information, Warning, Error, etc.).'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the log (Azure region name e.g. West US).'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "int", "description": 'HTTP request response code.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ABSDependenciesRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BotId": {"data_type": "string", "description": 'Name of the bot or the bot handle.'}, + "Category": {"data_type": "string", "description": 'Classification of the log.'}, + "Channel": {"data_type": "string", "description": 'Name of the Channel making generating the log (e.g. DirectLine, Facebook, etc.).'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "real", "description": 'Duration of a request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'log level of message (Information, Warning, Error, etc.).'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the log (Azure region name e.g. West US).'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "int", "description": 'HTTP request response code.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACICollaborationAudit": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated pipeline run events. Can be used to identify audits that belong to the same pipeline run.'}, + "EntitlementResult": {"data_type": "string", "description": 'The result of the entitlement evaluation. Options are: Granted = access granted; Denied = access was not granted; Revoked = accessed was revoked because the pipeline could not be fully approved; Actualized = the resource was accessed by the pipeline run.'}, + "EntitlementSummary": {"data_type": "string", "description": 'Textual summary of the granted access.'}, + "GrantCorrelationId": {"data_type": "string", "description": 'The ID for the grant events. Can be used to correlate between different results of the same grant.'}, + "GrantSource": {"data_type": "string", "description": 'The azure resource ID of the resource the grant is based on.'}, + "GrantSourceType": {"data_type": "string", "description": 'The type of the the resource the grant is based on.'}, + "GrantType": {"data_type": "string", "description": 'The method used to grant access to the resource (Owned, Reference, Entitlement).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The Location (Region) the resource was accessed in.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with audit record.'}, + "ParticipantName": {"data_type": "string", "description": 'The participant friendly name as used in the contract negotiation.'}, + "ParticipantTenantId": {"data_type": "string", "description": 'The participant tenant id. Enable query by the granted tenant invariant id. Example of retrieving this is for contoso: https://login.microsoftonline.com/contoso.com/.well-known/openid-configuration'}, + "ReferencedResourceId": {"data_type": "string", "description": 'The storage resource that the accessed CI resource points to, if applicable'}, + "ReferencedResourceType": {"data_type": "string", "description": 'The storage resource type that the accessed CI resource points to, if applicable.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResourceId": {"data_type": "string", "description": 'The azure resource ID of the accessed resource.'}, + "TargetResourceType": {"data_type": "string", "description": 'The resource type of the accessed resource.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the audit was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'Name of the user that initiated the pipeline. Available only if the audit relate to owned resource'}, + }, + "ACRConnectedClientList": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheName": {"data_type": "string", "description": 'The name of the Azure Cache for Redis instance.'}, + "ClientCount": {"data_type": "int", "description": 'The number of Redis client connections from the associated IP address.'}, + "ClientIp": {"data_type": "string", "description": 'The Redis client IP address.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (region) the Azure Cache for Redis instance was accessed in.'}, + "OperationName": {"data_type": "string", "description": 'The Redis operation associated with the log record.'}, + "PrivateLinkIpv6": {"data_type": "string", "description": 'The Redis client private link IPv6 address (if applicable).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoleInstance": {"data_type": "string", "description": 'The role instance which logged the client list.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of when the log was generated in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACREntraAuthenticationAuditLog": { + "Authentication": {"data_type": "string", "description": 'Authentication result.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheName": {"data_type": "string", "description": 'The name of the Azure Cache for Redis instance.'}, + "ClientId": {"data_type": "string", "description": 'Client identifier.'}, + "ClientName": {"data_type": "string", "description": 'Client name.'}, + "IpAddress": {"data_type": "string", "description": 'The IP address and port associated with the log event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Lifetime": {"data_type": "string", "description": 'Duration of Microsoft Entra authentication validity, measured in Milliseconds from the initial connection.'}, + "Location": {"data_type": "string", "description": 'The location (region) the Azure Cache for Redis instance was accessed in.'}, + "Message": {"data_type": "string", "description": 'The message associated with the log event.'}, + "OperationName": {"data_type": "string", "description": 'The Redis operation associated with the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoleInstance": {"data_type": "int", "description": 'The role instance associated with the log event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of when the log was generated in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Username": {"data_type": "string", "description": "The user's identifier or username."}, + }, + "ACSAdvancedMessagingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "ChannelId": {"data_type": "string", "description": 'The Channel Registration ID of the channel used to send the request.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "Location": {"data_type": "string", "description": 'The location the request was processed.'}, + "MessageStatus": {"data_type": "string", "description": 'The status result of the message send. Possible values include: "delivered", "read", "sent", "failed", "accepted", "preprocessingfailed", "received", and "unknown".'}, + "MessageType": {"data_type": "string", "description": 'The type of message in the request. Possible values include: "text", "media", and "template".'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ACSAuthIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "Identity": {"data_type": "string", "description": "The request sender's identity"}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "PlatformType": {"data_type": "string", "description": 'The platform type being used in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "Scopes": {"data_type": "dynamic", "description": 'Scopes for the auth request (e.g. Chat, SMS, etc.)'}, + "SdkType": {"data_type": "string", "description": 'The SDK type being used in the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request'}, + }, + "ACSBillingUsage": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "EndTime": {"data_type": "datetime", "description": 'The time when resource consumption ended. Optional, as some events are instant by nature.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "ParticipantId": {"data_type": "string", "description": 'Participant Id is the link between billing data and calling data.'}, + "Quantity": {"data_type": "real", "description": 'The amount of usage in terms of the specified unit.'}, + "RecordId": {"data_type": "string", "description": 'The unique ID for a given usage record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Time when the resource consumption started.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnitType": {"data_type": "string", "description": 'The unit in which the type of usage is measured.'}, + "UsageType": {"data_type": "string", "description": 'The type of resource being consumed.'}, + "UserIdA": {"data_type": "string", "description": 'User ID consuming the resource.'}, + "UserIdB": {"data_type": "string", "description": 'User ID consuming the resource for consumables involving two users.'}, + }, + "ACSCallAutomationIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallConnectionId": {"data_type": "string", "description": 'Id of the call connection/leg, if available.'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationId": {"data_type": "string", "description": 'The ID for media events. Can be used to identify operation events between ACSCallAutomationMediaSummary table and this.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version associated with the operation or version of the operation (if there is no API version).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "int", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SdkType": {"data_type": "string", "description": 'The SDK type used in the request.'}, + "SdkVersion": {"data_type": "string", "description": 'SDK Version.'}, + "ServerCallId": {"data_type": "string", "description": 'Server Call Id.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubOperationName": {"data_type": "string", "description": 'Denotes the operation specific configuration (e.g. Recognize Dtmf, Play File), if available.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ACSCallAutomationMediaSummary": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationId": {"data_type": "string", "description": 'The ID for media events. Can be used to identify operation events between ACSCallAutomationIncomingOperations table and this.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PlayInLoop": {"data_type": "bool", "description": 'Describes if the Play was requested to loop.'}, + "PlayInterrupted": {"data_type": "bool", "description": 'Describes if the play operation was interrupted.'}, + "PlayToParticipant": {"data_type": "bool", "description": 'True if Play request was targeted to a single participant, false if it was played to all participants.'}, + "RecognizePromptSubOperationName": {"data_type": "string", "description": "Describes the Recognize request's prompt kind, i.e. SSML, Text, File. Only available when Prompt is requested during Recognize operation."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "int", "description": 'The HTTP result code for the operation.'}, + "ResultMessage": {"data_type": "string", "description": 'The result message related to the operation.'}, + "ResultSubcode": {"data_type": "int", "description": 'The sub status code for the operation.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSCallClientMediaStatsTimeSeries": { + "AggregationIntervalSeconds": {"data_type": "int", "description": 'ACS calling media stats aggregation interval in seconds.'}, + "Average": {"data_type": "real", "description": 'The average of a certain media metric statistics.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallClientTimeStamp": {"data_type": "datetime", "description": "The timestamp (UTC) of when the ACS client's media stats log was generated."}, + "CallId": {"data_type": "string", "description": 'The identifier of the call used to correlate. Can be used to identify correlated events between multiple tables.'}, + "ClientInstanceId": {"data_type": "string", "description": 'Client instance ID.'}, + "Count": {"data_type": "long", "description": 'The count of a certain media metric statistics.'}, + "EndpointId": {"data_type": "string", "description": 'ACS calling endpoint ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Maximum": {"data_type": "real", "description": 'The maximum of a certain media metric statistics.'}, + "MediaStreamCodec": {"data_type": "string", "description": 'Client media stream codec.'}, + "MediaStreamDirection": {"data_type": "string", "description": 'Client media stream direction, i.e. recv or send.'}, + "MediaStreamId": {"data_type": "string", "description": 'ACS calling media stream ID.'}, + "MediaStreamType": {"data_type": "string", "description": 'Client media stream type, i.e. video or screen.'}, + "MetricName": {"data_type": "string", "description": 'Client metric name.'}, + "Minimum": {"data_type": "real", "description": 'The minimum of a certain media metric statistics.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "ParticipantId": {"data_type": "string", "description": 'ID of the participant.'}, + "RemoteEndpointId": {"data_type": "string", "description": 'ACS calling remote endpoint ID.'}, + "RemoteParticipantId": {"data_type": "string", "description": 'ACS remote participant ID.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Sum": {"data_type": "real", "description": 'The sum of a certain media metric statistics.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSCallClientOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallClientTimeStamp": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the call client log was generated.'}, + "CallId": {"data_type": "string", "description": 'The identifier of the call used to correlate. Can be used to identify correlated events between multiple tables.'}, + "ClientInstanceId": {"data_type": "string", "description": 'Client instance ID.'}, + "DurationMs": {"data_type": "long", "description": 'Client operation duration in millisecond.'}, + "EndpointId": {"data_type": "string", "description": 'Azure Communication Service calling endpoint ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": 'Client operation ID.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationPayload": {"data_type": "dynamic", "description": 'Azure Communication Service calling specific operation payload adhering to a defined schema.'}, + "OperationType": {"data_type": "string", "description": 'Client operation type.'}, + "ParticipantId": {"data_type": "string", "description": 'ID of the participant.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "int", "description": 'Client operation event result network code.'}, + "ResultType": {"data_type": "string", "description": 'Client operation event result type.'}, + "SdkVersion": {"data_type": "string", "description": 'Azure Communication Service calling client SDK version associated with the log.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string of the client application.'}, + }, + "ACSCallClosedCaptionsSummary": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CancelReason": {"data_type": "string", "description": 'The reason why the closed captions cancelled.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "Duration": {"data_type": "real", "description": 'Duration of the closed captions in seconds.'}, + "EndReason": {"data_type": "string", "description": 'The reason why the closed captions ended.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpeechRecognitionSessionId": {"data_type": "string", "description": 'The ID given to the closed captions this log refers to.'}, + "SpokenLanguage": {"data_type": "string", "description": 'The spoken language of the closed captions.'}, + "StartTime": {"data_type": "datetime", "description": 'The time that the closed captions started.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSCallDiagnostics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CodecName": {"data_type": "string", "description": 'Codec used for the media stream.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "EndpointId": {"data_type": "string", "description": 'ID of the endpoint.'}, + "EndpointType": {"data_type": "string", "description": 'Type of the endpoint.'}, + "HealedDataRatioAvg": {"data_type": "real", "description": 'Average healed data ratio for incoming audio.'}, + "HealedDataRatioMax": {"data_type": "real", "description": 'Maximum healed data ratio for incoming audio.'}, + "Identifier": {"data_type": "string", "description": 'The indentifier of the call used to correlate. Can be used to identify correlated events between multiple tables.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JitterAvg": {"data_type": "int", "description": 'Average delay of sending the packages in milliseconds.'}, + "JitterBufferSizeAvg": {"data_type": "int", "description": 'Average jitter buffer size in milliseconds.'}, + "JitterBufferSizeMax": {"data_type": "int", "description": 'Maximum jitter buffer size in milliseconds.'}, + "JitterMax": {"data_type": "int", "description": 'Max delay of sending the packages in milliseconds.'}, + "MediaType": {"data_type": "string", "description": 'Type of Media.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "PacketLossRateAvg": {"data_type": "real", "description": 'Average lost packages.'}, + "PacketLossRateMax": {"data_type": "real", "description": 'Max lost packages.'}, + "PacketUtilization": {"data_type": "int", "description": 'Utilized packets for the media stream.'}, + "ParticipantId": {"data_type": "string", "description": 'ID of the participant.'}, + "RecvFreezeDurationPerMinuteInMs": {"data_type": "real", "description": 'Average receive freeze duration per minute in microseconds.'}, + "RecvResolutionHeight": {"data_type": "int", "description": 'Receive average resolution height.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoundTripTimeAvg": {"data_type": "int", "description": 'Average time of a round trip in milliseconds.'}, + "RoundTripTimeMax": {"data_type": "int", "description": 'Max time of a trip in milliseconds.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StreamDirection": {"data_type": "string", "description": 'The direction of the stream, can be inbound or outbound.'}, + "StreamId": {"data_type": "long", "description": 'ID of the stream.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TransportType": {"data_type": "string", "description": 'Type of the internet transport layer, it can be UDP, TCP or unknown.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VideoBitRateAvg": {"data_type": "int", "description": 'Average bitrate.'}, + "VideoBitRateMax": {"data_type": "int", "description": 'Maximum bitrate.'}, + "VideoFrameRateAvg": {"data_type": "real", "description": 'Average frames per second.'}, + }, + "ACSCallRecordingIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallConnectionId": {"data_type": "string", "description": 'Id of the call connection/leg, if available.'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version associated with the operation or version of the operation (if there is no API version).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "int", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SdkType": {"data_type": "string", "description": 'The SDK type used in the request.'}, + "SdkVersion": {"data_type": "string", "description": 'SDK Version.'}, + "ServerCallId": {"data_type": "string", "description": 'Server Call Id.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ACSCallRecordingSummary": { + "AudioChannelsCount": {"data_type": "int", "description": 'Total number of audio channels in the recording.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelType": {"data_type": "string", "description": "The recording's channel type, i.e. mixed, unmixed."}, + "ChunkCount": {"data_type": "int", "description": 'The total number of chunks created fot the recording.'}, + "ContentType": {"data_type": "string", "description": "The recording's content, i.e. Audio Only, Audio - Video, Transcription, etc."}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "FormatType": {"data_type": "string", "description": "The recording's file format."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "RecordingEndReason": {"data_type": "string", "description": 'The reason why the recording ended.'}, + "RecordingId": {"data_type": "string", "description": 'The ID given to the recording this log refers to.'}, + "RecordingLength": {"data_type": "real", "description": 'Duration of the recording in seconds.'}, + "RecordingStartTime": {"data_type": "datetime", "description": 'The time that the recording started.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSCallSummary": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallDuration": {"data_type": "long", "description": 'Duration of the call in seconds.'}, + "CallStartTime": {"data_type": "datetime", "description": 'Start time of the call.'}, + "CallType": {"data_type": "string", "description": 'Type of the call, for example P2P (peer to peer).'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DiagnosticOptions": {"data_type": "string", "description": 'JSON containing the DiagnosticOptions provided during client initialization containing appName, appVersion and tags.'}, + "EndpointId": {"data_type": "string", "description": 'The ID of the endpoint.'}, + "EndpointType": {"data_type": "string", "description": 'Type of the endpoint, for example VoIP (voice over IP).'}, + "Identifier": {"data_type": "string", "description": 'The indentifier of the call used to correlate. Can be used to identify correlated events between multiple tables.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "OsVersion": {"data_type": "string", "description": 'Operating System version.'}, + "ParticipantDuration": {"data_type": "long", "description": 'Duration of the participant call in seconds.'}, + "ParticipantEndReason": {"data_type": "string", "description": "Participant's call end reason."}, + "ParticipantEndSubCode": {"data_type": "string", "description": "Participant's call end reason sub code."}, + "ParticipantId": {"data_type": "string", "description": 'ID of the participant.'}, + "ParticipantStartTime": {"data_type": "datetime", "description": 'Start time of the participant.'}, + "ParticipantTenantId": {"data_type": "string", "description": 'The ID of the Microsoft tenant associated with the identity of the participant. The tenant can either be the Azure tenant that owns the ACS resource or the Microsoft tenant of an M365 identity. This field is used to guide cross-tenant redaction.'}, + "ParticipantType": {"data_type": "string", "description": 'Description of the participant as a combination of its client (Azure Communication Services (ACS) or Teams), and its identity, (ACS or Microsoft 365). Possible values include: ACS (ACS identity and ACS SDK), Teams (Teams identity and Teams client), ACS as Teams external user (ACS identity and ACS SDK in Teams call or meeting), and ACS as Microsoft 365 user (M365 identity and ACS client).'}, + "PstnParticipantCallType": {"data_type": "string", "description": 'The type and direction of PSTN participants, including emergency calling, direct routing, transfer, forwarding, etc.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCategory": {"data_type": "string", "description": 'The category of participant call end reason.'}, + "SdkVersion": {"data_type": "string", "description": 'SDK version.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TeamsThreadId": {"data_type": "string", "description": 'Thread ID of the team.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSCallSurvey": { + "AudioIssues": {"data_type": "string", "description": 'Comma separated audio issues reported by the participant.'}, + "AudioRatingScore": {"data_type": "int", "description": 'Audio experience rated by the participant.'}, + "AudioRatingScoreLowerBound": {"data_type": "int", "description": 'Minimum value of the AudioRatingScore scale.'}, + "AudioRatingScoreThreshold": {"data_type": "int", "description": 'The AudioRatingScore greater than this value indicates better quality.'}, + "AudioRatingScoreUpperBound": {"data_type": "int", "description": 'Maximum value of the AudioRatingScore scale.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallId": {"data_type": "string", "description": 'The identifier of the call used to correlate. Can be used to identify correlated events between multiple tables.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. This field contains the participant ID that allows call survey to be correlated with other calling logs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "OverallCallIssues": {"data_type": "string", "description": 'Comma separated overall issues reported by the participant.'}, + "OverallRatingScore": {"data_type": "int", "description": 'Overall call experience rated by the participant.'}, + "OverallRatingScoreLowerBound": {"data_type": "int", "description": 'Minimum value of the OverallRatingScore scale.'}, + "OverallRatingScoreThreshold": {"data_type": "int", "description": 'The OverallRatingScore greater than this value indicates better quality.'}, + "OverallRatingScoreUpperBound": {"data_type": "int", "description": 'Maximum value of the OverallRatingScore scale.'}, + "ParticipantId": {"data_type": "string", "description": 'ID of the participant.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScreenshareIssues": {"data_type": "string", "description": 'Comma separated screenshare issues reported by the participant.'}, + "ScreenshareRatingScore": {"data_type": "int", "description": 'Screenshare experience rated by the participant.'}, + "ScreenshareRatingScoreLowerBound": {"data_type": "int", "description": 'Minimum value of the ScreenshareRatingScore scale.'}, + "ScreenshareRatingScoreThreshold": {"data_type": "int", "description": 'The ScreenshareRatingScore greater than this value indicates better quality.'}, + "ScreenshareRatingScoreUpperBound": {"data_type": "int", "description": 'Maximum value of the ScreenshareRatingScore scale.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SurveyId": {"data_type": "string", "description": 'The ID of the survey uniquely identifies the call survey.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VideoIssues": {"data_type": "string", "description": 'Comma separated video issues reported by the participant.'}, + "VideoRatingScore": {"data_type": "int", "description": 'Video experience rated by the participant.'}, + "VideoRatingScoreLowerBound": {"data_type": "int", "description": 'Minimum value of the VideoRatingScore scale.'}, + "VideoRatingScoreThreshold": {"data_type": "int", "description": 'The VideoRatingScore greater than this value indicates better quality.'}, + "VideoRatingScoreUpperBound": {"data_type": "int", "description": 'Maximum value of the VideoRatingScore scale.'}, + }, + "ACSChatIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type.'}, + "ChatMessageId": {"data_type": "int", "description": 'The chat message id associated with the request.'}, + "ChatThreadId": {"data_type": "string", "description": 'The chat thread id associated with the request.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation, if the operationName was performed using an API. If there is no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future.'}, + "PlatformType": {"data_type": "string", "description": 'The platform type used in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SdkType": {"data_type": "string", "description": 'The Sdk type used in the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request'}, + "UserId": {"data_type": "string", "description": "The request sender's user id."}, + }, + "ACSEmailSendMailOperational": { + "AttachmentsCount": {"data_type": "int", "description": 'The count of attachments attached to a request.'}, + "BccRecipientsCount": {"data_type": "int", "description": "The count of unique recipients on the 'Bcc' line."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CcRecipientsCount": {"data_type": "int", "description": "The count of unique recipients on the 'Cc' line."}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location the request was processed.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Size": {"data_type": "real", "description": 'The size of the email in megabypes.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "ToRecipientsCount": {"data_type": "int", "description": "The count of unique recipients on the 'To' line."}, + "TrafficSource": {"data_type": "string", "description": 'The traffic source of a request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueRecipientsCount": {"data_type": "int", "description": 'The unique count of all recipients.'}, + }, + "ACSEmailStatusUpdateOperational": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables.'}, + "DeliveryStatus": {"data_type": "string", "description": 'The count of unique recipients on the Cc line.'}, + "EnhancedSmtpStatusCode": {"data_type": "string", "description": 'The enhanced SMTP status code returned from the recipient email server (if available).'}, + "FailureMessage": {"data_type": "string", "description": 'Verbatim error message for the given SMTP or EnhancedSmtp status code.'}, + "FailureReason": {"data_type": "string", "description": 'Failure reason for the given SMTP or EnhancedSmtp status code.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsHardBounce": {"data_type": "string", "description": 'Signifies whether a delivery failure was due to a permanent or temporary issue. IsHardBounce == true means a permanent mailbox issue preventing emails from being delivered.'}, + "Location": {"data_type": "string", "description": 'The location the request was processed.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "RecipientId": {"data_type": "string", "description": 'The count of unique recipients on the To line.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SenderDomain": {"data_type": "string", "description": 'The domain portion of the SenderAddress used in sending emails.'}, + "SenderUsername": {"data_type": "string", "description": 'The username portion of the SenderAddress used in sending emails.'}, + "SmtpStatusCode": {"data_type": "string", "description": 'The SMTP status code returned from the recipient email server in response to a send mail request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSEmailUserEngagementOperational": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. This value is populated with the MessageID returned by Email send requests and can be used to identify correlated events between Email Operational tables.'}, + "EngagementContext": {"data_type": "string", "description": 'The context of the user interaction.'}, + "EngagementType": {"data_type": "string", "description": 'The type of user engagement.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location the request was processed.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "RecipientId": {"data_type": "string", "description": 'The count of unique recipients on the To line.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string of the client application.'}, + }, + "ACSJobRouterIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "real", "description": 'The duration of the operation in milliseconds.'}, + "EntityId": {"data_type": "string", "description": 'The Entity Id for the request.'}, + "EntityType": {"data_type": "string", "description": 'The Entity Type for the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SdkType": {"data_type": "string", "description": 'The SDK type used in the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ACSNetworkTraversalDiagnostics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesReceived": {"data_type": "long", "description": 'Number of bytes received by the client.'}, + "BytesSent": {"data_type": "long", "description": 'Number of bytes sent by the client.'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID associated with the relay session.'}, + "Identity": {"data_type": "string", "description": "The request sender's identity, if provided when requesting the relay configuration used to establish the session."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Protocol": {"data_type": "string", "description": 'The protocol used for the session (e.g. TCP or UDP).'}, + "Reason": {"data_type": "string", "description": 'Describes the reason for the relay session ending (e.g. Deallocated or Expired). Only defined for logs of the operation RelaySessionEnd.'}, + "RelayLocation": {"data_type": "string", "description": 'The location of the relay server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation (e.g. Succeeded or Failed).'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TotalBytesFromClient": {"data_type": "long", "description": 'Number of bytes received from a client during the session.'}, + "TotalBytesToClient": {"data_type": "long", "description": 'Number of bytes sent to a client during the session.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ACSNetworkTraversalIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "Identity": {"data_type": "string", "description": "The request sender's identity, if provided."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "PlatformType": {"data_type": "string", "description": 'The platform type being used in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation (e.g. Succeeded or Failed).'}, + "RouteType": {"data_type": "string", "description": 'The routing methodology to where the ICE server will be located from the client (e.g. Any or Nearest).'}, + "SdkType": {"data_type": "string", "description": 'The SDK type being used in the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TTL": {"data_type": "string", "description": 'The TTL specified in the request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request'}, + }, + "ACSRoomsIncomingOperations": { + "AddedRoomParticipantsCount": {"data_type": "int", "description": 'The count of participants added to a room.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The unique ID of the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record. e.g., CreateRoom, PatchRoom, GetRoom, ListRooms, DeleteRoom, GetParticipants, AddParticipants, UpdateParticipants, or RemoveParticipants.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "PstnDialOutEnabled": {"data_type": "bool", "description": 'Flag to true if, at the time of the call, dial out to a PSTN number is enabled in a particular room.'}, + "RemovedRoomParticipantsCount": {"data_type": "int", "description": 'The count of participants removed in a room.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "RoomId": {"data_type": "string", "description": 'The ID of the room.'}, + "RoomLifespan": {"data_type": "int", "description": 'The Room lifespan in minutes.'}, + "RoomParticipantsAttendee": {"data_type": "int", "description": 'The participants count with attendee role.'}, + "RoomParticipantsConsumer": {"data_type": "int", "description": 'The participants count with consumer role.'}, + "RoomParticipantsCount": {"data_type": "int", "description": 'The count of participants in a room.'}, + "RoomParticipantsPresenter": {"data_type": "int", "description": 'The participants count with presenter role.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpsertedRoomParticipantsCount": {"data_type": "int", "description": 'The count of participants upserted in a room.'}, + }, + "ACSSMSIncomingOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "Category": {"data_type": "string", "description": 'The log category of the event. Logs with the same log category and resource type will have the same properties fields.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "Country": {"data_type": "string", "description": 'The recipient country.'}, + "DeliveryAttempts": {"data_type": "int", "description": 'The number of attempts made to deliver this message.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "IncomingMessageLength": {"data_type": "int", "description": 'The number of characters in the incoming message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation.'}, + "MessageId": {"data_type": "string", "description": 'The identifier of the outgoing Sms message. Only present if message processed.'}, + "Method": {"data_type": "string", "description": 'The method used in the request.'}, + "NumberType": {"data_type": "string", "description": 'The type of number used for sending or receiving the SMS message (e.g. LongCodeNumber)'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API-version associated with the operation or version of the operation (if there is no API version).'}, + "OutgoingMessageLength": {"data_type": "int", "description": 'The number of characters in the outgoing message.'}, + "PhoneNumber": {"data_type": "string", "description": 'The number used for sending or receiving the SMS message (e.g. +18445791704)'}, + "PlatformType": {"data_type": "string", "description": 'The platform type being used in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The status text response of the result of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the operation.'}, + "SdkType": {"data_type": "string", "description": 'The SDK type being used in the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ADAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": 'The segment in which action is to be performed'}, + "ActionAreaId": {"data_type": "string", "description": 'ID generated for Action Area'}, + "AffectedObjectName": {"data_type": "string", "description": 'Name of the affected object'}, + "AffectedObjectType": {"data_type": "string", "description": 'Type of object which is affected'}, + "AssessmentId": {"data_type": "string", "description": 'ID of the assessment'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'The machine from which data is uploaded'}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": 'Description of the recommendation'}, + "Domain": {"data_type": "string", "description": 'Domain of the system'}, + "DomainController": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": 'Area to be focussed on'}, + "FocusAreaId": {"data_type": "string", "description": 'ID of the Focus Area'}, + "Forest": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": 'Generated recommendation'}, + "RecommendationId": {"data_type": "string", "description": 'ID of the recommendation generated'}, + "RecommendationResult": {"data_type": "string", "description": 'Result of the recommendation generated'}, + "RecommendationWeight": {"data_type": "real", "description": 'Weight of recommendation'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AddonAzureBackupAlerts": { + "AlertCode": {"data_type": "string", "description": ''}, + "AlertConsolidationStatus": {"data_type": "string", "description": ''}, + "AlertOccurrenceDateTime": {"data_type": "datetime", "description": ''}, + "AlertRaisedOn": {"data_type": "string", "description": ''}, + "AlertSeverity": {"data_type": "string", "description": ''}, + "AlertStatus": {"data_type": "string", "description": ''}, + "AlertTimeToResolveInMinutes": {"data_type": "real", "description": ''}, + "AlertType": {"data_type": "string", "description": ''}, + "AlertUniqueId": {"data_type": "string", "description": ''}, + "BackupItemUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CountOfAlertsConsolidated": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "ProtectedContainerUniqueId": {"data_type": "string", "description": ''}, + "RecommendedAction": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "StorageUniqueId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + }, + "AddonAzureBackupJobs": { + "AdHocOrScheduledJob": {"data_type": "string", "description": ''}, + "ArchiveTierStorageReplicationType": {"data_type": "string", "description": ''}, + "AzureDataCenter": {"data_type": "string", "description": ''}, + "BackupItemFriendlyName": {"data_type": "string", "description": ''}, + "BackupItemId": {"data_type": "string", "description": ''}, + "BackupItemUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "DatasourceFriendlyName": {"data_type": "string", "description": ''}, + "DatasourceResourceId": {"data_type": "string", "description": ''}, + "DatasourceSetFriendlyName": {"data_type": "string", "description": ''}, + "DatasourceSetResourceId": {"data_type": "string", "description": ''}, + "DatasourceSetType": {"data_type": "string", "description": ''}, + "DatasourceType": {"data_type": "string", "description": ''}, + "DataTransferredInMB": {"data_type": "real", "description": ''}, + "ExtendedProperties": {"data_type": "dynamic", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobDurationInSecs": {"data_type": "real", "description": ''}, + "JobFailureCode": {"data_type": "string", "description": ''}, + "JobOperation": {"data_type": "string", "description": ''}, + "JobOperationSubType": {"data_type": "string", "description": ''}, + "JobStartDateTime": {"data_type": "datetime", "description": ''}, + "JobStatus": {"data_type": "string", "description": ''}, + "JobUniqueId": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "ProtectedContainerUniqueId": {"data_type": "string", "description": ''}, + "RecoveryJobDestination": {"data_type": "string", "description": ''}, + "RecoveryJobRPDateTime": {"data_type": "datetime", "description": ''}, + "RecoveryJobRPLocation": {"data_type": "string", "description": ''}, + "RecoveryLocationType": {"data_type": "string", "description": ''}, + "ResourceGroupName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "StorageReplicationType": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultName": {"data_type": "string", "description": ''}, + "VaultTags": {"data_type": "string", "description": ''}, + "VaultType": {"data_type": "string", "description": ''}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + }, + "AddonAzureBackupPolicy": { + "ArchiveTierDailyRetentionDuration": {"data_type": "int", "description": ''}, + "ArchiveTierDefaultRetentionDuration": {"data_type": "int", "description": ''}, + "ArchiveTieringDuration": {"data_type": "int", "description": ''}, + "ArchiveTieringDurationType": {"data_type": "string", "description": ''}, + "ArchiveTieringMode": {"data_type": "string", "description": ''}, + "ArchiveTierMonthlyRetentionDuration": {"data_type": "int", "description": ''}, + "ArchiveTierStorageReplicationType": {"data_type": "string", "description": ''}, + "ArchiveTierWeeklyRetentionDuration": {"data_type": "int", "description": ''}, + "ArchiveTierYearlyRetentionDuration": {"data_type": "int", "description": ''}, + "AzureDataCenter": {"data_type": "string", "description": ''}, + "BackupDaysOfTheWeek": {"data_type": "string", "description": ''}, + "BackupFrequency": {"data_type": "string", "description": ''}, + "BackupIntervalInHours": {"data_type": "int", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "BackupTimes": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "DailyRetentionDuration": {"data_type": "int", "description": ''}, + "DailyRetentionTimes": {"data_type": "string", "description": ''}, + "DatasourceType": {"data_type": "string", "description": ''}, + "DiffBackupDaysofTheWeek": {"data_type": "string", "description": ''}, + "DiffBackupFormat": {"data_type": "string", "description": ''}, + "DiffBackupRetentionDuration": {"data_type": "int", "description": ''}, + "DiffBackupTime": {"data_type": "string", "description": ''}, + "DifferentialBackupDaysOfTheWeek": {"data_type": "string", "description": ''}, + "DifferentialBackupFrequency": {"data_type": "string", "description": ''}, + "DifferentialBackupTimes": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "dynamic", "description": ''}, + "FullBackupDaysOfTheWeek": {"data_type": "string", "description": ''}, + "FullBackupFrequency": {"data_type": "string", "description": ''}, + "FullBackupTimes": {"data_type": "string", "description": ''}, + "IncrementalBackupDaysOfTheWeek": {"data_type": "string", "description": ''}, + "IncrementalBackupFrequency": {"data_type": "string", "description": ''}, + "IncrementalBackupTimes": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogBackupFrequency": {"data_type": "int", "description": ''}, + "LogBackupRetentionDuration": {"data_type": "int", "description": ''}, + "MonthlyRetentionDaysOfTheMonth": {"data_type": "string", "description": ''}, + "MonthlyRetentionDaysOfTheWeek": {"data_type": "string", "description": ''}, + "MonthlyRetentionDuration": {"data_type": "int", "description": ''}, + "MonthlyRetentionFormat": {"data_type": "string", "description": ''}, + "MonthlyRetentionTimes": {"data_type": "string", "description": ''}, + "MonthlyRetentionWeeksOfTheMonth": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "PolicyId": {"data_type": "string", "description": ''}, + "PolicyName": {"data_type": "string", "description": ''}, + "PolicySubType": {"data_type": "string", "description": ''}, + "PolicyTimeZone": {"data_type": "string", "description": ''}, + "PolicyUniqueId": {"data_type": "string", "description": ''}, + "ResourceGroupName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RetentionDuration": {"data_type": "int", "description": ''}, + "RetentionType": {"data_type": "string", "description": ''}, + "ScheduleWindowDuration": {"data_type": "int", "description": ''}, + "ScheduleWindowStartTime": {"data_type": "datetime", "description": ''}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SnapshotTierDailyRetentionDuration": {"data_type": "int", "description": ''}, + "SnapshotTierDefaultRetentionDuration": {"data_type": "int", "description": ''}, + "SnapshotTierMonthlyRetentionDuration": {"data_type": "int", "description": ''}, + "SnapshotTierWeeklyRetentionDuration": {"data_type": "int", "description": ''}, + "SnapshotTierYearlyRetentionDuration": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StandardTierDefaultRetentionDuration": {"data_type": "int", "description": ''}, + "State": {"data_type": "string", "description": ''}, + "StorageReplicationType": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SynchronisationFrequencyPerDay": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultName": {"data_type": "string", "description": ''}, + "VaultTags": {"data_type": "string", "description": ''}, + "VaultType": {"data_type": "string", "description": ''}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + "WeeklyRetentionDaysOfTheWeek": {"data_type": "string", "description": ''}, + "WeeklyRetentionDuration": {"data_type": "int", "description": ''}, + "WeeklyRetentionTimes": {"data_type": "string", "description": ''}, + "YearlyRetentionDaysOfTheMonth": {"data_type": "string", "description": ''}, + "YearlyRetentionDaysOfTheWeek": {"data_type": "string", "description": ''}, + "YearlyRetentionDuration": {"data_type": "int", "description": ''}, + "YearlyRetentionFormat": {"data_type": "string", "description": ''}, + "YearlyRetentionMonthsOfTheYear": {"data_type": "string", "description": ''}, + "YearlyRetentionTimes": {"data_type": "string", "description": ''}, + "YearlyRetentionWeeksOfTheMonth": {"data_type": "string", "description": ''}, + }, + "AddonAzureBackupProtectedInstance": { + "ArchiveTierStorageConsumedInMBs": {"data_type": "real", "description": ''}, + "ArchiveTierStorageReplicationType": {"data_type": "string", "description": ''}, + "AzureDataCenter": {"data_type": "string", "description": ''}, + "BackupItemUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BillingGroupFriendlyName": {"data_type": "string", "description": ''}, + "BillingGroupResourceGroupName": {"data_type": "string", "description": ''}, + "BillingGroupType": {"data_type": "string", "description": ''}, + "BillingGroupUniqueId": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "DatasourceType": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "dynamic", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "ProtectedContainerUniqueId": {"data_type": "string", "description": ''}, + "ProtectedInstanceCount": {"data_type": "int", "description": ''}, + "ResourceGroupName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SourceSizeInMBs": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "StorageConsumedInMBs": {"data_type": "real", "description": ''}, + "StorageReplicationType": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultName": {"data_type": "string", "description": ''}, + "VaultTags": {"data_type": "string", "description": ''}, + "VaultType": {"data_type": "string", "description": ''}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + }, + "AddonAzureBackupStorage": { + "ArchiveTierStorageConsumedInMBs": {"data_type": "string", "description": ''}, + "BackupItemUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "dynamic", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "PreferredWorkloadOnVolume": {"data_type": "string", "description": ''}, + "ProtectedContainerUniqueId": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "StorageAllocatedInMBs": {"data_type": "real", "description": ''}, + "StorageConsumedInMBs": {"data_type": "real", "description": ''}, + "StorageName": {"data_type": "string", "description": ''}, + "StorageTotalSizeInGBs": {"data_type": "real", "description": ''}, + "StorageType": {"data_type": "string", "description": ''}, + "StorageUniqueId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + "VolumeFriendlyName": {"data_type": "string", "description": ''}, + }, + "ADFActivityRun": { + "ActivityIterationCount": {"data_type": "int", "description": ''}, + "ActivityName": {"data_type": "string", "description": ''}, + "ActivityRunId": {"data_type": "string", "description": ''}, + "ActivityType": {"data_type": "string", "description": ''}, + "Annotations": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "EffectiveIntegrationRuntime": {"data_type": "string", "description": ''}, + "End": {"data_type": "datetime", "description": ''}, + "Error": {"data_type": "string", "description": ''}, + "ErrorCode": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "FailureType": {"data_type": "string", "description": ''}, + "Input": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "LinkedServiceName": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Output": {"data_type": "string", "description": ''}, + "PipelineName": {"data_type": "string", "description": ''}, + "PipelineRunId": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "string", "description": ''}, + }, + "ADFAirflowSchedulerLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log that belongs to Airflow application.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the event.'}, + "DataFactoryName": {"data_type": "string", "description": 'The name of the Data factory.'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'The name of the Integration runtime.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The application log of the Airflow event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFAirflowTaskLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log that belongs to Airflow application.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the event.'}, + "DagId": {"data_type": "string", "description": 'The dag ID of the Airflow task run.'}, + "DataFactoryName": {"data_type": "string", "description": 'The name of the Data factory.'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'The name of the Integration runtime.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The application log of the Airflow event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskId": {"data_type": "string", "description": 'The task ID of the Airflow task run.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFAirflowWebLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log that belongs to Airflow application.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the event.'}, + "DataFactoryName": {"data_type": "string", "description": 'The name of the Data factory.'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'The name of the Integration runtime.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The application log of the Airflow event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFAirflowWorkerLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log that belongs to Airflow application.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the event.'}, + "DataFactoryName": {"data_type": "string", "description": 'The name of the Data factory.'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'The name of the Integration runtime.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The application log of the Airflow event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFPipelineRun": { + "Annotations": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "End": {"data_type": "datetime", "description": ''}, + "ErrorCode": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "FailureType": {"data_type": "string", "description": ''}, + "Input": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Output": {"data_type": "string", "description": ''}, + "Parameters": {"data_type": "string", "description": ''}, + "PipelineName": {"data_type": "string", "description": ''}, + "Predecessors": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RunId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemParameters": {"data_type": "string", "description": ''}, + "Tags": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "string", "description": ''}, + }, + "ADFSandboxActivityRun": { + "ActivityIterationCount": {"data_type": "int", "description": ''}, + "ActivityName": {"data_type": "string", "description": ''}, + "ActivityRunId": {"data_type": "string", "description": ''}, + "ActivityType": {"data_type": "string", "description": ''}, + "Annotations": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "EffectiveIntegrationRuntime": {"data_type": "string", "description": ''}, + "End": {"data_type": "datetime", "description": ''}, + "Error": {"data_type": "string", "description": ''}, + "ErrorCode": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "FailureType": {"data_type": "string", "description": ''}, + "Input": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "LinkedServiceName": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Output": {"data_type": "string", "description": ''}, + "PipelineName": {"data_type": "string", "description": ''}, + "PipelineRunId": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "string", "description": ''}, + }, + "ADFSandboxPipelineRun": { + "Annotations": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "End": {"data_type": "datetime", "description": ''}, + "ErrorCode": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "FailureType": {"data_type": "string", "description": ''}, + "Input": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Output": {"data_type": "string", "description": ''}, + "Parameters": {"data_type": "string", "description": ''}, + "PipelineName": {"data_type": "string", "description": ''}, + "Predecessors": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RunId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemParameters": {"data_type": "string", "description": ''}, + "Tags": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "string", "description": ''}, + }, + "ADFSSignInLogs": { + "AlternateSignInName": {"data_type": "string", "description": 'Provides the on-premises UPN of the user sign-ing into Azure AD.e.g. Phone number sign-in'}, + "AppDisplayName": {"data_type": "string", "description": 'The string name of the OAuth client in the request displayed in the Azure Portal'}, + "AppId": {"data_type": "string", "description": 'A unique ID of the Oauth Client ID in the request'}, + "AuthenticationDetails": {"data_type": "string", "description": 'A record of each step of authentication undertaken in the sign-in'}, + "AuthenticationProcessingDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor'}, + "AuthenticationRequirement": {"data_type": "string", "description": 'Type of authentication required for the sign-in. If set to multiFactorAuthentication, an MFA step was required. If set to singleFactorAuthentication, no MFA was required'}, + "AuthenticationRequirementPolicies": {"data_type": "string", "description": 'Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the sign-in event'}, + "ConditionalAccessPolicies": {"data_type": "string", "description": 'Details of the conditional access policies being applied for the sign-in'}, + "ConditionalAccessStatus": {"data_type": "string", "description": 'Status of all the conditionalAccess policies related to the sign-in'}, + "CorrelationId": {"data_type": "string", "description": 'ID to provide sign-in trail'}, + "CreatedDateTime": {"data_type": "datetime", "description": 'Datetime of the sign-in activity'}, + "DeviceDetail": {"data_type": "string", "description": 'Details of the device used for the sign-in'}, + "DurationMs": {"data_type": "long", "description": 'The duration of the operation in milliseconds'}, + "Id": {"data_type": "string", "description": 'Unique ID representing the sign-in activity'}, + "Identity": {"data_type": "string", "description": 'The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal'}, + "IPAddress": {"data_type": "string", "description": 'IP address of the client used to sign in'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsInteractive": {"data_type": "bool", "description": 'Indicates if a sign-in is interactive or not'}, + "Level": {"data_type": "string", "description": 'The severity level of the event'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event'}, + "NetworkLocationDetails": {"data_type": "string", "description": 'Provides the details associated with authentication processor'}, + "OperationName": {"data_type": "string", "description": 'For sign-ins, this value is always Sign-in activity'}, + "OperationVersion": {"data_type": "string", "description": "The REST API version that's requested by the client"}, + "OriginalRequestId": {"data_type": "string", "description": 'The request id of the first request in the authentication sequence'}, + "ProcessingTimeInMs": {"data_type": "string", "description": 'Request processing time in milliseconds in AD STS'}, + "Requirement": {"data_type": "string", "description": 'If the authentication is a primary or secondary authentication. Can be not set.'}, + "ResourceDisplayName": {"data_type": "string", "description": 'The string name of the application the user signed into displayed in the Azure Portal'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group for the logs'}, + "ResourceIdentity": {"data_type": "string", "description": 'A unique ID application ID the user signed into of the request'}, + "ResourceTenantId": {"data_type": "string", "description": 'The resource tenant ID for cross-tenant scenarios'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error description for the sign-in operation'}, + "ResultSignature": {"data_type": "string", "description": 'Contains the error code, if any, for the sign-in operation'}, + "ResultType": {"data_type": "string", "description": 'The result of the sign-in operation can be Success or Failure'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Details of the sign-in status'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time of the event in UTC'}, + "TokenIssuerName": {"data_type": "string", "description": 'Name of the identity provider (e.g. sts.microsoft.com )'}, + "TokenIssuerType": {"data_type": "string", "description": 'Type of identityProvider (Azure AD, AD Federation Services)'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenIdentifier": {"data_type": "string", "description": 'Unique token identifier for the request'}, + "UserAgent": {"data_type": "string", "description": 'User Agent for the sign-in'}, + "UserDisplayName": {"data_type": "string", "description": 'Display name of the user that initiated the sign-in'}, + "UserId": {"data_type": "string", "description": 'ID of the user that initiated the sign-in'}, + "UserPrincipalName": {"data_type": "string", "description": 'User principal name of the user that initiated the sign-in'}, + }, + "ADFSSISIntegrationRuntimeLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "Message": {"data_type": "string", "description": 'Event message'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Status of the log'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFSSISPackageEventMessageContext": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "ContextDepth": {"data_type": "int", "description": 'Context depth'}, + "ContextSourceId": {"data_type": "string", "description": 'Context source Id'}, + "ContextSourceName": {"data_type": "string", "description": 'Context source name'}, + "ContextType": {"data_type": "int", "description": 'Context type'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "OperationId": {"data_type": "long", "description": 'Operation id'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "PackagePath": {"data_type": "string", "description": 'Package path'}, + "PropertyName": {"data_type": "string", "description": 'Property name'}, + "PropertyValue": {"data_type": "dynamic", "description": 'Property value'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFSSISPackageEventMessages": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "EventMessageGuid": {"data_type": "string", "description": 'Event message guid'}, + "EventName": {"data_type": "string", "description": 'Event name'}, + "ExecutionPath": {"data_type": "string", "description": 'Execution path'}, + "ExtendedInfoId": {"data_type": "long", "description": 'Extended info id'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "Message": {"data_type": "string", "description": 'Event message'}, + "MessageCode": {"data_type": "int", "description": 'Message code'}, + "MessageSourceId": {"data_type": "string", "description": 'Message source id'}, + "MessageSourceName": {"data_type": "string", "description": 'Message source name'}, + "MessageSourceType": {"data_type": "int", "description": 'Message source type'}, + "MessageTime": {"data_type": "datetime", "description": 'Message time'}, + "MessageType": {"data_type": "int", "description": 'Message type'}, + "OperationId": {"data_type": "long", "description": 'Operation id'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "PackageName": {"data_type": "string", "description": 'Package name'}, + "PackagePath": {"data_type": "string", "description": 'Package path'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubcomponentName": {"data_type": "string", "description": 'Subcomponent name'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreadId": {"data_type": "int", "description": 'Thread id'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFSSISPackageExecutableStatistics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "EndTime": {"data_type": "datetime", "description": 'Executable end time'}, + "ExecutionDuration": {"data_type": "int", "description": 'Executable execution duration'}, + "ExecutionId": {"data_type": "long", "description": 'Execution id'}, + "ExecutionPath": {"data_type": "string", "description": 'Execution path'}, + "ExecutionResult": {"data_type": "int", "description": 'Execution result'}, + "ExecutionValue": {"data_type": "dynamic", "description": 'Execution value'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Executable start time'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFSSISPackageExecutionComponentPhases": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "EndTime": {"data_type": "datetime", "description": 'End time'}, + "ExecutionId": {"data_type": "long", "description": 'Execution id'}, + "ExecutionPath": {"data_type": "string", "description": 'Execution path'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "PackageName": {"data_type": "string", "description": 'Package name'}, + "Phase": {"data_type": "string", "description": 'Phase'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Start time'}, + "SubcomponentName": {"data_type": "string", "description": 'Subcomponent name'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskName": {"data_type": "string", "description": 'Task name'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFSSISPackageExecutionDataStatistics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'correlation id'}, + "CreatedTime": {"data_type": "datetime", "description": 'Created time'}, + "DataFactoryName": {"data_type": "string", "description": 'Data factory name'}, + "DataflowPathIdString": {"data_type": "string", "description": 'Dataflow path Id string'}, + "DataflowPathName": {"data_type": "string", "description": 'Dataflow path name'}, + "DestinationComponentName": {"data_type": "string", "description": 'Destination component name'}, + "ExecutionId": {"data_type": "long", "description": 'Execution id'}, + "ExecutionPath": {"data_type": "string", "description": 'Execution path'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'Integration runtime name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "PackageName": {"data_type": "string", "description": 'Package name'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RowsSent": {"data_type": "long", "description": 'Rows sent'}, + "SourceComponentName": {"data_type": "string", "description": 'Source somponent name'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskName": {"data_type": "string", "description": 'Task name'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADFTriggerRun": { + "Annotations": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "ErrorCode": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "Input": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Output": {"data_type": "string", "description": ''}, + "Parameters": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemParameters": {"data_type": "string", "description": ''}, + "Tags": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TriggerEvent": {"data_type": "string", "description": ''}, + "TriggerFailureType": {"data_type": "string", "description": ''}, + "TriggerId": {"data_type": "string", "description": ''}, + "TriggerName": {"data_type": "string", "description": ''}, + "TriggerType": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "string", "description": ''}, + }, + "ADPAudit": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Internal ADP correlation ID used in support scenarios.'}, + "Identity": {"data_type": "dynamic", "description": 'Active Directory identity claims'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (region) of the resource.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version against which the operation was performed.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties related to the audit event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The result of the audit operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log record was generated.'}, + "TraceContext": {"data_type": "dynamic", "description": 'W3C Trace Context information used for event correlation.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADPDiagnostics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the diagnostic log record.'}, + "CorrelationId": {"data_type": "string", "description": 'Internal ADP correlation ID used in support scenarios.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The verbosity level of the log record ('Informational', 'Warning', 'Error', or 'Critical')."}, + "Location": {"data_type": "string", "description": 'The location (region) of the resource.'}, + "Message": {"data_type": "string", "description": 'The log record message.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version against which the operation was performed.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties related to the diagnostic log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log record was generated.'}, + "TraceContext": {"data_type": "dynamic", "description": 'W3C Trace Context information used for event correlation.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADPRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the user who has performed the operation.'}, + "CorrelationId": {"data_type": "string", "description": 'Internal ADP correlation ID used in support scenarios.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation in milliseconds.'}, + "HttpStatusCode": {"data_type": "int", "description": 'The HTTP response status code of the corresponding REST call.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (region) of the resource.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version against which the operation was performed.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties related to the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "bool", "description": 'Whether the request was successful or not. Note that long-running asynchronous operations might fail even when the request is successful.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log record was generated.'}, + "TraceContext": {"data_type": "dynamic", "description": 'W3C Trace Context information used for event correlation.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'The URI of the request.'}, + }, + "ADReplicationResult": { + "AssessmentId": {"data_type": "string", "description": 'Unique Guid corresponding to each run'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Computer Name where the solution ran'}, + "ConsecutiveFailures": {"data_type": "int", "description": 'Number of consecutive replication failures between two Domain Controllers'}, + "DestinationServer": {"data_type": "string", "description": 'AD Replication Destination Server'}, + "DestinationSiteName": {"data_type": "string", "description": 'AD Replication Destination Site Name'}, + "HelpLink": {"data_type": "string", "description": 'Help Link for more information'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDestinationGC": {"data_type": "bool", "description": 'Is Destinationation Global Catalog'}, + "IsSourceGC": {"data_type": "bool", "description": 'Is Source Global Catalog'}, + "LastAttemptedSync": {"data_type": "datetime", "description": 'Last Attempted Replication DateTime'}, + "LastSuccessfulSync": {"data_type": "datetime", "description": 'Last Successful DateTime'}, + "LastSyncMessage": {"data_type": "string", "description": 'Last Replication Sync Message'}, + "LastSyncResult": {"data_type": "int", "description": 'Last Replication Sync Success / Failure Code'}, + "PartitionName": {"data_type": "string", "description": 'Partition Name'}, + "PercentOfTSL": {"data_type": "real", "description": 'Percentage of Tombstone Lifecycle'}, + "ReplicationNeighborOption": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceInvocationId": {"data_type": "string", "description": 'Unique Id assigned to a Domain Controller'}, + "SourceServer": {"data_type": "string", "description": 'Source Server Name'}, + "SourceSiteName": {"data_type": "string", "description": 'Source Site Name'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TombstoneLifetime": {"data_type": "string", "description": 'Length of time a deleted object persisted in the database'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADSecurityAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "DNSServer": {"data_type": "string", "description": ''}, + "DNSZone": {"data_type": "string", "description": ''}, + "Domain": {"data_type": "string", "description": ''}, + "DomainController": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "Forest": {"data_type": "string", "description": ''}, + "GroupPolicyObject": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NamingContext": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "Site": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADTDataHistoryOperation": { + "ApplicationId": {"data_type": "string", "description": 'Application ID used in bearer authorization.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'A masked source IP address for the event.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'How long it took to perform the event in milliseconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "int", "description": 'The logging severity of the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version utilized during the event.'}, + "ParentId": {"data_type": "string", "description": "ParentId as part of W3C's trace context. A request without a parent id is the root of the trace."}, + "Region": {"data_type": "string", "description": 'Azure region in which the Digital Twins instance is located.'}, + "RequestUri": {"data_type": "string", "description": "The time series database connection's eventhub endpoint."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the event.'}, + "ResultSignature": {"data_type": "int", "description": 'Http status code of the event (if applicable).'}, + "ResultType": {"data_type": "string", "description": 'Result of the event. For example: Success, Failure, ClientFalure, etc.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": "SpanId as part of W3C's trace context. The ID of this request in the trace."}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "TraceFlags": {"data_type": "string", "description": "TraceFlags as part of W3C's trace context. Controls tracing flags such as sampling, trace level, etc."}, + "TraceId": {"data_type": "string", "description": "TraceId as part of W3C's trace context. The ID of the whole trace used to uniquely identify a distributed trace across systems."}, + "TraceState": {"data_type": "string", "description": "TraceState as part of W3C's trace context. Additional vendor-specific trace identification information to span across different distributed tracing systems."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADTDigitalTwinsOperation": { + "ApplicationId": {"data_type": "string", "description": 'Application ID used in bearer authorization'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'A masked source IP address for the event'}, + "Category": {"data_type": "string", "description": 'The type of resource being emitted'}, + "CorrelationId": {"data_type": "string", "description": 'Customer provided unique identifier for the event'}, + "DurationMs": {"data_type": "string", "description": 'How long it took to perform the event in milliseconds'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The logging severity of the event'}, + "Location": {"data_type": "string", "description": 'Azure region in which the Digital Twins instance is located'}, + "OperationName": {"data_type": "string", "description": 'The type of action being performed during the event'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version utilized during the event'}, + "ParentId": {"data_type": "string", "description": "ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"}, + "RequestUri": {"data_type": "string", "description": 'The endpoint utilized during the event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the event'}, + "ResultSignature": {"data_type": "string", "description": 'Http status code of the event (if applicable)'}, + "ResultType": {"data_type": "string", "description": 'Outcome of the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": "SpanId as part of W3C's Trace Context. The ID of this request in the trace"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time that this event occurred, in UTC'}, + "TraceFlags": {"data_type": "string", "description": "TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."}, + "TraceId": {"data_type": "string", "description": "TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"}, + "TraceState": {"data_type": "string", "description": "TraceState as part of W3C's Trace Context. Additional vendor-specific trace identification information to span across different distributed tracing systems"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADTEventRoutesOperation": { + "ApplicationId": {"data_type": "string", "description": 'Application ID used in bearer authorization'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'A masked source IP address for the event'}, + "Category": {"data_type": "string", "description": 'The type of resource being emitted'}, + "CorrelationId": {"data_type": "string", "description": 'Customer provided unique identifier for the event'}, + "DurationMs": {"data_type": "string", "description": 'How long it took to perform the event in milliseconds'}, + "EndpointName": {"data_type": "string", "description": 'The name of egress endpoint created in Azure Digital Twins'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The logging severity of the event'}, + "Location": {"data_type": "string", "description": 'Azure region in which the Digital Twins instance is located'}, + "OperationName": {"data_type": "string", "description": 'The type of action being performed during the event'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version utilized during the event'}, + "ParentId": {"data_type": "string", "description": "ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"}, + "RequestUri": {"data_type": "string", "description": 'The endpoint utilized during the event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the event'}, + "ResultSignature": {"data_type": "string", "description": 'Http status code of the event (if applicable)'}, + "ResultType": {"data_type": "string", "description": 'Outcome of the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": "SpanId as part of W3C's Trace Context. The ID of this request in the trace"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time that this event occurred, in UTC'}, + "TraceFlags": {"data_type": "string", "description": "TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."}, + "TraceId": {"data_type": "string", "description": "TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"}, + "TraceState": {"data_type": "string", "description": "TraceState as part of W3C's Trace Context. Additional vendor-specific trace identification information to span across different distributed tracing systems"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADTModelsOperation": { + "ApplicationId": {"data_type": "string", "description": 'Application ID used in bearer authorization'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'A masked source IP address for the event'}, + "Category": {"data_type": "string", "description": 'The type of resource being emitted'}, + "CorrelationId": {"data_type": "string", "description": 'Customer provided unique identifier for the event'}, + "DurationMs": {"data_type": "string", "description": 'How long it took to perform the event in milliseconds'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The logging severity of the event'}, + "Location": {"data_type": "string", "description": 'Azure region in which the Digital Twins instance is located'}, + "OperationName": {"data_type": "string", "description": 'The type of action being performed during the event'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version utilized during the event'}, + "ParentId": {"data_type": "string", "description": "ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"}, + "RequestUri": {"data_type": "string", "description": 'The endpoint utilized during the event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the event'}, + "ResultSignature": {"data_type": "string", "description": 'Http status code of the event (if applicable)'}, + "ResultType": {"data_type": "string", "description": 'Outcome of the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": "SpanId as part of W3C's Trace Context. The ID of this request in the trace"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time that this event occurred, in UTC'}, + "TraceFlags": {"data_type": "string", "description": "TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."}, + "TraceId": {"data_type": "string", "description": "TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"}, + "TraceState": {"data_type": "string", "description": "TraceState as part of W3C's Trace Context. Additional vendor-specific trace identification information to span across different distributed tracing systems"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADTQueryOperation": { + "ApplicationId": {"data_type": "string", "description": 'Application ID used in bearer authorization'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'A masked source IP address for the event'}, + "Category": {"data_type": "string", "description": 'The type of resource being emitted'}, + "CorrelationId": {"data_type": "string", "description": 'Customer provided unique identifier for the event'}, + "DurationMs": {"data_type": "string", "description": 'How long it took to perform the event in milliseconds'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The logging severity of the event'}, + "Location": {"data_type": "string", "description": 'Azure region in which the Digital Twins instance is located'}, + "OperationName": {"data_type": "string", "description": 'The type of action being performed during the event'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version utilized during the event'}, + "ParentId": {"data_type": "string", "description": "ParentId as part of W3C's Trace Context. A request without a parent id is the root of the trace"}, + "QueryCharge": {"data_type": "real", "description": 'The QueryCharge for this event in the trace.'}, + "RequestUri": {"data_type": "string", "description": 'The endpoint utilized during the event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the event'}, + "ResultSignature": {"data_type": "string", "description": 'Http status code of the event (if applicable)'}, + "ResultType": {"data_type": "string", "description": 'Outcome of the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": "SpanId as part of W3C's Trace Context. The ID of this request in the trace"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time that this event occurred, in UTC'}, + "TraceFlags": {"data_type": "string", "description": "TraceFlags as part of W3C's Trace Context. Controls tracing flags such as sampling, trace level, etc."}, + "TraceId": {"data_type": "string", "description": "TraceId as part of W3C's Trace Context. The ID of the whole trace used to uniquely identify a distributed trace across systems"}, + "TraceState": {"data_type": "string", "description": "TraceState as part of W3C's Trace Context. Additional vendor-specific trace identification information to span across different distributed tracing systems"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADXCommand": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the command'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of this log for this events it will be Command'}, + "CommandType": {"data_type": "string", "description": 'Command type'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database the command ran on'}, + "Duration": {"data_type": "string", "description": 'Command duration'}, + "FailureReason": {"data_type": "string", "description": 'The failure reason'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command ended'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation'}, + "Principal": {"data_type": "string", "description": 'The principal that invoked the query'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceUtilization": {"data_type": "dynamic", "description": 'Command resource utilization'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command started'}, + "State": {"data_type": "string", "description": 'The State the command ended with'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'The text of the invoked command'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU duration'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user that invoked the query'}, + "WorkloadGroup": {"data_type": "string", "description": 'The workload group the command was classified to'}, + }, + "ADXDataOperation": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of this log for this events it will be DataOperation'}, + "CorrelationId": {"data_type": "string", "description": 'The client request id'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database related to this data operation'}, + "DataOperationKind": {"data_type": "string", "description": 'The kind of the data operation activity'}, + "Duration": {"data_type": "string", "description": 'Data operation duration'}, + "ExtentCount": {"data_type": "int", "description": 'The total number of extents ingested on this operation'}, + "ExtentSize": {"data_type": "long", "description": 'The size of extents (compressed size + index size) ingested (in bytes)'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of this operation'}, + "OriginalSize": {"data_type": "long", "description": 'The original size of data ingested (in bytes)'}, + "Principal": {"data_type": "string", "description": 'The principal that invoked the data operation'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity id'}, + "RowCount": {"data_type": "long", "description": 'The number of rows ingested'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'The name of the table related to this data operation'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU duration'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADXIngestionBatching": { + "BatchingType": {"data_type": "string", "description": 'Trigger of sealing a batch: whether the batch reached batching time, data size, or number of files limit set by batching policy'}, + "BatchSizeBytes": {"data_type": "long", "description": 'Total uncompressed size of data in this batch (bytes)'}, + "BatchTimeSeconds": {"data_type": "real", "description": 'Total batching time of this batch (seconds)'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'Name of the database holding the target table'}, + "DataSourcesInBatch": {"data_type": "int", "description": 'Number of data sources in this batch'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": "The operation's activity ID"}, + "SourceCreationTime": {"data_type": "datetime", "description": 'Minimal time (UTC) at which blobs in this batch were created'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Table": {"data_type": "string", "description": 'Name of the target table into which the data is ingested'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADXJournal": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChangeCommand": {"data_type": "string", "description": 'The executed control command that triggered the metadata change'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database changed following the event'}, + "EntityContainerName": {"data_type": "string", "description": 'The entity container name (entity=column, container=table), or the database name'}, + "EntityName": {"data_type": "string", "description": 'The entity name that the operation was executed on, before the change'}, + "EntityVersion": {"data_type": "string", "description": 'The new metadata version (DB/cluster) following the change'}, + "Event": {"data_type": "string", "description": 'The metadata change event name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationTimestamp": {"data_type": "datetime", "description": 'The timestamp (UTC) at which the metadata operation completed'}, + "OriginalEntityState": {"data_type": "string", "description": 'The state of the entity (entity properties) before the change'}, + "OriginalEntityVersion": {"data_type": "string", "description": 'The version of the entity (entity properties) before the change'}, + "Principal": {"data_type": "string", "description": 'The principal (user/app) that executed the control command'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID of the operation that caused the metadata change (for example: 1234ab0c-567d-8c9e-0123-456789fg012h)'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this log was sent to Log Analytics'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdatedEntityName": {"data_type": "string", "description": 'The new entity name after the change'}, + "UpdatedEntityState": {"data_type": "string", "description": 'The new state after the change'}, + "User": {"data_type": "string", "description": 'The user that executed the control command'}, + }, + "ADXQuery": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the query'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheDiskHits": {"data_type": "long", "description": 'Disk cache hits'}, + "CacheDiskMisses": {"data_type": "long", "description": 'Disk cache misses'}, + "CacheMemoryHits": {"data_type": "long", "description": 'Memory cache hits'}, + "CacheMemoryMisses": {"data_type": "long", "description": 'Memory cache misses'}, + "CacheShardsBypassBytes": {"data_type": "long", "description": 'Shards cache bypass bytes'}, + "CacheShardsColdHits": {"data_type": "long", "description": 'Shards cold cache hits'}, + "CacheShardsColdMisses": {"data_type": "long", "description": 'Shards cold cache misses'}, + "CacheShardsHotHits": {"data_type": "long", "description": 'Shards hot cache hits'}, + "CacheShardsHotMisses": {"data_type": "long", "description": 'Shards hot cache misses'}, + "Category": {"data_type": "string", "description": 'The category of this log for this events it will be Query'}, + "ComponentFault": {"data_type": "string", "description": "The entity that caused the query to fail. For example, if the query result is too large, the ComponentFault will be 'Client'. If an internal error occured, it will be 'Server'"}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database that the command ran on'}, + "Duration": {"data_type": "string", "description": 'Command duration'}, + "ExtentsMaxDataScannedTime": {"data_type": "datetime", "description": 'Maximum data scan time'}, + "ExtentsMinDataScannedTime": {"data_type": "datetime", "description": 'Minimum data scan time'}, + "FailureReason": {"data_type": "string", "description": 'The failure reason'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command ended'}, + "MemoryPeak": {"data_type": "long", "description": 'Memory peak'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation'}, + "Principal": {"data_type": "string", "description": 'The principal that invoked the query'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "ScannedExtentsCount": {"data_type": "long", "description": 'Scanned extents count'}, + "ScannedRowsCount": {"data_type": "long", "description": 'Scanned rows count'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command started'}, + "State": {"data_type": "string", "description": 'The state the command ended with'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableCount": {"data_type": "int", "description": 'Table count'}, + "TablesStatistics": {"data_type": "dynamic", "description": 'Tables statistics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'The text of the invoked query'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU duration'}, + "TotalExtentsCount": {"data_type": "long", "description": 'Total extents count'}, + "TotalRowsCount": {"data_type": "long", "description": 'Total rows count'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user that invoked the query'}, + "WorkloadGroup": {"data_type": "string", "description": 'The workload group the query was classified to'}, + }, + "ADXTableDetails": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CachingPolicy": {"data_type": "dynamic", "description": "The table's effective entity caching policy, serialized as JSON"}, + "CachingPolicyOrigin": {"data_type": "string", "description": 'Caching policy origin entity (Table/Database/Cluster)'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database'}, + "EntityType": {"data_type": "string", "description": 'The type of the table. Can be Table or MaterializedView'}, + "HotExtentCount": {"data_type": "long", "description": 'The total number of extents in the table, stored in the hot cache'}, + "HotExtentSize": {"data_type": "real", "description": 'The total size of extents (compressed size + index size) in the table, stored in the hot cache (in bytes)'}, + "HotOriginalSize": {"data_type": "long", "description": 'The total original size of data in the table, stored in the hot cache (in bytes)'}, + "HotRowCount": {"data_type": "long", "description": 'The total number of rows in the table, stored in the hot cache'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxExtentsCreationTime": {"data_type": "datetime", "description": 'The maximum creation time of an extent in the table (or null, if there are no extents)'}, + "MinExtentsCreationTime": {"data_type": "datetime", "description": 'The minimum creation time of an extent in the table (or null, if there are no extents)'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RetentionPolicy": {"data_type": "dynamic", "description": "The table's effective entity retention policy, serialized as JSON"}, + "RetentionPolicyOrigin": {"data_type": "string", "description": 'Retention policy origin entity (Table/Database/Cluster)'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'The name of the table'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated.'}, + "TotalExtentCount": {"data_type": "long", "description": 'The total number of extents in the table'}, + "TotalExtentSize": {"data_type": "real", "description": 'The total size of extents (compressed size + index size) in the table (in bytes)'}, + "TotalOriginalSize": {"data_type": "real", "description": 'The total original size of data in the table (in bytes)'}, + "TotalRowCount": {"data_type": "long", "description": 'The total number of rows in the table'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ADXTableUsageStatistics": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the command'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxCreatedOn": {"data_type": "datetime", "description": 'Lastest extent time of the table'}, + "MinCreatedOn": {"data_type": "datetime", "description": 'Oldest extent time of the table'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation'}, + "Principal": {"data_type": "string", "description": 'The principal that invoked the query'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'Time (UTC) at which table usage statistics operation started'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'The name of the table'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user that invoked the query'}, + }, + "AegDataPlaneRequests": { + "Authentication": {"data_type": "string", "description": 'The type of secret used for authentication when issuing requests. Key - request uses the SAS key, SASToken - request uses a SAS token generated from SAS key, AADAccessToken - Azure Active Directory issued JSON Web Token (JWT) token, Unknown - None of the above authentication types. OPTIONS requests will have Unknown authentication type.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIpAddress": {"data_type": "string", "description": 'The IP address of the client issuing the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkAccess": {"data_type": "string", "description": 'The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "OperationResult": {"data_type": "string", "description": 'Thw result of the operation. Possible values are: Success, Unauthorized, Forbidden, RequestEntityTooLarge, BadRequest, InternalServerError'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "TlsVersion": {"data_type": "string", "description": 'The transport layer security (TLS) version used by the client connection. Possible values are: 1.0, 1.1 and 1.2'}, + "TotalOperations": {"data_type": "string", "description": "The total number of request with above values issued within the minute. These traces aren't emitted for each publish request. An aggregate for each unique combination of above values is emitted every minute"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AegDeliveryFailureLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name.'}, + "EventSubscriptionName": {"data_type": "string", "description": 'Name of the event subscription.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Log message for the user.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubResourceName": {"data_type": "string", "description": 'Name of the sub resource.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AegPublishFailureLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Log message for the user.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubResourceName": {"data_type": "string", "description": 'Name of the sub resource.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AEWAssignmentBlobLogs": { + "AssignmentBlobDataVersion": {"data_type": "int", "description": 'Data version (gets incremented with every experiment operation) of Assignment Blob.'}, + "AssignmentBlobLastOperationId": {"data_type": "string", "description": 'The last operation id that got published for an assignment blob data version which is generally one below the current version.'}, + "AssignmentBlobNewOperationIds": {"data_type": "dynamic", "description": 'List of new operation ids (changes) that are getting published or added with this assignment blob.'}, + "AssignmentBlobSchemaVersion": {"data_type": "string", "description": 'Schema version of assignment blob data associated with this operation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the operation (to upload blob file) in milliseconds.'}, + "ExperimentWorkspaceId": {"data_type": "string", "description": 'The Guid of your experimentation workspace.'}, + "HttpStatusCode": {"data_type": "int", "description": 'The HTTP status code of the corresponding REST API call operation.'}, + "Identity": {"data_type": "string", "description": 'The resource id of the user assigned managed identity that performed this operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the operation. Will be one of Information, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The location of the resource.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Succeeded, Failed.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URI": {"data_type": "string", "description": 'The request Url.'}, + }, + "AEWAuditLogs": { + "ActionName": {"data_type": "string", "description": 'The event name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The event category. Typical log categories are Audit, Operational, Execution, and Request.'}, + "ExpComponentName": {"data_type": "string", "description": 'The Exp component sending the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The message in the log.'}, + "Operator": {"data_type": "string", "description": 'The user identity triggering the event.'}, + "RequestUri": {"data_type": "string", "description": 'The event URI.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) of the HTTP request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AEWComputePipelinesLogs": { + "AnalysisId": {"data_type": "string", "description": 'The ID of your experiment study.'}, + "AnalysisType": {"data_type": "string", "description": 'The type of your analysis.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventName": {"data_type": "string", "description": 'The event name.'}, + "ExperimentationGroup": {"data_type": "string", "description": 'Experimentation group name of your experiment.'}, + "ExperimentId": {"data_type": "string", "description": 'The GUID of your experiment.'}, + "ExperimentStepId": {"data_type": "string", "description": 'The GUID of your experiment step.'}, + "ExperimentWorkspaceId": {"data_type": "string", "description": 'The Guid ID of your experimentation workspace.'}, + "FeatureId": {"data_type": "string", "description": 'The GUID of your experiment feature.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Properties": {"data_type": "dynamic", "description": 'Event properties in Experimentation Platform Compute Pipeline with json format.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScorecardId": {"data_type": "string", "description": 'The ID of your experiment scorecard.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) of the HTTP request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AFSAuditLogs": { + "ActivityId": {"data_type": "string", "description": 'Internal identifier used for tracking.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Identity": {"data_type": "dynamic", "description": 'JSON structure that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource associated with the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Details about the result of the operation, if available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AGCAccessLogs": { + "BackendHost": {"data_type": "string", "description": 'Address of backend target with appended port. For example \\:\\'}, + "BackendIp": {"data_type": "string", "description": 'IP address of backend target Application Gateway for Containers proxies the request to.'}, + "BackendPort": {"data_type": "int", "description": 'Port number of the backend target.'}, + "BackendResponseLatency": {"data_type": "real", "description": 'Time in milliseconds to receive first byte from Application Gateway for Containers to the backend target.'}, + "BackendTimeTaken": {"data_type": "int", "description": 'Time in milliseconds for the response to be transmitted from the backend target to Application Gateway for Containers.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'IP address of the client initiating the request to the frontend of Application Gateway for Containers.'}, + "FrontendName": {"data_type": "string", "description": 'Name of the Application Gateway for Containers frontend that received the request from the client.'}, + "FrontendPort": {"data_type": "int", "description": 'Port number the request was listened on by Application Gateway for Containers.'}, + "HostName": {"data_type": "string", "description": 'Host header value received from the client by Application Gateway for Containers.'}, + "HttpMethod": {"data_type": "string", "description": 'HTTP Method of the request received from the client by Application Gateway for Containers as per RFC 7231.'}, + "HttpStatusCode": {"data_type": "int", "description": 'HTTP Status code returned from Application Gateway for Containers to the client.'}, + "HttpVersion": {"data_type": "string", "description": 'HTTP version of the request received from the client by Application Gateway for Containers.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "Referrer": {"data_type": "string", "description": 'Referrer header of the request received from the client by Application Gateway for Containers.'}, + "Region": {"data_type": "string", "description": 'The region where Application Gateway for Containers association is deployed'}, + "RequestBodyBytes": {"data_type": "long", "description": 'Size in bytes of the body payload of the request received from the client by Application Gateway for Containers.'}, + "RequestHeaderBytes": {"data_type": "long", "description": 'Size in bytes of the headers of the request received from the client by Application Gateway for Containers.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the request received from the client by Application Gateway for Containers (everything after \\://\\ of the URL).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodyBytes": {"data_type": "long", "description": 'Size in bytes of the body payload of the response returned to the client by Application Gateway for Containers.'}, + "ResponseHeaderBytes": {"data_type": "long", "description": 'Size in bytes of the headers of the response returned to the client by Application Gateway for Containers.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "TimeTaken": {"data_type": "real", "description": 'Time in milliseconds of the client request received by Application Gateway for Containers and the last byte returned to the client from Application Gateway for Containers.'}, + "TlsCipher": {"data_type": "string", "description": 'TLS cipher suite negotiated between the client and Application Gateway for Containers frontend.'}, + "TlsProtocol": {"data_type": "string", "description": 'TLS version negotiated between the client and Application Gateway for Containers frontend.'}, + "TrackingId": {"data_type": "string", "description": 'Generated guid by Application Gateway for Containers to help with tracking and debugging. This value correlates to the x-request-id header returned to the client from Application Gateway for Containers.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'User-Agent header of the request received from the client by Application Gateway for Containers.'}, + }, + "AgriFoodApplicationAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "Identity": {"data_type": "dynamic", "description": 'Identity from the token that was presented in the REST API request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodFarmManagementLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodFarmOperationLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodInsightLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodJobProcessedLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "InitiatedBy": {"data_type": "string", "description": 'Indicates whether the job was initiated by FarmBeats or user.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobId": {"data_type": "string", "description": 'User defined ID of the job.'}, + "JobRunType": {"data_type": "string", "description": 'Indicates whether a job is a periodic job or a one-time job.'}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties associated with the Job.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodModelInferenceLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodProviderAuthLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodSatelliteLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodSensorManagementLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AgriFoodWeatherLogs": { + "ApplicationId": {"data_type": "string", "description": 'ApplicationId in identity claims.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using FarmBeats APIs are grouped into categories. Categories in FarmBeats are logical groupings based on either the data source the underlying APIs fetch data from or on the basis of hierarchy of entities in FarmBeats.'}, + "ClientTenantId": {"data_type": "string", "description": 'TenantId in identity claims.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DataPlaneResourceId": {"data_type": "string", "description": 'ID that uniquely identifies a FarmBeats resource such as a Farm, Farmer, Boundary etc.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "FarmerId": {"data_type": "string", "description": 'Farmer ID associated with the request, wherever applicable.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "ObjectId": {"data_type": "string", "description": 'ObjectId in identity claims.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional details about the result, when available.'}, + "ResultSignature": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AGSGrafanaLoginEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log record.'}, + "CorrelationId": {"data_type": "string", "description": 'GUID for the correlated logs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the log record.'}, + "Location": {"data_type": "string", "description": 'The location (region) the Azure Managed Grafana instance was accessed in.'}, + "Message": {"data_type": "string", "description": 'The inner message of the log record.'}, + "OperationName": {"data_type": "string", "description": 'The Grafana operation associated with the log record.'}, + "ResourceGroup": {"data_type": "string", "description": 'The resource group containing the resource corresponding to the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResource": {"data_type": "string", "description": 'The corresponding resource name of the log record.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log record was generated.'}, + "TraceContext": {"data_type": "dynamic", "description": 'The W3C distributed tracing context for the log record.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user identity of the login event.'}, + "UserRole": {"data_type": "string", "description": 'The Grafana role of the user for the login event.'}, + }, + "AGWAccessLogs": { + "BackendPoolName": {"data_type": "string", "description": 'The backend pool associated with the given request log.'}, + "BackendSettingName": {"data_type": "string", "description": 'The backend setting name associated with the given request log.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'IP of the immediate client of Application Gateway. If another proxy fronts your application gateway, this displays the IP of that fronting proxy.'}, + "ClientResponseTime": {"data_type": "real", "description": 'Time difference (in seconds) between first byte received from the backend to first byte sent to the client.'}, + "Host": {"data_type": "string", "description": 'Address listed in the host header of the request. If rewritten using header rewrite, this field contains the updated host name.'}, + "HttpMethod": {"data_type": "string", "description": 'HTTP method used by the request.'}, + "HttpStatus": {"data_type": "int", "description": 'HTTP status code returned to the client from Application Gateway.'}, + "HttpVersion": {"data_type": "string", "description": 'HTTP version of the request.'}, + "InstanceId": {"data_type": "string", "description": 'Application Gateway instance that served the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ListenerName": {"data_type": "string", "description": 'The listener associated with given request log.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "OriginalHost": {"data_type": "string", "description": 'This field contains the original request host name.'}, + "OriginalRequestUriWithArgs": {"data_type": "string", "description": 'This field contains the original request URL.'}, + "ReceivedBytes": {"data_type": "int", "description": 'Size of packet received, in bytes.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the received request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The rule associated with the given request log.'}, + "SentBytes": {"data_type": "int", "description": 'Size of packet sent, in bytes.'}, + "ServerResponseLatency": {"data_type": "real", "description": 'Latency of the response (in seconds) from the backend server.'}, + "ServerRouted": {"data_type": "string", "description": 'The backend server that application gateway routes the request to.'}, + "ServerStatus": {"data_type": "int", "description": 'HTTP status code of the backend server.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SslCipher": {"data_type": "string", "description": 'Cipher suite being used for TLS communication (if TLS is enabled).'}, + "SslEnabled": {"data_type": "string", "description": 'Whether communication to the backend pools used TLS. Valid values are on and off.'}, + "SslProtocol": {"data_type": "string", "description": 'SSL/TLS protocol being used (if TLS is enabled).'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "TimeTaken": {"data_type": "real", "description": "Length of time (in seconds) that it takes for the first byte of a client request to be processed and its last-byte sent in the response to the client. It's important to note that the Time-Taken field usually includes the time that the request and response packets are traveling over the network."}, + "TransactionId": {"data_type": "string", "description": 'Unique identifier to correlate the request received from the client.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpstreamSourcePort": {"data_type": "int", "description": 'The source port used by Application Gateway when initiating a connection to the backend target.'}, + "UserAgent": {"data_type": "string", "description": 'User agent from the HTTP request header.'}, + "WafEvaluationTime": {"data_type": "real", "description": 'Length of time (in seconds) that it takes for the request to be processed by the WAF.'}, + "WafMode": {"data_type": "string", "description": 'Value can be either Detection or Prevention.'}, + }, + "AGWFirewallLogs": { + "Action": {"data_type": "string", "description": 'Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules, depending on if the WAF is in detection or prevention mode).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'Originating IP for the request.'}, + "ClientPort": {"data_type": "int", "description": 'Originating port for the request.'}, + "DetailedData": {"data_type": "string", "description": 'Specific data found in request that matched the rule for the triggered event.'}, + "DetailedMessage": {"data_type": "string", "description": 'Description of the rule for the triggered event.'}, + "FileDetails": {"data_type": "string", "description": 'Configuration file that contained the rule for the triggered event.'}, + "Hostname": {"data_type": "string", "description": 'Hostname or IP address of the Application Gateway.'}, + "InstanceId": {"data_type": "string", "description": 'Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LineDetails": {"data_type": "string", "description": 'Line number in the configuration file that triggered the event.'}, + "Message": {"data_type": "string", "description": 'User-friendly message for the triggering event. More details are provided in the details section.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RequestUri": {"data_type": "string", "description": 'URL of the received request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleId": {"data_type": "string", "description": 'Rule ID of the triggering event.'}, + "RuleSetType": {"data_type": "string", "description": 'Rule set type. The available value is OWASP.'}, + "RuleSetVersion": {"data_type": "string", "description": 'Rule set version used. Available values are 2.2.9 and 3.0.'}, + "Site": {"data_type": "string", "description": 'Site for which the log was generated. Currently, only Global is listed because rules are global.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "TransactionId": {"data_type": "string", "description": 'Unique ID for a given transaction which helps group multiple rule violations that occurred within the same request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AGWPerformanceLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "FailedRequestCount": {"data_type": "int", "description": 'Number of failed requests.'}, + "HealthyHostCount": {"data_type": "int", "description": 'Number of healthy hosts in the backend pool.'}, + "InstanceId": {"data_type": "string", "description": 'Application Gateway instance for which performance data is being generated. For a multiple-instance application gateway, there is one row per instance.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Latency": {"data_type": "int", "description": 'Average latency (in milliseconds) of requests from the instance to the back end that serves the requests.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RequestCount": {"data_type": "int", "description": 'Number of requests served.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Throughput": {"data_type": "int", "description": 'Average throughput since the last log, measured in bytes per second.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnHealthyHostCount": {"data_type": "int", "description": 'Number of unhealthy hosts in the backend pool.'}, + }, + "AHDSDeidAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An identifier used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'Identity of the issuer of the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was generated.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'HTTP status code returned for the request.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'URI of the request.'}, + }, + "AHDSDicomAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An identifier used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'Identity of the issuer of the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The log's severity level. Possible values are Informational, Warning, and Error."}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was generated.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Indicates whether the operation started or ended.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'Status code returned for the request.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'URI of the request.'}, + }, + "AHDSDicomDiagnosticLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An identifier used to group together a set of related events.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": "Azure region of service from which log was generated. Examples are 'eastus', 'centralindia', 'westus2', etc."}, + "LogLevel": {"data_type": "string", "description": "The log's severity level. Possible values are Informational, Warning, and Error."}, + "Message": {"data_type": "string", "description": 'Description of the log entry.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was generated. For example, Store/PostInstance/POST'}, + "Properties": {"data_type": "dynamic", "description": 'Additional information about the event in JSON array format. Examples include DICOM identifiers present in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AHDSMedTechDiagnosticLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogType": {"data_type": "string", "description": 'Type of the log entry.'}, + "Message": {"data_type": "string", "description": 'Description of the log entry.'}, + "OperationName": {"data_type": "string", "description": 'The operation stage of the service from which the log entry was generated.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AirflowDagProcessingLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log that belongs to Airflow application.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the event.'}, + "DataFactoryName": {"data_type": "string", "description": 'The name of the Data factory.'}, + "IntegrationRuntimeName": {"data_type": "string", "description": 'The name of the Integration runtime.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The application log of the Airflow event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AKSAudit": { + "Annotations": {"data_type": "dynamic", "description": 'An unstructed key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level.'}, + "AuditId": {"data_type": "string", "description": 'Unique audit ID that is generated for each request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Metadata, Request, RequestResponse) of the audit event.'}, + "ObjectRef": {"data_type": "dynamic", "description": 'The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod emitting this audit event.'}, + "RequestObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the request in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "RequestReceivedTime": {"data_type": "datetime", "description": 'Time when the API Server first received the request.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request made by the client to the server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the response, in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "ResponseStatus": {"data_type": "dynamic", "description": 'Response status for the request, which includes the response code. In error cases, this object will include the error message property.'}, + "SourceIps": {"data_type": "dynamic", "description": 'The list of source IP addresses for the originating client and intermediate proxies.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stage": {"data_type": "string", "description": 'The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated.'}, + "StageReceivedTime": {"data_type": "datetime", "description": 'Time when the request reached the current audit stage.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "dynamic", "description": 'Authenticated user metadata of the requesting client, including optional fields such as UID and groups.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string presented by the originating client.'}, + "Verb": {"data_type": "string", "description": 'The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method.'}, + }, + "AKSAuditAdmin": { + "Annotations": {"data_type": "dynamic", "description": 'An unstructed key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level.'}, + "AuditId": {"data_type": "string", "description": 'Unique audit ID that is generated for each request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Metadata, Request, RequestResponse) of the audit event.'}, + "ObjectRef": {"data_type": "dynamic", "description": 'The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod emitting this audit event.'}, + "RequestObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the request in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "RequestReceivedTime": {"data_type": "datetime", "description": 'Time when the API Server first received the request.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request made by the client to the server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the response, in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "ResponseStatus": {"data_type": "dynamic", "description": 'Response status for the request, which includes the response code. In error cases, this object will include the error message property.'}, + "SourceIps": {"data_type": "dynamic", "description": 'The list of source IP addresses for the originating client and intermediate proxies.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stage": {"data_type": "string", "description": 'The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated.'}, + "StageReceivedTime": {"data_type": "datetime", "description": 'Time when the request reached the current audit stage.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "dynamic", "description": 'Authenticated user metadata of the requesting client, including optional fields such as UID and groups.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string presented by the originating client.'}, + "Verb": {"data_type": "string", "description": 'The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method.'}, + }, + "AKSControlPlane": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Service log category describing the service logging the message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Fatal, Error, Warning, Info) of the log message.'}, + "Message": {"data_type": "string", "description": 'Log message body.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod logging the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stream": {"data_type": "string", "description": 'Output stream (stdout, stderr) source of the log message.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ALBHealthEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'Description of the health event.'}, + "FrontendIP": {"data_type": "string", "description": 'Frontend IP of the health event.'}, + "HealthEventType": {"data_type": "string", "description": 'Type of the health event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LoadBalancerResourceId": {"data_type": "string", "description": 'Load Balancer Resource ID of the health event.'}, + "operationName": {"data_type": "string", "description": 'The operation when the record is generated'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the health event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Alert": { + "AlertContext": {"data_type": "string", "description": 'Details of the data item that caused the alert to be generated in XML format.'}, + "AlertDescription": {"data_type": "string", "description": 'Detailed description of the alert.'}, + "AlertError": {"data_type": "string", "description": ''}, + "AlertId": {"data_type": "string", "description": 'GUID of the alert.'}, + "AlertName": {"data_type": "string", "description": 'Name of the alert.'}, + "AlertPriority": {"data_type": "string", "description": 'Priority level of the alert.'}, + "AlertRuleId": {"data_type": "string", "description": ''}, + "AlertRuleInstanceId": {"data_type": "string", "description": ''}, + "AlertSeverity": {"data_type": "string", "description": 'Severity level of the alert.'}, + "AlertState": {"data_type": "string", "description": 'Latest resolution state of the alert.'}, + "AlertStatus": {"data_type": "int", "description": ''}, + "AlertTypeDescription": {"data_type": "string", "description": ''}, + "AlertTypeNumber": {"data_type": "int", "description": ''}, + "AlertValue": {"data_type": "int", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Comments": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "Custom1": {"data_type": "string", "description": ''}, + "Custom10": {"data_type": "string", "description": ''}, + "Custom2": {"data_type": "string", "description": ''}, + "Custom3": {"data_type": "string", "description": ''}, + "Custom4": {"data_type": "string", "description": ''}, + "Custom5": {"data_type": "string", "description": ''}, + "Custom6": {"data_type": "string", "description": ''}, + "Custom7": {"data_type": "string", "description": ''}, + "Custom8": {"data_type": "string", "description": ''}, + "Custom9": {"data_type": "string", "description": ''}, + "Expression": {"data_type": "string", "description": ''}, + "Flags": {"data_type": "int", "description": ''}, + "FlagsDescription": {"data_type": "string", "description": ''}, + "HostName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedBy": {"data_type": "string", "description": 'Name of the user who last modified the alert.'}, + "LinkToSearchResults": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of the management group for System Center Operations Manager agents.'}, + "ObjectDisplayName": {"data_type": "string", "description": ''}, + "PriorityNumber": {"data_type": "int", "description": ''}, + "Query": {"data_type": "string", "description": ''}, + "QueryExecutionEndTime": {"data_type": "datetime", "description": ''}, + "QueryExecutionStartTime": {"data_type": "datetime", "description": ''}, + "RemediationJobId": {"data_type": "string", "description": ''}, + "RemediationRunbookName": {"data_type": "string", "description": ''}, + "RepeatCount": {"data_type": "int", "description": 'Number of times the same alert was generated for the same monitored object since being resolved.'}, + "ResolvedBy": {"data_type": "string", "description": 'Name of the user who resolved the alert. Empty if the alert has not yet been resolved.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceType": {"data_type": "string", "description": ''}, + "ResourceValue": {"data_type": "string", "description": ''}, + "RootObjectName": {"data_type": "string", "description": ''}, + "ServiceDeskConnectionName": {"data_type": "string", "description": ''}, + "ServiceDeskId": {"data_type": "string", "description": ''}, + "ServiceDeskWorkItemLink": {"data_type": "string", "description": ''}, + "ServiceDeskWorkItemType": {"data_type": "string", "description": ''}, + "SourceDisplayName": {"data_type": "string", "description": 'Display name of the monitoring object that generated the alert.'}, + "SourceFullName": {"data_type": "string", "description": 'Full name of the monitoring object that generated the alert.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StateType": {"data_type": "string", "description": ''}, + "StatusDescription": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TemplateId": {"data_type": "string", "description": ''}, + "ThresholdOperator": {"data_type": "string", "description": ''}, + "ThresholdValue": {"data_type": "int", "description": ''}, + "TicketId": {"data_type": "string", "description": 'Ticket ID for the alert if the System Center Operations Manager environment is integrated with a process for assigning tickets for alerts. Empty of no ticket ID is assigned.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TimeLastModified": {"data_type": "datetime", "description": 'Date and time that the alert was last changed.'}, + "TimeRaised": {"data_type": "datetime", "description": 'Date and time that the alert was generated.'}, + "TimeResolved": {"data_type": "datetime", "description": 'Date and time that the alert was resolved. Empty if the alert has not yet been resolved.'}, + "TriggerId": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": ''}, + "ValueDescription": {"data_type": "string", "description": ''}, + "ValueFlags": {"data_type": "int", "description": ''}, + "ValueFlagsDescription": {"data_type": "string", "description": ''}, + }, + "AlertEvidence": { + "AccountDomain": {"data_type": "string", "description": 'Domain of the account.'}, + "AccountName": {"data_type": "string", "description": 'User name of the account.'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure Active Directory.'}, + "AccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account.'}, + "AccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the event in JSON array format.'}, + "AlertId": {"data_type": "string", "description": 'Unique identifier for the alert.'}, + "Application": {"data_type": "string", "description": 'Application that performed the recorded action.'}, + "ApplicationId": {"data_type": "int", "description": 'Unique identifier for the application.'}, + "AttackTechniques": {"data_type": "string", "description": 'MITRE ATT&CK techniques associated with the activity that triggered the alert.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Categories": {"data_type": "string", "description": 'List of categories that the information belongs to, in JSON array format.'}, + "DetectionSource": {"data_type": "string", "description": 'Detection technology or sensor that identified the notable component or activity.'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the machine.'}, + "EmailSubject": {"data_type": "string", "description": 'Subject of the email.'}, + "EntityType": {"data_type": "string", "description": 'Type of object, such as a file, a process, a device, or a user.'}, + "EvidenceDirection": {"data_type": "string", "description": 'Indicates whether the entity is the source or the destination of a network connection.'}, + "EvidenceRole": {"data_type": "string", "description": 'How the entity is involved in an alert, indicating whether it is impacted or is merely related.'}, + "FileName": {"data_type": "string", "description": 'Name of the file that the recorded action was applied to.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Folder containing the file that the recorded action was applied to.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LocalIP": {"data_type": "string", "description": 'IP address assigned to the local device used during communication.'}, + "NetworkMessageId": {"data_type": "string", "description": 'Unique identifier for the email, generated by Office 365.'}, + "OAuthApplicationId": {"data_type": "string", "description": 'Unique identifier of the third-party OAuth application.'}, + "ProcessCommandLine": {"data_type": "string", "description": 'Command line used to create the new process.'}, + "RegistryKey": {"data_type": "string", "description": 'Registry key that the recorded action was applied to.'}, + "RegistryValueData": {"data_type": "string", "description": 'Data of the registry value that the recorded action was applied to.'}, + "RegistryValueName": {"data_type": "string", "description": 'Name of the registry value that the recorded action was applied to.'}, + "RemoteIP": {"data_type": "string", "description": 'IP address that was being connected to.'}, + "RemoteUrl": {"data_type": "string", "description": 'URL or fully qualified domain name (FQDN) that was being connected to.'}, + "ServiceSource": {"data_type": "string", "description": 'Product or service that provided the alert information.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to. This field is usually not populated-use the SHA1 column when available.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatFamily": {"data_type": "string", "description": 'Malware family that the suspicious or malicious file or process has been classified under.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated.'}, + "Title": {"data_type": "string", "description": 'Title of the alert.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AlertHistory": { + "AlertContext": {"data_type": "string", "description": ''}, + "AlertDescription": {"data_type": "string", "description": ''}, + "AlertId": {"data_type": "string", "description": ''}, + "AlertName": {"data_type": "string", "description": ''}, + "AlertPriority": {"data_type": "string", "description": ''}, + "AlertSeverity": {"data_type": "string", "description": ''}, + "AlertState": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Custom1": {"data_type": "string", "description": ''}, + "Custom10": {"data_type": "string", "description": ''}, + "Custom2": {"data_type": "string", "description": ''}, + "Custom3": {"data_type": "string", "description": ''}, + "Custom4": {"data_type": "string", "description": ''}, + "Custom5": {"data_type": "string", "description": ''}, + "Custom6": {"data_type": "string", "description": ''}, + "Custom7": {"data_type": "string", "description": ''}, + "Custom8": {"data_type": "string", "description": ''}, + "Custom9": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedBy": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "RepeatCount": {"data_type": "int", "description": ''}, + "ResolvedBy": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceDisplayName": {"data_type": "string", "description": ''}, + "SourceFullName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TicketId": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TimeLastModified": {"data_type": "datetime", "description": ''}, + "TimeRaised": {"data_type": "datetime", "description": ''}, + "TimeResolved": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AlertInfo": { + "AlertId": {"data_type": "string", "description": 'Unique identifier for the alert.'}, + "AttackTechniques": {"data_type": "string", "description": 'MITRE ATT&CK techniques associated with the activity that triggered the alert.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Type of threat indicator or breach activity identified by the alert.'}, + "DetectionSource": {"data_type": "string", "description": 'Detection technology or sensor that identified the notable component or activity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ServiceSource": {"data_type": "string", "description": 'Product or service that provided the alert information.'}, + "Severity": {"data_type": "string", "description": 'Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated.'}, + "Title": {"data_type": "string", "description": 'Title of the alert.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlComputeClusterEvent": { + "AllocationState": {"data_type": "string", "description": ''}, + "AllocationStateTransitionTime": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterErrorCodes": {"data_type": "string", "description": ''}, + "ClusterName": {"data_type": "string", "description": ''}, + "ClusterType": {"data_type": "string", "description": ''}, + "CoreCount": {"data_type": "int", "description": ''}, + "CreatedBy": {"data_type": "string", "description": ''}, + "CreationApiVersion": {"data_type": "string", "description": ''}, + "CurrentNodeCount": {"data_type": "int", "description": ''}, + "EventType": {"data_type": "string", "description": ''}, + "IdleNodeCount": {"data_type": "int", "description": ''}, + "InitialNodeCount": {"data_type": "int", "description": ''}, + "InternalOperationName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsResizeGrow": {"data_type": "string", "description": ''}, + "LeavingNodeCount": {"data_type": "int", "description": ''}, + "MaximumNodeCount": {"data_type": "int", "description": ''}, + "MinimumNodeCount": {"data_type": "int", "description": ''}, + "NodeDeallocationOption": {"data_type": "string", "description": ''}, + "NodeIdleTimeSecondsBeforeScaleDown": {"data_type": "int", "description": ''}, + "Offer": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "PreemptedNodeCount": {"data_type": "string", "description": ''}, + "PreparingNodeCount": {"data_type": "int", "description": ''}, + "ProvisioningState": {"data_type": "string", "description": ''}, + "Publisher": {"data_type": "string", "description": ''}, + "QuotaAllocated": {"data_type": "string", "description": ''}, + "QuotaUtilized": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": ''}, + "RunningNodeCount": {"data_type": "int", "description": ''}, + "ScalingType": {"data_type": "string", "description": ''}, + "Sku": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubnetId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetNodeCount": {"data_type": "int", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnusableNodeCount": {"data_type": "int", "description": ''}, + "Version": {"data_type": "string", "description": ''}, + "VmFamilyName": {"data_type": "string", "description": ''}, + "VmPriority": {"data_type": "string", "description": ''}, + "VmSize": {"data_type": "string", "description": ''}, + }, + "AmlComputeClusterNodeEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterCreationTime": {"data_type": "string", "description": ''}, + "ClusterName": {"data_type": "string", "description": ''}, + "InternalOperationName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NodeAllocationTime": {"data_type": "datetime", "description": ''}, + "NodeBootTime": {"data_type": "datetime", "description": ''}, + "NodeId": {"data_type": "string", "description": ''}, + "Offer": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Publisher": {"data_type": "string", "description": ''}, + "ResizeEndTime": {"data_type": "datetime", "description": ''}, + "ResizeStartTime": {"data_type": "datetime", "description": ''}, + "ResultSignature": {"data_type": "string", "description": ''}, + "Sku": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTaskEndTime": {"data_type": "datetime", "description": ''}, + "StartTaskStartTime": {"data_type": "datetime", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalE2ETimeInSeconds": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "string", "description": ''}, + "VmFamilyName": {"data_type": "string", "description": ''}, + "VmPriority": {"data_type": "string", "description": ''}, + "VmSize": {"data_type": "string", "description": ''}, + }, + "AmlComputeCpuGpuUtilization": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address.'}, + "ClusterName": {"data_type": "string", "description": 'Compute cluster name for AmlCompute clusters. In case of singularity this would be VirtualCluster(VC) name.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "DeviceId": {"data_type": "string", "description": 'DeviceId of GPU.'}, + "DeviceType": {"data_type": "string", "description": 'Type of compute, either CPU or GPU.'}, + "DurationMs": {"data_type": "string", "description": 'The duration of the operation in milliseconds.'}, + "Identity": {"data_type": "string", "description": 'Identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "MetricName": {"data_type": "string", "description": 'Metric name. This would be Cpu/Gpu utilization metric eg. GpuMemoryUtilization, GpuUtilization, CpuUtilization etc.'}, + "NodeId": {"data_type": "string", "description": 'NodeId on the cluster.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "OperationVersion": {"data_type": "string", "description": 'The api-version associated with the operation, if the operationName was performed using an API.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event. If this operation corresponds to a REST API call, this is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "RunId": {"data_type": "string", "description": 'Unique run identifier.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Utilization": {"data_type": "string", "description": 'Compute utilization of node.'}, + "WorkspaceId": {"data_type": "string", "description": 'Unique workspace identifer.'}, + "WorkspaceName": {"data_type": "string", "description": 'User friendly workspace identifier.'}, + }, + "AmlComputeInstanceEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlComputeInstanceName": {"data_type": "string", "description": 'The name of the compute instance.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events, when applicable.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlComputeJobEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": ''}, + "ClusterName": {"data_type": "string", "description": ''}, + "ClusterResourceGroupName": {"data_type": "string", "description": ''}, + "CreationApiVersion": {"data_type": "string", "description": ''}, + "CustomerSubscriptionId": {"data_type": "string", "description": ''}, + "ErrorDetails": {"data_type": "string", "description": ''}, + "EventType": {"data_type": "string", "description": ''}, + "ExecutionState": {"data_type": "string", "description": ''}, + "ExperimentId": {"data_type": "string", "description": ''}, + "ExperimentName": {"data_type": "string", "description": ''}, + "InternalOperationName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobErrorMessage": {"data_type": "string", "description": ''}, + "JobId": {"data_type": "string", "description": ''}, + "JobName": {"data_type": "string", "description": ''}, + "NodeId": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "ProvisioningState": {"data_type": "string", "description": ''}, + "ResourceGroupName": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": ''}, + "RunInContainer": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TFParameterServerCount": {"data_type": "string", "description": ''}, + "TFWorkerCount": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "ToolType": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceName": {"data_type": "string", "description": ''}, + }, + "AmlDataLabelEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlDataStoreName": {"data_type": "string", "description": "The name of the data store where the project's data is stored."}, + "AmlLabelNames": {"data_type": "string", "description": 'The label class names which are created for the project.'}, + "AmlProjectId": {"data_type": "string", "description": 'The unique identifier of the project.'}, + "AmlProjectName": {"data_type": "string", "description": 'The name of the AML project.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlDataSetEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlDatasetId": {"data_type": "string", "description": 'The ID of the AML Data Set.'}, + "AmlDatasetName": {"data_type": "string", "description": 'The name of the AML Data Set.'}, + "AmlWorkspaceId": {"data_type": "string", "description": 'The unique ID of the workspace.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlDataStoreEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlDatastoreName": {"data_type": "string", "description": 'The name of the AML Data Store.'}, + "AmlWorkspaceId": {"data_type": "string", "description": 'The unique ID of the workspace.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlDeploymentEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlServiceName": {"data_type": "string", "description": 'The name of the AML service.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlEnvironmentEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlEnvironmentName": {"data_type": "string", "description": 'The name of environment.'}, + "AmlEnvironmentVersion": {"data_type": "string", "description": 'The version of the environment.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlInferencingEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlServiceName": {"data_type": "string", "description": 'The name of the AML service.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlModelsEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlModelName": {"data_type": "string", "description": 'The name of the AML Model.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The HTTP status code of the event. Typical values include 200, 201, 202 etc.'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlOnlineEndpointConsoleLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerImageName": {"data_type": "string", "description": 'The name of the docker image running in the container where the log was generated.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container where the log was generated.'}, + "DeploymentName": {"data_type": "string", "description": 'The name of the deployment associated with the log record.'}, + "InstanceId": {"data_type": "string", "description": 'The ID of the instance that generated this log record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The content of the log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlOnlineEndpointEventLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentName": {"data_type": "string", "description": 'The name of the deployment associated with this log record.'}, + "InstanceId": {"data_type": "string", "description": 'The ID of the instance that generated this log record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The content of the inference-server container life cycle event.'}, + "Name": {"data_type": "string", "description": 'The name of the inference-server container life cycle event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with this log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when this log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlOnlineEndpointTrafficLog": { + "AuthType": {"data_type": "string", "description": 'The authentication type of the request (Key, AMLToken, AADToken).'}, + "AzureMLWorkspaceId": {"data_type": "string", "description": 'The machine learning workspace ID of the online endpoint.'}, + "AzureMLWorkspaceName": {"data_type": "string", "description": 'The machine learning workspace name of the online endpoint.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentName": {"data_type": "string", "description": 'The name of the online deployment.'}, + "EndpointName": {"data_type": "string", "description": 'The name of the online endpoint.'}, + "IdentityData": {"data_type": "string", "description": 'The identity data from the user client (JWT OID).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the online endpoint.'}, + "Method": {"data_type": "string", "description": 'The requested method from client.'}, + "ModelStatusCode": {"data_type": "int", "description": 'The response status code from model.'}, + "ModelStatusReason": {"data_type": "string", "description": 'The response status reason from model.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Path": {"data_type": "string", "description": 'The requested path from client.'}, + "Protocol": {"data_type": "string", "description": 'The protocol of the request.'}, + "RequestDurationMs": {"data_type": "int", "description": 'Duration in milliseconds from the request start time to the last byte of the request received from the user client.'}, + "RequestPayloadSize": {"data_type": "int", "description": 'The total bytes received from the user client.'}, + "RequestThrottlingDelayMs": {"data_type": "int", "description": 'Delay in milliseconds in request data transfer due to network throttling.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "int", "description": 'The final response code returned to the user.'}, + "ResponseCodeReason": {"data_type": "string", "description": 'The final response code reason returned to the user.'}, + "ResponseDurationMs": {"data_type": "int", "description": 'Duration in milliseconds from the request start time to the first response byte read from the model.'}, + "ResponsePayloadSize": {"data_type": "int", "description": 'The total bytes sent back to the user client.'}, + "ResponseThrottlingDelayMs": {"data_type": "int", "description": 'Delay in milliseconds in response data transfer due to network throttling.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the request was received by Azure Machine Learning.'}, + "TotalDurationMs": {"data_type": "int", "description": 'Duration in milliseconds from the request start time to the last response byte sent back to the user client. If the user client disconnected, it measures from the start time to client disconnect time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user-agent header of the request.'}, + "XMSClientRequestId": {"data_type": "string", "description": 'The tracking ID generated by user client.'}, + "XRequestId": {"data_type": "string", "description": 'The request ID generated by Azure Machine Learning for internal tracing.'}, + }, + "AmlPipelineEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlModuleId": {"data_type": "string", "description": 'The unique ID of the module.'}, + "AmlModuleName": {"data_type": "string", "description": 'The name of the AML Module.'}, + "AmlParentPipelineId": {"data_type": "string", "description": 'The ID of the parent AML pipeline (in the case of cloning).'}, + "AmlPipelineDraftId": {"data_type": "string", "description": 'The ID of the AML pipeline draft.'}, + "AmlPipelineDraftName": {"data_type": "string", "description": 'The name of the AML pipeline draft.'}, + "AmlPipelineEndpointId": {"data_type": "string", "description": 'The ID of the AML pipeline endpoint.'}, + "AmlPipelineEndpointName": {"data_type": "string", "description": 'The name of the AML pipeline endpoint.'}, + "AmlPipelineId": {"data_type": "string", "description": 'The ID of the AML pipeline.'}, + "AmlWorkspaceId": {"data_type": "string", "description": 'The unique ID of the AML workspace.'}, + "AmlWorkspaceName": {"data_type": "string", "description": 'The name of the AML workspace.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlRegistryReadEventsLog": { + "AssetName": {"data_type": "string", "description": 'AzureML Asset name associated with log record.'}, + "AssetVersion": {"data_type": "string", "description": 'AzureML Asset version associated with log record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with log record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Labels": {"data_type": "string", "description": 'Labels associated with log record.'}, + "RegistryResourceId": {"data_type": "string", "description": 'ARM ResourceId of the registry that generated this log record.'}, + "RegistryTenantId": {"data_type": "string", "description": 'TenantId associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'User name who initialized the event.'}, + "UserObjectId": {"data_type": "string", "description": 'User AAD object ID who initialized the event.'}, + }, + "AmlRegistryWriteEventsLog": { + "AssetName": {"data_type": "string", "description": 'AzureML Asset name associated with log record.'}, + "AssetVersion": {"data_type": "string", "description": 'AzureML Asset version associated with log record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with log record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Labels": {"data_type": "string", "description": 'Labels associated with log record.'}, + "RegistryResourceId": {"data_type": "string", "description": 'ARM ResourceId of the registry that generated this log record.'}, + "RegistryTenantId": {"data_type": "string", "description": 'TenantId associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'User name who initialized the event.'}, + "UserObjectId": {"data_type": "string", "description": 'User AAD object ID who initialized the event.'}, + }, + "AmlRunEvent": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant ID the operation was submitted for.'}, + "AmlWorkspaceId": {"data_type": "string", "description": 'The unique ID of the workspace.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RunId": {"data_type": "string", "description": 'The unique ID of the run.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AmlRunStatusChangedEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "DurationMs": {"data_type": "string", "description": 'The duration of the operation in milliseconds.'}, + "Identity": {"data_type": "string", "description": 'Identity of the user or application that performed the operation'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event. Must be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "Message": {"data_type": "string", "description": 'Message associated with run status change.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation associated with the log entry.'}, + "OperationVersion": {"data_type": "string", "description": 'The api-version associated with the operation, if the operationName was performed using an API.'}, + "ParentRunId": {"data_type": "string", "description": 'The unique identifier for the parent run.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event. If this operation corresponds to a REST API call, this is the HTTP status code of the corresponding REST call.'}, + "ResultType": {"data_type": "string", "description": 'The status of the event. Typical values include Started, In Progress, Succeeded, Failed, Active, and Resolved.'}, + "RootRunId": {"data_type": "string", "description": 'The unique identifier for the root run.'}, + "RunId": {"data_type": "string", "description": 'Unique run identifier.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Updated run status.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "TriggeringUserName": {"data_type": "string", "description": 'Friendly name of run status change initiator.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'Unique workspace identifer.'}, + "WorkspaceName": {"data_type": "string", "description": 'User friendly workspace identifier.'}, + }, + "AMSKeyDeliveryRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DurationMs": {"data_type": "int", "description": 'Azure Media Services operation duration in milli-seconds.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeyId": {"data_type": "string", "description": 'The ID of the requested key.'}, + "KeyType": {"data_type": "string", "description": 'Could be one of the following values: Clear (no encryption), FairPlay, PlayReady, or Widevine.'}, + "Level": {"data_type": "string", "description": 'Log level of message, e.g. Informational.'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the log.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "OperationVersion": {"data_type": "string", "description": 'Azure Media Services operation version.'}, + "PolicyName": {"data_type": "string", "description": 'The Azure Resource Manager name of the policy.'}, + "RequestId": {"data_type": "string", "description": 'Id of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'Azure Media Services operation result signature.'}, + "ResultType": {"data_type": "string", "description": 'Azure Media Services operation result type.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusMessage": {"data_type": "string", "description": 'The status message.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "TokenType": {"data_type": "string", "description": 'The token type.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AMSLiveEventOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Message level. Possible values are Informational, Warning, Error, Critical and Verbose.'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "Properties": {"data_type": "dynamic", "description": 'Operation details.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AMSMediaAccountHealth": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventCode": {"data_type": "string", "description": 'The event code.'}, + "EventMessage": {"data_type": "string", "description": 'The event status message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Log level of message, e.g. Informational.'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the log.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AMSStreamingEndpointRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Message level. Possible values are Informational, Warning, Error, Critical and Verbose.'}, + "Location": {"data_type": "string", "description": 'Location of the service sending the event.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "OperationVersion": {"data_type": "string", "description": 'Azure Media Services operation version.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status code of the request.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URL": {"data_type": "string", "description": 'The streaming URL from Azure Media Services.'}, + }, + "AMWMetricsUsageDetails": { + "AMWResourceName": {"data_type": "string", "description": 'Azure Monitor Workspace resource name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DailyTimeseriesCount": {"data_type": "long", "description": 'Daily timeseries count associated with the labels/dimensions for the metric.'}, + "DaysSinceMetricQueried": {"data_type": "int", "description": 'Number of days from the specified date range when the metric was queried last.'}, + "DimensionsList": {"data_type": "string", "description": 'The set of labels/dimensions being described.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) of the date range being described.'}, + "IncomingEventsCount": {"data_type": "long", "description": 'Number of events received for the specified date range.'}, + "IngestedSamplesCount": {"data_type": "long", "description": 'Number of samples ingested in the specified date range.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricName": {"data_type": "string", "description": 'The name of the metric the insights is generated for.'}, + "MetricNamespace": {"data_type": "string", "description": 'Namespace in the Azure Monitor Workspace the metric belongs to.'}, + "NumberOfQueries": {"data_type": "int", "description": 'Number of queries received for the specified date range.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The start time (UTC) of the date range being described.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the summary data for the row was produced.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Anomalies": { + "ActivityInsights": {"data_type": "dynamic", "description": 'Insights about the activites corresponding to the generated anomaly as JSON.'}, + "AnomalyDetails": {"data_type": "dynamic", "description": 'JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly.'}, + "AnomalyReasons": {"data_type": "dynamic", "description": 'The detailed explanation of the generated anomaly as JSON.'}, + "AnomalyTemplateId": {"data_type": "string", "description": 'The ID of the Anomaly template that generated this anomaly.'}, + "AnomalyTemplateName": {"data_type": "string", "description": 'The name of the Anomaly template that generated this anomaly.'}, + "AnomalyTemplateVersion": {"data_type": "string", "description": 'The version of the Anomaly template that generated this anomaly.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'The description of the anomaly.'}, + "DestinationDevice": {"data_type": "string", "description": 'The destination device for which the anomaly was generated.'}, + "DestinationIpAddress": {"data_type": "string", "description": 'The destination ip address for which the anomaly was generated.'}, + "DestinationLocation": {"data_type": "dynamic", "description": 'Info about the destination location for which the anomaly was generated as JSON.'}, + "DeviceInsights": {"data_type": "dynamic", "description": 'Insights about the devices corresponding to the generated anomaly as JSON.'}, + "EndTime": {"data_type": "datetime", "description": 'The time (UTC) when the anomaly ended.'}, + "Entities": {"data_type": "dynamic", "description": 'JSON object containing all entities involved in the generated anomaly.'}, + "ExtendedLinks": {"data_type": "dynamic", "description": 'List of links pointing to the data that generated the anomaly.'}, + "ExtendedProperties": {"data_type": "dynamic", "description": 'JSON object with additional data on the anomaly as key-value pairs.'}, + "Id": {"data_type": "string", "description": 'The ID of the generated anomaly.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "RuleConfigVersion": {"data_type": "string", "description": 'The configuration version of the Anomaly analytics rule that generated this anomaly.'}, + "RuleId": {"data_type": "string", "description": 'The ID of the Anomaly analytics rule that generated this anomaly.'}, + "RuleName": {"data_type": "string", "description": 'The name of the Anomaly analytics rule that generated this anomaly.'}, + "RuleStatus": {"data_type": "string", "description": 'The status (Flighting/Production) of the Anomaly analytics rule that generated this anomaly.'}, + "Score": {"data_type": "real", "description": 'The score of the anomaly.'}, + "SourceDevice": {"data_type": "string", "description": 'The source device for which the anomaly was generated.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The source ip address for which the anomaly was generated.'}, + "SourceLocation": {"data_type": "dynamic", "description": 'Info about the source location for which the anomaly was generated as JSON.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The time (UTC) when the anomaly started.'}, + "Tactics": {"data_type": "string", "description": 'List of MITRE ATT&CK tactics (strings) corresponding to the anomaly.'}, + "Techniques": {"data_type": "string", "description": 'List MITRE ATT&CK techniques (strings) corresponding to the anomaly.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the anomaly was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserInsights": {"data_type": "dynamic", "description": 'Insights about the users corresponding to the generated anomaly as JSON.'}, + "UserName": {"data_type": "string", "description": 'The username for which the anomaly was generated.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UPN of the user for which the anomaly was generated.'}, + "VendorName": {"data_type": "string", "description": 'The name of the vendor that generated this anomaly.'}, + "WorkspaceId": {"data_type": "string", "description": 'The ID of the Sentinel workspace.'}, + }, + "AOIDatabaseQuery": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the query.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheDiskHits": {"data_type": "long", "description": 'Disk cache hits.'}, + "CacheDiskMisses": {"data_type": "long", "description": 'Disk cache misses.'}, + "CacheMemoryHits": {"data_type": "long", "description": 'Memory cache hits.'}, + "CacheMemoryMisses": {"data_type": "long", "description": 'Memory cache misses.'}, + "CacheShardsBypassBytes": {"data_type": "long", "description": 'Shards cache bypass bytes.'}, + "CacheShardsColdHits": {"data_type": "long", "description": 'Shards cold cache hits.'}, + "CacheShardsColdMisses": {"data_type": "long", "description": 'Shards cold cache misses.'}, + "CacheShardsHotHits": {"data_type": "long", "description": 'Shards hot cache hits.'}, + "CacheShardsHotMisses": {"data_type": "long", "description": 'Shards hot cache misses.'}, + "ComponentFault": {"data_type": "string", "description": "The entity that caused the query to fail. For example, if the query result is too large, the ComponentFault will be 'Client'. If an internal error occured, it will be 'Server'."}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database that the command ran on.'}, + "DurationMs": {"data_type": "string", "description": 'Command duration in milliseconds.'}, + "FailureReason": {"data_type": "string", "description": 'The failure reason.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command ended.'}, + "Location": {"data_type": "string", "description": 'The region where this query was executed.'}, + "MaxDataScannedTime": {"data_type": "datetime", "description": 'Maximum data scan time.'}, + "MemoryPeak": {"data_type": "long", "description": 'Memory peak.'}, + "MinDataScannedTime": {"data_type": "datetime", "description": 'Minimum data scan time.'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation.'}, + "Principal": {"data_type": "string", "description": 'The principal that invoked the query.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID.'}, + "ScannedExtentsCount": {"data_type": "long", "description": 'Scanned extents count.'}, + "ScannedRowsCount": {"data_type": "long", "description": 'Scanned rows count.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'Time (UTC) at which this command started.'}, + "State": {"data_type": "string", "description": 'The state the command ended with.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableCount": {"data_type": "int", "description": 'Table count.'}, + "TablesStatistics": {"data_type": "dynamic", "description": 'Tables statistics.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'The text of the invoked query.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated.'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU duration time.'}, + "TotalExtentsCount": {"data_type": "long", "description": 'Total extents count.'}, + "TotalRowsCount": {"data_type": "long", "description": 'Total rows count.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user that invoked the query.'}, + "WorkloadGroup": {"data_type": "string", "description": 'The workload group the query was classified to.'}, + }, + "AOIDigestion": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Datatype": {"data_type": "string", "description": 'The datatype of the file that was digested.'}, + "FilePath": {"data_type": "string", "description": 'The path of the file that was digested.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The level of the log.'}, + "Message": {"data_type": "string", "description": 'The log message.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AOIStorage": { + "AccessTier": {"data_type": "string", "description": 'The access tier of the storage account.'}, + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request.'}, + "AuthorizationDetails": {"data_type": "dynamic", "description": 'Detailed policy information used to authorize the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester, including the port number.'}, + "Category": {"data_type": "string", "description": 'The category to which this row belongs to, it will be one of Ingestion, IngestionDelete or ReadStorage.'}, + "ClientRequestId": {"data_type": "string", "description": 'The x-ms-client-request-id header value of the request.'}, + "ConditionsUsed": {"data_type": "string", "description": 'A semicolon-separated list of key-value pairs that represent a condition.'}, + "ContentLengthHeader": {"data_type": "long", "description": 'The value of the Content-Length header for the request sent to the storage service.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate logs across resources.'}, + "DestinationUri": {"data_type": "string", "description": 'Records the destination URI for operations.'}, + "DurationMs": {"data_type": "real", "description": 'The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.'}, + "Etag": {"data_type": "string", "description": 'The ETag identifier for the returned object, in quotes.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedTime": {"data_type": "datetime", "description": 'The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.'}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "MetricResponseType": {"data_type": "string", "description": 'Records the metric response for correlation between metrics and logs.'}, + "ObjectKey": {"data_type": "string", "description": 'The key of the requested object, in quotes.'}, + "OperationCount": {"data_type": "int", "description": 'The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed.'}, + "OperationVersion": {"data_type": "string", "description": 'The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.'}, + "Protocol": {"data_type": "string", "description": 'The protocol that is used in the operation.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "RehydratePriority": {"data_type": "string", "description": 'The priority used to rehydrate an archived blob.'}, + "RequestBodySize": {"data_type": "long", "description": 'The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterAudience": {"data_type": "string", "description": 'The OAuth audience of the request.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The OAuth object ID of the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The OAuth tenant ID of identity.'}, + "RequesterTokenIssuer": {"data_type": "string", "description": 'The OAuth token issuer.'}, + "RequesterUpn": {"data_type": "string", "description": 'The User Principal Names of requestor.'}, + "RequestHeaderSize": {"data_type": "long", "description": 'The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "RequestMd5": {"data_type": "string", "description": 'The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodySize": {"data_type": "long", "description": 'The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.'}, + "ResponseHeaderSize": {"data_type": "long", "description": 'The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "ResponseMd5": {"data_type": "string", "description": 'The value of the MD5 hash calculated by the storage service.'}, + "SasExpiryStatus": {"data_type": "string", "description": 'Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy.'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version of the log.'}, + "ServerLatencyMs": {"data_type": "real", "description": "The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."}, + "ServiceType": {"data_type": "string", "description": 'The service associated with this request.'}, + "SourceAccessTier": {"data_type": "string", "description": 'The source tier of the storage account.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceUri": {"data_type": "string", "description": 'Records the source URI for operations.'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "StatusText": {"data_type": "string", "description": 'The status of the requested operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) at which this event was generated.'}, + "TlsVersion": {"data_type": "string", "description": 'The TLS version used in the connection of request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The User-Agent header value, in quotes.'}, + }, + "ApiManagementGatewayLogs": { + "ApiId": {"data_type": "string", "description": ''}, + "ApimSubscriptionId": {"data_type": "string", "description": ''}, + "ApiRevision": {"data_type": "string", "description": ''}, + "BackendId": {"data_type": "string", "description": ''}, + "BackendMethod": {"data_type": "string", "description": ''}, + "BackendProtocol": {"data_type": "string", "description": ''}, + "BackendRequestBody": {"data_type": "string", "description": 'Backend request body'}, + "BackendRequestHeaders": {"data_type": "dynamic", "description": ''}, + "BackendResponseBody": {"data_type": "string", "description": 'Backend response body'}, + "BackendResponseCode": {"data_type": "int", "description": ''}, + "BackendResponseHeaders": {"data_type": "dynamic", "description": ''}, + "BackendTime": {"data_type": "long", "description": ''}, + "BackendUrl": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Cache": {"data_type": "string", "description": ''}, + "CacheTime": {"data_type": "long", "description": ''}, + "CallerIpAddress": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "ClientProtocol": {"data_type": "string", "description": ''}, + "ClientTime": {"data_type": "long", "description": ''}, + "ClientTlsVersion": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "Errors": {"data_type": "dynamic", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsMasterTrace": {"data_type": "bool", "description": 'Indication if the request trace was created with the master subscription'}, + "IsRequestSuccess": {"data_type": "bool", "description": ''}, + "IsTraceAllowed": {"data_type": "bool", "description": 'Indication if the requested trace was allowed'}, + "IsTraceExpired": {"data_type": "bool", "description": 'Indication if the requested trace has expired and is not granted'}, + "IsTraceRequested": {"data_type": "bool", "description": 'Indication if the caller has requested to create a request trace'}, + "LastErrorElapsed": {"data_type": "long", "description": ''}, + "LastErrorMessage": {"data_type": "string", "description": ''}, + "LastErrorReason": {"data_type": "string", "description": ''}, + "LastErrorScope": {"data_type": "string", "description": ''}, + "LastErrorSection": {"data_type": "string", "description": ''}, + "LastErrorSource": {"data_type": "string", "description": ''}, + "Method": {"data_type": "string", "description": ''}, + "OperationId": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "ProductId": {"data_type": "string", "description": ''}, + "Region": {"data_type": "string", "description": ''}, + "RequestBody": {"data_type": "string", "description": 'Client request body'}, + "RequestHeaders": {"data_type": "dynamic", "description": ''}, + "RequestSize": {"data_type": "int", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBody": {"data_type": "string", "description": 'Gateway response body'}, + "ResponseCode": {"data_type": "int", "description": ''}, + "ResponseHeaders": {"data_type": "dynamic", "description": ''}, + "ResponseSize": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Timestamp": {"data_type": "datetime", "description": ''}, + "TotalTime": {"data_type": "long", "description": ''}, + "TraceRecords": {"data_type": "dynamic", "description": 'Records emitted by trace policies'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": ''}, + "UserId": {"data_type": "string", "description": ''}, + "WorkspaceId": {"data_type": "string", "description": 'ID of a workspace for which the request API operation is a part of'}, + }, + "ApiManagementWebSocketConnectionLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Unique id to group related events for a websocket request.'}, + "Destination": {"data_type": "string", "description": 'The destination of the request/message for the websocket connection.'}, + "Error": {"data_type": "string", "description": 'Error details if any for the websocket connection.'}, + "EventName": {"data_type": "string", "description": 'Name of the event describing the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'Country or region where API Management Gateway is located.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Source": {"data_type": "string", "description": 'The source of the request/message for the websocket connection.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when request processing started.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "APIMDevPortalAuditDiagnosticLog": { + "ActivityId": {"data_type": "string", "description": 'An unique identifier represented as a GUID (Globally Unique Identifier). It serves as a globally distinctive label for tracking and correlating activities or events across systems and applications.'}, + "ApimClient": {"data_type": "string", "description": 'The field refers to the HTTP header X-Ms-Apim-Client sent by Developer Portal.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Distinct group or type of record.'}, + "HashedUserId": {"data_type": "string", "description": 'The field represents a hashed or encrypted form of a user identifier.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Field denotes the specific name or identifier of the operation being performed.'}, + "Region": {"data_type": "string", "description": 'The field indicates the geographical location or data center region within the Azure cloud infrastructure where a specific resource or service is deployed.'}, + "RequestMethod": {"data_type": "string", "description": 'The field indicates the type of HTTP method used in an incoming request.'}, + "RequestPath": {"data_type": "string", "description": 'The field contains the path or endpoint of an incoming request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "int", "description": "The field indicates the HTTP status code associated with the server's response to a client's request."}, + "ResultType": {"data_type": "string", "description": 'This field signifies the outcome or type of result associated with this operation. It has two values: Succeeded or Failed'}, + "ServiceName": {"data_type": "string", "description": 'API Management service name'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Represents the date and time when the associated event or record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": "The field refers to the HTTP header that provides information about the user's browser or client application."}, + "Version": {"data_type": "string", "description": 'API Management version'}, + }, + "AppAvailabilityResults": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "DurationMs": {"data_type": "real", "description": 'Number of milliseconds it took to finish the test.'}, + "Id": {"data_type": "string", "description": 'Unique ID of the availability test.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Location": {"data_type": "string", "description": 'The location from where the test ran.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Message": {"data_type": "string", "description": 'Application-defined message.'}, + "Name": {"data_type": "string", "description": 'Availability Test Name.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "bool", "description": 'The result of test.'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when availability result was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppBrowserTimings": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Name": {"data_type": "string", "description": 'Name of the page.'}, + "NetworkDurationMs": {"data_type": "real", "description": 'Page load network time in milliseconds.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "ProcessingDurationMs": {"data_type": "real", "description": 'Page DOM processing time in milliseconds.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ReceiveDurationMs": {"data_type": "real", "description": 'Page load recieve response duration in milliseconds.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SendDurationMs": {"data_type": "real", "description": 'Send request time in milliseconds.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when request was recorded.'}, + "TotalDurationMs": {"data_type": "real", "description": 'Page loading total time in milliseconds.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'URI of the page view.'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppCenterError": { + "Annotation": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CreatedAt": {"data_type": "datetime", "description": ''}, + "ErrorClass": {"data_type": "string", "description": ''}, + "ErrorFile": {"data_type": "string", "description": ''}, + "ErrorGroupId": {"data_type": "string", "description": ''}, + "ErrorId": {"data_type": "string", "description": ''}, + "ErrorLine": {"data_type": "int", "description": ''}, + "ErrorMethod": {"data_type": "string", "description": ''}, + "ErrorReason": {"data_type": "string", "description": ''}, + "ErrorType": {"data_type": "string", "description": ''}, + "ExceptionType": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JailBreak": {"data_type": "bool", "description": ''}, + "LastErrorAt": {"data_type": "datetime", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "Oem": {"data_type": "string", "description": ''}, + "OsVersion": {"data_type": "string", "description": ''}, + "SchemaType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": ''}, + "SymbolicatedAt": {"data_type": "datetime", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserString": {"data_type": "string", "description": ''}, + }, + "AppDependencies": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "Data": {"data_type": "string", "description": 'Detailed information about the dependency call, such as a full URI or a SQL statement.'}, + "DependencyType": {"data_type": "string", "description": 'Dependency type, such as HTTP or SQL.'}, + "DurationMs": {"data_type": "real", "description": 'Number of milliseconds the dependency call took to complete.'}, + "Id": {"data_type": "string", "description": 'Application-generated, unique ID of the dependency call.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Name": {"data_type": "string", "description": 'Dependency name, such as an URI query without parameters or a SQL server table name.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ReferencedItemId": {"data_type": "string", "description": 'Id of the item with additional details about the dependency call.'}, + "ReferencedType": {"data_type": "string", "description": 'Name of the table with additional details about the dependency call.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "string", "description": 'Result code returned to the application by the dependency call.'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "bool", "description": 'Indicates whether the dependency call completed successfully.'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "Target": {"data_type": "string", "description": 'Target of a dependency call, such as a Web or a SQL server name.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when dependency call was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppEnvSpringAppConsoleLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerAppName": {"data_type": "string", "description": 'The name of the Container App generating this log.'}, + "ContainerGroupId": {"data_type": "string", "description": "The ID of the container's pod (Container App replica) generating this log."}, + "ContainerGroupName": {"data_type": "string", "description": "The name of the container's pod (Container App replica) generating this log."}, + "ContainerId": {"data_type": "string", "description": 'The ID of the Container App generating this log.'}, + "ContainerImage": {"data_type": "string", "description": 'The image used in the container instance that generated this log.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container generating this log.'}, + "EnvironmentName": {"data_type": "string", "description": 'The name of the Container App Environment generating this log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the Container App generating this log.'}, + "Log": {"data_type": "string", "description": "The log message generated by the user's Container App."}, + "OperationName": {"data_type": "string", "description": 'The name of the operation generating this log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RevisionName": {"data_type": "string", "description": 'The name of the revision generating this log.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stream": {"data_type": "string", "description": 'The stream where the log was emitted.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppEvents": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Name": {"data_type": "string", "description": 'Human-readable name of the customEvent.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when customEvent was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppExceptions": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "Assembly": {"data_type": "string", "description": 'Exception assembly.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "Details": {"data_type": "dynamic", "description": 'Details of the exception.'}, + "ExceptionType": {"data_type": "string", "description": 'Type of exception.'}, + "HandledAt": {"data_type": "string", "description": 'Where the exception was seen.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "InnermostAssembly": {"data_type": "string", "description": 'Assembly of the innermost exception.'}, + "InnermostMessage": {"data_type": "string", "description": 'Message of the innermost exception.'}, + "InnermostMethod": {"data_type": "string", "description": 'Method of the innermost exception.'}, + "InnermostType": {"data_type": "string", "description": 'Type of the innermost exception.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Message": {"data_type": "string", "description": 'Exception message.'}, + "Method": {"data_type": "string", "description": 'Exception method.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "OuterAssembly": {"data_type": "string", "description": 'Assembly of the outer exception.'}, + "OuterMessage": {"data_type": "string", "description": 'Message of the outer exception.'}, + "OuterMethod": {"data_type": "string", "description": 'Method of the outer exception.'}, + "OuterType": {"data_type": "string", "description": 'Type of the outer exception.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "ProblemId": {"data_type": "string", "description": 'Problem ID of the exception.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SeverityLevel": {"data_type": "int", "description": 'Severity level of the exception.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when request was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "ApplicationInsights": { + "AccountAcquisitionDate": {"data_type": "datetime", "description": ''}, + "AnonAcquisitionDate": {"data_type": "datetime", "description": ''}, + "AnonUserId": {"data_type": "string", "description": ''}, + "ApplicationId": {"data_type": "string", "description": ''}, + "ApplicationName": {"data_type": "string", "description": ''}, + "ApplicationProtocol": {"data_type": "string", "description": ''}, + "ApplicationTypeVersion": {"data_type": "string", "description": ''}, + "AuthAcquisitionDate": {"data_type": "datetime", "description": ''}, + "AvailabilityCount": {"data_type": "int", "description": ''}, + "AvailabilityDuration": {"data_type": "real", "description": ''}, + "AvailabilityDurationCount": {"data_type": "int", "description": ''}, + "AvailabilityDurationMax": {"data_type": "real", "description": ''}, + "AvailabilityDurationMin": {"data_type": "real", "description": ''}, + "AvailabilityDurationStdDev": {"data_type": "real", "description": ''}, + "AvailabilityMax": {"data_type": "real", "description": ''}, + "AvailabilityMessage": {"data_type": "string", "description": ''}, + "AvailabilityMetricCount": {"data_type": "int", "description": ''}, + "AvailabilityMin": {"data_type": "real", "description": ''}, + "AvailabilityResult": {"data_type": "string", "description": ''}, + "AvailabilityRunLocation": {"data_type": "string", "description": ''}, + "AvailabilityStdDev": {"data_type": "real", "description": ''}, + "AvailabilityTestId": {"data_type": "string", "description": ''}, + "AvailabilityTestName": {"data_type": "string", "description": ''}, + "AvailabilityTimestamp": {"data_type": "datetime", "description": ''}, + "AvailabilityValue": {"data_type": "real", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Browser": {"data_type": "string", "description": ''}, + "BrowserVersion": {"data_type": "string", "description": ''}, + "City": {"data_type": "string", "description": ''}, + "ClientIP": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "Continent": {"data_type": "string", "description": ''}, + "Country": {"data_type": "string", "description": ''}, + "csUserAgent": {"data_type": "string", "description": ''}, + "CustomEventCount": {"data_type": "int", "description": ''}, + "CustomEventDimensions": {"data_type": "string", "description": ''}, + "CustomEventName": {"data_type": "string", "description": ''}, + "DataSizeMetricCount": {"data_type": "int", "description": ''}, + "DataSizeMetricValue": {"data_type": "real", "description": ''}, + "DeveloperMode": {"data_type": "string", "description": ''}, + "DeviceID": {"data_type": "string", "description": ''}, + "DeviceModel": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "ExceptionAssembly": {"data_type": "string", "description": ''}, + "ExceptionCount": {"data_type": "int", "description": ''}, + "ExceptionGroup": {"data_type": "string", "description": ''}, + "ExceptionHandledAt": {"data_type": "string", "description": ''}, + "ExceptionHasStack": {"data_type": "bool", "description": ''}, + "ExceptionMessage": {"data_type": "string", "description": ''}, + "ExceptionMethod": {"data_type": "string", "description": ''}, + "ExceptionStack": {"data_type": "string", "description": ''}, + "ExceptionType": {"data_type": "string", "description": ''}, + "Host": {"data_type": "string", "description": ''}, + "IsAuthenticated": {"data_type": "bool", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "isSynthetic": {"data_type": "string", "description": ''}, + "Language": {"data_type": "string", "description": ''}, + "Latitude": {"data_type": "string", "description": ''}, + "LocalSubnet": {"data_type": "string", "description": ''}, + "Longitude": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "OperationID": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "OS": {"data_type": "string", "description": ''}, + "OsVersion": {"data_type": "string", "description": ''}, + "PageViewCount": {"data_type": "int", "description": ''}, + "PageViewDuration": {"data_type": "real", "description": ''}, + "PageViewDurationCount": {"data_type": "int", "description": ''}, + "PageViewDurationMax": {"data_type": "real", "description": ''}, + "PageViewDurationMin": {"data_type": "real", "description": ''}, + "PageViewDurationStdDev": {"data_type": "real", "description": ''}, + "PageViewName": {"data_type": "string", "description": ''}, + "ParentOperationID": {"data_type": "string", "description": ''}, + "Province": {"data_type": "string", "description": ''}, + "RequestCount": {"data_type": "int", "description": ''}, + "RequestDuration": {"data_type": "real", "description": ''}, + "RequestDurationCount": {"data_type": "int", "description": ''}, + "RequestDurationMax": {"data_type": "real", "description": ''}, + "RequestDurationMin": {"data_type": "real", "description": ''}, + "RequestDurationStdDev": {"data_type": "real", "description": ''}, + "RequestID": {"data_type": "string", "description": ''}, + "RequestName": {"data_type": "string", "description": ''}, + "RequestSuccess": {"data_type": "bool", "description": ''}, + "ResponseCode": {"data_type": "string", "description": ''}, + "Role": {"data_type": "string", "description": ''}, + "RoleInstance": {"data_type": "string", "description": ''}, + "SampledCount": {"data_type": "int", "description": ''}, + "SamplingRate": {"data_type": "string", "description": ''}, + "ScreenResolution": {"data_type": "string", "description": ''}, + "SessionId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "sPort": {"data_type": "int", "description": ''}, + "TelemetryType": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URL": {"data_type": "string", "description": ''}, + "URLBase": {"data_type": "string", "description": ''}, + "UserAccountId": {"data_type": "string", "description": ''}, + }, + "AppMetrics": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'The number of measurements that were aggregated into trackMetric(..) call.'}, + "Max": {"data_type": "real", "description": 'The maximum value in the measurements that were aggregated into trackMetric(..) call.'}, + "Min": {"data_type": "real", "description": 'The minimum value in the measurements that were aggregated into trackMetric(..) call.'}, + "Name": {"data_type": "string", "description": 'Application-defined name'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Sum": {"data_type": "real", "description": 'This is the sum of the measurements. To get the mean value, divide by valueCount.'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when metric was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppPageViews": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "DurationMs": {"data_type": "real", "description": 'Number of milliseconds it took the application to handle the page view.'}, + "Id": {"data_type": "string", "description": 'Application-generated, unique page view ID.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Name": {"data_type": "string", "description": 'Human-readable name of the page view.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when page view was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'URL of the page view.'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppPerformanceCounters": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Performance counter category.'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "Counter": {"data_type": "string", "description": 'Performance counter name.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "Instance": {"data_type": "string", "description": 'Instance identifier, to which the counter is related.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": 'Performance counter name.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when performance counter was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + "Value": {"data_type": "real", "description": 'Performance counter value.'}, + }, + "AppPlatformBuildLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildLog": {"data_type": "string", "description": 'The build log for each build stages.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container that emitted the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PodName": {"data_type": "string", "description": 'The name of the pod that emitted the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log is collected by Azure Spring Cloud.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppPlatformContainerEventLogs": { + "App": {"data_type": "string", "description": 'The name of the application that emitted the container event.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Count": {"data_type": "int", "description": 'The count of this container event happened.'}, + "Deployment": {"data_type": "string", "description": 'The name of the deployment that emitted the container event.'}, + "Event": {"data_type": "string", "description": "The name of container event, including: 'Backoff', 'Pulled', 'Created', 'Started', 'Unhealty' and so on."}, + "FirstTimestamp": {"data_type": "datetime", "description": 'The timestamp when this container event was first seen.'}, + "Instance": {"data_type": "string", "description": 'The name of the instance that emitted the container event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastTimestamp": {"data_type": "datetime", "description": 'The timestamp when this container event was last seen.'}, + "Message": {"data_type": "string", "description": 'The detailed message of the container event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log is collected by Azure Spring Cloud.'}, + "Type": {"data_type": "string", "description": "The type of container event, including: 'Error', 'Warning' and 'Normal'."}, + }, + "AppPlatformIngressLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BodyBytesSent": {"data_type": "string", "description": 'Number of bytes sent to a client, not counting the response header'}, + "Host": {"data_type": "string", "description": 'The host name of the log'}, + "HttpReferer": {"data_type": "string", "description": 'Value of the referer header'}, + "HttpUserAgent": {"data_type": "string", "description": 'Value of user-agent header'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "ProxyAlternativeUpstreamName": {"data_type": "string", "description": 'Name of the alternative upstream server. The format is upstream-\\-\\-\\'}, + "ProxyUpstreamName": {"data_type": "string", "description": 'Name of the upstream server. The format is upstream-\\-\\-\\'}, + "RemoteAddr": {"data_type": "string", "description": 'The source IP address of the client'}, + "RemoteUser": {"data_type": "string", "description": 'User name supplied with the basic authentication'}, + "ReqId": {"data_type": "string", "description": 'The randomly generated ID of the request'}, + "Request": {"data_type": "string", "description": 'Full original request line'}, + "RequestHeaders": {"data_type": "string", "description": "Request headers end with 'id' or 'ID'"}, + "RequestLength": {"data_type": "string", "description": 'Request length in bytes (including request line, header, and request body)'}, + "RequestTime": {"data_type": "real", "description": 'Time in seconds with millisecond resolution elapsed since the first bytes were read from the client'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Response status'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log is collected by Azure Spring Cloud'}, + "TimeLocal": {"data_type": "string", "description": 'Local time in the common log format'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpstreamAddr": {"data_type": "string", "description": 'The IP address and port (or the path to the domain socket) of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas'}, + "UpstreamResponseLength": {"data_type": "string", "description": 'The length in bytes of the response obtained from the upstream server'}, + "UpstreamResponseTime": {"data_type": "string", "description": 'Time spent on receiving the response from the upstream server, the time is kept in seconds with millisecond resolution'}, + "UpstreamStatus": {"data_type": "string", "description": 'Status code of the response obtained from the upstream server'}, + }, + "AppPlatformLogsforSpring": { + "AppName": {"data_type": "string", "description": 'The application name that emitted the log'}, + "AppTimestamp": {"data_type": "datetime", "description": 'The log timestamp (UTC) from user application log'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log Category'}, + "CustomLevel": {"data_type": "string", "description": 'Verbosity level of log'}, + "ExceptionClass": {"data_type": "string", "description": 'The exceptionClass of the log'}, + "InstanceName": {"data_type": "string", "description": 'The instance name that emitted the log'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Log": {"data_type": "string", "description": 'The content of the log'}, + "Logger": {"data_type": "string", "description": 'The logger from user application log'}, + "MDC": {"data_type": "string", "description": 'Customized MDC field in the log'}, + "Message": {"data_type": "string", "description": 'The message of the log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServiceName": {"data_type": "string", "description": 'The service name that emitted the log'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": 'SpanId for tracing'}, + "StackTrace": {"data_type": "string", "description": 'The stackTrace of the log'}, + "Stream": {"data_type": "string", "description": 'The stream of the log'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Thread": {"data_type": "string", "description": 'The thread of the log'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log is collected by Azure Spring Cloud'}, + "TraceId": {"data_type": "string", "description": 'TraceId for tracing'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppPlatformSystemLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log Category'}, + "InstanceName": {"data_type": "string", "description": 'The instance name that emitted the log'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The level of the log'}, + "Log": {"data_type": "string", "description": 'The log of the log'}, + "Logger": {"data_type": "string", "description": 'The logger of the log'}, + "LogType": {"data_type": "string", "description": 'The type of the log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServiceName": {"data_type": "string", "description": 'The service name that emitted the log'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stack": {"data_type": "string", "description": 'The stack of the log'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Thread": {"data_type": "string", "description": 'The thread of the log'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log is collected by Azure Spring Cloud'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppRequests": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "DurationMs": {"data_type": "real", "description": 'Number of milliseconds it took the application to handle the request.'}, + "Id": {"data_type": "string", "description": 'Application-generated, unique request ID.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Name": {"data_type": "string", "description": 'Human-readable name of the request.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ReferencedItemId": {"data_type": "string", "description": 'Id of the item with additional details about the request.'}, + "ReferencedType": {"data_type": "string", "description": 'Name of the table with additional details about the request.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCode": {"data_type": "string", "description": 'Result code returned by the application after handling the request.'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "Source": {"data_type": "string", "description": 'Friendly name of the request source, when known. Source is based on the metadata supplied by the caller.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "bool", "description": 'Indicates whether the application handled the request successfully.'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when request processing started.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'URL of the request.'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "AppServiceAntivirusScanAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name'}, + "ErrorMessage": {"data_type": "string", "description": 'Error Message'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ListOfInfectedFiles": {"data_type": "string", "description": 'List of each virus file path'}, + "NumberOfInfectedFiles": {"data_type": "int", "description": 'Total number of files infected with virus'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScanStatus": {"data_type": "string", "description": 'Status of the scan'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "TimeStamp": {"data_type": "datetime", "description": 'Time when event is generated'}, + "TotalFilesScanned": {"data_type": "int", "description": 'Total number of scanned files'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceAppLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name'}, + "ContainerId": {"data_type": "string", "description": 'Application container id'}, + "CustomLevel": {"data_type": "string", "description": 'Verbosity level of log'}, + "ExceptionClass": {"data_type": "string", "description": 'Application class from where log message is emitted'}, + "Host": {"data_type": "string", "description": 'Host where the application is running'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log mapped to standard levels (Informational, Warning, Error, or Critical)'}, + "Logger": {"data_type": "string", "description": 'Application logger used to emit log message'}, + "Message": {"data_type": "string", "description": 'Log message'}, + "Method": {"data_type": "string", "description": 'Application Method from where log message is emitted'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Log message description'}, + "Source": {"data_type": "string", "description": 'Application source from where log message is emitted'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stacktrace": {"data_type": "string", "description": 'Complete stack trace of the log message in case of exception'}, + "StackTrace": {"data_type": "string", "description": 'Complete stack trace of the log message in case of exception'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WebSiteInstanceId": {"data_type": "string", "description": 'Instance Id the application running'}, + }, + "AppServiceAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Name of the operation'}, + "Protocol": {"data_type": "string", "description": 'Authentication protocol'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'Username used for publishing access'}, + "UserAddress": {"data_type": "string", "description": 'Client IP addres of the publishing user'}, + "UserDisplayName": {"data_type": "string", "description": 'Email address of a user in case publishing was authorized via AAD authentication'}, + }, + "AppServiceAuthenticationLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events.'}, + "Details": {"data_type": "string", "description": 'The event details.'}, + "HostName": {"data_type": "string", "description": 'The host name of the application.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The level of log verbosity.'}, + "Message": {"data_type": "string", "description": 'The log message.'}, + "ModuleRuntimeVersion": {"data_type": "string", "description": 'The version of App Service Authentication running.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SiteName": {"data_type": "string", "description": 'The runtime name of the application.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'The HTTP status code of the operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubStatusCode": {"data_type": "int", "description": 'The HTTP sub-status code of the request.'}, + "TaskName": {"data_type": "string", "description": 'The name of the task being performed.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when this event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceConsoleLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name'}, + "ContainerId": {"data_type": "string", "description": 'Application container id'}, + "Host": {"data_type": "string", "description": 'Host where the application is running'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Verbosity level of log'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Log message description'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceEnvironmentPlatformLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceFileAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Operation performed on a file'}, + "Path": {"data_type": "string", "description": 'Path to the file that was changed'}, + "Process": {"data_type": "string", "description": 'Type of the process that change the file'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceHTTPLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CIp": {"data_type": "string", "description": 'IP address of the client'}, + "ComputerName": {"data_type": "string", "description": 'The name of the server on which the log file entry was generated.'}, + "Cookie": {"data_type": "string", "description": 'Cookie on HTTP request'}, + "CsBytes": {"data_type": "int", "description": 'Number of bytes received by server'}, + "CsHost": {"data_type": "string", "description": 'Host name header on HTTP request'}, + "CsMethod": {"data_type": "string", "description": 'The request HTTP verb'}, + "CsUriQuery": {"data_type": "string", "description": 'URI query on HTTP request'}, + "CsUriStem": {"data_type": "string", "description": 'The target of the request'}, + "CsUsername": {"data_type": "string", "description": 'The name of the authenticated user on HTTP request'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Referer": {"data_type": "string", "description": 'The site that the user last visited. This site provided a link to the current site'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": 'Success / Failure of HTTP request'}, + "ScBytes": {"data_type": "int", "description": 'Number of bytes sent by server'}, + "ScStatus": {"data_type": "int", "description": 'HTTP status code'}, + "ScSubStatus": {"data_type": "string", "description": 'Substatus error code on HTTP request'}, + "ScWin32Status": {"data_type": "string", "description": 'Windows status code on HTTP request'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SPort": {"data_type": "string", "description": 'Server port number'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "TimeTaken": {"data_type": "int", "description": 'Time taken by HTTP request in milliseconds'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'User agent on HTTP request'}, + }, + "AppServiceIPSecAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CIp": {"data_type": "string", "description": 'IP address of the client'}, + "CsHost": {"data_type": "string", "description": 'Host header of the HTTP request'}, + "Details": {"data_type": "string", "description": 'Additional information'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": 'The result whether the access is Allowed or Denied'}, + "ServiceEndpoint": {"data_type": "string", "description": 'This indicates whether the access is via Virtual Network Service Endpoint communication'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time of the Http Request'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "XAzureFDID": {"data_type": "string", "description": 'X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request'}, + "XFDHealthProbe": {"data_type": "string", "description": 'X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request'}, + "XForwardedFor": {"data_type": "string", "description": 'X-Forwarded-For header of the HTTP request'}, + "XForwardedHost": {"data_type": "string", "description": 'X-Forwarded-Host header of the HTTP request'}, + }, + "AppServicePlatformLogs": { + "ActivityId": {"data_type": "string", "description": 'Activity Id to correlate events'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerId": {"data_type": "string", "description": 'Application container id'}, + "DeploymentId": {"data_type": "string", "description": 'Deployment ID of the application deployment'}, + "Exception": {"data_type": "string", "description": 'Details of the exception'}, + "Host": {"data_type": "string", "description": 'Host where the application is running'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level of log verbosity'}, + "Message": {"data_type": "string", "description": 'Log message'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StackTrace": {"data_type": "string", "description": 'Stack trace for the exception'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when event is generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppServiceServerlessSecurityPluginData": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Index": {"data_type": "int", "description": 'Available when multiple payloads exist for the same message. In that case, payloads share the same SlSecRequestId and Index defines the chronological order of payloads.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MsgVersion": {"data_type": "string", "description": 'The version of the message schema. Used to make code changes backward- and forward- compatible.'}, + "Payload": {"data_type": "dynamic", "description": 'An array of messages, where each one is a JSON string.'}, + "PayloadType": {"data_type": "string", "description": 'The type of the payload. Mostly used to distinguish between messages meant for different types of security analysis.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Sender": {"data_type": "string", "description": 'The name of the component that published this message. Almost always will be the name of the plugin, but can also be platform.'}, + "SlSecMetadata": {"data_type": "dynamic", "description": 'Contains details about the resource like the deployment ID, runtime info, website info, OS, etc.'}, + "SlSecProps": {"data_type": "dynamic", "description": 'Contains other details that might be needed for debugging end-to-end requests, e.g., slsec nuget version.'}, + "SlSecRequestId": {"data_type": "string", "description": 'The ingestion request ID used for identifying the message and the request for diagnostics and debugging.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time (UTC) this message was created on the node.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppSystemEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventType": {"data_type": "string", "description": 'Event type'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Measurements": {"data_type": "dynamic", "description": 'Event measurements.'}, + "Name": {"data_type": "string", "description": 'Event name'}, + "Properties": {"data_type": "dynamic", "description": 'Event properties.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the system event was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AppTraces": { + "AppRoleInstance": {"data_type": "string", "description": 'Role instance of the application.'}, + "AppRoleName": {"data_type": "string", "description": 'Role name of the application.'}, + "AppVersion": {"data_type": "string", "description": 'Version of the application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientBrowser": {"data_type": "string", "description": 'Browser running on the client device.'}, + "ClientCity": {"data_type": "string", "description": 'City where the client device is located.'}, + "ClientCountryOrRegion": {"data_type": "string", "description": 'Country or region where the client device is located.'}, + "ClientIP": {"data_type": "string", "description": 'IP address of the client device.'}, + "ClientModel": {"data_type": "string", "description": 'Model of the client device.'}, + "ClientOS": {"data_type": "string", "description": 'Operating system of the client device.'}, + "ClientStateOrProvince": {"data_type": "string", "description": 'State or province where the client device is located.'}, + "ClientType": {"data_type": "string", "description": 'Type of the client device.'}, + "IKey": {"data_type": "string", "description": 'Instrumentation key of the Azure resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemCount": {"data_type": "int", "description": 'Number of telemetry items represented by a single sample item.'}, + "Measurements": {"data_type": "dynamic", "description": 'Application-defined measurements.'}, + "Message": {"data_type": "string", "description": 'Trace message.'}, + "OperationId": {"data_type": "string", "description": 'Application-defined operation ID.'}, + "OperationName": {"data_type": "string", "description": 'Application-defined name of the overall operation. The OperationName values typically match the Name values for AppRequests.'}, + "ParentId": {"data_type": "string", "description": 'ID of the parent operation.'}, + "Properties": {"data_type": "dynamic", "description": 'Application-defined properties.'}, + "ReferencedItemId": {"data_type": "string", "description": 'Id of the item with additional details about the trace.'}, + "ReferencedType": {"data_type": "string", "description": 'Name of the table with additional details about the trace.'}, + "ResourceGUID": {"data_type": "string", "description": 'Unique, persistent identifier of an Azure resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SDKVersion": {"data_type": "string", "description": 'Version of the SDK used by the application to generate this telemetry item.'}, + "SessionId": {"data_type": "string", "description": 'Application-defined session ID.'}, + "SeverityLevel": {"data_type": "int", "description": 'Severity level of the trace.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyntheticSource": {"data_type": "string", "description": 'Synthetic source of the operation.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when trace was recorded.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountId": {"data_type": "string", "description": 'Application-defined account associated with the user.'}, + "UserAuthenticatedId": {"data_type": "string", "description": 'Persistent string that uniquely represents each authenticated user in the application.'}, + "UserId": {"data_type": "string", "description": 'Anonymous ID of a user accessing the application.'}, + }, + "ArcK8sAudit": { + "Annotations": {"data_type": "dynamic", "description": 'An unstructed key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level.'}, + "AuditId": {"data_type": "string", "description": 'Unique audit ID that is generated for each request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Metadata, Request, RequestResponse) of the audit event.'}, + "ObjectRef": {"data_type": "dynamic", "description": 'The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod emitting this audit event.'}, + "RequestObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the request in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "RequestReceivedTime": {"data_type": "datetime", "description": 'Time when the API Server first received the request.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request made by the client to the server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the response, in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "ResponseStatus": {"data_type": "dynamic", "description": 'Response status for the request, which includes the response code. In error cases, this object will include the error message property.'}, + "SourceIps": {"data_type": "dynamic", "description": 'The list of source IP addresses for the originating client and intermediate proxies.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stage": {"data_type": "string", "description": 'The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated.'}, + "StageReceivedTime": {"data_type": "datetime", "description": 'Time when the request reached the current audit stage.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "dynamic", "description": 'Authenticated user metadata of the requesting client, including optional fields such as UID and groups.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string presented by the originating client.'}, + "Verb": {"data_type": "string", "description": 'The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method.'}, + }, + "ArcK8sAuditAdmin": { + "Annotations": {"data_type": "dynamic", "description": 'An unstructed key-value map associated with this audit event. These annotations are set by plugins as part of the request serving chain and are included at the Metadata event level.'}, + "AuditId": {"data_type": "string", "description": 'Unique audit ID that is generated for each request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Metadata, Request, RequestResponse) of the audit event.'}, + "ObjectRef": {"data_type": "dynamic", "description": 'The Kubernetes object reference this event was targeted for. This field does not apply for list requests nor non-resource requests.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod emitting this audit event.'}, + "RequestObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the request in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "RequestReceivedTime": {"data_type": "datetime", "description": 'Time when the API Server first received the request.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request made by the client to the server.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseObject": {"data_type": "dynamic", "description": 'Kubernetes API object from the response, in object format or the string "skipped-too-big-size-object". This is omitted for non-resource requests.'}, + "ResponseStatus": {"data_type": "dynamic", "description": 'Response status for the request, which includes the response code. In error cases, this object will include the error message property.'}, + "SourceIps": {"data_type": "dynamic", "description": 'The list of source IP addresses for the originating client and intermediate proxies.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stage": {"data_type": "string", "description": 'The request handling stage (RequestReceived, ResponseStarted, ResponseComplete, Panic) at which this audit event was generated.'}, + "StageReceivedTime": {"data_type": "datetime", "description": 'Time when the request reached the current audit stage.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "dynamic", "description": 'Authenticated user metadata of the requesting client, including optional fields such as UID and groups.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent string presented by the originating client.'}, + "Verb": {"data_type": "string", "description": 'The Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method.'}, + }, + "ArcK8sControlPlane": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Service log category describing the service logging the message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level (Fatal, Error, Warning, Info) of the log message.'}, + "Message": {"data_type": "string", "description": 'Log message body.'}, + "PodName": {"data_type": "string", "description": 'Name of the pod logging the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stream": {"data_type": "string", "description": 'Output stream (stdout, stderr) source of the log message.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASCAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A unique correlation ID for the log event.'}, + "DurationMs": {"data_type": "int", "description": 'The total duration (in milliseconds) for the log event.'}, + "Identity": {"data_type": "dynamic", "description": 'Identity of the user or application responsible for the log event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location and region where the log event was generated.'}, + "OperationName": {"data_type": "string", "description": 'The Azure Sphere operation associated with the log event.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties related to the log event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The result description for the log event.'}, + "ResultType": {"data_type": "string", "description": 'The result type (success, failure) for the log event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp(UTC) when the log event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASCDeviceEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CatalogId": {"data_type": "string", "description": 'The catalog ID of the device where the log event was generated.'}, + "CorrelationId": {"data_type": "string", "description": 'A unique correlation ID for the log event.'}, + "DeviceId": {"data_type": "string", "description": 'The ID of the device where the log event was generated.'}, + "DurationMs": {"data_type": "int", "description": 'The total duration (in milliseconds) for the log event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location and region where the log event was generated.'}, + "OperationName": {"data_type": "string", "description": 'The Azure Sphere operation associated with the log event.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties related to the log event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The result description for the log event.'}, + "ResultType": {"data_type": "string", "description": 'The result type (success, failure) for the log event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp(UTC) when the log event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimAuditEventLogs": { + "ActingAppId": {"data_type": "string", "description": 'The ID of the application that initiated the activity reported, including a process, browser, or service.'}, + "ActingAppName": {"data_type": "string", "description": 'The name of the application that initiated the activity reported, including a service, a URL, or a SaaS application.'}, + "ActingAppType": {"data_type": "string", "description": 'The type of acting application.'}, + "ActingOriginalAppType": {"data_type": "string", "description": 'The acting application type as reported by the reporting device.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The user type as reported by the reporting device.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Actor.'}, + "ActorUserAadId": {"data_type": "string", "description": 'The Azure Active Directory ID of the actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": "The Actor's username, including domain information when available."}, + "ActorUsernameType": {"data_type": "string", "description": "The type of the Actor's username specified in ActionUsername field"}, + "ActorUserSid": {"data_type": "string", "description": 'The Windows user ID (SIDs) of the actor.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of the Actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain.'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time (UTC) in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time (UTC) in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Describes a subdivision of the operation reported in the EventType field.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "HttpUserAgent": {"data_type": "string", "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NewValue": {"data_type": "string", "description": 'The new value of Object after the operation was performed.'}, + "Object": {"data_type": "string", "description": 'The name of the object on which the operation identified by EventType is performed.'}, + "ObjectId": {"data_type": "string", "description": 'The name of the object on which the operation identified by EventType is performed.'}, + "ObjectType": {"data_type": "string", "description": 'The type of Object.'}, + "OldValue": {"data_type": "string", "description": 'The old value of Object prior to the operation.'}, + "Operation": {"data_type": "string", "description": 'The operation audited as reported by the reporting device.'}, + "OriginalObjectType": {"data_type": "string", "description": 'The object type as reported by the reporting device.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the source device.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the source device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the source device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The Source IP address from which the connection or session originated.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associaeted with the identified Source as reported by the reporting device.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The Source IP port from which the connection originated.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified Source.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetAppId": {"data_type": "string", "description": 'The ID of the application to which the event applies, including a process, browser, or service.'}, + "TargetAppName": {"data_type": "string", "description": 'The name of the application to which event applies, including a service, a URL, or a SaaS application.'}, + "TargetAppType": {"data_type": "string", "description": 'The type of the application authorizing on behalf of the Actor.'}, + "TargetDescription": {"data_type": "string", "description": 'A descriptive text associated with the target device.'}, + "TargetDeviceType": {"data_type": "string", "description": 'The type of the target device.'}, + "TargetDomain": {"data_type": "string", "description": 'The domain of the target device.'}, + "TargetDomainType": {"data_type": "string", "description": 'The type of TargetDomain.'}, + "TargetDvcId": {"data_type": "string", "description": 'The ID of the target device.'}, + "TargetDvcIdType": {"data_type": "string", "description": 'The type of TargetDvcId.'}, + "TargetDvcOs": {"data_type": "string", "description": 'The OS of the target device.'}, + "TargetDvcScope": {"data_type": "string", "description": 'The cloud platform scope the target device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "TargetDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the target device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "TargetFQDN": {"data_type": "string", "description": 'The target device hostname, including domain information when available.'}, + "TargetGeoCity": {"data_type": "string", "description": 'The city associated with the target IP address.'}, + "TargetGeoCountry": {"data_type": "string", "description": 'The country associated with the target IP address.'}, + "TargetGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the target IP address.'}, + "TargetGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the target IP address.'}, + "TargetGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the target IP address.'}, + "TargetHostname": {"data_type": "string", "description": 'The target device hostname, excluding domain information.'}, + "TargetIpAddr": {"data_type": "string", "description": 'The Target IP address from which the connection or session originated.'}, + "TargetOriginalAppType": {"data_type": "string", "description": 'The target application type as reported by the reporting device.'}, + "TargetOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associated with the target, as reported by the reporting device.'}, + "TargetPortNumber": {"data_type": "int", "description": 'The Target IP port from which the connection originated.'}, + "TargetRiskLevel": {"data_type": "int", "description": 'The risk level associated with the target.'}, + "TargetUrl": {"data_type": "string", "description": 'A URL associated with the target application.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in audit activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the audit activity.'}, + "ThreatIpAddr": {"data_type": "string", "description": 'An IP address or Domain for which a threat was identified.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True if the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the audit activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValueType": {"data_type": "string", "description": 'The type of the old and new values.'}, + }, + "ASimAuthenticationEventLogs": { + "ActingAppId": {"data_type": "string", "description": 'The ID of the application authorizing on behalf of the actor, including a process, browser, or service.'}, + "ActingAppName": {"data_type": "string", "description": 'The name of the application authorizing on behalf of the actor, including a process, browser, or service.'}, + "ActingAppType": {"data_type": "string", "description": 'The type of acting application.'}, + "ActingOriginalAppType": {"data_type": "string", "description": 'The acting application type as reported by the reporting device.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The user type as reported by the reporting device.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": "The Actor's username, including domain information when available."}, + "ActorUsernameType": {"data_type": "string", "description": 'Specifies the type of the user name stored in the ActorUsername field.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of the Actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain.'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'The details associated with the event result. This field is typically populated when the result is a failure.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'The sign-in type for example System, Interactive, RemoteInteractive, Service, RemoteService, Remote or AssumeRole.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "HttpUserAgent": {"data_type": "string", "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogonMethod": {"data_type": "string", "description": 'The method used to perform authentication.'}, + "LogonProtocol": {"data_type": "string", "description": 'The protocol used to perform authentication.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the source device.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcOs": {"data_type": "string", "description": 'The OS of the source device.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the source device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the source device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address of the source device.'}, + "SrcIsp": {"data_type": "string", "description": 'The Internet Service Provider (ISP) used by the source device to connect to the internet.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associaeted with the identified Source as reported by the reporting device.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The IP port from which the connection originated.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified Source.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetAppId": {"data_type": "string", "description": 'The ID of the application to which the authorization is required, often assigned by the reporting device.'}, + "TargetAppName": {"data_type": "string", "description": 'The name of the application to which the authorization is required, including a service, a URL, or a SaaS application.'}, + "TargetAppType": {"data_type": "string", "description": 'The type of the application authorizing on behalf of the Actor.'}, + "TargetDescription": {"data_type": "string", "description": 'A descriptive text associated with the target device.'}, + "TargetDeviceType": {"data_type": "string", "description": 'The type of the target device.'}, + "TargetDomain": {"data_type": "string", "description": 'The domain of the target device.'}, + "TargetDomainType": {"data_type": "string", "description": 'The type of TargetDomain.'}, + "TargetDvcId": {"data_type": "string", "description": 'The ID of the target device.'}, + "TargetDvcIdType": {"data_type": "string", "description": 'The type of TargetDvcId.'}, + "TargetDvcOs": {"data_type": "string", "description": 'The OS of the target device.'}, + "TargetDvcScope": {"data_type": "string", "description": 'The cloud platform scope the target device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "TargetDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the target device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "TargetFQDN": {"data_type": "string", "description": 'The target device hostname, including domain information when available.'}, + "TargetGeoCity": {"data_type": "string", "description": 'The city associated with the target IP address.'}, + "TargetGeoCountry": {"data_type": "string", "description": 'The country associated with the target IP address.'}, + "TargetGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the target IP address.'}, + "TargetGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the target IP address.'}, + "TargetGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the target IP address.'}, + "TargetHostname": {"data_type": "string", "description": 'The target device hostname, excluding domain information.'}, + "TargetIpAddr": {"data_type": "string", "description": 'The IP address of the target device.'}, + "TargetOriginalAppType": {"data_type": "string", "description": 'The target application type as reported by the reporting device.'}, + "TargetOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associated with the target, as reported by the reporting device.'}, + "TargetOriginalUserType": {"data_type": "string", "description": 'The user type as reported by the reporting device.'}, + "TargetPortNumber": {"data_type": "int", "description": 'The port of the target device.'}, + "TargetRiskLevel": {"data_type": "int", "description": 'The risk level associated with the target.'}, + "TargetSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Target actor.'}, + "TargetUrl": {"data_type": "string", "description": 'A URL associated with the target application.'}, + "TargetUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "TargetUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the TargetUserId field.'}, + "TargetUsername": {"data_type": "string", "description": "The Target actor's username, including domain information when available."}, + "TargetUsernameType": {"data_type": "string", "description": "The type of the Target actor's username specified in TargetUsername field"}, + "TargetUserScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which TargetUserId and TargetUsername are defined.'}, + "TargetUserScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined.'}, + "TargetUserType": {"data_type": "string", "description": 'The type of the Target actor.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in audit activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the audit activity.'}, + "ThreatIpAddr": {"data_type": "string", "description": 'An IP address for which a threat was identified.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True if the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the audit activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimDhcpEventLogs": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DhcpCircuitId": {"data_type": "string", "description": 'The DHCP circuit ID, as defined by RFC3046.'}, + "DhcpLeaseDuration": {"data_type": "int", "description": 'The length of the lease granted to a client, in seconds.'}, + "DhcpSessionDuration": {"data_type": "int", "description": 'The amount of time, in milliseconds, for the completion of the DHCP session.'}, + "DhcpSessionId": {"data_type": "string", "description": 'The session identifier as reported by the reporting device. For the Windows DHCP server, set this to the TransactionID field.'}, + "DhcpSrcDHCId": {"data_type": "string", "description": 'The DHCP client ID, as defined by RFC4701.'}, + "DhcpSubscriberId": {"data_type": "string", "description": 'The DHCP subscriber ID, as defined by RFC3993.'}, + "DhcpUserClass": {"data_type": "string", "description": 'The DHCP User Class, as defined by RFC3004.'}, + "DhcpUserClassId": {"data_type": "string", "description": 'The DHCP User Class Id, as defined by RFC3004.'}, + "DhcpVendorClass": {"data_type": "string", "description": 'The DHCP Vendor Class, as defined by RFC3925.'}, + "DhcpVendorClassId": {"data_type": "string", "description": 'The DHCP Vendor Class Id, as defined by RFC3925.'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system, if applicable.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device on which the event occurred or which reported the event, depending on the schema'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain.'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event, depending on the schema.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event, depending on the schema.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event, depending on the schema.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP address of the device on which the event occurred or which reported the event, depending on the schema.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description, either included in or generated from the record.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event. The value should be one of the values listed in Vendors and Products.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable).'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchema": {"data_type": "string", "description": 'The schema the event is normalized to. Each schema documents its schema name.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema. Each schema documents its current version.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Describes a subdivision of the operation reported in the EventType field.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "RequestedIpAddr": {"data_type": "string", "description": 'The IP address requested by the DHCP client, when available.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of the domain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of the DvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to.'}, + "SrcFQDN": {"data_type": "string", "description": 'The device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address..'}, + "SrcHostname": {"data_type": "string", "description": 'The device hostname, excluding domain information.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address of the source device.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface from which the connection or session originated.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associaeted with the identified Source as reported by the reporting device.'}, + "SrcOriginalUserType": {"data_type": "string", "description": 'The original source user type, if provided by the source.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The IP port on which the device communicated, if applicable.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified Source.'}, + "SrcUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the user.'}, + "SrcUserIdType": {"data_type": "string", "description": 'The type of SrcUserId.'}, + "SrcUsername": {"data_type": "string", "description": "The user's username, including domain information when available."}, + "SrcUsernameType": {"data_type": "string", "description": 'The type of username.'}, + "SrcUserScope": {"data_type": "string", "description": 'The type of username.'}, + "SrcUserScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which UserId and Username are defined.'}, + "SrcUserSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the user.'}, + "SrcUserType": {"data_type": "string", "description": 'The type of user'}, + "SrcUserUid": {"data_type": "string", "description": 'The Unix or Linux user ID of the user.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the activity.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimDnsActivityLogs": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DnsFlags": {"data_type": "string", "description": 'The DNS request flags, as provided by the reporting device. The structure of the DNS flags information may vary between different reporting devices.'}, + "DnsFlagsAuthenticated": {"data_type": "bool", "description": 'The DNS authenticated answer flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. see RFC 3655 Section 6.1 for more information.'}, + "DnsFlagsAuthoritative": {"data_type": "bool", "description": 'The DNS authoritative answer flag indicates whether the response from the server was authoritative.'}, + "DnsFlagsCheckingDisabled": {"data_type": "bool", "description": 'The DNS CD flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query.'}, + "DnsFlagsRecursionAvailable": {"data_type": "bool", "description": 'The DNS RA flag indicates in a response that that server supports recursive queries.'}, + "DnsFlagsRecursionDesired": {"data_type": "bool", "description": 'The DNS recursion desired flag indicates in a request that that client would like the server to use recursive queries.'}, + "DnsFlagsTruncated": {"data_type": "bool", "description": 'The DNS TC flag indicates that a response was truncates as it exceeded the maximum response size.'}, + "DnsFlagsZ": {"data_type": "bool", "description": 'The DNS Z flag is a deprecated DNS flag, which might be reported by older DNS systems.'}, + "DnsNetworkDuration": {"data_type": "int", "description": 'The amount of time, in milliseconds, for the completion of DNS request.'}, + "DnsQuery": {"data_type": "string", "description": 'The domain that needs to be resolved.'}, + "DnsQueryClass": {"data_type": "int", "description": 'The DNS class ID as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DnsQueryClassName": {"data_type": "string", "description": 'The DNS class name as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DnsQueryType": {"data_type": "int", "description": 'The DNS resource record type codes as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DnsQueryTypeName": {"data_type": "string", "description": 'The DNS resource record type name as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DnsResponseCode": {"data_type": "int", "description": 'The DNS numerical response code as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DnsResponseIpCity": {"data_type": "string", "description": 'The city associated with the response IP address.'}, + "DnsResponseIpCountry": {"data_type": "string", "description": 'The country associated with the response IP address.'}, + "DnsResponseIpLatitude": {"data_type": "real", "description": 'The Latitude of the geographical coordinate associated with the response IP address.'}, + "DnsResponseIpLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the response IP address.'}, + "DnsResponseIpRegion": {"data_type": "string", "description": 'The region, or state, within a country, associated with the source IP address.'}, + "DnsResponseName": {"data_type": "string", "description": 'The content of the response, as included in the record. The structure of the DNS response data may vary between different reporting devices.'}, + "DnsSessionId": {"data_type": "string", "description": 'The DNS session identifier as reported by the reporting device.'}, + "Dst": {"data_type": "string", "description": 'A unique identifier of the server that received the DNS request.'}, + "DstDescription": {"data_type": "string", "description": 'A descriptive text associated with the destination.'}, + "DstDeviceType": {"data_type": "string", "description": 'The type of the destination device.'}, + "DstDomain": {"data_type": "string", "description": 'The domain of the destination device.'}, + "DstDomainType": {"data_type": "string", "description": 'The type of DstDomain.'}, + "DstDvcId": {"data_type": "string", "description": 'The ID of the destination device.'}, + "DstDvcIdType": {"data_type": "string", "description": 'The type of DstDvcId.'}, + "DstDvcScope": {"data_type": "string", "description": 'The cloud platform scope the destination device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.'}, + "DstDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the destination device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DstFQDN": {"data_type": "string", "description": 'The destination device hostname, including domain information when available.'}, + "DstGeoCity": {"data_type": "string", "description": 'The city associated with the destination IP address.'}, + "DstGeoCountry": {"data_type": "string", "description": 'The country associated with the destination IP address.'}, + "DstGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoRegion": {"data_type": "string", "description": 'The region, or state, within a country, associated with the destination IP address.'}, + "DstHostname": {"data_type": "string", "description": 'The destination device hostname, excluding domain information.'}, + "DstIpAddr": {"data_type": "string", "description": 'The IP address of the server receiving the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to 127.0.0.1.'}, + "DstOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associated with the destination device as reported by the reporting device.'}, + "DstPortNumber": {"data_type": "int", "description": 'Destination Port number.'}, + "DstRiskLevel": {"data_type": "int", "description": 'The risk level associated with the destination device.'}, + "Dvc": {"data_type": "string", "description": 'A unique identifier of the device reporting the event. The identifier can be either an IP Address, A hostname, or a device ID.'}, + "DvcAction": {"data_type": "string", "description": 'The action taken by the the reporting device on the request, such as blocking it.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain. Possible values include "Windows" and "FQDN".'}, + "DvcFQDN": {"data_type": "string", "description": 'The fully qualified hostname, including domain information, of the device reporting the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device reporting the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device reporting the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device reporting the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device reporting the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network segment of the device reporting the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record. This value is used when the source supports aggregation, and a single record may represent multiple events.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time at which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, for example, the original Windows event ID.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL of a resource that provides additional information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'The DNS response code as defined by the Internet Assigned Numbers Authority (IANA).'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time at which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Either request or response.'}, + "EventType": {"data_type": "string", "description": 'Indicates the operation reported by the record. For DNS activity events, this value is the DNS opcode as defined by the Internet Assigned Numbers Authority (IANA).'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkProtocol": {"data_type": "string", "description": 'The transport protocol used by the network resolution event. The value can be UDP or TCP.'}, + "NetworkProtocolVersion": {"data_type": "string", "description": 'The version of the network protocol. Typically used to differentiate between IPv4 and Ipv6.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Src": {"data_type": "string", "description": 'A unique identifier of the source device.'}, + "SrcDescription": {"data_type": "string", "description": 'The number of the rule associated with the inspection results.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the source device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the source device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region, or state, within a country, associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address of the client sending the DNS request. For a recursive DNS request, this value would typically be the reporting device, and in most cases, set to 127.0.0.1.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associated with the source device as reported by the reporting device.'}, + "SrcOriginalUserType": {"data_type": "string", "description": 'The original source user type, as provided by the source.'}, + "SrcPortNumber": {"data_type": "int", "description": 'Source port of the DNS query.'}, + "SrcProcessGuid": {"data_type": "string", "description": 'A generated unique identifier (GUID) of the process that initiated the DNS request.'}, + "SrcProcessId": {"data_type": "string", "description": 'The process ID (PID) of the process that initiated the DNS request.'}, + "SrcProcessName": {"data_type": "string", "description": 'The name of the process that initiated the DNS request.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the source device.'}, + "SrcUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the source user.'}, + "SrcUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the SrcUserId field.'}, + "SrcUsername": {"data_type": "string", "description": 'The Source username, including domain information when available.'}, + "SrcUsernameType": {"data_type": "string", "description": 'The type of the username stored in the SrcUsername field.'}, + "SrcUserScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.'}, + "SrcUserScopeId": {"data_type": "string", "description": 'The ID of the scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.'}, + "SrcUserSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the source user.'}, + "SrcUserType": {"data_type": "string", "description": 'The type of the source user.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName.'}, + "ThreatFirstReportedTime": {"data_type": "string", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatFirstReportedTime_d": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the web session.'}, + "ThreatIpAddr": {"data_type": "string", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. If a threat is identified in the Domain field, this field should be empty.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "string", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatLastReportedTime_d": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "int", "description": 'The original risk level associated with the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel_s": {"data_type": "string", "description": 'The risk level associated with the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the threat identified, normalized to a value between 0 and a 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "TransactionIdHex": {"data_type": "string", "description": 'The DNS unique hex transaction ID.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UrlCategory": {"data_type": "string", "description": 'A DNS event source may also look up the category of the requested Domains.'}, + }, + "ASimFileEventLogs": { + "ActingProcessCommandLine": {"data_type": "string", "description": 'The command line used to run the acting process.'}, + "ActingProcessGuid": {"data_type": "string", "description": 'A generated unique identifier (GUID) of the acting process.'}, + "ActingProcessId": {"data_type": "string", "description": 'The process ID (PID) of the acting process.'}, + "ActingProcessName": {"data_type": "string", "description": 'The name of the acting process.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The original actor user type as provided by the reporting device.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD Directory ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the login session of the Actor.'}, + "ActorUserAadId": {"data_type": "string", "description": 'The Azure Active Directory ID of the actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": 'The Actor username, including domain information when available.'}, + "ActorUsernameType": {"data_type": "string", "description": 'Specifies the type of the user name stored in the ActorUsername field.'}, + "ActorUserSid": {"data_type": "string", "description": 'The Windows user ID (SIDs) of the actor.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'The action taken on the web session.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": "The type of DvcDomain. Valid values include 'Windows' and 'FQDN'."}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event, depending on the schema.'}, + "EventCount": {"data_type": "int", "description": 'This value is used when the source supports aggregation, and a single record may represent multiple events.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'The HTTP status code.'}, + "EventSchema": {"data_type": "string", "description": 'The schema the event is normalized to. Each schema documents its schema name.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Additional description of the event type, if applicable.'}, + "EventType": {"data_type": "string", "description": 'The operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "HashType": {"data_type": "string", "description": 'The type of hash stored in the Hash alias field.'}, + "HttpUserAgent": {"data_type": "string", "description": 'When the operation is initiated using HTTP or HTTPS, the HTTP user agent header.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkApplicationProtocol": {"data_type": "string", "description": 'When the operation is initiated by a remote system, the application layer protocol used by the connection or session.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to.'}, + "SrcFileCreationTime": {"data_type": "datetime", "description": 'The time at which the source file was created.'}, + "SrcFileDirectory": {"data_type": "string", "description": 'The source file folder or location.'}, + "SrcFileExtension": {"data_type": "string", "description": 'The source file extension.'}, + "SrcFileMD5": {"data_type": "string", "description": 'The MD5 hash of the source file.'}, + "SrcFileMimeType": {"data_type": "string", "description": 'The Mime or Media type of the source file.'}, + "SrcFileName": {"data_type": "string", "description": 'The name of the source file, without a path or a location, but with an extension if relevant.'}, + "SrcFilePath": {"data_type": "string", "description": 'The full, normalized path of the source file, including the folder or location, the file name, and the extension.'}, + "SrcFilePathType": {"data_type": "string", "description": 'The type of SrcFilePath.'}, + "SrcFileSHA1": {"data_type": "string", "description": 'The SHA-1 hash of the source file.'}, + "SrcFileSHA256": {"data_type": "string", "description": 'The SHA-256 hash of the source file.'}, + "SrcFileSHA512": {"data_type": "string", "description": 'The SHA-512 hash of the source file.'}, + "SrcFileSize": {"data_type": "long", "description": 'The size of the source file in bytes.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.'}, + "SrcIpAddr": {"data_type": "string", "description": 'When the operation is initiated by a remote system, the IP address of this system.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the source device.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associated with the source. As reported by the reporting device or enriched.'}, + "SrcPortNumber": {"data_type": "int", "description": 'When the operation is initiated by a remote system, the port number from which the connection was initiated.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the source.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetAppId": {"data_type": "string", "description": 'The ID of the destination application, as reported by the reporting device.'}, + "TargetAppName": {"data_type": "string", "description": 'The name of the destination application.'}, + "TargetAppType": {"data_type": "string", "description": 'The type of the destination application.'}, + "TargetFileCreationTime": {"data_type": "datetime", "description": 'The time at which the target file was created.'}, + "TargetFileDirectory": {"data_type": "string", "description": 'The target file folder or location.'}, + "TargetFileExtension": {"data_type": "string", "description": 'The target file extension.'}, + "TargetFileMD5": {"data_type": "string", "description": 'The MD5 hash of the target file.'}, + "TargetFileMimeType": {"data_type": "string", "description": 'The Mime or Media type of the target file.'}, + "TargetFileName": {"data_type": "string", "description": 'The name of the target file, without a path or a location, but with an extension if relevant.'}, + "TargetFilePath": {"data_type": "string", "description": 'The full, normalized path of the target file, including the folder or location, the file name, and the extension.'}, + "TargetFilePathType": {"data_type": "string", "description": 'The type of TargetFilePath.'}, + "TargetFileSHA1": {"data_type": "string", "description": 'The SHA-1 hash of the target file.'}, + "TargetFileSHA256": {"data_type": "string", "description": 'The SHA-256 hash of the target file.'}, + "TargetFileSHA512": {"data_type": "string", "description": 'The SHA-512 hash of the source file.'}, + "TargetFileSize": {"data_type": "long", "description": 'The size of the target file in bytes.'}, + "TargetOriginalAppType": {"data_type": "string", "description": 'The target application type as reported by the reporting device.'}, + "TargetUrl": {"data_type": "string", "description": 'When the operation is initiated using HTTP or HTTPS, the URL used.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in the file activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified. The value is either SrcFilePath or DstFilePath.'}, + "ThreatFilePath": {"data_type": "string", "description": 'A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the file activity.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the file activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimNetworkSessionLogs": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DstAppId": {"data_type": "string", "description": 'The ID of the destination application, as reported by the reporting device.'}, + "DstAppName": {"data_type": "string", "description": 'The name of the destination application.'}, + "DstAppType": {"data_type": "string", "description": 'The type of the destination application.'}, + "DstBytes": {"data_type": "long", "description": 'The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes is the sum over all aggregated sessions.'}, + "DstDescription": {"data_type": "string", "description": 'A descriptive text associated with the destination.'}, + "DstDeviceType": {"data_type": "string", "description": 'The type of the destination device.'}, + "DstDomain": {"data_type": "string", "description": 'The domain of the destination device.'}, + "DstDomainType": {"data_type": "string", "description": 'The type of DstDomain.'}, + "DstDvcId": {"data_type": "string", "description": 'The ID of the destination device.'}, + "DstDvcIdType": {"data_type": "string", "description": 'The type of DstDvcId.'}, + "DstFQDN": {"data_type": "string", "description": 'The destination device hostname, including domain information when available.'}, + "DstGeoCity": {"data_type": "string", "description": 'The city associated with the destination IP address.'}, + "DstGeoCountry": {"data_type": "string", "description": 'The country associated with the destination IP address.'}, + "DstGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoRegion": {"data_type": "string", "description": 'The region, or state, within a country associated with the destination IP address.'}, + "DstHostname": {"data_type": "string", "description": 'The destination device hostname, excluding domain information.'}, + "DstInterfaceGuid": {"data_type": "string", "description": 'The GUID of the network interface used on the destination device.'}, + "DstInterfaceName": {"data_type": "string", "description": 'The network interface used for the connection or session by the destination device.'}, + "DstIpAddr": {"data_type": "string", "description": 'The IP address of the connection or session destination.'}, + "DstMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface used for the connection or session by the destination device.'}, + "DstNatIpAddr": {"data_type": "string", "description": 'The DstNatIpAddr represents either of: The original address of the destination device if network address translation was used or the IP address used by the intermediary device for communication with the source.'}, + "DstNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the source.'}, + "DstOriginalUserType": {"data_type": "string", "description": 'The original destination user type, if provided by the source.'}, + "DstPackets": {"data_type": "long", "description": 'The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets is the sum over all aggregated sessions.'}, + "DstPortNumber": {"data_type": "int", "description": 'The destination IP port.'}, + "DstSubscriptionId": {"data_type": "string", "description": 'The cloud platform subscription ID the destination device belongs to. DstSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DstUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the destination user.'}, + "DstUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the DstUserId field.'}, + "DstUsername": {"data_type": "string", "description": "The destination username, including domain information when available. Use the simple form only if domain information isn't available."}, + "DstUsernameType": {"data_type": "string", "description": 'Specifies the type of the username stored in the DstUsername field.'}, + "DstUserType": {"data_type": "string", "description": 'The type of destination user.'}, + "DstVlanId": {"data_type": "string", "description": 'The VLAN ID related to the destination device.'}, + "DstZone": {"data_type": "string", "description": 'The network zone of the destination, as defined by the reporting device.'}, + "Dvc": {"data_type": "string", "description": 'A unique identifier of the device on which the event occurred or which reported the event.'}, + "DvcAction": {"data_type": "string", "description": 'The action taken on the network session.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": "The type of DvcDomain. Possible values include 'Windows' and 'FQDN'."}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInboundInterface": {"data_type": "string", "description": 'If reported by an intermediary device, the network interface used by the NAT device for the connection to the source device.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured. This field is typically relevant to network related activity which is captured by an intermediate or tap device.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device reporting the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device reporting the event.'}, + "DvcOutboundInterface": {"data_type": "string", "description": 'If reported by an intermediary device, the network interface used by the NAT device for the connection to the destination device.'}, + "DvcSubscriptionId": {"data_type": "string", "description": 'The cloud platform subscription ID the device belongs to. DvcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event. The zone is defined by the reporting device.'}, + "EventCount": {"data_type": "int", "description": 'This value is used when the source supports aggregation, and a single record may represent multiple events.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Additional description of the event type, if applicable.'}, + "EventType": {"data_type": "string", "description": 'The operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkApplicationProtocol": {"data_type": "string", "description": 'The application layer protocol used by the connection or session.'}, + "NetworkBytes": {"data_type": "long", "description": 'Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes is the sum over all aggregated sessions.'}, + "NetworkConnectionHistory": {"data_type": "string", "description": 'TCP flags and other potential IP header information.'}, + "NetworkDirection": {"data_type": "string", "description": 'The direction of the connection or session.'}, + "NetworkDuration": {"data_type": "int", "description": 'The amount of time, in milliseconds, for the completion of the network session or connection.'}, + "NetworkIcmpCode": {"data_type": "int", "description": 'For an ICMP message, the ICMP message type numeric value as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.'}, + "NetworkIcmpType": {"data_type": "string", "description": 'For an ICMP message, the ICMP message type text representation, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.'}, + "NetworkPackets": {"data_type": "long", "description": 'The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets is the sum over all aggregated sessions.'}, + "NetworkProtocol": {"data_type": "string", "description": 'The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP.'}, + "NetworkProtocolVersion": {"data_type": "string", "description": 'The version of NetworkProtocol.'}, + "NetworkRuleName": {"data_type": "string", "description": 'The name or ID of the rule by which DvcAction was decided upon.'}, + "NetworkRuleNumber": {"data_type": "int", "description": 'The number of the rule by which DvcAction was decided upon.'}, + "NetworkSessionId": {"data_type": "string", "description": 'The session identifier as reported by the reporting device.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcAppId": {"data_type": "string", "description": 'The ID of the source application, as reported by the reporting device.'}, + "SrcAppName": {"data_type": "string", "description": 'The name of the source application.'}, + "SrcAppType": {"data_type": "string", "description": 'The type of the source application.'}, + "SrcBytes": {"data_type": "long", "description": 'The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes is the sum over all aggregated sessions.'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the source.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information. If no device name is available, may store the relevant IP address.'}, + "SrcInterfaceGuid": {"data_type": "string", "description": 'The GUID of the network interface used on the source device.'}, + "SrcInterfaceName": {"data_type": "string", "description": 'The network interface used for the connection or session by the source device.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address from which the connection or session originated.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface from which the connection or session originated.'}, + "SrcNatIpAddr": {"data_type": "string", "description": 'The SrcNatIpAddr represents either of: The original address of the source device if network address translation was used or the IP address used by the intermediary device for communication with the destination.'}, + "SrcNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination.'}, + "SrcOriginalUserType": {"data_type": "string", "description": 'The original destination user type, if provided by the by the reporting device.'}, + "SrcPackets": {"data_type": "long", "description": 'The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets is the sum over all aggregated sessions.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections.'}, + "SrcSubscriptionId": {"data_type": "string", "description": 'The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the source user.'}, + "SrcUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the SrcUserId field.'}, + "SrcUsername": {"data_type": "string", "description": 'The source username, including domain information when available.'}, + "SrcUsernameType": {"data_type": "string", "description": 'Specifies the type of the username stored in the SrcUsername field.'}, + "SrcUserType": {"data_type": "string", "description": 'The type of the source user.'}, + "SrcVlanId": {"data_type": "string", "description": 'The VLAN ID related to the source device.'}, + "SrcZone": {"data_type": "string", "description": 'The network zone of the source, as defined by the reporting device.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TcpFlagsAck": {"data_type": "bool", "description": 'The TCP ACK flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK as well as a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet.'}, + "TcpFlagsFin": {"data_type": "bool", "description": 'The TCP FIN flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.'}, + "TcpFlagsPsh": {"data_type": "bool", "description": 'The TCP PSH flag reported. The push flag is somewhat similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.'}, + "TcpFlagsRst": {"data_type": "bool", "description": 'The TCP RST flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.'}, + "TcpFlagsSyn": {"data_type": "bool", "description": 'The TCP SYN flag reported. The synchronisation flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set.'}, + "TcpFlagsUrg": {"data_type": "bool", "description": 'The TCP URG flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in the network session.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the network session.'}, + "ThreatIpAddr": {"data_type": "string", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the network session.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the session. The level is a number between 0 to 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimProcessEventLogs": { + "ActingProcessCommandLine": {"data_type": "string", "description": 'The command line used to run the acting process.'}, + "ActingProcessCreationTime": {"data_type": "datetime", "description": 'The date and time when the acting process was started.'}, + "ActingProcessFileCompany": {"data_type": "string", "description": 'The company that created the acting process image file.'}, + "ActingProcessFileDescription": {"data_type": "string", "description": 'The description embedded in the version information of the acting process image file.'}, + "ActingProcessFileInternalName": {"data_type": "string", "description": 'The product internal file name from the version information of the acting process image file.'}, + "ActingProcessFilename": {"data_type": "string", "description": 'The product file name from the version information of the acting process image file.'}, + "ActingProcessFileOriginalName": {"data_type": "string", "description": 'The product original file name from the version information of the acting process image file.'}, + "ActingProcessFileProduct": {"data_type": "string", "description": 'The product name from the version information in the acting process image file.'}, + "ActingProcessFileSize": {"data_type": "long", "description": 'The size of the file in bytes that ran the acting process.'}, + "ActingProcessFileVersion": {"data_type": "string", "description": 'The product version from the version information of the acting process image file.'}, + "ActingProcessGuid": {"data_type": "string", "description": 'A GUID of the acting process.'}, + "ActingProcessId": {"data_type": "string", "description": 'The process ID of the acting process.'}, + "ActingProcessIMPHASH": {"data_type": "string", "description": 'The Import Hash of all the library DLLs that are used by the acting process.'}, + "ActingProcessInjectedAddress": {"data_type": "string", "description": 'The memory address in which the responsible acting process is stored.'}, + "ActingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity Level for acting process.'}, + "ActingProcessIsHidden": {"data_type": "bool", "description": 'An indication of whether the acting process is in hidden mode.'}, + "ActingProcessMD5": {"data_type": "string", "description": 'The MD5 hash of the acting process image file.'}, + "ActingProcessName": {"data_type": "string", "description": 'The name of the acting process.'}, + "ActingProcessSHA1": {"data_type": "string", "description": 'The SHA-1 hash of the acting process image file.'}, + "ActingProcessSHA256": {"data_type": "string", "description": 'The SHA-256 hash of the acting process image file.'}, + "ActingProcessSHA512": {"data_type": "string", "description": 'The SHA-512 hash of the acting process image file.'}, + "ActingProcessTokenElevation": {"data_type": "string", "description": 'A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the acting process.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The user type as reported by the reporting device.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": "The Actor's username, including domain information when available."}, + "ActorUsernameType": {"data_type": "string", "description": "The type of the Actor's username specified in ActionUsername field"}, + "ActorUserType": {"data_type": "string", "description": 'The type of the Actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key and value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain. Possible values include "Windows" and "FQDN".'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Describes a subdivision of the operation reported in the EventType field.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ParentProcessCreationTime": {"data_type": "datetime", "description": 'The date and time when the parent process was started.'}, + "ParentProcessFileCompany": {"data_type": "string", "description": 'The company that created the parent process image file.'}, + "ParentProcessFileDescription": {"data_type": "string", "description": 'The description from the version information of the parent process image file.'}, + "ParentProcessFileProduct": {"data_type": "string", "description": 'The product name from the version information in the parent process image file.'}, + "ParentProcessFileVersion": {"data_type": "string", "description": 'The product version from the version information of the parent process image file.'}, + "ParentProcessGuid": {"data_type": "string", "description": 'A GUID of the parent process.'}, + "ParentProcessId": {"data_type": "string", "description": 'The process ID of the parent process.'}, + "ParentProcessIMPHASH": {"data_type": "string", "description": 'The Import Hash of all the library DLLs that are used by the parent process.'}, + "ParentProcessInjectedAddress": {"data_type": "string", "description": 'The memory address in which the responsible parent process is stored.'}, + "ParentProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity Level for parent process.'}, + "ParentProcessIsHidden": {"data_type": "bool", "description": 'An indication of whether the parent process is in hidden mode.'}, + "ParentProcessMD5": {"data_type": "string", "description": 'The MD5 hash of the parent process image file.'}, + "ParentProcessName": {"data_type": "string", "description": 'The name of the parent process.'}, + "ParentProcessSHA1": {"data_type": "string", "description": 'The SHA-1 hash of the parent process image file.'}, + "ParentProcessSHA256": {"data_type": "string", "description": 'The SHA-256 hash of the parent process image file.'}, + "ParentProcessSHA512": {"data_type": "string", "description": 'The SHA-512 hash of the parent process image file.'}, + "ParentProcessTokenElevation": {"data_type": "string", "description": 'A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the parent process.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetOriginalUserType": {"data_type": "string", "description": 'The user type as reported by the reporting device.'}, + "TargetProcessCommandLine": {"data_type": "string", "description": 'The command line used to run the target process.'}, + "TargetProcessCreationTime": {"data_type": "datetime", "description": 'The date and time when the target process was started.'}, + "TargetProcessCurrentDirectory": {"data_type": "string", "description": 'The current directory in which the target process is executed.'}, + "TargetProcessFileCompany": {"data_type": "string", "description": 'The company that created the target process image file.'}, + "TargetProcessFileDescription": {"data_type": "string", "description": 'The description from the version information of the target process image file.'}, + "TargetProcessFileInternalName": {"data_type": "string", "description": 'The product internal file name from the version information of the target process image file.'}, + "TargetProcessFilename": {"data_type": "string", "description": 'The product file name from the version information of the target process image file.'}, + "TargetProcessFileOriginalName": {"data_type": "string", "description": 'The product original file name from the version information of the target process image file.'}, + "TargetProcessFileProduct": {"data_type": "string", "description": 'The product name from the version information in the target process image file.'}, + "TargetProcessFileSize": {"data_type": "long", "description": 'Size of the file in bytes that ran the process responsible for the event.'}, + "TargetProcessFileVersion": {"data_type": "string", "description": 'The product version from the version information of the target process image file.'}, + "TargetProcessGuid": {"data_type": "string", "description": 'A GUID of the target process.'}, + "TargetProcessId": {"data_type": "string", "description": 'The process ID of the target process.'}, + "TargetProcessIMPHASH": {"data_type": "string", "description": 'The Import Hash of all the library DLLs that are used by the target process.'}, + "TargetProcessInjectedAddress": {"data_type": "string", "description": 'The memory address in which the responsible target process is stored.'}, + "TargetProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity Level for target process.'}, + "TargetProcessIsHidden": {"data_type": "bool", "description": 'An indication of whether the target process is in hidden mode.'}, + "TargetProcessMD5": {"data_type": "string", "description": 'The MD5 hash of the target process image file.'}, + "TargetProcessName": {"data_type": "string", "description": 'The name of the target process.'}, + "TargetProcessSHA1": {"data_type": "string", "description": 'The SHA-1 hash of the target process image file.'}, + "TargetProcessSHA256": {"data_type": "string", "description": 'The SHA-256 hash of the target process image file.'}, + "TargetProcessSHA512": {"data_type": "string", "description": 'The SHA-512 hash of the target process image file.'}, + "TargetProcessStatusCode": {"data_type": "string", "description": 'The exit code returned by the target process when terminated.'}, + "TargetProcessTokenElevation": {"data_type": "string", "description": 'A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the target process.'}, + "TargetScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which TargetUserId and TargetUsername are defined.'}, + "TargetScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined.'}, + "TargetUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "TargetUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the TargetUserId field.'}, + "TargetUsername": {"data_type": "string", "description": "The Target actor's username, including domain information when available."}, + "TargetUsernameType": {"data_type": "string", "description": "The type of the Target actor's username specified in TargetUsername field"}, + "TargetUserSessionGuid": {"data_type": "string", "description": 'The unique guid of the sign-in session of the Target actor.'}, + "TargetUserSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Target actor.'}, + "TargetUserType": {"data_type": "string", "description": 'The type of the Target actor.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the activity.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimRegistryEventLogs": { + "ActingProcessCommandLine": {"data_type": "string", "description": 'The command line used to run the process.'}, + "ActingProcessGuid": {"data_type": "string", "description": 'A generated unique identifier of the acting process.'}, + "ActingProcessId": {"data_type": "string", "description": 'The process ID of the acting process.'}, + "ActingProcessName": {"data_type": "string", "description": 'The file name of the acting process image file.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The original actor user type, if provided by the source.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the login session of the Actor.'}, + "ActorUserAadId": {"data_type": "string", "description": 'The Azure Active Directory ID of the actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A unique ID of the Actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": 'The user name of the user who initiated the event.'}, + "ActorUsernameType": {"data_type": "string", "description": 'Specifies the type of the user name stored in the ActorUsername field.'}, + "ActorUserSid": {"data_type": "string", "description": 'The Windows user ID (SIDs) of the actor.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of the Actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain.'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": '.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchema": {"data_type": "string", "description": 'The name of the schema.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Describes a subdivision of the operation reported in the EventType field.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ParentProcessCommandLine": {"data_type": "string", "description": 'The command line used to run the process.'}, + "ParentProcessGuid": {"data_type": "string", "description": 'A generated unique identifier of the parent process.'}, + "ParentProcessId": {"data_type": "string", "description": 'The process ID of the parent process.'}, + "ParentProcessName": {"data_type": "string", "description": 'The file name of the parent process image file.'}, + "RegistryKey": {"data_type": "string", "description": 'The registry key associated with the operation, normalized to standard root key naming conventions.'}, + "RegistryPreviousKey": {"data_type": "string", "description": 'For operations that modify the registry, the original registry key, normalized to standard root key naming.'}, + "RegistryPreviousValue": {"data_type": "string", "description": 'For operations that modify the registry, the original value type, normalized to the standard form.'}, + "RegistryPreviousValueData": {"data_type": "string", "description": 'The original registry data, for operations that modify the registry.'}, + "RegistryPreviousValueType": {"data_type": "string", "description": 'For operations that modify the registry, the original value type.'}, + "RegistryValue": {"data_type": "string", "description": 'The registry value associated with the operation.'}, + "RegistryValueData": {"data_type": "string", "description": 'The data stored in the registry value.'}, + "RegistryValueType": {"data_type": "string", "description": 'The type of registry value, normalized to standard form.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the activity.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimUserManagementActivityLogs": { + "ActingAppId": {"data_type": "string", "description": 'The ID of the application used by the actor to perform the activity, including a process, browser, or service.'}, + "ActingAppName": {"data_type": "string", "description": 'The name of the application used by the actor to perform the activity, including a process, browser, or service.'}, + "ActingAppType": {"data_type": "string", "description": 'The type of acting application.'}, + "ActingOriginalAppType": {"data_type": "string", "description": 'The acting application type as reported by the reporting device.'}, + "ActorOriginalUserType": {"data_type": "string", "description": 'The original actor user type, if provided by the source.'}, + "ActorScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which ActorUserId and ActorUsername are defined.'}, + "ActorScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which ActorUserId and ActorUsername are defined.'}, + "ActorSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the Actor.'}, + "ActorUserAadId": {"data_type": "string", "description": 'The Azure Active Directory ID of the actor.'}, + "ActorUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the actor.'}, + "ActorUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the ActorUserId field.'}, + "ActorUsername": {"data_type": "string", "description": "The Actor's username, including domain information when available."}, + "ActorUsernameType": {"data_type": "string", "description": 'Specifies the type of the user name stored in the ActorUsername field.'}, + "ActorUserSid": {"data_type": "string", "description": 'The Windows user ID (SIDs) of the actor.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of the Actor.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DvcAction": {"data_type": "string", "description": 'For reporting security systems, the action taken by the system.'}, + "DvcDescription": {"data_type": "string", "description": 'A descriptive text associated with the device.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": 'The type of DvcDomain.'}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcInterface": {"data_type": "string", "description": 'The network interface on which data was captured.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the device on which the event occurred or which reported the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "DvcOs": {"data_type": "string", "description": 'The operating system running on the device on which the event occurred or which reported the event.'}, + "DvcOsVersion": {"data_type": "string", "description": 'The version of the operating system on the device on which the event occurred or which reported the event.'}, + "DvcScope": {"data_type": "string", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription name on Azure and to an account ID on AWS.'}, + "DvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DvcZone": {"data_type": "string", "description": 'The network on which the event occurred or which reported the event.'}, + "EventCount": {"data_type": "int", "description": 'The number of events described by the record.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time when the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason or details for the result reported in the EventResult field.'}, + "EventSchema": {"data_type": "string", "description": 'The name of the schema'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time when the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Describes a subdivision of the operation reported in the EventType field.'}, + "EventType": {"data_type": "string", "description": 'Describes the operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "GroupId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the group, for activities involving a group.'}, + "GroupIdType": {"data_type": "string", "description": 'The type of the ID stored in the GroupId field.'}, + "GroupName": {"data_type": "string", "description": 'The group name, including domain information when available, for activities involving a group.'}, + "GroupNameType": {"data_type": "string", "description": 'Specifies the type of the group name stored in the GroupName field.'}, + "GroupOriginalType": {"data_type": "string", "description": 'The original group type, if provided by the source.'}, + "GroupType": {"data_type": "string", "description": 'The type of the group, for activities involving a group.'}, + "HttpUserAgent": {"data_type": "string", "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NewPropertyValue": {"data_type": "string", "description": 'The new value stored in the specified property.'}, + "PreviousPropertyValue": {"data_type": "string", "description": 'The previous value that was stored in the specified property.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by associated with the inspection results.'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule associated with the inspection results.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcDescription": {"data_type": "string", "description": 'A descriptive text associated with the source device.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device as reported in the record.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the source device belongs to. SrcDvcScope map to a subscription name on Azure and to an account ID on AWS.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the source device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address..'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address of the source device.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the source device.'}, + "SrcOriginalRiskLevel": {"data_type": "string", "description": 'The risk level associaeted with the identified Source as reported by the reporting device.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The Source IP port from which the connection originated.'}, + "SrcRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified Source.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetOriginalUserType": {"data_type": "string", "description": 'The original destination user type, if provided by the source.'}, + "TargetUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the target user.'}, + "TargetUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the TargetUserId field.'}, + "TargetUsername": {"data_type": "string", "description": 'The target username, including domain information when available.'}, + "TargetUsernameType": {"data_type": "string", "description": 'Specifies the type of the username stored in the TargetUsername field.'}, + "TargetUserScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant name, in which TargetUserId and TargetUsername are defined.'}, + "TargetUserScopeId": {"data_type": "string", "description": 'The scope ID, such as Azure AD tenant ID, in which TargetUserId and TargetUsername are defined.'}, + "TargetUserSessionId": {"data_type": "string", "description": 'The unique ID of the sign-in session of the user.'}, + "TargetUserType": {"data_type": "string", "description": 'The type of target user.'}, + "TargetUserUid": {"data_type": "string", "description": 'The Unix or Linux user ID of the user.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in activity.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the activity.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the activity.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ASimWebSessionLogs": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information, represented using key/value pairs provided by the source which do not map to ASim.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DstAppId": {"data_type": "string", "description": 'The ID of the destination application, as reported by the reporting device.'}, + "DstAppName": {"data_type": "string", "description": 'The name of the destination application.'}, + "DstAppType": {"data_type": "string", "description": 'The type of the destination application.'}, + "DstBytes": {"data_type": "long", "description": 'The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes is the sum over all aggregated sessions.'}, + "DstDeviceType": {"data_type": "string", "description": 'The type of the destination device.'}, + "DstDomain": {"data_type": "string", "description": 'The domain of the destination device.'}, + "DstDomainType": {"data_type": "string", "description": 'The type of DstDomain.'}, + "DstDvcId": {"data_type": "string", "description": 'The ID of the destination device.'}, + "DstDvcIdType": {"data_type": "string", "description": 'The type of DstDvcId.'}, + "DstDvcScope": {"data_type": "string", "description": 'The cloud platform scope the destination device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.'}, + "DstDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the destination device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "DstFQDN": {"data_type": "string", "description": 'The destination device hostname, including domain information when available.'}, + "DstGeoCity": {"data_type": "string", "description": 'The city associated with the destination IP address.'}, + "DstGeoCountry": {"data_type": "string", "description": 'The country associated with the destination IP address.'}, + "DstGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoRegion": {"data_type": "string", "description": 'The region, or state, within a country associated with the destination IP address.'}, + "DstHostname": {"data_type": "string", "description": 'The destination device hostname, excluding domain information.'}, + "DstIpAddr": {"data_type": "string", "description": 'The IP address of the connection or session destination.'}, + "DstMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface used for the connection or session by the destination device.'}, + "DstNatIpAddr": {"data_type": "string", "description": 'The DstNatIpAddr represents either of: The original address of the destination device if network address translation was used or the IP address used by the intermediary device for communication with the source.'}, + "DstNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the source.'}, + "DstOriginalUserType": {"data_type": "string", "description": 'The original destination user type, if provided by the source.'}, + "DstPackets": {"data_type": "long", "description": 'The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets is the sum over all aggregated sessions.'}, + "DstPortNumber": {"data_type": "int", "description": 'The destination IP port.'}, + "DstUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the destination user.'}, + "DstUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the DstUserId field.'}, + "DstUsername": {"data_type": "string", "description": "The destination username, including domain information when available. Use the simple form only if domain information isn't available."}, + "DstUsernameType": {"data_type": "string", "description": 'Specifies the type of the username stored in the DstUsername field.'}, + "DstUserType": {"data_type": "string", "description": 'The type of destination user.'}, + "Dvc": {"data_type": "string", "description": 'A unique identifier of the device on which the event occurred or which reported the event.'}, + "DvcAction": {"data_type": "string", "description": 'The action taken on the web session.'}, + "DvcDomain": {"data_type": "string", "description": 'The domain of the device reporting the event.'}, + "DvcDomainType": {"data_type": "string", "description": "The type of DvcDomain. Possible values include 'Windows' and 'FQDN'."}, + "DvcFQDN": {"data_type": "string", "description": 'The hostname of the device on which the event occurred or which reported the event.'}, + "DvcHostname": {"data_type": "string", "description": 'The hostname of the device reporting the event.'}, + "DvcId": {"data_type": "string", "description": 'The unique ID of the device on which the event occurred or which reported the event.'}, + "DvcIdType": {"data_type": "string", "description": 'The type of DvcId.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP Address of the device reporting the event.'}, + "DvcOriginalAction": {"data_type": "string", "description": 'The original DvcAction as provided by the reporting device.'}, + "EventCount": {"data_type": "int", "description": 'This value is used when the source supports aggregation, and a single record may represent multiple events.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description.'}, + "EventOriginalResultDetails": {"data_type": "string", "description": 'The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.'}, + "EventOriginalSeverity": {"data_type": "string", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.'}, + "EventOriginalSubType": {"data_type": "string", "description": 'The original event subtype or ID, if provided by the source. For example, this field will be used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.'}, + "EventOriginalType": {"data_type": "string", "description": 'The original event type or ID, if provided by the source.'}, + "EventOriginalUid": {"data_type": "string", "description": 'A unique ID of the original record, if provided by the source.'}, + "EventOwner": {"data_type": "string", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A URL provided in the event for a resource that provides more information about the event.'}, + "EventResult": {"data_type": "string", "description": 'The outcome of the event, represented by one of the following values: Success, Partial, Failure, NA (Not Applicable). The value may not be provided directly by the sources, in which case it is derived from other event fields, for example, the EventResultDetails field.'}, + "EventResultDetails": {"data_type": "string", "description": 'The HTTP status code.'}, + "EventSchemaVersion": {"data_type": "string", "description": 'The version of the schema.'}, + "EventSeverity": {"data_type": "string", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.'}, + "EventSubType": {"data_type": "string", "description": 'Additional description of the event type, if applicable.'}, + "EventType": {"data_type": "string", "description": 'The operation reported by the record.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "FileContentType": {"data_type": "string", "description": 'For HTTP uploads, the content type of the uploaded file.'}, + "FileMD5": {"data_type": "string", "description": 'For HTTP uploads, the MD5 hash of the uploaded file.'}, + "FileName": {"data_type": "string", "description": 'For HTTP uploads, the name of the uploaded file.'}, + "FileSHA1": {"data_type": "string", "description": 'For HTTP uploads, the SHA1 hash of the uploaded file.'}, + "FileSHA256": {"data_type": "string", "description": 'For HTTP uploads, the SHA256 hash of the uploaded file.'}, + "FileSHA512": {"data_type": "string", "description": 'For HTTP uploads, the SHA512 hash of the uploaded file.'}, + "FileSize": {"data_type": "int", "description": 'For HTTP uploads, the size in bytes of the uploaded file.'}, + "HttpContentFormat": {"data_type": "string", "description": 'The content format part of the HttpContentType'}, + "HttpContentType": {"data_type": "string", "description": 'The HTTP Response content type header.'}, + "HttpHost": {"data_type": "string", "description": 'The virtual web server the HTTP request has targeted.'}, + "HttpReferrer": {"data_type": "string", "description": 'The HTTP referrer header.'}, + "HttpRequestMethod": {"data_type": "string", "description": 'The HTTP Method.'}, + "HttpRequestTime": {"data_type": "int", "description": 'The amount of time, in milliseconds, it took to send the request to the server.'}, + "HttpRequestXff": {"data_type": "string", "description": 'The HTTP X-Forwarded-For header.'}, + "HttpResponseTime": {"data_type": "int", "description": 'The amount of time, in milliseconds, it took to receive a response in the server.'}, + "HttpUserAgent": {"data_type": "string", "description": 'The HTTP user agent header.'}, + "HttpVersion": {"data_type": "string", "description": 'The HTTP Request Version.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkApplicationProtocol": {"data_type": "string", "description": 'The application layer protocol used by the connection or session.'}, + "NetworkBytes": {"data_type": "long", "description": 'Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes is the sum over all aggregated sessions.'}, + "NetworkConnectionHistory": {"data_type": "string", "description": 'TCP flags and other potential IP header information.'}, + "NetworkDirection": {"data_type": "string", "description": 'The direction of the connection or session.'}, + "NetworkDuration": {"data_type": "int", "description": 'The amount of time, in milliseconds, for the completion of the web session or connection.'}, + "NetworkIcmpCode": {"data_type": "int", "description": 'For an ICMP message, the ICMP message type numeric value as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.'}, + "NetworkIcmpType": {"data_type": "string", "description": 'For an ICMP message, the ICMP message type text representation, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.'}, + "NetworkPackets": {"data_type": "long", "description": 'The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets is the sum over all aggregated sessions.'}, + "NetworkProtocol": {"data_type": "string", "description": 'The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP.'}, + "NetworkProtocolVersion": {"data_type": "string", "description": 'The version of NetworkProtocol.'}, + "NetworkSessionId": {"data_type": "string", "description": 'The session identifier as reported by the reporting device.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Either NetworkRuleName or NetworkRuleNumber'}, + "RuleName": {"data_type": "string", "description": 'The name or ID of the rule by which DvcAction was decided upon. Example: AnyAnyDrop'}, + "RuleNumber": {"data_type": "int", "description": 'The number of the rule by which DvcAction was decided upon. Example: 23'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcAppId": {"data_type": "string", "description": 'The ID of the source application, as reported by the reporting device.'}, + "SrcAppName": {"data_type": "string", "description": 'The name of the source application.'}, + "SrcAppType": {"data_type": "string", "description": 'The type of the source application.'}, + "SrcBytes": {"data_type": "long", "description": 'The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes is the sum over all aggregated sessions.'}, + "SrcDeviceType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcDomain": {"data_type": "string", "description": 'The domain of the source device.'}, + "SrcDomainType": {"data_type": "string", "description": 'The type of SrcDomain.'}, + "SrcDvcId": {"data_type": "string", "description": 'The ID of the source device.'}, + "SrcDvcIdType": {"data_type": "string", "description": 'The type of SrcDvcId.'}, + "SrcDvcScope": {"data_type": "string", "description": 'The cloud platform scope the source device belongs to. DvcScope maps to a subscription on Azure and to an account on AWS.'}, + "SrcDvcScopeId": {"data_type": "string", "description": 'The cloud platform scope ID the source device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.'}, + "SrcFQDN": {"data_type": "string", "description": 'The source device hostname, including domain information when available.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcHostname": {"data_type": "string", "description": 'The source device hostname, excluding domain information. If no device name is available, may store the relevant IP address.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address from which the connection or session originated.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface from which the connection or session originated.'}, + "SrcNatIpAddr": {"data_type": "string", "description": 'The SrcNatIpAddr represents either of: The original address of the source device if network address translation was used or the IP address used by the intermediary device for communication with the destination.'}, + "SrcNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination.'}, + "SrcOriginalUserType": {"data_type": "string", "description": 'The original destination user type, if provided by the by the reporting device.'}, + "SrcPackets": {"data_type": "long", "description": 'The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets is the sum over all aggregated sessions.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections.'}, + "SrcProcessGuid": {"data_type": "string", "description": 'A generated unique identifier (GUID) of the source process.'}, + "SrcProcessId": {"data_type": "string", "description": 'The process ID (PID) of the source process.'}, + "SrcProcessName": {"data_type": "string", "description": 'The name of the source process.'}, + "SrcUserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the source user.'}, + "SrcUserIdType": {"data_type": "string", "description": 'The type of the ID stored in the SrcUserId field.'}, + "SrcUsername": {"data_type": "string", "description": 'The source username, including domain information when available.'}, + "SrcUsernameType": {"data_type": "string", "description": 'Specifies the type of the username stored in the SrcUsername field.'}, + "SrcUserScope": {"data_type": "string", "description": 'The scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.'}, + "SrcUserScopeId": {"data_type": "string", "description": 'The ID of the scope, such as Azure AD tenant, in which SrcUserId and SrcUsername are defined.'}, + "SrcUserType": {"data_type": "string", "description": 'The type of the source user.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of the threat or malware identified in the web session.'}, + "ThreatConfidence": {"data_type": "int", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.'}, + "ThreatField": {"data_type": "string", "description": 'The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName.'}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of the threat or malware identified in the web session.'}, + "ThreatIpAddr": {"data_type": "string", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.'}, + "ThreatIsActive": {"data_type": "bool", "description": 'True ID the threat identified is considered an active threat.'}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified in the web session.'}, + "ThreatOriginalConfidence": {"data_type": "string", "description": 'The original confidence level of the threat identified, as reported by the reporting device.'}, + "ThreatOriginalRiskLevel": {"data_type": "string", "description": 'The risk level as reported by the reporting device.'}, + "ThreatRiskLevel": {"data_type": "int", "description": 'The risk level associated with the session. The level is a number between 0 to 100.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) reflecting the time in which the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'The full HTTP request URL, including parameters.'}, + "UrlCategory": {"data_type": "string", "description": 'The defined grouping of a URL or the domain part of the URL.'}, + "UrlOriginal": {"data_type": "string", "description": 'The original value of the URL, when the URL was modified by the reporting device and both values are provided.'}, + }, + "ASRJobs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'Correlation ID associated with the ASR job for debugging purposes.'}, + "DurationMs": {"data_type": "int", "description": 'Duration of the ASR job.'}, + "EndTime": {"data_type": "datetime", "description": 'End time of the ASR job.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobUniqueId": {"data_type": "string", "description": 'Unique ID of the ASR job.'}, + "OperationName": {"data_type": "string", "description": 'Type of ASR job, for example, Test failover.'}, + "PolicyFriendlyName": {"data_type": "string", "description": 'Friendly name of the replication policy applied to the replicated item (if applicable).'}, + "PolicyId": {"data_type": "string", "description": 'ARM ID of the replication policy applied to the replicated item (if applicable).'}, + "PolicyUniqueId": {"data_type": "string", "description": 'Unique ID of the replication policy applied to the replicated item (if applicable).'}, + "ReplicatedItemFriendlyName": {"data_type": "string", "description": 'Friendly name of replicated item associated with the ASR job (if applicable).'}, + "ReplicatedItemId": {"data_type": "string", "description": 'ARM ID of the replicated item associated with the ASR job (if applicable).'}, + "ReplicatedItemUniqueId": {"data_type": "string", "description": 'Unique ID of the replicated item associated with the ASR job (if applicable).'}, + "ReplicationScenario": {"data_type": "string", "description": 'Field used to identify whether the replication is being done for an Azure resource or an on-premises resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Result of the ASR job.'}, + "SourceFriendlyName": {"data_type": "string", "description": 'Friendly name of the resource on which the ASR job was executed.'}, + "SourceResourceGroup": {"data_type": "string", "description": 'Resource Group of the source.'}, + "SourceResourceId": {"data_type": "string", "description": 'ARM ID of the resource on which the ASR job was executed.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'Type of resource on which the ASR job was executed.'}, + "StartTime": {"data_type": "datetime", "description": 'Start time of the ASR job.'}, + "Status": {"data_type": "string", "description": 'Status of the ASR job.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultLocation": {"data_type": "string", "description": 'Location of the vault associated with the ASR job.'}, + "VaultName": {"data_type": "string", "description": 'Name of the vault associated with the ASR job.'}, + "VaultType": {"data_type": "string", "description": 'Type of the vault associated with the ASR job.'}, + "Version": {"data_type": "string", "description": 'The API version.'}, + }, + "ASRReplicatedItems": { + "ActiveLocation": {"data_type": "string", "description": 'Current active location for the replicated item. If the item is in failed over state, the active location will be the secondary (target) region. Otherwise, it will be the primary region.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "DatasourceFriendlyName": {"data_type": "string", "description": 'Friendly name of the datasource being replicated.'}, + "DatasourceType": {"data_type": "string", "description": 'ARM type of the resource configured for replication.'}, + "DatasourceUniqueId": {"data_type": "string", "description": 'Unique ID of the datasource being replicated.'}, + "FailoverReadiness": {"data_type": "string", "description": 'Denotes whether there are any configuration issues that could affect the failover operation success for the ASR replicated item.'}, + "IRProgressPercentage": {"data_type": "int", "description": 'Progress percentage of the initial replication phase for the replicated item.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastHeartbeat": {"data_type": "datetime", "description": 'Time at which the ASR agent associated with the replicated item last made a call to the ASR service. Useful for debugging error scenarios where you wish to identify the time at which issues started arising.'}, + "LastRpoCalculatedTime": {"data_type": "datetime", "description": 'Time at which the RPO was last calculated by the ASR service for the replicated item.'}, + "LastSuccessfulTestFailoverTime": {"data_type": "datetime", "description": 'Time of the last successful faliover performed on the replicated item.'}, + "MultiVMGroupId": {"data_type": "string", "description": 'For scenarios where multi-VM consistency feature is enabled for replicated VMs, this field specifies the ID of the multi-VM group associated with the replicated VM.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "OSFamily": {"data_type": "string", "description": 'OS family of the resource being replicated.'}, + "PolicyFriendlyName": {"data_type": "string", "description": 'Friendly name of the replication policy applied to the replicated item.'}, + "PolicyId": {"data_type": "string", "description": 'ARM ID of the replication policy applied to the replicated item.'}, + "PolicyUniqueId": {"data_type": "string", "description": 'Unique ID of the replication policy applied for the replicated item.'}, + "PrimaryFabricName": {"data_type": "string", "description": 'Represents the source region of the replicated item. By default, the value is the name of the source region, however if you have specified a custom name for the primary fabric while enabling replication, then that custom name shows up under this field.'}, + "PrimaryFabricType": {"data_type": "string", "description": 'Fabric type associated with the source region of the replicated item. Depending on whether the replicated item is an Azure VM, Hyper-V VM or VMWare VM, the value for this field varies.'}, + "ProtectionInfo": {"data_type": "string", "description": 'Protection status of the replicated item.'}, + "RecoveryFabricName": {"data_type": "string", "description": 'Represents the target region of the replicated item. By default, the value is the name of the target region, however if you have specified a custom name for the recovery fabric while enabling replication, then that custom name shows up under this field.'}, + "RecoveryFabricType": {"data_type": "string", "description": 'Fabric type associated with the target region of the replicated item. Depending on whether the replicated item is an Azure VM, Hyper-V VM or VMWare VM, the value for this field varies.'}, + "RecoveryRegion": {"data_type": "string", "description": 'Target region to which the resource is replicated.'}, + "ReplicatedItemFriendlyName": {"data_type": "string", "description": 'Friendly name of the resource being replicated.'}, + "ReplicatedItemId": {"data_type": "string", "description": 'ARM ID of the replicated item.'}, + "ReplicatedItemUniqueId": {"data_type": "string", "description": 'Unique ID of the replicated item.'}, + "ReplicationHealthErrors": {"data_type": "string", "description": 'List of issues that might be affecting the recovery point generation for the replicated item.'}, + "ReplicationStatus": {"data_type": "string", "description": 'Status of replication for the ASR replicated item.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceResourceId": {"data_type": "string", "description": 'ARM ID of the datasource being replicated.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultLocation": {"data_type": "string", "description": 'Location of the vault associated with the replicated item.'}, + "VaultName": {"data_type": "string", "description": 'Name of the vault associated with the replicated item.'}, + "VaultType": {"data_type": "string", "description": 'Type of the vault associated with the replicated item.'}, + "Version": {"data_type": "string", "description": 'The API version.'}, + }, + "ATCExpressRouteCircuitIpfix": { + "ATCRegion": {"data_type": "string", "description": 'Azure Traffic Collector (ATC) deployment region.'}, + "ATCResourceId": {"data_type": "string", "description": 'Azure resource ID of Azure Traffic Collector (ATC).'}, + "BgpNextHop": {"data_type": "string", "description": 'Border Gateway Protocol (BGP) next hop as defined in the routing table.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": 'Destination IP address.'}, + "DestinationPort": {"data_type": "int", "description": 'TCP destination port.'}, + "Dot1qCustomerVlanId": {"data_type": "int", "description": 'Dot1q Customer VlanId.'}, + "Dot1qVlanId": {"data_type": "int", "description": 'Dot1q VlanId.'}, + "DstAsn": {"data_type": "int", "description": 'Destination Autonomous System Number (ASN).'}, + "DstMask": {"data_type": "int", "description": 'Mask of destination subnet.'}, + "DstSubnet": {"data_type": "string", "description": 'Destination subnet of destination IP.'}, + "ExRCircuitDirectPortId": {"data_type": "string", "description": "Azure resource ID of Express Route Circuit's direct port."}, + "ExRCircuitId": {"data_type": "string", "description": 'Azure resource ID of Express Route Circuit.'}, + "ExRCircuitServiceKey": {"data_type": "string", "description": 'Service key of Express Route Circuit.'}, + "FlowRecordTime": {"data_type": "datetime", "description": 'Timestamp (UTC) when Express Route Circuit emitted this flow record.'}, + "Flowsequence": {"data_type": "long", "description": 'Flow sequence of this flow.'}, + "IcmpType": {"data_type": "int", "description": 'Protocol type as specified in IP header.'}, + "IpClassOfService": {"data_type": "int", "description": 'IP Class of service as specified in IP header.'}, + "IpProtocolIdentifier": {"data_type": "int", "description": 'Protocol type as specified in IP header.'}, + "IpVerCode": {"data_type": "int", "description": 'IP version as defined in the IP header.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxTtl": {"data_type": "int", "description": 'Maximum time to live (TTL) as defined in the IP header.'}, + "MinTtl": {"data_type": "int", "description": 'Minimum time to live (TTL) as defined in the IP header.'}, + "NextHop": {"data_type": "string", "description": 'Next hop as per forwarding table.'}, + "NumberOfBytes": {"data_type": "long", "description": 'Total number of bytes of packets captured in this flow.'}, + "NumberOfPackets": {"data_type": "long", "description": 'Total number of packets captured in this flow.'}, + "OperationName": {"data_type": "string", "description": 'The specific Azure Traffic Collector (ATC) operation that emitted this flow record.'}, + "PeeringType": {"data_type": "string", "description": 'Express Route Circuit peering type.'}, + "Protocol": {"data_type": "int", "description": 'Protocol type as specified in IP header.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": 'Flow record schema version.'}, + "SourceIp": {"data_type": "string", "description": 'Source IP address.'}, + "SourcePort": {"data_type": "int", "description": 'TCP source port.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcAsn": {"data_type": "int", "description": 'Source Autonomous System Number (ASN).'}, + "SrcMask": {"data_type": "int", "description": 'Mask of source subnet.'}, + "SrcSubnet": {"data_type": "string", "description": 'Source subnet of source IP.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TcpFlag": {"data_type": "int", "description": 'TCP flag as defined in the TCP header.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the Azure Traffic Collector (ATC) emitted this flow record.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ATCPrivatePeeringMetadata": { + "ATCRegion": {"data_type": "string", "description": 'Azure Traffic Collector (ATC) deployment region.'}, + "ATCResourceId": {"data_type": "string", "description": 'Azure resource ID of Azure Traffic Collector (ATC).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ExRCircuitId": {"data_type": "string", "description": 'Azure resource ID of Express Route Circuit.'}, + "ExRCircuitServiceKey": {"data_type": "string", "description": 'Service key of Express Route Circuit.'}, + "IpMask": {"data_type": "int", "description": 'Mask of Virtual Network resource.'}, + "IpSubnet": {"data_type": "dynamic", "description": 'Azure resource ID of subnet and subnet IP address.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The specific Azure Traffic Collector (ATC) operation that emitted this record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": 'Flow record schema version.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the Azure Traffic Collector (ATC) emitted this record.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VnetAddressPrefix": {"data_type": "string", "description": 'IP address of Virtual Network resource.'}, + "VnetId": {"data_type": "string", "description": 'Azure resource ID of Virtual Network.'}, + "VnetLocation": {"data_type": "string", "description": 'Azure region of Virtual Network resource.'}, + "VnetName": {"data_type": "string", "description": 'Virtual Network resource name.'}, + "VnetResourceGroup": {"data_type": "string", "description": 'Azure resource group of Virtual Network.'}, + "VnetSubscriptionId": {"data_type": "string", "description": 'Azure subscription ID of Virtual Network.'}, + }, + "AuditLogs": { + "AADOperationType": {"data_type": "string", "description": 'Type of the operation. Possible values are Add Update Delete and Other.'}, + "AADTenantId": {"data_type": "string", "description": 'ID of the ADD tenant'}, + "ActivityDateTime": {"data_type": "datetime", "description": 'Date and time the activity was performed in UTC.'}, + "ActivityDisplayName": {"data_type": "string", "description": 'Activity name or the operation name. Examples include Create User and Add member to group. For full list see Azure AD activity list.'}, + "AdditionalDetails": {"data_type": "dynamic", "description": 'Indicates additional details on the activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Currently Audit is the only supported value.'}, + "CorrelationId": {"data_type": "string", "description": "Optional GUID that's passed by the client. Can help correlate client-side operations with server-side operations and is useful when tracking logs that span services."}, + "DurationMs": {"data_type": "long", "description": 'Property is not used and can be ignored.'}, + "Id": {"data_type": "string", "description": 'GUID that uniquely identifies the activity.'}, + "Identity": {"data_type": "string", "description": 'Identity from the token that was presented when the request was made. The identity can be a user account system account or service principal.'}, + "InitiatedBy": {"data_type": "dynamic", "description": 'User or app initiated the activity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Message type. This is currently always Informational.'}, + "Location": {"data_type": "string", "description": 'Location of the datacenter.'}, + "LoggedByService": {"data_type": "string", "description": 'Service that initiated the activity (For example: Self-service Password Management Core Directory B2C Invited Users Microsoft Identity Manager Privileged Identity Management.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "OperationVersion": {"data_type": "string", "description": "REST API version that's requested by the client."}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "Result": {"data_type": "string", "description": 'Result of the activity. Possible values are: success failure timeout unknownFutureValue.'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description of the result.'}, + "ResultReason": {"data_type": "string", "description": 'Describes cause of failure or timeout results.'}, + "ResultSignature": {"data_type": "string", "description": 'Property is not used and can be ignored.'}, + "ResultType": {"data_type": "string", "description": 'Result of the operation. Possible values are Success and Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetResources": {"data_type": "dynamic", "description": 'Indicates information on which resource was changed due to the activity. Target Resource Type can be User Device Directory App Role Group Policy or Other.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AUIEventsAudit": { + "Audience": {"data_type": "string", "description": 'The audience for which the accessToken was requested for.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIPAddress": {"data_type": "string", "description": 'Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CallerObjectId": {"data_type": "string", "description": 'Azure Active Directory ObjectId of the caller.'}, + "Category": {"data_type": "string", "description": 'Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational.'}, + "Claims": {"data_type": "string", "description": 'Claims of the user or app JSON web token (JWT). Claim properties vary per organization and the Azure Active Directory configuration.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'Duration of the operation in milliseconds.'}, + "EventType": {"data_type": "string", "description": 'Always ApiEvent, marking the log event as API event.'}, + "InstanceId": {"data_type": "string", "description": 'Customer Insights (AUI) instanceId.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Severity level of the event, is one of: Informational, Warning, Error, or Critical.'}, + "Method": {"data_type": "string", "description": 'HTTP method: GET/POST/PUT/PATCH/HEAD'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation represented by this event.'}, + "OperationStatus": {"data_type": "string", "description": 'Success for HTTP status code < 400, ClientError for HTTP status code < 500, Error for HTTP Status >= 500.'}, + "Origin": {"data_type": "string", "description": 'URI indicating where a fetch originates from or unknown.'}, + "Path": {"data_type": "string", "description": 'Relative path of the request.'}, + "RequiredRoles": {"data_type": "string", "description": 'Required roles to do the operation. Admin role is allowed to do all operations.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": "Sub status of the event. If the operation corresponds to a REST API call, it's the HTTP status code."}, + "ResultType": {"data_type": "string", "description": 'Status of the event. Running, Skipped, Successful, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Absolute request URI.'}, + "UserAgent": {"data_type": "string", "description": 'Browser agent sending the request or unknown.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UserPrincipalName is the Azure AD username for the user accounts.'}, + "UserRole": {"data_type": "string", "description": 'Assigned role for the user or app.'}, + }, + "AUIEventsOperational": { + "AdditionalInformation": {"data_type": "string", "description": 'Contains AffectedEntities, MessageCode and entityCount.'}, + "Audience": {"data_type": "string", "description": 'The audience for which the accessToken was requested for.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIPAddress": {"data_type": "string", "description": 'Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CallerObjectId": {"data_type": "string", "description": 'Azure Active Directory ObjectId of the caller.'}, + "Category": {"data_type": "string", "description": 'Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational.'}, + "Claims": {"data_type": "string", "description": 'Claims of the user or app JSON web token (JWT). Claim properties vary per organization and the Azure Active Directory configuration.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'Duration of the operation in milliseconds.'}, + "EndTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job ended (UTC)'}, + "Error": {"data_type": "string", "description": 'Error Message with more details.'}, + "EventType": {"data_type": "string", "description": 'The type of the event. Either ApiEvent or WorkflowEvent'}, + "FriendlyName": {"data_type": "string", "description": 'User friendly Name of the Export or the Entity which is processed.'}, + "Identifier": {"data_type": "string", "description": 'Depending on the OperationType in can be: the guid of the export configuration, the guid of the Enrichment, the Entity Name.'}, + "InstanceId": {"data_type": "string", "description": 'Customer Insights (AUI) instance ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Severity level of the event, is one of: Informational, Warning or Error.'}, + "Method": {"data_type": "string", "description": 'HTTP method: GET/POST/PUT/PATCH/HEAD'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation represented by this event. {OperationType}.[WorkFlow|Task][Started|Completed].'}, + "OperationStatus": {"data_type": "string", "description": 'Success for HTTP Status code < 400, ClientError for HTTP Status code < 500, Error for HTTP Status >= 500.'}, + "OperationType": {"data_type": "string", "description": 'Identifier of the operation.'}, + "Origin": {"data_type": "string", "description": 'URI indicating where a fetch originates from or unknown.'}, + "Path": {"data_type": "string", "description": 'Relative path of the request.'}, + "RequiredRoles": {"data_type": "string", "description": 'Required roles to do the operation. Admin role is allowed to do all operations.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": "Sub status of the event. If the operation corresponds to a REST API call, it's the HTTP status code."}, + "ResultType": {"data_type": "string", "description": 'Status of the event. Running, Skipped, Successful, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job was started (UTC)'}, + "SubmittedBy": {"data_type": "string", "description": 'Workflow events only. The Azure Active Directory objectId of the user who triggered the workflow, see also properties.workflowSubmissionKinds.'}, + "SubmittedTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job was submitted (UTC)'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TasksCount": {"data_type": "int", "description": 'Workflow only. Number of tasks the Workflow triggers.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp of the event (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Absolute request URI.'}, + "UserAgent": {"data_type": "string", "description": 'Browser agent sending the request or unknown.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UserPrincipalName is the Azure AD username for the user accounts.'}, + "UserRole": {"data_type": "string", "description": 'Assigned role for the user or app.'}, + "WorkflowJobId": {"data_type": "string", "description": 'Identifier of the workflow run. All Workflow and Tasks events within the workflow execution have the same workflowJobId.'}, + "WorkflowStatus": {"data_type": "string", "description": 'Running, Successful.'}, + "WorkflowSubmissionKind": {"data_type": "string", "description": 'OnDemand or Scheduled.'}, + "WorkflowType": {"data_type": "string", "description": 'Full or incremental refresh.'}, + }, + "AutoscaleEvaluationsLog": { + "AutoscaleMetricName": {"data_type": "string", "description": ''}, + "AvailabilitySet": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CloudServiceName": {"data_type": "string", "description": ''}, + "CloudServiceRole": {"data_type": "string", "description": ''}, + "CoolDown": {"data_type": "int", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "CurrentInstanceCount": {"data_type": "int", "description": ''}, + "DefaultInstanceCount": {"data_type": "int", "description": ''}, + "DeploymentSlot": {"data_type": "string", "description": ''}, + "EstimateScaleResult": {"data_type": "string", "description": ''}, + "EvaluationResult": {"data_type": "string", "description": ''}, + "EvaluationTime": {"data_type": "datetime", "description": ''}, + "InstanceUpdateReason": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastScaleActionOperationId": {"data_type": "string", "description": ''}, + "LastScaleActionOperationStatus": {"data_type": "string", "description": ''}, + "LastScaleActionTime": {"data_type": "datetime", "description": ''}, + "MaximumInstanceCount": {"data_type": "int", "description": ''}, + "MetricData": {"data_type": "string", "description": ''}, + "MetricEndTime": {"data_type": "datetime", "description": ''}, + "MetricNamespace": {"data_type": "string", "description": ''}, + "MetricStartTime": {"data_type": "datetime", "description": ''}, + "MetricTimeGrain": {"data_type": "string", "description": ''}, + "MinimumInstanceCount": {"data_type": "int", "description": ''}, + "NewInstanceCount": {"data_type": "int", "description": ''}, + "ObservedValue": {"data_type": "real", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Operator": {"data_type": "string", "description": ''}, + "Profile": {"data_type": "string", "description": ''}, + "ProfileEvaluationTime": {"data_type": "datetime", "description": ''}, + "ProfileSelected": {"data_type": "bool", "description": ''}, + "Projection": {"data_type": "real", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SelectedAutoscaleProfile": {"data_type": "string", "description": ''}, + "ServerFarm": {"data_type": "string", "description": ''}, + "ShouldUpdateInstance": {"data_type": "bool", "description": ''}, + "SkipCurrentAutoscaleEvaluation": {"data_type": "bool", "description": ''}, + "SkipRuleEvaluationForCooldown": {"data_type": "bool", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResourceId": {"data_type": "string", "description": ''}, + "Threshold": {"data_type": "real", "description": ''}, + "TimeAggregationType": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TimeGrainStatistic": {"data_type": "string", "description": ''}, + "TimeWindow": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Webspace": {"data_type": "string", "description": ''}, + }, + "AutoscaleScaleActionsLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "CreatedAsyncScaleActionJob": {"data_type": "bool", "description": ''}, + "CreatedAsyncScaleActionJobId": {"data_type": "string", "description": ''}, + "CurrentInstanceCount": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NewInstanceCount": {"data_type": "int", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "ScaleActionMessage": {"data_type": "string", "description": ''}, + "ScaleActionOperationId": {"data_type": "string", "description": ''}, + "ScaleActionOperationStatus": {"data_type": "string", "description": ''}, + "ScaleDirection": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResourceId": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AVNMConnectivityConfigurationChange": { + "AppliedConnectivityConfigurations": {"data_type": "dynamic", "description": 'List of connectivity configuration IDs along with the connectivity topology currently applied to the network resources like virtual networks listed in NetworkResourceIds by your network manager.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with the connectivity configuration change operation of network resources. Logs having same correlation Ids are part of same connectivity configuration change operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Region of the network resource managed by network manager like virtual network.'}, + "LogLevel": {"data_type": "string", "description": 'Indicates the log level and can include: Info, Warning, Error.'}, + "Message": {"data_type": "string", "description": 'A brief success or failure message.'}, + "NetworkResourceIds": {"data_type": "dynamic", "description": 'Virtual Network IDs for which applied connectivity configurations changed.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation that applies connectivity configuration or removes applied connectivity configuration on network resources like virtual network.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Indicates the operation status and can include: Success, Failure.'}, + "SelfDiagnosis": {"data_type": "string", "description": 'A descriptive self diagnosis message that can include explanations and resolution steps in the case of failures or warnings.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AVNMIPAMPoolAllocationChange": { + "AllocationResources": {"data_type": "dynamic", "description": 'Details about resources allocated to the pool that changed, including the resource id, cidrs, and compliancy.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChangeReason": {"data_type": "string", "description": 'The reason why allocations were changed and can include: ResourceAddedToPool, ResourceRemovedFromPool, ResourceDeleted, ResourceCidrsChanged, ReservedResourceCreated, AvnmScopeChanged.'}, + "ChangeType": {"data_type": "string", "description": 'The type of allocation change and can include: Add, Remove, Update.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with the pool allocation change operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Region of the IPAM Pool.'}, + "LogLevel": {"data_type": "string", "description": 'Indicates the log level and can include: Info, Warning, Error.'}, + "Message": {"data_type": "string", "description": 'A brief success or failure message.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation that triggered the pool allocation change.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Indicates the operation status and can include: Success, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AVNMNetworkGroupMembershipChange": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with the network group membership change operation of network resources.'}, + "DetailedMessage": {"data_type": "string", "description": 'A descriptive message that can include explanations and resolution steps in the case of failures or warnings.'}, + "GroupMemberships": {"data_type": "dynamic", "description": "Details about the Virtual Network's membership of Network Group(s), including the networkgroupId, membership type, and membership details and IDs."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Region of the Virtual Network.'}, + "LogLevel": {"data_type": "string", "description": 'Indicates the log level and can include: Info, Warning, Error.'}, + "Message": {"data_type": "string", "description": 'A brief success or failure message.'}, + "NetworkResourceIds": {"data_type": "dynamic", "description": 'Virtual Network IDs for which network group membership changed'}, + "OperationName": {"data_type": "string", "description": "Name of the operation that triggered the Virtual Network's addition or removal from a Network Group."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Indicates the operation status and can include: Success, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AVNMRuleCollectionChange": { + "AppliedRuleCollectionIds": {"data_type": "dynamic", "description": 'List of current applied rule collections to the network resources like virtual networks or subnets listed in TargetResourceIds by your network manager.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID associated with the rule collection change operation of network resources. Logs having same correlation Ids are part of same rule collection change operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Region of the network resource managed by network manager like virtual network, subnets.'}, + "LogLevel": {"data_type": "string", "description": 'Indicates the log level and can include: Info, Warning, Error.'}, + "Message": {"data_type": "string", "description": 'A brief success or failure message.'}, + "NetworkResourceIds": {"data_type": "dynamic", "description": 'Virtual Network or Subnet IDs for which applied rule collections changed'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation that applies rule collections or removes applied rule collections on network resources like virtual network, subnets.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Indicates the operation status and can include: Success, Failure.'}, + "SelfDiagnosis": {"data_type": "string", "description": 'A descriptive self diagnosis message that can include explanations and resolution steps in the case of failures or warnings.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AVSSyslog": { + "AppName": {"data_type": "string", "description": 'The name of the application that generated this log, if available.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Facility": {"data_type": "string", "description": 'Indicates the source that generated the syslog (e.g., an operating system, a process, an application, etc).'}, + "HostName": {"data_type": "string", "description": 'The name of the host that generated this log, if available.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogCreationTime": {"data_type": "datetime", "description": 'The time at which the log was created, if available.'}, + "Message": {"data_type": "string", "description": 'The entire syslog message.'}, + "MsgId": {"data_type": "string", "description": 'Identifies the type of message. For example, a firewall might use MSGID "TCPIN" for incoming traffic, and MSGID "TCPOUT" for outgoing traffic. Messages with the same MSGID reflect events of the same semantics.'}, + "ProcId": {"data_type": "string", "description": 'Identifies a process; specific usage varies from application to application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'The severity of the log. Acceptable values, in ascending level of severity: debug, info, notice, warn, err, crit, alert, emerg. This field may be empty.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time at which the log was ingested.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AWSCloudTrail": { + "AdditionalEventData": {"data_type": "string", "description": 'Additional data about the event that was not part of the request or response.'}, + "APIVersion": {"data_type": "string", "description": 'Identifies the API version associated with the AwsApiCall eventType value.'}, + "AwsEventId": {"data_type": "string", "description": 'GUID generated by CloudTrail to uniquely identify each event. You can use this value to identify a single event.'}, + "AWSRegion": {"data_type": "string", "description": 'The AWS region that the request was made to.'}, + "AwsRequestId": {"data_type": "string", "description": 'deprecated, please use AwsRequestId_ instead.'}, + "AwsRequestId_": {"data_type": "string", "description": 'The value that identifies the request. The service being called generates this value.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Shows the event category that is used in LookupEvents calls.'}, + "CidrIp": {"data_type": "string", "description": 'The CIDR IP is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IPv4 CIDR range.'}, + "CipherSuite": {"data_type": "string", "description": 'Optional. Part of tlsDetails. The cipher suite (combination of security algorithms used) of a request.'}, + "ClientProvidedHostHeader": {"data_type": "string", "description": 'Optional. Part of tlsDetails. The client-provided host name used in the service API call, which is typically the FQDN of the service endpoint.'}, + "DestinationPort": {"data_type": "string", "description": 'The DestinationPort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The end of port range for the TCP and UDP protocols, or an ICMP code.'}, + "EC2RoleDelivery": {"data_type": "string", "description": 'The friendly name of the user or role that issued the session.'}, + "ErrorCode": {"data_type": "string", "description": 'The AWS service error if the request returns an error.'}, + "ErrorMessage": {"data_type": "string", "description": 'The error description when available. This message includes messages for authorization failures. CloudTrail captures the message logged by the service in its exception handling.'}, + "EventName": {"data_type": "string", "description": 'The requested action, which is one of the actions in the API for that service.'}, + "EventSource": {"data_type": "string", "description": 'The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com.'}, + "EventTypeName": {"data_type": "string", "description": 'Identifies the type of event that generated the event record. This can be the one of the following values: AwsApiCall, AwsServiceEvent, AwsConsoleAction , AwsConsoleSignIn.'}, + "EventVersion": {"data_type": "string", "description": 'The version of the log event format.'}, + "IpProtocol": {"data_type": "string", "description": 'The IP protocol is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The IP protocol name or number. The valid values are tcp, udp, icmp, or a protocol number.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementEvent": {"data_type": "bool", "description": 'A Boolean value that identifies whether the event is a management event.'}, + "OperationName": {"data_type": "string", "description": 'Constant value: CloudTrail.'}, + "ReadOnly": {"data_type": "bool", "description": 'Identifies whether this operation is a read-only operation.'}, + "RecipientAccountId": {"data_type": "string", "description": 'Represents the account ID that received this event. The recipientAccountID may be different from the CloudTrail userIdentity Element accountId. This can occur in cross-account resource access.'}, + "RequestParameters": {"data_type": "string", "description": 'The parameters, if any, that were sent with the request. These parameters are documented in the API reference documentation for the appropriate AWS service.'}, + "Resources": {"data_type": "string", "description": 'A list of resources accessed in the event.'}, + "ResponseElements": {"data_type": "string", "description": 'The response element for actions that make changes (create, update, or delete actions). If an action does not change state (for example, a request to get or list objects), this element is omitted.'}, + "ServiceEventDetails": {"data_type": "string", "description": 'Identifies the service event, including what triggered the event and the result.'}, + "SessionCreationDate": {"data_type": "datetime", "description": 'The date and time when the temporary security credentials were issued.'}, + "SessionIssuerAccountId": {"data_type": "string", "description": 'The account that owns the entity that was used to get credentials.'}, + "SessionIssuerArn": {"data_type": "string", "description": 'The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.'}, + "SessionIssuerPrincipalId": {"data_type": "string", "description": 'The internal ID of the entity that was used to get credentials.'}, + "SessionIssuerType": {"data_type": "string", "description": 'The source of the temporary security credentials, such as Root, IAMUser, or Role.'}, + "SessionIssuerUserName": {"data_type": "string", "description": 'The friendly name of the user or role that issued the session.'}, + "SessionMfaAuthenticated": {"data_type": "bool", "description": 'The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.'}, + "SharedEventId": {"data_type": "string", "description": 'GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address that the request was made from. For actions that originate from the service console, the address reported is for the underlying customer resource, not the console web server. For services in AWS, only the DNS name is displayed.'}, + "SourcePort": {"data_type": "string", "description": 'The SourcePort is located under RequestParameters in CloudTrail, and it is used to specify the IP permissions for a security group rule. The start of port range for the TCP and UDP protocols, or an ICMP type number.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": "The timestamp (UTC). An event's time stamp comes from the local host that provides the service API endpoint on which the API call was made."}, + "TlsVersion": {"data_type": "string", "description": 'Optional. Part of tlsDetails. The TLS version of a request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs or the AWS CLI.'}, + "UserIdentityAccessKeyId": {"data_type": "string", "description": 'The access key ID that was used to sign the request.'}, + "UserIdentityAccountId": {"data_type": "string", "description": 'The account that owns the entity that granted permissions for the request.'}, + "UserIdentityArn": {"data_type": "string", "description": 'The Amazon Resource Name (ARN) of the principal that made the call.'}, + "UserIdentityInvokedBy": {"data_type": "string", "description": 'The name of the AWS service that made the request.'}, + "UserIdentityPrincipalid": {"data_type": "string", "description": 'A unique identifier for the entity that made the call.'}, + "UserIdentityType": {"data_type": "string", "description": 'The type of the identity. The following values are possible: Root, IAMUser, AssumedRole, FederatedUser, Directory, AWSAccount, AWSService, Unknown.'}, + "UserIdentityUserName": {"data_type": "string", "description": 'The name of the identity that made the call.'}, + "VpcEndpointId": {"data_type": "string", "description": 'Identifies the VPC endpoint in which requests were made from a VPC to another AWS service.'}, + }, + "AWSCloudWatch": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ExtractedTime": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The data contained within logs from CloudWatch.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": "The timestamp (UTC) when the event was generated and equals to 'ExtractedTime' when included in message. If timestamp is missing, it's set to the ingestion time."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AWSGuardDuty": { + "AccountId": {"data_type": "string", "description": 'The AWS account ID of the owner of the source network interface for which traffic is recorded. If the network interface is created by an AWS service, for example when creating a VPC endpoint or Network Load Balancer, the record may display unknown for this field.'}, + "ActivityType": {"data_type": "string", "description": 'A formatted string representing the type of activity that triggered the finding.'}, + "Arn": {"data_type": "string", "description": 'Amazon resource name of the finding.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'Description of the primary purpose of the threat or attack related to the finding.'}, + "Id": {"data_type": "string", "description": 'A unique Finding ID for this finding type and set of parameters. New occurrences of activity matching this pattern will be aggregated to the same ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Partition": {"data_type": "string", "description": 'The AWS partition in which the finding was generated.'}, + "Region": {"data_type": "string", "description": 'The AWS region in which the finding was generated.'}, + "ResourceDetails": {"data_type": "dynamic", "description": 'Gives details on the AWS resource that was targeted by the trigger activity. The information available varies based on resource type and action typ.'}, + "SchemaVersion": {"data_type": "string", "description": 'The Guard Duty finding version.'}, + "ServiceDetails": {"data_type": "dynamic", "description": 'Gives details on the AWS service that was related to the finding, including Action, Actor/Target, Evidence, Anomalous behavior and Additional information.'}, + "Severity": {"data_type": "int", "description": "A finding's assigned severity level of either High, Medium, or Low."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeCreated": {"data_type": "datetime", "description": 'The time and date when this finding was first created. If this value differs from Updated at (TimeGenerated), it indicates that the activity has occurred multiple times and is an ongoing issue.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated, The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding.'}, + "Title": {"data_type": "string", "description": 'Summary of the primary purpose of the threat or attack related to the finding.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AWSVPCFlow": { + "AccountId": {"data_type": "string", "description": 'The AWS account ID of the owner of the source network interface for which traffic is recorded. If the network interface is created by an AWS service, for example when creating a VPC endpoint or Network Load Balancer, the record may display unknown for this field.'}, + "Action": {"data_type": "string", "description": 'The action that is associated with the traffic.'}, + "AzId": {"data_type": "string", "description": 'The ID of the Availability Zone.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Bytes": {"data_type": "long", "description": 'The number of bytes transferred during the flow.'}, + "DstAddr": {"data_type": "string", "description": 'The destination address for outgoing traffic.'}, + "DstPort": {"data_type": "int", "description": 'The destination port of the traffic.'}, + "End": {"data_type": "datetime", "description": 'The time when the last packet of the flow was received within the aggregation interval.'}, + "FlowDirection": {"data_type": "string", "description": 'The direction of the flow with respect to the interface where traffic is captured.'}, + "InstanceId": {"data_type": "string", "description": "The ID of the instance that's associated with network interface for which the traffic is recorded."}, + "InterfaceId": {"data_type": "string", "description": 'The ID of the network interface for which the traffic is recorded.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogStatus": {"data_type": "string", "description": 'The logging status of the flow log.'}, + "Packets": {"data_type": "int", "description": 'The number of packets transferred during the flow.'}, + "PktDstAddr": {"data_type": "string", "description": 'The packet-level (original) destination IP address for the traffic.'}, + "PktDstAwsService": {"data_type": "string", "description": 'The name of the subset of IP address ranges for the PktDstAddr field, if the destination IP address is for an AWS service.'}, + "PktSrcAddr": {"data_type": "string", "description": 'The packet-level (original) source IP address of the traffic.'}, + "PktSrcAwsService": {"data_type": "string", "description": 'The name of the subset of IP address ranges for the PktSrcAddr field, if the source IP address is for an AWS service.'}, + "Protocol": {"data_type": "int", "description": 'The IANA protocol number of the traffic.'}, + "Region": {"data_type": "string", "description": 'The Region that contains the network interface for which traffic is recorded.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcAddr": {"data_type": "string", "description": 'The source address for incoming traffic.'}, + "SrcPort": {"data_type": "int", "description": 'The source port of the traffic.'}, + "SublocationId": {"data_type": "string", "description": 'The ID of the sublocation that contains the network interface for which traffic is recorded.'}, + "SublocationType": {"data_type": "string", "description": 'The type of sublocation that is returned in the sublocationId field.'}, + "SubnetId": {"data_type": "string", "description": 'The ID of the subnet.'}, + "TcpFlags": {"data_type": "int", "description": 'The bitmask value for the following TCP flags.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": "The timestamp (UTC) of when the event was generated. This value will be the same as 'start' input field or the data arrival time to Azure Monitor in case the 'start' input field is empty or missing."}, + "TrafficPath": {"data_type": "string", "description": 'The path that egress traffic takes to the destination.'}, + "TrafficType": {"data_type": "string", "description": "The type of traffic. The possible values are: IPv4, IPv6, and EFA. For more information search for 'Elastic Fabric Adapter (EFA)'."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "int", "description": 'The VPC Flow Logs version.'}, + "VpcId": {"data_type": "string", "description": 'The ID of the VPC.'}, + }, + "AZFWApplicationRule": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the Application rule hit.'}, + "ActionReason": {"data_type": "string", "description": 'When no rule is triggered for a request, this field contains the reason for the action performed by the firewall. For example: a packet dropped because no rule matched will show `Default Action`.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationPort": {"data_type": "int", "description": "Request's destination port."}, + "Fqdn": {"data_type": "string", "description": "Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsExplicitProxyRequest": {"data_type": "bool", "description": 'True if the request is received on an explicit proxy port. False otherwise.'}, + "IsTlsInspected": {"data_type": "bool", "description": 'True if the connection is TLS inspected. False otherwise.'}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Request's network protocol. For example: HTTP, HTTPS."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Request's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Request's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetUrl": {"data_type": "string", "description": "Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example: https://www.microsoft.com/en-us/about."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WebCategory": {"data_type": "string", "description": 'Web Category identified for the requested FQDN (Azure Firewall Standard) or URL (Azure Firewall Premium). If a web category is not available for this request, the field is empty.'}, + }, + "AZFWApplicationRuleAggregation": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the Application rule hit.'}, + "ActionReason": {"data_type": "string", "description": 'When no rule is triggered for a packet, this field contains the reason for the action performed by the firewall.'}, + "ApplicationRuleCount": {"data_type": "int", "description": 'Aggregated count of Application rule.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationPort": {"data_type": "int", "description": "Request's destination port."}, + "Fqdn": {"data_type": "string", "description": "Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Request's network protocol. For example: HTTP/HTTPS."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Request's source IP address."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetUrl": {"data_type": "string", "description": "Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example: https://www.microsoft.com/en-us/about."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWDnsQuery": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DnssecOkBit": {"data_type": "bool", "description": 'A flag indicating that the resolver supports DNSSEC records.'}, + "EDNS0BufferSize": {"data_type": "int", "description": "Client's EDNS0 buffer size. Specifies the maximum packet size allowed in responses in bytes."}, + "ErrorMessage": {"data_type": "string", "description": 'Description of the error returned to the client. Empty if request is successful.'}, + "ErrorNumber": {"data_type": "int", "description": 'Error number matching the returned response code.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Protocol": {"data_type": "string", "description": 'Protocol used to send the DNS query. For example: TCP, UDP'}, + "QueryClass": {"data_type": "string", "description": "DNS query's query class."}, + "QueryId": {"data_type": "int", "description": "DNS query's query ID."}, + "QueryName": {"data_type": "string", "description": "DNS query's name to resolve."}, + "QueryType": {"data_type": "string", "description": "DNS query's query type."}, + "RequestDurationSecs": {"data_type": "real", "description": 'Duration of the DNS request from the time it arrived to the firewall and until a response was sent to the client.'}, + "RequestSize": {"data_type": "int", "description": 'The size of the DNS request in bytes.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "string", "description": 'DNS reponse code.'}, + "ResponseFlags": {"data_type": "string", "description": 'DNS reponse flags, comma separated.'}, + "ResponseSize": {"data_type": "int", "description": 'DNS reponse syze in bytes.'}, + "SourceIp": {"data_type": "string", "description": "DNS query's source IP address."}, + "SourcePort": {"data_type": "int", "description": "DNS query's source Port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWFatFlow": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Flow's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Flow's destination port."}, + "FlowRate": {"data_type": "real", "description": "Flow's bandwidth consumption rate in Megabits per second unit."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Protocol": {"data_type": "string", "description": "Flow's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceIp": {"data_type": "string", "description": "Flow's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Flow's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWFlowTrace": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall to log additional flow information.'}, + "ActionReason": {"data_type": "string", "description": 'The reason for the action performed by the firewall. For example: when additional logging is enabled it shows `Additional TCP Log`.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Flow's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Flow's destination port."}, + "Flag": {"data_type": "string", "description": 'Flags set in the connection. For example: FIN, FIN-ACK, SYN-ACK, RST, INVALID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Protocol": {"data_type": "string", "description": "Flow's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceIp": {"data_type": "string", "description": "Flow's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Flow's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWIdpsSignature": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the IDPS signature hit.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the matched IDPS signature.'}, + "Description": {"data_type": "string", "description": 'Description of the matched IDPS signature.'}, + "DestinationIp": {"data_type": "string", "description": "Packet's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Packet's destination port."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "int", "description": 'Severity of the matched IDPS signature.'}, + "SignatureId": {"data_type": "string", "description": 'ID of the matched IDPS signature.'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Packet's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWInternalFqdnResolutionFailure": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Error": {"data_type": "string", "description": 'Description of the error that caused the failure of the FQDN resolution.'}, + "Fqdn": {"data_type": "string", "description": 'The FQDN which the firewall failed to resolve.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the rule with the failing FQDN resolution resides.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the rule with the failing FQDN resolution.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the rule with the failing FQDN resolution resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the rule with the failing FQDN resolution resides.'}, + "ServerIp": {"data_type": "string", "description": "DNS Resolver server's IP address."}, + "ServerPort": {"data_type": "int", "description": "DNS Resolver server's port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWNatRule": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Packet's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Packet's destination port."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Packet's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "TranslatedIp": {"data_type": "string", "description": 'Original Destination IP address of the packet is replaced with TranslatedIp.'}, + "TranslatedPort": {"data_type": "int", "description": 'Original Destination port of the packet is replaced with TranslatedPort.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWNatRuleAggregation": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NatRuleCount": {"data_type": "int", "description": 'Aggregated count of NAT rules.'}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "TranslatedIp": {"data_type": "string", "description": 'Original Destination IP address of the packet is replaced with TranslatedIp.'}, + "TranslatedPort": {"data_type": "int", "description": 'Original Destination port of the packet is replaced with TranslatedPort.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWNetworkRule": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the match with this Network Rule. For example: Firewall may Allow/Deny this specific packet.'}, + "ActionReason": {"data_type": "string", "description": 'When no rule is triggered for a packet, this field contains the reason for the action performed by the firewall. For example: a packet dropped because no rule matched will show `Default Action`.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Packet's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Packet's destination port."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Packet's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWNetworkRuleAggregation": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the match with this Network rule. For example: Firewall may Allow/Deny this specific session/packet.'}, + "ActionReason": {"data_type": "string", "description": 'When no rule is triggered for a request, this field contains the reason for the action performed by the firewall. For example: a packet dropped because no rule matched will show `Default Action`.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Packet's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Packet's destination port."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDefaultRule": {"data_type": "bool", "description": 'True if no network rule was hit. False otherwise.'}, + "NetworkRuleCount": {"data_type": "int", "description": 'Aggregated count of network rule.'}, + "Policy": {"data_type": "string", "description": 'Name of the policy in which the triggered rule resides.'}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Rule": {"data_type": "string", "description": 'Name of the triggered rule.'}, + "RuleCollection": {"data_type": "string", "description": 'Name of the rule collection in which the triggered rule resides.'}, + "RuleCollectionGroup": {"data_type": "string", "description": 'Name of the rule collection group in which the triggered rule resides.'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZFWThreatIntel": { + "Action": {"data_type": "string", "description": 'Action taken by the firewall following the Threat Intelligence hit.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIp": {"data_type": "string", "description": "Packet's destination IP address."}, + "DestinationPort": {"data_type": "int", "description": "Packet's destination port."}, + "Fqdn": {"data_type": "string", "description": "Request's target address in FQDN (Fully qualified Domain Name). For example: www.microsoft.com."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsTlsInspected": {"data_type": "bool", "description": 'True if connection is TLS inspected. False otherwise.'}, + "Protocol": {"data_type": "string", "description": "Packet's network protocol. For example: UDP, TCP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceIp": {"data_type": "string", "description": "Packet's source IP address."}, + "SourcePort": {"data_type": "int", "description": "Packet's source port."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetUrl": {"data_type": "string", "description": "Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example: https://www.microsoft.com/en-us/about."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatDescription": {"data_type": "string", "description": 'Description of the Threat that was identified by the firewall.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the data plane log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZKVAuditLogs": { + "AddressAuthorizationType": {"data_type": "string", "description": 'Address type (Public IP, subnet, private connection)'}, + "Algorithm": {"data_type": "string", "description": 'Algorithm used to generate the key'}, + "AppliedAssignmentId": {"data_type": "string", "description": 'AssignmentId that eiher granted or denied access as part of access check'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request'}, + "CertificateIssuerProperties": {"data_type": "dynamic", "description": 'Information about certificate issuer properties including provider, id'}, + "CertificatePolicyProperties": {"data_type": "dynamic", "description": 'Information about certificate policy properties including keyproperties, secretproperties, issuerproperties'}, + "CertificateProperties": {"data_type": "dynamic", "description": 'Information about certificate audit properties including atttributes, subject, hashing algorithm'}, + "CertificateRequestProperties": {"data_type": "dynamic", "description": 'Boolean value indicating if certificate request operation was cancelled'}, + "ClientInfo": {"data_type": "string", "description": 'User agent information'}, + "CorrelationId": {"data_type": "string", "description": 'An optional GUID that the client can pass to correlate client-side logs with service-side (Key Vault) logs.'}, + "DurationMs": {"data_type": "int", "description": 'Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time'}, + "EnabledForDeployment": {"data_type": "bool", "description": 'Specifies if the vault is enabled for deployment'}, + "EnabledForDiskEncryption": {"data_type": "bool", "description": 'Specifes if disk encryption is enabled'}, + "EnabledForTemplateDeployment": {"data_type": "bool", "description": 'Specifies whether template deployment is enabled'}, + "EnablePurgeProtection": {"data_type": "bool", "description": 'Specifies if purge protection is enabled'}, + "EnableRbacAuthorization": {"data_type": "bool", "description": 'Specifies if RBAC authorization is enabled'}, + "EnableSoftDelete": {"data_type": "bool", "description": 'Specified is the vault is enabled for soft delete'}, + "HsmPoolResourceId": {"data_type": "string", "description": 'Resource ID of the HSM pool'}, + "HttpStatusCode": {"data_type": "int", "description": 'HTTP status code of the request'}, + "Id": {"data_type": "string", "description": 'Resourceidentifier (Key ID or secret ID)'}, + "Identity": {"data_type": "dynamic", "description": 'Identity from the token that was presented in the REST API request. This is usually a user, a service principal, or the combination user+appId, as in the case of a request that results from an Azure PowerShell cmdlet.'}, + "IsAccessPolicyMatch": {"data_type": "bool", "description": 'True if the tenant matches vault tenant, and if the policy explicitly gives permission to the principal attempting the access.'}, + "IsAddressAuthorized": {"data_type": "bool", "description": 'Specifies whether request came from an authorized entity'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRbacAuthorized": {"data_type": "bool", "description": 'Specifies whether an access was granted or not as part of an access check'}, + "KeyProperties": {"data_type": "dynamic", "description": 'Information about key properties including type, size, curve'}, + "NetworkAcls": {"data_type": "dynamic", "description": 'Information about network acls that govern access to the vault'}, + "Nsp": {"data_type": "dynamic", "description": "Network security perimeter properties including access control list, nsp id's associated with profiles."}, + "OperationName": {"data_type": "string", "description": 'Name of the operation'}, + "OperationVersion": {"data_type": "string", "description": 'REST api version requested by the client.'}, + "Properties": {"data_type": "dynamic", "description": 'Information that varies based on the operation (Operationname). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the request'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result, when available.'}, + "ResultSignature": {"data_type": "string", "description": 'HTTP status of the request/response'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SecretProperties": {"data_type": "dynamic", "description": 'Information about secret properties including type, atttributes'}, + "Sku": {"data_type": "dynamic", "description": 'Information about vault including family, name and capacity'}, + "SoftDeleteRetentionInDays": {"data_type": "int", "description": 'Specifies soft delete retention in days'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StorageAccountProperties": {"data_type": "dynamic", "description": 'Information about storage account properties including activekeyname, resourceid'}, + "StorageSasDefinitionProperties": {"data_type": "dynamic", "description": 'Information about storage sas definition properties including sastype, validityperiod'}, + "SubnetId": {"data_type": "string", "description": 'Id of subnet if request comes from a known subnet'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when operation occured.'}, + "Tlsversion": {"data_type": "string", "description": 'Network crypto protocol'}, + "TrustedService": {"data_type": "string", "description": 'Specifies whether the principal access the service is a trusted Service. If this field is null, principal is not a trusted service'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultProperties": {"data_type": "dynamic", "description": 'Detailed vault properties containing accesspolicy, iprule, virtualnetwork etc'}, + }, + "AZKVPolicyEvaluationDetailsLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DurationMs": {"data_type": "int", "description": 'Time it took to service the REST API request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time'}, + "EvaluationDetails": {"data_type": "dynamic", "description": 'Details of evaluation'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsComplianceCheck": {"data_type": "bool", "description": 'Is Compliance check enabled'}, + "ObjectName": {"data_type": "string", "description": 'Name of the object'}, + "ObjectType": {"data_type": "string", "description": 'Type of object'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation'}, + "Properties": {"data_type": "dynamic", "description": 'Information that varies based on the operation (operationName). In most cases, this field contains client information (the user agent string passed by the client), the exact REST API request URI, and the HTTP status code. In addition, when an object is returned as a result of a request (for example, KeyCreate or VaultGet), it also contains the key URI (as id), vault URI, or secret URI'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result, when available'}, + "ResultSignature": {"data_type": "string", "description": 'HTTP status of the request/response'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when operation occured.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSApplicationMetricLogs": { + "ActivityId": {"data_type": "string", "description": 'Internal ID, used to identify the specified activity.'}, + "AuthId": {"data_type": "string", "description": 'Authentication ID configured for Event Hub.'}, + "AuthType": {"data_type": "string", "description": 'Type of authentication (Azure Active Directory or SAS Policy).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Operation performed on Event Hub (ConsumerLag, ActiveConnection, IncomingMessages, Etc.).'}, + "Outcome": {"data_type": "string", "description": 'Result of operation. Possible values: Success/Failure.'}, + "Properties": {"data_type": "dynamic", "description": 'Metadata that are specific to the operation.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used to perform the operation. Possible value: AMQP, Kafka, and SBMP.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event start time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Value": {"data_type": "int", "description": 'Value with respect to performed operation.'}, + }, + "AZMSArchiveLogs": { + "ActivityId": {"data_type": "string", "description": 'Internal ID, used for tracking.'}, + "ArchiveStep": {"data_type": "string", "description": 'The possible values: ArchiveFlushWriter, DestinationInit.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DurationMs": {"data_type": "int", "description": 'The duration of failure (in Milliseconds).'}, + "EventhubName": {"data_type": "string", "description": 'The Event Hubs full name(includes namespace name).'}, + "Failures": {"data_type": "int", "description": 'The number of occurrence of failures.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Error message.'}, + "PartitionId": {"data_type": "int", "description": 'The Event Hubs partition being written to.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskName": {"data_type": "string", "description": 'The description of the task that failed.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time (UTC).'}, + "TrackingId": {"data_type": "string", "description": 'Internal ID, used for tracking.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSAutoscaleLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Informational message, which provides details about auto-inflate action. The message contains previous and current value of throughput unit for a given namespace and what triggered the inflate of the TU.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time (UTC).'}, + "TrackingId": {"data_type": "string", "description": 'Internal ID, which is used for tracking purposes.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSCustomerManagedKeyUserLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": "Type of category for a message. It's one of the following values: error and info. For example, if the key from your key vault is being disabled, then it would be an information category or if a key can't be unwrapped, it could fall under error."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Key": {"data_type": "string", "description": "The name of the key-vault key that's used to encrypt the Event Hubs namespace."}, + "KeyVault": {"data_type": "string", "description": 'The name of the key vault resource.'}, + "Message": {"data_type": "string", "description": 'The message, which provides detailes about an error or informational message.'}, + "Operation": {"data_type": "string", "description": "The operation that's performed on the key in your key vault. For example, disable/enable the key, wrap, or unwrap."}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": "The code that's associated with the operation. Example: Error code, 404 means that key wasn't found."}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event start time(UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "string", "description": 'The version of the key-vault key.'}, + }, + "AZMSDiagnosticErrorLogs": { + "ActivityId": {"data_type": "string", "description": 'A randomly generated UUID that ensures uniqueness for the audit activity.'}, + "ActivityName": {"data_type": "string", "description": 'Operation name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EntityName": {"data_type": "string", "description": 'Entity name.'}, + "EntityType": {"data_type": "string", "description": 'Entity type.'}, + "ErrorCount": {"data_type": "int", "description": 'Count of identical errors during the aggregation period of 1 minute.'}, + "ErrorMessage": {"data_type": "string", "description": 'Detailed error message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NamespaceName": {"data_type": "string", "description": 'Namespace name.'}, + "OperationResult": {"data_type": "string", "description": 'Type of error (clienterror or serverbusy or quotaexceeded).'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSHybridConnectionsEvents": { + "ActivityId": {"data_type": "string", "description": 'Internal ID, used to identify the specified activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Endpoint": {"data_type": "string", "description": 'The endpoint identifier. Can be sender or receiver.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The details on performed task.'}, + "OperationName": {"data_type": "string", "description": 'The type of the Hybrid Connections operation that is being logged.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The log generation time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSKafkaCoordinatorLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientId": {"data_type": "string", "description": 'The client ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The Informational or warning message, which provides detailes about actions done during the group coordiantion.'}, + "NamespaceName": {"data_type": "string", "description": 'The namespace name.'}, + "Operation": {"data_type": "string", "description": 'The name of operation that done during the group coordination.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "RequestId": {"data_type": "string", "description": 'The request ID, which is used for tracking purposes.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time(UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSKafkaUserErrorLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventhubName": {"data_type": "string", "description": 'Name of Event Hub.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The informational message, which provides details about an error.'}, + "NamespaceName": {"data_type": "string", "description": 'Name of Event Hubs namespace.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event start time (UTC).'}, + "TrackingId": {"data_type": "string", "description": 'The tracking ID, which is used for tracking purposes.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSOperationalLogs": { + "ActivityId": {"data_type": "string", "description": 'Internal ID, used to identify the specified activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Caller": {"data_type": "string", "description": 'The caller of operation (the Azure portal or management client).'}, + "EventName": {"data_type": "string", "description": 'The name of management operation which is executed within Service Bus.'}, + "EventProperties": {"data_type": "dynamic", "description": 'The operation properties.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The operation status.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The log generation time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSRunTimeAuditLogs": { + "ActivityId": {"data_type": "string", "description": 'A randomly generated UUID that ensures uniqueness for the audit activity.'}, + "ActivityName": {"data_type": "string", "description": 'Runtime operation name.'}, + "AuthKey": {"data_type": "string", "description": "Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource."}, + "AuthType": {"data_type": "string", "description": 'Type of authentication (Azure Active Directory or SAS Policy).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'IP address of the client application.'}, + "Count": {"data_type": "int", "description": 'Total number of operations performed during the aggregated period of 1 minute.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkType": {"data_type": "string", "description": 'Type of the network access: Public or Private.'}, + "Properties": {"data_type": "dynamic", "description": 'Metadata that are specific to the data plane operation.'}, + "Protocol": {"data_type": "string", "description": 'Type of the protocol associated with the operation.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the activity (success or failure).'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AZMSVnetConnectionEvents": { + "Action": {"data_type": "string", "description": 'Action done by the service when evaluating connection requests. Supported actions are accept connection and deny connection.'}, + "AddressIp": {"data_type": "string", "description": 'IP address of a client connecting to the Event Hubs or Service Bus service.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Count": {"data_type": "int", "description": 'Number of occurrences for the given action.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Provides a reason why the action was done.'}, + "NamespaceName": {"data_type": "string", "description": 'Name of Event Hubs or Service Bus namespace.'}, + "Provider": {"data_type": "string", "description": 'Event provider name. Possible values: eventhub, relay, and servicebus.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The event generation time (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AzureActivity": { + "ActivityStatus": {"data_type": "string", "description": ''}, + "ActivityStatusValue": {"data_type": "string", "description": 'Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved.'}, + "ActivitySubstatus": {"data_type": "string", "description": ''}, + "ActivitySubstatusValue": {"data_type": "string", "description": 'Substatus of the operation in display-friendly format. E.g. OK (HTTP Status Code: 200).'}, + "Authorization": {"data_type": "string", "description": 'Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as string. The use of Authorization_d should be preferred going forward.'}, + "Authorization_d": {"data_type": "dynamic", "description": 'Blob of RBAC properties of the event. Usually includes the "action", "role" and "scope" properties. Stored as dynamic column.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Caller": {"data_type": "string", "description": 'GUID of the caller.'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the user who has performed the operation UPN claim or SPN claim based on availability.'}, + "Category": {"data_type": "string", "description": ''}, + "CategoryValue": {"data_type": "string", "description": 'Category of the activity log e.g. Administrative, Policy, Security.'}, + "Claims": {"data_type": "string", "description": 'The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of claims_d should be preferred going forward.'}, + "Claims_d": {"data_type": "dynamic", "description": 'The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager.'}, + "CorrelationId": {"data_type": "string", "description": 'Usually a GUID in the string format. Events that share a correlationId belong to the same uber action.'}, + "EventDataId": {"data_type": "string", "description": 'Unique identifier of an event.'}, + "EventSubmissionTimestamp": {"data_type": "datetime", "description": 'Timestamp when the event became available for querying.'}, + "Hierarchy": {"data_type": "string", "description": 'Management group hierarchy of the management group or subscription that event belongs to.'}, + "HTTPRequest": {"data_type": "string", "description": 'Blob describing the Http Request. Usually includes the "clientRequestId", "clientIpAddress" and "method" (HTTP method. For example, PUT).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose.'}, + "OperationId": {"data_type": "string", "description": 'GUID of the operation'}, + "OperationName": {"data_type": "string", "description": ''}, + "OperationNameValue": {"data_type": "string", "description": 'Identifier of the operation e.g. Microsoft.Storage/storageAccounts/listAccountSas/action.'}, + "Properties": {"data_type": "string", "description": 'Set of \\ pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead.'}, + "Properties_d": {"data_type": "dynamic", "description": 'Set of \\ pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column.'}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group name of the impacted resource.'}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceProviderValue": {"data_type": "string", "description": 'Id of the resource provider for the impacted resource - e.g. Microsoft.Storage.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": 'Subscription ID of the impacted resource.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp when the event was generated by the Azure service processing the request corresponding the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AzureAssessmentRecommendation": { + "AADTenantDomain": {"data_type": "string", "description": ''}, + "AADTenantId": {"data_type": "string", "description": ''}, + "AADTenantName": {"data_type": "string", "description": ''}, + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AzureAttestationDiagnostics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP Address of the client that submitted the request.'}, + "ContentLength": {"data_type": "int", "description": 'Length of the content body in bytes.'}, + "ContentType": {"data_type": "string", "description": 'Content-Type header value passed by the client.'}, + "DurationMs": {"data_type": "real", "description": 'Amount of time it took to process request in milliseconds.'}, + "FailureDetails": {"data_type": "string", "description": 'Details of the request failure, if it failed. Blank if the request succeeded.'}, + "Identity": {"data_type": "dynamic", "description": 'JSON structure containing information about the caller.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Error or Informational message indicating if the service processed the request.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation attempted on the resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceRegion": {"data_type": "string", "description": 'Region where the resource is located.'}, + "ResourceUri": {"data_type": "string", "description": 'URI of the resource.'}, + "ResultDetails": {"data_type": "string", "description": 'Detailed response messages included in the result, if available.'}, + "ResultSignature": {"data_type": "string", "description": 'HTTP status code returned from the service.'}, + "ResultType": {"data_type": "string", "description": 'Indicates if the request was successful or failed.'}, + "ServiceLocation": {"data_type": "string", "description": 'Location of the service which processed the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TraceContext": {"data_type": "dynamic", "description": 'W3C trace context.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'HTTP header passed by the client, if applicable.'}, + }, + "AzureBackupOperations": { + "BackupManagementType": {"data_type": "string", "description": 'Type of workload associated with the operation, for example, DPM, Azure Backup Server, Azure Backup Agent (MAB).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the log, for example, AzureBackupOperations.'}, + "ExtendedProperties": {"data_type": "dynamic", "description": 'Additional properties applicable to the operation, for example, the associated backup item or server.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'High-level name of the action that is logged to this table, for example, DataOperations.'}, + "OperationStartTime": {"data_type": "datetime", "description": 'The start time of the operation.'}, + "OperationType": {"data_type": "string", "description": 'Type of the Azure Backup operation executed, for example, stop backup with delete data, modify policy, change passphrase.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "AzureDevOpsAuditing": { + "ActivityId": {"data_type": "string", "description": 'Unique identifier for the action that occurred.'}, + "ActorClientId": {"data_type": "string", "description": 'When the action was performed by a managed identity or other service principal, this value represents the client ID of that principal. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field is populated, ActorCUID and ActorUserId will both be 00000000-0000-0000-0000-000000000000.'}, + "ActorCUID": {"data_type": "string", "description": 'When the action was performed by a user, this value represents a consistently unique identifier for that actor. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field, along with ActorUserId, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000.'}, + "ActorDisplayName": {"data_type": "string", "description": 'Display name of the user who initiated the auditing event to be logged.'}, + "ActorUPN": {"data_type": "string", "description": "The actor's user principal name."}, + "ActorUserId": {"data_type": "string", "description": "When the action was performed by a user or Azure DevOps service, this value represents that actor's user identifier. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field, along with ActorUserId, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000."}, + "Area": {"data_type": "string", "description": 'Part of the Azure DevOps product where the auditing event occurred.'}, + "AuthenticationMechanism": {"data_type": "string", "description": 'Type of authentication used by the actor.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Type of action that occurred when the auditing event was logged.'}, + "CategoryDisplayName": {"data_type": "string", "description": 'Type of action that occurred when the auditing event was logged.'}, + "CorrelationId": {"data_type": "string", "description": 'CorrelationId allows two or more auditing events to be grouped together. This happens when a single action causes a cascade of auditing entries. An example being project creation.'}, + "Data": {"data_type": "dynamic", "description": "Additional data that's unique to the type of auditing event."}, + "Details": {"data_type": "string", "description": 'Description of what happened.'}, + "Id": {"data_type": "string", "description": 'The identifier for the audit event, unique across services.'}, + "IpAddress": {"data_type": "string", "description": 'IP address where the event originated.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The unique identifier for the type of auditing event that occurred. For example, Git.CreateRepo identifies the an auditing event for Git repository creation.'}, + "ProjectId": {"data_type": "string", "description": "Unique identifier of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project."}, + "ProjectName": {"data_type": "string", "description": "Friendly name of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project."}, + "ScopeDisplayName": {"data_type": "string", "description": 'User friendly name for the scope level that an auditing event occurred at.'}, + "ScopeId": {"data_type": "string", "description": 'The organization identifier.'}, + "ScopeType": {"data_type": "string", "description": 'The level (scope) that the event occurred.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time the auditing event occurred in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent from the request.'}, + }, + "AzureLoadTestingOperation": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP Address of the client that submitted the request.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs.'}, + "DurationMs": {"data_type": "real", "description": 'Amount of time it took to process request in milliseconds.'}, + "FailureDetails": {"data_type": "string", "description": 'Details of the error in case if request is failed.'}, + "HttpStatusCode": {"data_type": "int", "description": 'HTTP status code of the API response.'}, + "Identity": {"data_type": "dynamic", "description": 'JSON structure containing information about the caller.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": 'Operation identifier for rest api'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation attempted on the resource.'}, + "OperationVersion": {"data_type": "string", "description": 'Request api version'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestId": {"data_type": "string", "description": 'Unique identifier to be used to correlate request logs.'}, + "RequestMethod": {"data_type": "string", "description": 'HTTP method of the API request.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceRegion": {"data_type": "string", "description": 'Region where the resource is located.'}, + "ResultType": {"data_type": "string", "description": 'Indicates if the request was successful or failed.'}, + "ServiceLocation": {"data_type": "string", "description": 'Location of the service which processed the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'HTTP header passed by the client, if applicable.'}, + }, + "AzureMetrics": { + "Average": {"data_type": "real", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'Deprecated'}, + "Category": {"data_type": "string", "description": 'Deprecated'}, + "Confidence": {"data_type": "string", "description": 'Deprecated'}, + "CorrelationId": {"data_type": "string", "description": 'Deprecated'}, + "Count": {"data_type": "real", "description": 'Number of samples collected during the time range. Can be used to determine the number of values that contributed to the average value.'}, + "Description": {"data_type": "string", "description": 'Deprecated'}, + "DurationMs": {"data_type": "long", "description": 'Deprecated'}, + "FirstReportedDateTime": {"data_type": "string", "description": 'Deprecated'}, + "IndicatorThreatType": {"data_type": "string", "description": 'Deprecated'}, + "IsActive": {"data_type": "string", "description": 'Deprecated'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastReportedDateTime": {"data_type": "string", "description": 'Deprecated'}, + "MaliciousIP": {"data_type": "string", "description": 'Deprecated'}, + "Maximum": {"data_type": "real", "description": 'Maximum value collected during in the time range.'}, + "MetricName": {"data_type": "string", "description": 'Display name of the metric.'}, + "Minimum": {"data_type": "real", "description": 'Minimum value collected during in the time range.'}, + "OperationName": {"data_type": "string", "description": 'Deprecated'}, + "OperationVersion": {"data_type": "string", "description": 'Deprecated'}, + "RemoteIPCountry": {"data_type": "string", "description": 'Deprecated'}, + "RemoteIPLatitude": {"data_type": "real", "description": 'Deprecated'}, + "RemoteIPLongitude": {"data_type": "real", "description": 'Deprecated'}, + "Resource": {"data_type": "string", "description": 'Resource name of the Azure resource reporting the metric.'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group name of the Azure resource reporting the metric.'}, + "ResourceId": {"data_type": "string", "description": 'Resource ID of the Azure resource reporting the metric. Same as _ResourceId present for backward compatibility reasons. _ResourceId should be used'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": 'Resource provider of the Azure resource reporting the metric.'}, + "ResultDescription": {"data_type": "string", "description": 'Deprecated'}, + "ResultSignature": {"data_type": "string", "description": 'Deprecated'}, + "ResultType": {"data_type": "string", "description": "Reduces the set of data collected. The syntax allowed depends on the operation. See the operation's description for details."}, + "Severity": {"data_type": "int", "description": 'Deprecated'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": 'Subscription id of the Azure resource reporting the metric.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TimeGrain": {"data_type": "string", "description": 'Time grain of the metric e.g. PT1M'}, + "TLPLevel": {"data_type": "string", "description": 'Deprecated'}, + "Total": {"data_type": "real", "description": 'Sum of all of the values in the time range.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnitName": {"data_type": "string", "description": 'Unit of the metric. Examples include Seconds Percent Bytes.'}, + }, + "BehaviorAnalytics": { + "ActionType": {"data_type": "string", "description": 'The specific type of action that triggered the event.'}, + "ActivityInsights": {"data_type": "dynamic", "description": 'Activity and behavioral insights.'}, + "ActivityType": {"data_type": "string", "description": 'The activity type that triggered the event.'}, + "ActorName": {"data_type": "string", "description": 'The name of the user initiating the action that generated the event.'}, + "ActorPrincipalName": {"data_type": "string", "description": 'The principal name of the user initiating the action that generated the event.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationDevice": {"data_type": "string", "description": 'The hostname of the destination device.'}, + "DestinationIPAddress": {"data_type": "string", "description": 'The destination IP address.'}, + "DestinationIPLocation": {"data_type": "string", "description": 'The destination Geo location based on the IP address.'}, + "Device": {"data_type": "string", "description": 'The name of the device on which the event occurred or which reported the event, depending on the schema.'}, + "DevicesInsights": {"data_type": "dynamic", "description": 'Devices metadata and insights.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventSource": {"data_type": "string", "description": 'Data source for this event.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "InvestigationPriority": {"data_type": "int", "description": 'Investigation priority score.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NativeTableName": {"data_type": "string", "description": 'The original table from which the record was fetched.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceDevice": {"data_type": "string", "description": 'The hostname of the source device.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The source IP address.'}, + "SourceIPLocation": {"data_type": "string", "description": 'The source Geo location based on the IP address.'}, + "SourceRecordId": {"data_type": "string", "description": 'The unique Id of the source raw event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetName": {"data_type": "string", "description": 'The name of the target user in the action that generated the event.'}, + "TargetPrincipalName": {"data_type": "string", "description": 'The name of the target user in the action that generated the event.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when the raw event was generated (UTC).'}, + "TimeProcessed": {"data_type": "datetime", "description": 'Time when enrichment processing occurred (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'User name of the account.'}, + "UserPrincipalName": {"data_type": "string", "description": 'User principal name of the account.'}, + "UsersInsights": {"data_type": "dynamic", "description": 'Users metadata and insights.'}, + }, + "BlockchainApplicationLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlockchainMessage": {"data_type": "string", "description": ''}, + "BlockchainNodeName": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": ''}, + "NodeLocation": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "BlockchainProxyLog": { + "Agent": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlockchainMemberName": {"data_type": "string", "description": ''}, + "BlockchainNodeName": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "Code": {"data_type": "string", "description": ''}, + "Consortium": {"data_type": "string", "description": ''}, + "EthMethod": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": ''}, + "NodeHost": {"data_type": "string", "description": ''}, + "NodeLocation": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "PublicUser": {"data_type": "string", "description": ''}, + "Remote": {"data_type": "string", "description": ''}, + "RequestMethodName": {"data_type": "string", "description": ''}, + "RequestSize": {"data_type": "int", "description": ''}, + "RequestTime": {"data_type": "real", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tenant": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CassandraAudit": { + "BatchId": {"data_type": "string", "description": 'Internal identifier shared by all statements in a batch operation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": 'Client IP address.'}, + "ClientPort": {"data_type": "string", "description": 'Client port.'}, + "ClusterName": {"data_type": "string", "description": 'Cluster name.'}, + "CoordinatorIP": {"data_type": "string", "description": 'Host address of the coordinator node.'}, + "ExternalUserId": {"data_type": "string", "description": 'External user identity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Operation": {"data_type": "string", "description": 'The CQL statement or a textual description of the operation.'}, + "OperationNaked": {"data_type": "string", "description": 'The CQL statement or a textual description of the operation, without bound values appended to prepared statements.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Value is either ATTEMPT or FAILED.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'Username of the authenticated user.'}, + }, + "CassandraLogs": { + "AddressIp": {"data_type": "string", "description": 'IP address of the node that generated the logging event.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CassandraKey": {"data_type": "string", "description": 'Cassandra key.'}, + "CassandraKeyspace": {"data_type": "string", "description": 'Cassandra keyspace.'}, + "CassandraTable": {"data_type": "string", "description": 'Cassandra table.'}, + "ClusterName": {"data_type": "string", "description": 'Cluster name.'}, + "CodeCacheAfter": {"data_type": "long", "description": 'Code cache after garbage collection (in bytes). Code cache stores native code generated by JVM.'}, + "CodeCacheBefore": {"data_type": "long", "description": 'Code cache before garbage collection (in bytes). Code cache stores native code generated by JVM.'}, + "Collections": {"data_type": "int", "description": 'The number of garbage collections.'}, + "CompressedClassSpaceAfter": {"data_type": "long", "description": 'Compressed class space after garbage collection (in bytes). Compressed class space stores class information referred to by the objects in the JavaHeap.'}, + "CompressedClassSpaceBefore": {"data_type": "long", "description": 'Compressed class space before garbage collection (in bytes). Compressed class space stores class information referred to by the objects in the JavaHeap.'}, + "DeletionInfo": {"data_type": "string", "description": 'Deletion info.'}, + "DroppedCrossNodeTimeout": {"data_type": "int", "description": 'The number of messages dropped due to cross node timeout in last 5000ms.'}, + "DroppedInternalTimeout": {"data_type": "int", "description": 'The number of messages dropped due to internal timeout in last 5000ms.'}, + "DroppedMessages": {"data_type": "int", "description": 'The number of messages dropped in last 5000ms.'}, + "DroppedMessagesType": {"data_type": "string", "description": 'The type of messages dropped in last 5000ms.'}, + "DurationMs": {"data_type": "int", "description": 'Duration.'}, + "EdenSpaceAfter": {"data_type": "long", "description": 'Eden space after garbage collection (in bytes). Eden space is the memory region where objects are allocated when they are created.'}, + "EdenSpaceBefore": {"data_type": "long", "description": 'Eden space before garbage collection (in bytes). Eden space is the memory region where objects are allocated when they are created.'}, + "Endpoint": {"data_type": "string", "description": 'IP address of an endpoint.'}, + "EventCategory": {"data_type": "string", "description": 'Category of the logging event, e.g. startup, garbage_collection, compaction.'}, + "EventProduct": {"data_type": "string", "description": 'Product of the logging event, e.g. cassandra, dse, solr.'}, + "EventType": {"data_type": "string", "description": 'type of the logging event, e.g. commit_log_replay_skipped, unknown_table.'}, + "Exception": {"data_type": "string", "description": 'Throwable trace bound to the logging event, by default this will output the full trace as one would normally find with a call to Throwable.printStackTrace().'}, + "GCType": {"data_type": "string", "description": 'The type of garbage collection, e.g. ParNew, MarkSweepCompact, G1 Old.'}, + "HostId": {"data_type": "string", "description": 'The GUID assigned in the Cassandra cluster to uniquely identify this node. See the system.local table or nodetool status to find information about the host by its HostId.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Severity level of the event, will be one of INFO, WARM, ERROR, or OFF.'}, + "LiveCells": {"data_type": "int", "description": 'The number of live cells.'}, + "MaxMemory": {"data_type": "long", "description": 'The maximum amount of memory (in bytes) that can be used for memory management.'}, + "Message": {"data_type": "string", "description": 'Application supplied message associated with the logging event.'}, + "MetaspaceAfter": {"data_type": "long", "description": 'Metaspace after garbage collection (in bytes). Metaspace stores classes metadata.'}, + "MetaspaceBefore": {"data_type": "long", "description": 'Metaspace before garbage collection (in bytes). Metaspace stores classes metadata.'}, + "OldGenAfter": {"data_type": "long", "description": 'Old Generation after garbage collection (in bytes). Old Generation is used to store long surviving objects.'}, + "OldGenBefore": {"data_type": "long", "description": 'Old Generation before garbage collection (in bytes). Old Generation is used to store long surviving objects.'}, + "PartitionKey": {"data_type": "string", "description": 'Partition key.'}, + "PartitionSize": {"data_type": "int", "description": 'Partition size.'}, + "PendingTasks": {"data_type": "int", "description": 'The number of pending tasks in gossip stage.'}, + "PercentFull": {"data_type": "real", "description": 'The percentage of full heap.'}, + "PermGenAfter": {"data_type": "long", "description": 'Permanent Generation space after garbage collection (in bytes). Permanent generation stores classes metadata (renamed to Metaspace in Java 8).'}, + "PermGenBefore": {"data_type": "long", "description": 'Permanent Generation space before garbage collection (in bytes). Permanent generation stores classes metadata (renamed to Metaspace in Java 8).'}, + "RequestedColumns": {"data_type": "int", "description": 'The number of columns requested.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionId": {"data_type": "string", "description": "Unique string identifying what query was running when this log was emitted. Use SHOW SESSION \\ to find details of the query's activity."}, + "SliceEnd": {"data_type": "string", "description": 'The end of the the column slice inclusive.'}, + "SliceStart": {"data_type": "string", "description": 'The start of the column slice inclusive.'}, + "SourceFile": {"data_type": "string", "description": 'File name where the logging request was issued.'}, + "SourceLine": {"data_type": "int", "description": 'Line number where the logging request was issued.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SSTableName": {"data_type": "string", "description": 'SSTable name.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SurvivorSpaceAfter": {"data_type": "long", "description": 'Survivor space after garbage collection (in bytes). Survivor space stores the objects that have survived the garbage collection of the Eden space.'}, + "SurvivorSpaceBefore": {"data_type": "long", "description": 'Survivor space before garbage collection (in bytes). Survivor space stores the objects that have survived the garbage collection of the Eden space.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreadId": {"data_type": "string", "description": 'ID of the thread that generated the logging event.'}, + "ThreadName": {"data_type": "string", "description": 'Name of the thread that generated the logging event.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TombstonedCells": {"data_type": "int", "description": 'The number of tombstoned cells.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UsedMemory": {"data_type": "long", "description": 'The amount of memory currently used (in bytes).'}, + }, + "CCFApplicationLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "File": {"data_type": "string", "description": 'The file name that generated the log message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'An error or informational message indicating if the service processed the request.'}, + "LineNumber": {"data_type": "int", "description": 'The line number in the file that the message refers to.'}, + "Location": {"data_type": "string", "description": 'The Azure datacenter region where the pod is deployed.'}, + "Message": {"data_type": "string", "description": 'The Log message.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CDBCassandraRequests": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account against which this request was issued.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this Cassandra API request.'}, + "Address": {"data_type": "string", "description": 'The IP address of the client that issued this request.'}, + "AuthorizationTokenType": {"data_type": "string", "description": 'The authorization token used for this request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB table/container against which this request was issued.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database against which this request was issued.'}, + "DurationMs": {"data_type": "real", "description": 'The server side execution time (in ms) for this request.'}, + "ErrorCode": {"data_type": "string", "description": 'The error code (if applicable) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The Cassandra API operation that was executed.'}, + "PIICommandText": {"data_type": "string", "description": 'Full query text with parameters (if opted in) for this request.'}, + "RateLimitingDelayMs": {"data_type": "real", "description": 'The estimated time (in ms) spent in retrying due to rate limited operations.'}, + "RegionName": {"data_type": "string", "description": 'The region against which this request was issued.'}, + "RequestCharge": {"data_type": "real", "description": 'The RU (Request Unit) consumption for this request.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "RetriedDueToRateLimiting": {"data_type": "bool", "description": 'Boolean flag indicating if this request was retried server side due to throttles.'}, + "RetryCount": {"data_type": "int", "description": 'The number of server side retries issued for this request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) of the Cassandra API data plane request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent suffix of the client issuing the request.'}, + }, + "CDBControlPlaneRequests": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account.'}, + "AcledSubnets": {"data_type": "string", "description": "The ACL'd subnets for the account."}, + "ActivityId": {"data_type": "string", "description": 'The Activity ID of the operation.'}, + "ApiKind": {"data_type": "string", "description": 'The API kind for the account (SQL, Graph, Mongo, Cassanda, Table) that is specified during account creation.'}, + "ApiKindResourceType": {"data_type": "string", "description": 'The resource against which this Control Plane operation was executed (e.g. Database, Container etc.)'}, + "AssociatedRoleDefinitionId": {"data_type": "string", "description": 'The ID of the IAM role definition for the IAM role created for the account.'}, + "BackupIntervalInMinutes": {"data_type": "real", "description": 'The time (in minutes) between consecutive backup snapshots for the Cosmos DB account.'}, + "BackupRetentionIntervalInHours": {"data_type": "real", "description": 'The duration of time (in hours) for which backup snapshots are retained for the Cosmos DB account.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Cors": {"data_type": "string", "description": "Collection of account's Cross Origin Resource Sharing Rules"}, + "CurrentWriteRegion": {"data_type": "string", "description": 'The current write region for this account (applies when a regional failover is triggered to choose a new write region).'}, + "DefaultConsistencyLevel": {"data_type": "string", "description": 'The default consistency level for the Cosmos DB account.'}, + "DurationMs": {"data_type": "real", "description": 'The time taken (in milliseconds) for this control plane operation to complete.'}, + "EnableAutomaticFailover": {"data_type": "bool", "description": 'Boolean flag to enable automatic failover for the Cosmos DB account.'}, + "EnableCassandraRequestsTrace": {"data_type": "bool", "description": 'Boolean flag indicating if diagnostic logs are enabled for all Cassandra API operations.'}, + "EnableControlPlaneRequestsTrace": {"data_type": "bool", "description": 'Boolean flag indicting if diagnostic logs are enabled for Control Plane operations.'}, + "EnableDataPlaneRequestsTrace": {"data_type": "bool", "description": 'Boolean flag indicating if diagnostic logs are enabled for all Data Plane Operations.'}, + "EnableGremlinRequestsTrace": {"data_type": "bool", "description": 'Boolean flag indicating if diagnostic logs are enabled for Gremlin operations.'}, + "EnableMongoRequestsTrace": {"data_type": "bool", "description": 'Boolean flag indicating if diagnostic logs are enabled for all Mongo API operations.'}, + "EnablePrivateEndpointConnection": {"data_type": "bool", "description": 'Boolean flag to enable private endpoints for the Cosmos DB account.'}, + "EnableVirtualNetworkFilter": {"data_type": "bool", "description": 'Boolean flag indicating if VNet filters were enabled for the account.'}, + "HttpMethod": {"data_type": "string", "description": 'The HTTP method issued for this control plane operation.'}, + "HttpStatusCode": {"data_type": "int", "description": 'The HTTP status code of the control plane operation.'}, + "IpRangeFilter": {"data_type": "string", "description": 'The IP range filter specified as part of the VNet rules for the Cosmos DB account.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsServiceManagedFailover": {"data_type": "bool", "description": 'Boolean flag to indicate if the failover event was initiated by the service or by the customer.'}, + "MaxStalenessIntervalInSeconds": {"data_type": "real", "description": 'The maximum staleness value (in seconds) for the Cosmos DB account when using the Bounded Staleness consistency setting.'}, + "MaxStalenessPrefix": {"data_type": "string", "description": 'The max staleness prefix for the Cosmos DB account when using the Bounded Staleness consistency setting.'}, + "MultipleWriteLocations": {"data_type": "bool", "description": 'Boolean flag indicating if the Cosmos DB account is a multi-master account.'}, + "NewWriteRegion": {"data_type": "string", "description": 'The new write region for the Cosmos DB account (after a user-initiated failover operation is executed).'}, + "OperationName": {"data_type": "string", "description": 'The Control Plane Operation that was executed.'}, + "OperationType": {"data_type": "string", "description": 'The type of control plane operation, which was executed. Examples of operations included Add/Remove region, Indexing Policy updates, VNet and firewall rule creation, Backup Retention Policy changes etc.'}, + "PrivateEndpointArmUrl": {"data_type": "string", "description": 'The ARM URL of the private endpoint created for the account.'}, + "PrivateEndpointConnections": {"data_type": "string", "description": 'The list of private endpoints for the Cosmos DB account (in each region).'}, + "RegionName": {"data_type": "string", "description": 'The region in which this control plan operation was executed.'}, + "ResourceDetails": {"data_type": "string", "description": 'The specific resource within the account against which the Control Plane Operation was executed. For e.g. the index for the container for which the indexing policy was created or updated.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceUri": {"data_type": "string", "description": 'The URI of the Cosmos DB resource (e.g. Database, Container) against which the control plane operation was execution.'}, + "Result": {"data_type": "string", "description": 'The result of the operation indicating either success or failure.'}, + "RoleAssignmentId": {"data_type": "string", "description": 'The role assignment Id for the IAM role created for the account.'}, + "RoleAssignmentPrincipalId": {"data_type": "string", "description": 'The Principal ID associated with the IAM Role Assignment created for the account.'}, + "RoleAssignmentPrincipalType": {"data_type": "string", "description": 'The Principal type of the IAM role assignment created for the account.'}, + "RoleAssignmentScope": {"data_type": "string", "description": 'The scope of access for the IAM role created for the account.'}, + "RoleDefinitionAssignableScopes": {"data_type": "string", "description": 'The assignable scopes for the IAM role created for the account.'}, + "RoleDefinitionId": {"data_type": "string", "description": 'The Id of the IAM role created for the account.'}, + "RoleDefinitionName": {"data_type": "string", "description": 'The name of the IAM role created for the account.'}, + "RoleDefinitionPermissions": {"data_type": "string", "description": 'The permissions associated with the IAM role created for the account.'}, + "RoleDefinitionType": {"data_type": "string", "description": 'The type of IAM role created for the account.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlQueryTextTraceType": {"data_type": "bool", "description": 'Boolean flag indicating if full query text logging is enabled.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when this Control Plane operation was executed against the Cosmos DB account.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualNetworkName": {"data_type": "string", "description": 'The name of the Vnet for the account.'}, + "VirtualNetworkResourceEntries": {"data_type": "string", "description": 'The list of IP addresses being included as part of the VNet rule for the account.'}, + "VnetArmUrl": {"data_type": "string", "description": 'The ARM URL for the VNet for the account.'}, + "VnetDatabaseAccountEntries": {"data_type": "string", "description": 'The list of virtual networks specified for the account.'}, + "VnetLocation": {"data_type": "string", "description": 'The Azure region in which the VNet for the account is location.'}, + "VnetResourceGroupName": {"data_type": "string", "description": 'The name of the resource group within which the VNet is created.'}, + }, + "CDBDataPlaneRequests": { + "AadAppliedRoleAssignmentId": {"data_type": "string", "description": 'The ID of the applied role assignment for the caller issuing the data plane request.'}, + "AadPrincipalId": {"data_type": "string", "description": 'The AAD Principal ID of the caller issuing the data plane request.'}, + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this data plane operation'}, + "AuthTokenType": {"data_type": "string", "description": 'The authorization type (System Read/Write key) for this request by the Cosmos DB Gateway service when running in Gateway mode or using the REST API.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIpAddress": {"data_type": "string", "description": 'The IP address of the client VM issuing the request.'}, + "CollectionName": {"data_type": "string", "description": 'The Cosmos DB container against which the request was issued.'}, + "ConnectionMode": {"data_type": "string", "description": 'The connection mode used by the client issuing the request - (Direct or Gateway mode).'}, + "DatabaseName": {"data_type": "string", "description": 'The Cosmos DB database against which the request was issued.'}, + "DurationMs": {"data_type": "real", "description": 'The server-side execution time (in milliseconds) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeyType": {"data_type": "string", "description": 'The authorization type (Primary/Secondary Read/Write key) for this request when running in Direct mode.'}, + "OperationName": {"data_type": "string", "description": 'The specific data plane operation executed against the account.'}, + "PartitionId": {"data_type": "string", "description": 'The physical partition ID for the Cosmos DB container against which the request was issued.'}, + "RegionName": {"data_type": "string", "description": 'The Azure region to which this request was issued.'}, + "RequestCharge": {"data_type": "real", "description": 'The RUs (Request Units) consumed by this operation.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) for the request.'}, + "RequestResourceId": {"data_type": "string", "description": 'The ID of the specific Cosmos DB resource within the account against which the data plane request was executed.'}, + "RequestResourceType": {"data_type": "string", "description": 'The Cosmos DB resource type within the account against which the data plane request was executed, can be one of Database, Collection, Document, Attachment, User, Permission, StoredProcedure, Trigger, UserDefinedFunction, Offer.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceTokenPermissionId": {"data_type": "string", "description": 'The ID of the resource token associated with the resource accessed by this request.'}, + "ResourceTokenPermissionMode": {"data_type": "string", "description": 'The permission mode of the resource token associated with the resource accessed by this request.'}, + "ResourceTokenUserRid": {"data_type": "string", "description": 'The user ID associated with the resource token for the resource accessed by this request.'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'The HTTP status code response for the data plane request, highlighting details of the success/failure of the request.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the data plane request was issued.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The name of the user specified user agent suffix (as specified when initializing the Cosmos DB client) when running in Direct mode.'}, + }, + "CDBGremlinRequests": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account against which this request was issued.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this Graph API request.'}, + "Address": {"data_type": "string", "description": 'The IP address of the client, which issued this request.'}, + "AuthorizationTokenType": {"data_type": "string", "description": 'The authorization token used for this request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB table/container against which this request was issued.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database against which this request was issued.'}, + "DurationMs": {"data_type": "real", "description": 'The server-side execution time (in ms) for this request.'}, + "ErrorCode": {"data_type": "string", "description": 'The error code (if applicable) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the Gremlin operation that was executed.'}, + "PIICommandText": {"data_type": "string", "description": 'Full query with parameters (if opted in) for this request.'}, + "RateLimitingDelayMs": {"data_type": "real", "description": 'The estimated time (in ms) spent retrying due to rate limited operations.'}, + "RegionName": {"data_type": "string", "description": 'The region against which this request was issued.'}, + "RequestCharge": {"data_type": "real", "description": 'The RUs (Request Units) consumed by this operation.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "RetriedDueToRateLimiting": {"data_type": "bool", "description": 'Boolean flag indicating if this request was retried server side due to throttles.'}, + "RetryCount": {"data_type": "int", "description": 'The number of server side retries issued for this request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when this Graph API operation was executed on the server.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent suffix of the client issuing the request.'}, + }, + "CDBMongoRequests": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account against which this Mongo API request was issued.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this Mongo API request.'}, + "Address": {"data_type": "string", "description": 'The IP address of the client VM which issued the request.'}, + "AuthorizationTokenType": {"data_type": "string", "description": 'The authorization token used for this request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB container against which this request was issued.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database against which this request was issued.'}, + "DurationMs": {"data_type": "real", "description": 'The server-side execution time (in ms) for this request.'}, + "ErrorCode": {"data_type": "string", "description": 'The error code (if applicable) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OpCode": {"data_type": "string", "description": 'The operation code for the Mongo API request.'}, + "OperationName": {"data_type": "string", "description": 'The Mongo API operation that was executed'}, + "PIICommandText": {"data_type": "string", "description": 'Full text query (if opted in) for this Mongo API request.'}, + "RateLimitingDelayMs": {"data_type": "real", "description": 'The estimated time (in ms) spent retrying due to rate limited operations.'}, + "RegionName": {"data_type": "string", "description": 'The region against which this request was issued.'}, + "RequestCharge": {"data_type": "real", "description": 'The RU (Request Unit) consumption for this request.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "RetriedDueToRateLimiting": {"data_type": "bool", "description": 'Boolean flag indicating if this request was retried server side due to throttles.'}, + "RetryCount": {"data_type": "int", "description": 'The number of server side retries executed for this request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) of the Mongo API data plane request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent suffix associated with the client issuing the request.'}, + "UserId": {"data_type": "string", "description": 'The user ID associated with the client issuing the request.'}, + }, + "CDBPartitionKeyRUConsumption": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account containing the physical partition.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) which can be correlated with the CDBDataPlaneRequests table for additional debugging.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB collection, which contains the partition.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database, which contains the partition.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The data plane operation that consumed RUs (Request Units) for this logical partition key.'}, + "PartitionKey": {"data_type": "string", "description": 'The logical partition key for which RU (Request Unit) consumption statistics were retrieved.'}, + "PartitionKeyRangeId": {"data_type": "string", "description": 'The physical partition containing the logical partition key against which the RU (Request Unit) consuming operation was issued.'}, + "RegionName": {"data_type": "string", "description": 'The Azure region from which statistics for this partition were retrieved.'}, + "RequestCharge": {"data_type": "real", "description": 'The RUs (Request Units) consumed by this request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the request against the physical partition was issued.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CDBPartitionKeyStatistics": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account containing the dataset for which partition key stats were generated.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB collection, which contains the partition.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database, which contains the partition.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PartitionKey": {"data_type": "string", "description": 'The logical partition key for which storage statistics were retrieved.'}, + "RegionName": {"data_type": "string", "description": 'The Azure region from which statistics for this partition were retrieved.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SizeKb": {"data_type": "int", "description": 'The storage size (in KB) for the logical partition key within the physical partition.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when statistics for this logical partition key were generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CDBQueryRuntimeStatistics": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account against which the query operation was issued.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this query operation, which can be correlating with the CDBDataPlaneRequests table for additional debugging.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB container against which this query was issued.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database containing the Cosmos DB container against which this query was issued.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PartitionKeyRangeId": {"data_type": "string", "description": 'The physical partition to which this query was issued.'}, + "QueryText": {"data_type": "string", "description": 'The query text (obfuscated by default, full query string provided upon request) for the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when this query operation was executed.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CDBTableApiRequests": { + "AccountName": {"data_type": "string", "description": 'The name of the Cosmos DB account against which this request was issued.'}, + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this Table API request.'}, + "Address": {"data_type": "string", "description": 'The IP address of the client that issued this request.'}, + "AuthorizationTokenType": {"data_type": "string", "description": 'The authorization token used for this request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientRequestId": {"data_type": "string", "description": 'The unique client request identifier (GUID) for this Table API request.'}, + "DurationMs": {"data_type": "real", "description": 'The server side execution time (in ms) for this request.'}, + "ErrorCode": {"data_type": "string", "description": 'The error code (if applicable) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The Table API operation that was executed.'}, + "PIICommandText": {"data_type": "string", "description": 'Full query text with parameters (if opted in) for this request.'}, + "RegionName": {"data_type": "string", "description": 'The region against which this request was issued.'}, + "RequestCharge": {"data_type": "real", "description": 'The RU (Request Unit) consumption for this request.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'The name of the Cosmos DB table against which this request was issued.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) of the Table API data plane request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent suffix of the client issuing the request.'}, + }, + "ChaosStudioExperimentEventLogs": { + "Action": {"data_type": "string", "description": 'Fault name of the action.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Branch": {"data_type": "string", "description": 'Experiment Branch ID of the span.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the Experiment run.'}, + "Error": {"data_type": "string", "description": 'Error detail of the span.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the experiment.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SeverityLevel": {"data_type": "string", "description": 'Severity level of the event, one of: Informational, Warning, Error, Critical.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanType": {"data_type": "string", "description": 'One of experiment span types: Experiment, Branch, Step, or Action.'}, + "Status": {"data_type": "string", "description": 'Status of the span. For SpanType of Step or Branch, status is one of Started or Stopped. For Action, status is one of Started, Stopping, Stopped or Failed. For Experiment run, status is one of Started, Complete, Cancelling, Cancelled, Failed.'}, + "Step": {"data_type": "string", "description": 'Experiment Step ID of the span.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Target": {"data_type": "string", "description": 'Target resource ID of the fault.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CHSMManagementAuditLogs": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Information that varies based on the operation (operationName). This field provides additional information about the operation performed on a particular HSM partition.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CommandType": {"data_type": "string", "description": 'The type of command in hexadecimal format.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the CloudHsm resource.'}, + "LogType": {"data_type": "string", "description": 'The type of the log entry.'}, + "MemberId": {"data_type": "string", "description": 'HSM partition identifier to whom this particular audit log belong.'}, + "Opcode": {"data_type": "string", "description": 'Opcode that is used to describe the HSM operation performed.'}, + "OperationId": {"data_type": "string", "description": 'A GUID to correlate with service side logs.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "RebootCounter": {"data_type": "string", "description": "This is a persistent counter that gets incremented on every reboot of the HSM. This number never gets reset to '0'."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The result of HSM operation performed.'}, + "SchemaVersion": {"data_type": "string", "description": 'Service side schema version.'}, + "SequenceNo": {"data_type": "string", "description": 'This is a volatile counter that gets incremented when logging every loggable command. On every reboot of the HSM or when the partition gets destroyed, the sequence number resets to zero.'}, + "SessionHandle": {"data_type": "string", "description": 'A hexadecimal number that represents the session handle.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when operation occured.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'User identification.'}, + "Version": {"data_type": "string", "description": 'Version number for HSM operation log.'}, + }, + "CHSMServiceOperationAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the client that made the request.'}, + "ClientInfo": {"data_type": "string", "description": 'User agent information.'}, + "ClientSdkPackageVersion": {"data_type": "string", "description": 'Version of the client SDK package.'}, + "DurationMs": {"data_type": "int", "description": 'Time it took to service the request, in milliseconds. This does not include the network latency, so the time you measure on the client side might not match this time.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MemberId": {"data_type": "string", "description": 'Member ID of HSM in the Cloud HSM cluster.'}, + "Opcode": {"data_type": "string", "description": 'Operation code in HEX string format.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation'}, + "PoolType": {"data_type": "string", "description": 'Cloud HSM pool type.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'More detailed description of the result.'}, + "ResultSignature": {"data_type": "string", "description": 'Short signature of the result.'}, + "ResultType": {"data_type": "string", "description": 'Result of the request.'}, + "Sku": {"data_type": "dynamic", "description": 'Information about the Cloud HSM SKU including family and name.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when operation occured.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CIEventsAudit": { + "Audience": {"data_type": "string", "description": 'The audience for which the accessToken was requested for.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIPAddress": {"data_type": "string", "description": 'Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CallerObjectId": {"data_type": "string", "description": 'Azure Active Directory ObjectId of the caller.'}, + "Category": {"data_type": "string", "description": 'Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational.'}, + "Claims": {"data_type": "string", "description": 'Claims of the user or app JSON web token (JWT). Claim properties vary per organization and the Azure Active Directory configuration.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'Duration of the operation in milliseconds.'}, + "EventType": {"data_type": "string", "description": 'Always ApiEvent, marking the log event as API event.'}, + "InstanceId": {"data_type": "string", "description": 'Customer Insights instanceId.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Severity level of the event, is one of: Informational, Warning, Error, or Critical.'}, + "Method": {"data_type": "string", "description": 'HTTP method: GET/POST/PUT/PATCH/HEAD'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation represented by this event.'}, + "OperationStatus": {"data_type": "string", "description": 'Success for HTTP status code < 400, ClientError for HTTP status code < 500, Error for HTTP Status >= 500.'}, + "Origin": {"data_type": "string", "description": 'URI indicating where a fetch originates from or unknown.'}, + "Path": {"data_type": "string", "description": 'Relative path of the request.'}, + "RequiredRoles": {"data_type": "string", "description": 'Required roles to do the operation. Admin role is allowed to do all operations.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": "Sub status of the event. If the operation corresponds to a REST API call, it's the HTTP status code."}, + "ResultType": {"data_type": "string", "description": 'Status of the event. Running, Skipped, Successful, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Absolute request URI.'}, + "UserAgent": {"data_type": "string", "description": 'Browser agent sending the request or unknown.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UserPrincipalName is the Azure AD username for the user accounts.'}, + "UserRole": {"data_type": "string", "description": 'Assigned role for the user or app.'}, + }, + "CIEventsOperational": { + "AdditionalInformation": {"data_type": "string", "description": 'Contains AffectedEntities, MessageCode and entityCount.'}, + "Audience": {"data_type": "string", "description": 'The audience for which the accessToken was requested for.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIPAddress": {"data_type": "string", "description": 'Caller IP address, if the operation corresponds to an API call that would come from an entity with a publicly available IP address.'}, + "CallerObjectId": {"data_type": "string", "description": 'Azure Active Directory ObjectId of the caller.'}, + "Category": {"data_type": "string", "description": 'Log category of the event. Either Operational or Audit. All POST/PUT/PATCH/DELETE HTTP Requests are tagged with Audit, everything else with Operational.'}, + "Claims": {"data_type": "string", "description": 'Claims of the user or app JSON web token (JWT). Claim properties vary per organization and the Azure Active Directory configuration.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'Duration of the operation in milliseconds.'}, + "EndTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job ended (UTC)'}, + "Error": {"data_type": "string", "description": 'Error Message with more details.'}, + "EventType": {"data_type": "string", "description": 'The type of the event. Either ApiEvent or WorkflowEvent'}, + "FriendlyName": {"data_type": "string", "description": 'User friendly Name of the Export or the Entity which is processed.'}, + "Identifier": {"data_type": "string", "description": 'Depending on the OperationType in can be: the guid of the export configuration, the guid of the Enrichment, the Entity Name.'}, + "InstanceId": {"data_type": "string", "description": 'Customer Insights instance ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Severity level of the event, is one of: Informational, Warning or Error.'}, + "Method": {"data_type": "string", "description": 'HTTP method: GET/POST/PUT/PATCH/HEAD'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation represented by this event. {OperationType}.[WorkFlow|Task][Started|Completed].'}, + "OperationStatus": {"data_type": "string", "description": 'Success for HTTP Status code < 400, ClientError for HTTP Status code < 500, Error for HTTP Status >= 500.'}, + "OperationType": {"data_type": "string", "description": 'Identifier of the operation.'}, + "Origin": {"data_type": "string", "description": 'URI indicating where a fetch originates from or unknown.'}, + "Path": {"data_type": "string", "description": 'Relative path of the request.'}, + "RequiredRoles": {"data_type": "string", "description": 'Required roles to do the operation. Admin role is allowed to do all operations.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": "Sub status of the event. If the operation corresponds to a REST API call, it's the HTTP status code."}, + "ResultType": {"data_type": "string", "description": 'Status of the event. Running, Skipped, Successful, Failure.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job was started (UTC)'}, + "SubmittedBy": {"data_type": "string", "description": 'Workflow events only. The Azure Active Directory objectId of the user who triggered the workflow, see also properties.workflowSubmissionKinds.'}, + "SubmittedTime": {"data_type": "datetime", "description": 'Specifies the date and time that the workflow job was submitted (UTC)'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TasksCount": {"data_type": "int", "description": 'Workflow only. Number of tasks the Workflow triggers.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp of the event (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Absolute request URI.'}, + "UserAgent": {"data_type": "string", "description": 'Browser agent sending the request or unknown.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UserPrincipalName is the Azure AD username for the user accounts.'}, + "UserRole": {"data_type": "string", "description": 'Assigned role for the user or app.'}, + "WorkflowJobId": {"data_type": "string", "description": 'Identifier of the workflow run. All Workflow and Tasks events within the workflow execution have the same workflowJobId.'}, + "WorkflowStatus": {"data_type": "string", "description": 'Running, Successful.'}, + "WorkflowSubmissionKind": {"data_type": "string", "description": 'OnDemand or Scheduled.'}, + "WorkflowType": {"data_type": "string", "description": 'Full or incremental refresh.'}, + }, + "CloudAppEvents": { + "AccountDisplayName": {"data_type": "string", "description": 'Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user.'}, + "AccountId": {"data_type": "string", "description": 'An identifier for the account as found by Microsoft Cloud App Security. Could be Azure Active Directory ID, user principal name, or other identifiers'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure AD'}, + "AccountType": {"data_type": "string", "description": 'Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "ActivityObjects": {"data_type": "dynamic", "description": 'List of objects, such as files or folders, that were involved in the recorded activity'}, + "ActivityType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event'}, + "AppInstanceId": {"data_type": "int", "description": 'Unique identifier for the instance of an application'}, + "Application": {"data_type": "string", "description": 'Application that performed the recorded action'}, + "ApplicationId": {"data_type": "int", "description": 'Unique identifier for the application'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "City": {"data_type": "string", "description": 'City where the client IP address is geolocated'}, + "CountryCode": {"data_type": "string", "description": 'Two-letter code indicating the country where the client IP address is geolocated'}, + "DeviceType": {"data_type": "string", "description": 'Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer'}, + "IPAddress": {"data_type": "string", "description": 'IP address assigned to the device during communication'}, + "IPCategory": {"data_type": "string", "description": 'Additional information about the IP address'}, + "IPTags": {"data_type": "dynamic", "description": 'Customer-defined information applied to specific IP addresses and IP address ranges'}, + "IsAdminOperation": {"data_type": "bool", "description": 'Indicates whether the activity was performed by an administrator'}, + "IsAnonymousProxy": {"data_type": "bool", "description": 'Indicates whether the IP address belongs to a known anonymous proxy'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsExternalUser": {"data_type": "bool", "description": "Indicates whether a user inside the network doesn't belong to the organization's domain"}, + "IsImpersonated": {"data_type": "bool", "description": 'Indicates whether the activity was performed by one user for another (impersonated) user'}, + "ISP": {"data_type": "string", "description": 'Internet service provider associated with the IP address'}, + "ObjectId": {"data_type": "string", "description": 'Unique identifier of the object that the recorded action was applied to'}, + "ObjectName": {"data_type": "string", "description": 'Name of the object that the recorded action was applied to'}, + "ObjectType": {"data_type": "string", "description": 'The type of object, such as a file or a folder, that the recorded action was applied to'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7'}, + "RawEventData": {"data_type": "dynamic", "description": 'Raw event information from the source application or service in JSON format'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'User agent information from the web browser or other client application'}, + "UserAgentTags": {"data_type": "dynamic", "description": 'More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot'}, + }, + "CommonSecurityLog": { + "Activity": {"data_type": "string", "description": 'A string that represents a human-readable and understandable description of the event.'}, + "AdditionalExtensions": {"data_type": "string", "description": 'A placeholder for additional fields. Fields are logged as key-value pairs.'}, + "ApplicationProtocol": {"data_type": "string", "description": 'The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectorHostName": {"data_type": "string", "description": 'The hostname of the collector machine running the agent.'}, + "CommunicationDirection": {"data_type": "string", "description": 'Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound.'}, + "Computer": {"data_type": "string", "description": 'Host, from Syslog.'}, + "DestinationDnsDomain": {"data_type": "string", "description": 'The DNS part of the fully-qualified domain name (FQDN).'}, + "DestinationHostName": {"data_type": "string", "description": 'The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host.'}, + "DestinationIP": {"data_type": "string", "description": 'The destination IpV4 address that the event refers to in an IP network.'}, + "DestinationMACAddress": {"data_type": "string", "description": 'The destination MAC address (FQDN).'}, + "DestinationNTDomain": {"data_type": "string", "description": 'The Windows domain name of the destination address.'}, + "DestinationPort": {"data_type": "int", "description": 'Destination port. Valid values: 0 - 65535.'}, + "DestinationProcessId": {"data_type": "int", "description": 'The ID of the destination process associated with the event.'}, + "DestinationProcessName": {"data_type": "string", "description": "The name of the event's destination process, such as telnetd or sshd."}, + "DestinationServiceName": {"data_type": "string", "description": 'The service that is targeted by the event. For example: sshd.'}, + "DestinationTranslatedAddress": {"data_type": "string", "description": 'Identifies the translated destination referred to by the event in an IP network, as an IPv4 IP address.'}, + "DestinationTranslatedPort": {"data_type": "int", "description": 'Port after translation, such as a firewall Valid port numbers: 0 - 65535.'}, + "DestinationUserID": {"data_type": "string", "description": 'Identifies the destination user by ID. For example: in Unix, the root user is generally associated with the user ID 0.'}, + "DestinationUserName": {"data_type": "string", "description": 'Identifies the destination user by name.'}, + "DestinationUserPrivileges": {"data_type": "string", "description": "Defines the destination use's privileges. Valid values: Admninistrator, User, Guest."}, + "DeviceAction": {"data_type": "string", "description": 'The action mentioned in the event.'}, + "DeviceAddress": {"data_type": "string", "description": 'The IPv4 address of the device generating the event.'}, + "DeviceCustomDate1": {"data_type": "string", "description": 'One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomDate1Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomDate2": {"data_type": "string", "description": 'One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomDate2Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomFloatingPoint1": {"data_type": "real", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomFloatingPoint1Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomFloatingPoint2": {"data_type": "real", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomFloatingPoint2Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomFloatingPoint3": {"data_type": "real", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomFloatingPoint3Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomFloatingPoint4": {"data_type": "real", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomFloatingPoint4Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomIPv6Address1": {"data_type": "string", "description": 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomIPv6Address1Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomIPv6Address2": {"data_type": "string", "description": 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomIPv6Address2Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomIPv6Address3": {"data_type": "string", "description": 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomIPv6Address3Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomIPv6Address4": {"data_type": "string", "description": 'One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.'}, + "DeviceCustomIPv6Address4Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomNumber1": {"data_type": "int", "description": 'Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber1.'}, + "DeviceCustomNumber1Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomNumber2": {"data_type": "int", "description": 'Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber2.'}, + "DeviceCustomNumber2Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomNumber3": {"data_type": "int", "description": 'Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber3.'}, + "DeviceCustomNumber3Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString1": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString1Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString2": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString2Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString3": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString3Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString4": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString4Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString5": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString5Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceCustomString6": {"data_type": "string", "description": 'One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "DeviceCustomString6Label": {"data_type": "string", "description": 'All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.'}, + "DeviceDnsDomain": {"data_type": "string", "description": 'The DNS domain part of the full qualified domain name (FQDN).'}, + "DeviceEventCategory": {"data_type": "string", "description": "Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example: '/Monitor/Disk/Read'."}, + "DeviceEventClassID": {"data_type": "string", "description": 'String or integer that serves as a unique identifier per event type.'}, + "DeviceExternalID": {"data_type": "string", "description": 'A name that uniquely identifies the device generating the event.'}, + "DeviceFacility": {"data_type": "string", "description": 'The facility generating the event. For example: auth or local1.'}, + "DeviceInboundInterface": {"data_type": "string", "description": 'The interface on which the packet or data entered the device. For example: ethernet1/2.'}, + "DeviceMacAddress": {"data_type": "string", "description": 'The MAC address of the device generating the event.'}, + "DeviceName": {"data_type": "string", "description": 'The FQDN associated with the device node, when a node is available. For example: host.domain.com or host.'}, + "DeviceNtDomain": {"data_type": "string", "description": 'The Windows domain of the device address.'}, + "DeviceOutboundInterface": {"data_type": "string", "description": 'Interface on which the packet or data left the device.'}, + "DevicePayloadId": {"data_type": "string", "description": 'Unique identifier for the payload associated with the event.'}, + "DeviceProduct": {"data_type": "string", "description": 'String that together with device product and version definitions, uniquely identifies the type of sending device.'}, + "DeviceTimeZone": {"data_type": "string", "description": 'Timezone of the device generating the event.'}, + "DeviceTranslatedAddress": {"data_type": "string", "description": 'Identifies the translated device address that the event refers to, in an IP network. The format is an Ipv4 address.'}, + "DeviceVendor": {"data_type": "string", "description": 'String that together with device product and version definitions, uniquely identifies the type of sending device.'}, + "DeviceVersion": {"data_type": "string", "description": 'String that together with device product and version definitions, uniquely identifies the type of sending device.'}, + "EndTime": {"data_type": "datetime", "description": 'The time at which the activity related to the event ended.'}, + "EventCount": {"data_type": "int", "description": 'A count associated with the event, showing how many times the same event was observed.'}, + "EventOutcome": {"data_type": "string", "description": "Displays the outcome, usually as 'success' or 'failure'."}, + "EventType": {"data_type": "int", "description": 'Event type. Value values include: 0: base event, 1: aggregated, 2: correlation event, 3: action event. Note: This event can be omitted for base events.'}, + "ExternalID": {"data_type": "int", "description": 'Soon to be a deprecated field. Will be replaced by ExtID.'}, + "ExtID": {"data_type": "string", "description": 'An ID used by the originating device (will replace legacy ExternalID). Typically, these values have increasing values that are each associated with an event.'}, + "FieldDeviceCustomNumber1": {"data_type": "long", "description": 'One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber1). Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "FieldDeviceCustomNumber2": {"data_type": "long", "description": 'One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "FieldDeviceCustomNumber3": {"data_type": "long", "description": 'One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary supplied field when possible.'}, + "FileCreateTime": {"data_type": "string", "description": 'Time when the file was created.'}, + "FileHash": {"data_type": "string", "description": 'Hash of a file.'}, + "FileID": {"data_type": "string", "description": 'An ID associated with a file, such as the inode.'}, + "FileModificationTime": {"data_type": "string", "description": 'Time when the file was last modified.'}, + "FileName": {"data_type": "string", "description": "The file's name, without the path."}, + "FilePath": {"data_type": "string", "description": 'Full path to the file, including the filename. For example: C:\\ProgramFiles\\WindowsNT\\Accessories\\wordpad.exe or /usr/bin/zip.'}, + "FilePermission": {"data_type": "string", "description": "The file's permissions. For example: '2,1,1'."}, + "FileSize": {"data_type": "int", "description": 'The size of the file in bytes.'}, + "FileType": {"data_type": "string", "description": 'File type, such as pipe, socket, and so on.'}, + "FlexDate1": {"data_type": "string", "description": 'A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.'}, + "FlexDate1Label": {"data_type": "string", "description": 'The label field is a string and describes the purpose of the flex field.'}, + "FlexNumber1": {"data_type": "int", "description": 'Number fields available to map Int data that does not apply to any other field in this dictionary.'}, + "FlexNumber1Label": {"data_type": "string", "description": 'The label that describes the value in FlexNumber1'}, + "FlexNumber2": {"data_type": "int", "description": 'Number fields available to map Int data that does not apply to any other field in this dictionary.'}, + "FlexNumber2Label": {"data_type": "string", "description": 'The label that describes the value in FlexNumber2'}, + "FlexString1": {"data_type": "string", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.'}, + "FlexString1Label": {"data_type": "string", "description": 'The label field is a string and describes the purpose of the flex field.'}, + "FlexString2": {"data_type": "string", "description": 'One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.'}, + "FlexString2Label": {"data_type": "string", "description": 'The label field is a string and describes the purpose of the flex field.'}, + "IndicatorThreatType": {"data_type": "string", "description": 'The threat type of the MaliciousIP according to our TI feed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogSeverity": {"data_type": "string", "description": 'A string or integer that describes the importance of the event. Valid string values: Unknown , Low, Medium, High, Very-High Valid integer values are: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High.'}, + "MaliciousIP": {"data_type": "string", "description": 'If one of the IP in the message was correlate with the current TI feed we have it will show up here.'}, + "MaliciousIPCountry": {"data_type": "string", "description": 'The country of the MaliciousIP according to the GEO information at the time of the record ingestion.'}, + "MaliciousIPLatitude": {"data_type": "real", "description": 'The Latitude of the MaliciousIP according to the GEO information at the time of the record ingestion.'}, + "MaliciousIPLongitude": {"data_type": "real", "description": 'The Longitude of the MaliciousIP according to the GEO information at the time of the record ingestion.'}, + "Message": {"data_type": "string", "description": 'A message that gives more details about the event.'}, + "OldFileCreateTime": {"data_type": "string", "description": 'Time when the old file was created.'}, + "OldFileHash": {"data_type": "string", "description": 'Hash of the old file.'}, + "OldFileID": {"data_type": "string", "description": 'And ID associated with the old file, such as the inode.'}, + "OldFileModificationTime": {"data_type": "string", "description": 'Time when the old file was last modified.'}, + "OldFileName": {"data_type": "string", "description": 'Name of the old file.'}, + "OldFilePath": {"data_type": "string", "description": 'Full path to the old file, including the filename. For example: C:\\ProgramFiles\\WindowsNT\\Accessories\\wordpad.exe or /usr/bin/zip.'}, + "OldFilePermission": {"data_type": "string", "description": "Permissions of the old file. For example: '2,1,1'."}, + "OldFileSize": {"data_type": "int", "description": 'The size of the old file in bytes.'}, + "OldFileType": {"data_type": "string", "description": 'File type of the old file, such as a pipe, socket, and so on.'}, + "OriginalLogSeverity": {"data_type": "string", "description": 'A non-mapped version of LogSeverity. For example: Warning/Critical/Info insted of the normilized Low/Medium/High in the LogSeverity Field'}, + "ProcessID": {"data_type": "int", "description": 'Defines the ID of the process on the device generating the event.'}, + "ProcessName": {"data_type": "string", "description": 'Process name associated with the event. For example: in UNIX, the process generating the syslog entry.'}, + "Protocol": {"data_type": "string", "description": 'Transport protocol that identifies the Layer-4 protocol used. Possible values include protocol names, such as TCP or UDP.'}, + "Reason": {"data_type": "string", "description": "The reason an audit event was generated. For example 'bad password' or 'unknown user'. This could also be an error or return code. Example: '0x1234'."}, + "ReceiptTime": {"data_type": "string", "description": "The time at which the event related to the activity was received. Different then the 'Timegenerated' field, which is when the event was recieved in the log collector machine."}, + "ReceivedBytes": {"data_type": "long", "description": 'Number of bytes transferred inbound.'}, + "RemoteIP": {"data_type": "string", "description": "The remote IP address, derived from the event's direction value, if possible."}, + "RemotePort": {"data_type": "string", "description": "The remote port, derived from the event's direction value, if possible."}, + "ReportReferenceLink": {"data_type": "string", "description": 'Link to the report of the TI feed.'}, + "RequestClientApplication": {"data_type": "string", "description": 'The user agent associated with the request.'}, + "RequestContext": {"data_type": "string", "description": 'Describes the content from which the request originated, such as the HTTP Referrer.'}, + "RequestCookies": {"data_type": "string", "description": 'Cookies associated with the request.'}, + "RequestMethod": {"data_type": "string", "description": 'The method used to access a URL. Valid values include methods such as POST, GET, and so on.'}, + "RequestURL": {"data_type": "string", "description": 'The URL accessed for an HTTP request, including the protocol. For example: http://www/secure.com.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SentBytes": {"data_type": "long", "description": 'Number of bytes transferred outbound.'}, + "SimplifiedDeviceAction": {"data_type": "string", "description": 'A mapped version of DeviceAction, such as Denied > Deny.'}, + "SourceDnsDomain": {"data_type": "string", "description": 'The DNS domain part of the complete FQDN.'}, + "SourceHostName": {"data_type": "string", "description": 'Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (DQDN) associated with the source node, when a node is available. For example: host or host.domain.com.'}, + "SourceIP": {"data_type": "string", "description": 'The source that an event refers to in an IP network, as an IPv4 address.'}, + "SourceMACAddress": {"data_type": "string", "description": 'Source MAC address.'}, + "SourceNTDomain": {"data_type": "string", "description": 'The Windows domain name for the source address.'}, + "SourcePort": {"data_type": "int", "description": 'The source port number. Valid port numbers are 0 - 65535.'}, + "SourceProcessId": {"data_type": "int", "description": 'The ID of the source process associated with the event.'}, + "SourceProcessName": {"data_type": "string", "description": "The name of the event's source process."}, + "SourceServiceName": {"data_type": "string", "description": 'The service responsible for generating the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceTranslatedAddress": {"data_type": "string", "description": 'Identifies the translated source that the event refers to in an IP network.'}, + "SourceTranslatedPort": {"data_type": "int", "description": 'Source port after translation, such as a firewall. Valid port numbers are 0 - 65535.'}, + "SourceUserID": {"data_type": "string", "description": 'Identifies the source user by ID.'}, + "SourceUserName": {"data_type": "string", "description": 'Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.'}, + "SourceUserPrivileges": {"data_type": "string", "description": "The source user's privileges. Valid values include: Administrator, User, Guest."}, + "StartTime": {"data_type": "datetime", "description": 'The time when the activity that the event refers to started.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatConfidence": {"data_type": "string", "description": 'The threat confidence of the MaliciousIP according to our TI feed.'}, + "ThreatDescription": {"data_type": "string", "description": 'The threat description of the MaliciousIP according to our TI feed.'}, + "ThreatSeverity": {"data_type": "int", "description": 'The threat severity of the MaliciousIP according to our TI feed at the time of the record ingestion.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event collection time in UTC.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ComputerGroup": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Name of the member computer.'}, + "Group": {"data_type": "string", "description": 'Name of the group.'}, + "GroupFullName": {"data_type": "string", "description": 'Full path to the group including the source and source name.'}, + "GroupId": {"data_type": "string", "description": 'ID of the group.'}, + "GroupSource": {"data_type": "string", "description": 'Source that group was collected from. Possible values are ActiveDirectory WSUSWSUSClientTargeting.'}, + "GroupSourceName": {"data_type": "string", "description": 'Name of the source that the group was collected from. For Active Directory this is the domain name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the computer group was created or updated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ConfidentialWatchlist": { + "AzureTenantId": {"data_type": "string", "description": 'The AAD tenant ID to which this Watchlist table belongs.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events.'}, + "CreatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who created the Watchlist or Watchlist item, including: Object ID, email and name.'}, + "CreatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when the Watchlist or Watchlist item was first created.'}, + "DefaultDuration": {"data_type": "string", "description": 'The JSON object describing the default duration to live that each item of a Watchlist should inherit on creation. The default duration has this format : P(n)Y(n)M(n)DT(n)H(n)M(n)S, where P, Y, M, DT, H, M and S are invariant. For example, P3Y6M4DT12H30M9S represents a duration of three years, six months, four days, twelve hours, thirty minutes, and nine seconds.'}, + "_DTItemId": {"data_type": "string", "description": "The Watchlist or Watchlist item unique ID. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item has unique ID and belongs to a Watchlist. The containing Watchlist can identified using the 'WatchlistId'."}, + "_DTItemStatus": {"data_type": "string", "description": "Was the Watchlist or Watchlist item created, updated or deleted by user. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. If a Watchlist is added, the the status would be 'Created'. If the name of the Watchlist is updated from 'RiskyUsers' to 'RiskyEmployees' the status would be 'Updated'."}, + "_DTItemType": {"data_type": "string", "description": "Distinguish between a Watchlist and a Watchlist item. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item type will belong to a Watchlist type and the containing Watchlist can identified using the 'WatchlistId'."}, + "_DTTimestamp": {"data_type": "datetime", "description": 'The time (UTC) when the event was generated.'}, + "EntityMapping": {"data_type": "dynamic", "description": 'The JSON object with Azure Sentinel entity mapping to input columns.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when Watchlist or Watchlist item was last updated.'}, + "Notes": {"data_type": "string", "description": 'The notes provided by user.'}, + "Provider": {"data_type": "string", "description": 'The input provider of the Watchlist.'}, + "SearchKey": {"data_type": "string", "description": 'The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address.'}, + "Source": {"data_type": "string", "description": 'The input source of the Watchlist.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Tags": {"data_type": "string", "description": 'The JSON array of tags provided by user.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "TimeToLive": {"data_type": "datetime", "description": "The time to live for a Watchlist record, expressed as a date and time of day (e.g. 2020-08-20T17:00:00.9618037Z). Its original value is inherited from Watchlist's default duration. If TimeToLive passes, the record is considered deleted. A record's duration can be extended at any time by updating the TimeToLive value."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who last updated the Watchlist or Watchlist item, including: Object ID, email and name.'}, + "WatchlistAlias": {"data_type": "string", "description": 'The unique string referring to the Watchlist.'}, + "WatchlistCategory": {"data_type": "string", "description": 'The Watchlist category provided by user.'}, + "WatchlistId": {"data_type": "string", "description": 'The Resource Manager Watchlist resource name.'}, + "WatchlistItem": {"data_type": "dynamic", "description": 'The JSON object with key-value pairs from the input Watchlist source.'}, + "WatchlistItemId": {"data_type": "string", "description": 'The Watchlist item unique ID.'}, + "WatchlistName": {"data_type": "string", "description": 'The display name of Watchlist.'}, + }, + "ConfigurationChange": { + "Acls": {"data_type": "string", "description": 'The Access-Control List specifies which users or system processes are granted access to objects'}, + "Attributes": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChangeCategory": {"data_type": "string", "description": 'The type of change that occurred: Added Removed Modified'}, + "Computer": {"data_type": "string", "description": ''}, + "ConfigChangeType": {"data_type": "string", "description": 'Type of configuration item that changed: Files Software WindowsServices Registry Daemons'}, + "Current": {"data_type": "string", "description": 'Current value'}, + "DateCreated": {"data_type": "datetime", "description": 'Date that the item was created'}, + "DateModified": {"data_type": "datetime", "description": 'Date that the item was last modified'}, + "FieldsChanged": {"data_type": "string", "description": 'Fields that were changed as part of the change record'}, + "FileContentChecksum": {"data_type": "string", "description": 'Checksum of the file content'}, + "FileSystemPath": {"data_type": "string", "description": 'File system path for the changed file'}, + "Hive": {"data_type": "string", "description": 'Registry hive for the changed registry key'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastSnapshotAge": {"data_type": "long", "description": 'Age of the last snapshot'}, + "Location": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": "Name of a resource's assigned management group"}, + "Name": {"data_type": "string", "description": ''}, + "Previous": {"data_type": "string", "description": 'Previous value'}, + "PreviousAcls": {"data_type": "string", "description": 'Previous Acl value'}, + "PreviousAttributes": {"data_type": "string", "description": 'Previous attributes value'}, + "PreviousDateCreated": {"data_type": "datetime", "description": 'Previous date created time'}, + "PreviousDateModified": {"data_type": "datetime", "description": 'Previous date modified time'}, + "PreviousFileContentChecksum": {"data_type": "string", "description": 'Previous file content checksum value'}, + "PreviousSize": {"data_type": "long", "description": 'Previous file size'}, + "PreviousValueData": {"data_type": "string", "description": 'Previous registry value data'}, + "PreviousValueType": {"data_type": "string", "description": 'Previous registry value type'}, + "Publisher": {"data_type": "string", "description": 'Software publisher name'}, + "RegistryKey": {"data_type": "string", "description": 'Registry key name'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Size": {"data_type": "long", "description": 'Current size of the changed file'}, + "SoftwareDescription": {"data_type": "string", "description": 'Description of the software'}, + "SoftwareName": {"data_type": "string", "description": 'Name of the software'}, + "SoftwareType": {"data_type": "string", "description": 'Type of the software: Application Package Update'}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SvcAccount": {"data_type": "string", "description": 'User account that is associated with the service executable explicitly to provide a security context for the service'}, + "SvcChangeType": {"data_type": "string", "description": 'Service property that was changed'}, + "SvcController": {"data_type": "string", "description": 'Parent process for the daemon'}, + "SvcDisplayName": {"data_type": "string", "description": 'Human-frinedly name for the service'}, + "SvcName": {"data_type": "string", "description": 'Name of the service'}, + "SvcPath": {"data_type": "string", "description": 'The file path to the executable for the service'}, + "SvcPreviousAccount": {"data_type": "string", "description": 'Previous user account that was associated with the sevice executable'}, + "SvcPreviousController": {"data_type": "string", "description": 'Previous parent process for the daemon'}, + "SvcPreviousPath": {"data_type": "string", "description": 'Previous file path to the executable for the service'}, + "SvcPreviousRunlevels": {"data_type": "string", "description": 'Previous modes used by the daemon for system operation'}, + "SvcPreviousStartupType": {"data_type": "string", "description": 'Previous startup behavior of the service'}, + "SvcPreviousState": {"data_type": "string", "description": 'Previous state of the service'}, + "SvcRunlevels": {"data_type": "string", "description": 'Modes used by the daemon for system operation'}, + "SvcStartupType": {"data_type": "string", "description": 'Startup behavior of the service'}, + "SvcState": {"data_type": "string", "description": 'Current state of the service'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValueData": {"data_type": "string", "description": 'Data contained in the value and registry key being tracked'}, + "ValueName": {"data_type": "string", "description": 'Name of the value for the registry key being tracked'}, + "ValueType": {"data_type": "string", "description": 'Type of the value for the registry key being tracked'}, + "VMUUID": {"data_type": "string", "description": ''}, + }, + "ConfigurationData": { + "Acls": {"data_type": "string", "description": 'The Access-Control List specifies which users or system processes are granted access to objects'}, + "Architecture": {"data_type": "string", "description": 'Instruction set architecture for the software being tracked'}, + "Attributes": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ConfigDataType": {"data_type": "string", "description": 'Type of configuration item: Files Software WindowsServices Registry Daemons'}, + "CurrentVersion": {"data_type": "string", "description": 'Current software version'}, + "DateCreated": {"data_type": "datetime", "description": 'Created date of the file'}, + "DateModified": {"data_type": "datetime", "description": 'Last modified date of the file'}, + "FileContentChecksum": {"data_type": "string", "description": 'Checksum of the reporting file'}, + "FileSystemPath": {"data_type": "string", "description": 'File system path for the reporting file'}, + "Hive": {"data_type": "string", "description": 'Registry hive for the reporting registry key'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "Name": {"data_type": "string", "description": ''}, + "Publisher": {"data_type": "string", "description": 'Software publisher name'}, + "RegistryKey": {"data_type": "string", "description": 'Registy key name'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Size": {"data_type": "long", "description": 'Size of the file'}, + "SoftwareDescription": {"data_type": "string", "description": 'Description of the software'}, + "SoftwareName": {"data_type": "string", "description": 'Name of the software'}, + "SoftwareType": {"data_type": "string", "description": 'Type of the software: Application Package Update'}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SvcAccount": {"data_type": "string", "description": 'User account that is associated with the service executable explicitly to provide a security context for the service'}, + "SvcController": {"data_type": "string", "description": 'Service property that was changed'}, + "SvcDescription": {"data_type": "string", "description": 'Parent process for the daemon'}, + "SvcDisplayName": {"data_type": "string", "description": 'Human-frinedly name for the service'}, + "SvcName": {"data_type": "string", "description": 'Name of the service'}, + "SvcPath": {"data_type": "string", "description": 'The file path to the executable for the service'}, + "SvcRunlevels": {"data_type": "string", "description": 'Modes used by the daemon for system operation'}, + "SvcStartupType": {"data_type": "string", "description": 'Startup behavior of the service'}, + "SvcState": {"data_type": "string", "description": 'Current state of the service'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValueData": {"data_type": "string", "description": 'Data contained in the value and registry key being tracked'}, + "ValueName": {"data_type": "string", "description": 'Name of the value for the registry key being tracked'}, + "ValueType": {"data_type": "string", "description": 'Type of the value for the registry key being tracked'}, + "VMUUID": {"data_type": "string", "description": ''}, + }, + "ContainerAppConsoleLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerAppName": {"data_type": "string", "description": 'The name of the Container App generating this log.'}, + "ContainerGroupId": {"data_type": "string", "description": "The ID of the container's pod (Container App replica) generating this log."}, + "ContainerGroupName": {"data_type": "string", "description": "The name of the container's pod (Container App replica) generating this log."}, + "ContainerId": {"data_type": "string", "description": 'The ID of the Container App generating this log.'}, + "ContainerImage": {"data_type": "string", "description": 'The image used in the container instance that generated this log.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container generating this log.'}, + "EnvironmentName": {"data_type": "string", "description": 'The name of the Container App Environment generating this log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobName": {"data_type": "string", "description": 'The name of the kubernetes job running inside a managed AKS environment generating this log.'}, + "Location": {"data_type": "string", "description": 'The location of the Container App generating this log.'}, + "Log": {"data_type": "string", "description": "The log generated by the user's Container App."}, + "OperationName": {"data_type": "string", "description": 'The name of the operation generating this log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RevisionName": {"data_type": "string", "description": 'The name of the revision generating this log.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stream": {"data_type": "string", "description": 'The stream where the log was emitted.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerAppSystemLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ComponentName": {"data_type": "string", "description": 'The name of component name.'}, + "ComponentType": {"data_type": "string", "description": 'The type of component such as SpringCloudConfig, SpringCloudEureka, etc.'}, + "ContainerAppName": {"data_type": "string", "description": 'The name of Container App generating this log.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container generating this log.'}, + "Count": {"data_type": "int", "description": 'How many times this log has been seen.'}, + "EnvironmentName": {"data_type": "string", "description": 'The name of the Container App Environment generating this log.'}, + "EventSource": {"data_type": "string", "description": 'The name of project generating this log. This includes but is not limited to systems components in the Container App Environments or open source integrations such as Keda or Dapr.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobName": {"data_type": "string", "description": 'The name of the Job generating this log.'}, + "Location": {"data_type": "string", "description": 'The location of the Container App generating this log.'}, + "Log": {"data_type": "string", "description": 'The log generated by the Container App Environment.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation generating this log.'}, + "Reason": {"data_type": "string", "description": 'The reason why this event was generated.'}, + "ReplicaName": {"data_type": "string", "description": 'The name of Container App replica generating this log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RevisionName": {"data_type": "string", "description": 'The name of the revision generating this log.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'For events emitted by the Container App Environment. Type indicates the severity level of the event.'}, + }, + "ContainerEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerGroup": {"data_type": "string", "description": 'The name of the container group associated with the record.'}, + "ContainerGroupInstanceID": {"data_type": "string", "description": 'A unique identifier for the container group associated with the record.'}, + "ContainerID": {"data_type": "string", "description": 'A unique identifier for the container associated with the record.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container associated with the record.'}, + "Count": {"data_type": "int", "description": 'How many times the event has occurred since the last poll.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the resource associated with the record.'}, + "Message": {"data_type": "string", "description": 'If applicable, the message from the container.'}, + "OSType": {"data_type": "string", "description": 'The name of the operating system the container is based on.'}, + "Reason": {"data_type": "string", "description": '.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp when the event was generated by the Azure service processing the request corresponding the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerImageInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Computer name/Node name'}, + "Failed": {"data_type": "int", "description": 'Count of containers with this image that are in failed state'}, + "Image": {"data_type": "string", "description": 'Name of Container Image'}, + "ImageID": {"data_type": "string", "description": 'Image ID of the container image'}, + "ImageSize": {"data_type": "string", "description": 'Size of the container image [amount of data (on disk) that is used for the writable layer]'}, + "ImageTag": {"data_type": "string", "description": 'Tag of the container image'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Paused": {"data_type": "int", "description": 'Count of containers with this image that are in paused state'}, + "Repository": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Running": {"data_type": "int", "description": 'Count of containers with this image that are in running state'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stopped": {"data_type": "int", "description": 'Count of containers with this image that are in stopped state'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TotalContainer": {"data_type": "long", "description": 'Count of containers with this ContainerImage'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualSize": {"data_type": "string", "description": 'Virtual Size of the Container Image [Total amount of disk-space used for the read-only image data]'}, + }, + "ContainerInstanceLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ContainerGroup": {"data_type": "string", "description": 'The name of the container group associated with the record.'}, + "ContainerID": {"data_type": "string", "description": 'A unique identifier for the container associated with the record.'}, + "ContainerImage": {"data_type": "string", "description": 'The name of the container image associated with the record.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the container associated with the record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the resource associated with the record.'}, + "Message": {"data_type": "string", "description": 'If applicable, the message from the container.'}, + "OSType": {"data_type": "string", "description": 'The name of the operating system the container is based on.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Source": {"data_type": "string", "description": 'Name of the logging component.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp when the event was generated by the Azure service processing the request corresponding the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Command": {"data_type": "string", "description": 'entrypoint and the command executed for all running containers'}, + "ComposeGroup": {"data_type": "string", "description": 'Docker Compose Project name. Comes from container label : com.docker.compose.project'}, + "Computer": {"data_type": "string", "description": 'Computer name/Node name'}, + "ContainerHostname": {"data_type": "string", "description": ''}, + "ContainerID": {"data_type": "string", "description": 'Unique ContainerID'}, + "ContainerState": {"data_type": "string", "description": 'Last known state of the container'}, + "CreatedTime": {"data_type": "datetime", "description": 'Container creation time'}, + "EnvironmentVar": {"data_type": "string", "description": "Container's environment variables"}, + "ExitCode": {"data_type": "int", "description": 'Container exit code'}, + "FinishedTime": {"data_type": "datetime", "description": 'Container termination time'}, + "Image": {"data_type": "string", "description": 'Container Image Name'}, + "ImageID": {"data_type": "string", "description": 'Container Image ID'}, + "ImageTag": {"data_type": "string", "description": 'Container Image Tag'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Links": {"data_type": "string", "description": "Container's legacy Hostconfig links"}, + "Name": {"data_type": "string", "description": 'Name of the container'}, + "Ports": {"data_type": "string", "description": "Container's port bindings"}, + "Repository": {"data_type": "string", "description": "Container's Remote repository"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedTime": {"data_type": "datetime", "description": 'Container start time'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": "Computer/node that's generating the log."}, + "ContainerID": {"data_type": "string", "description": 'Container ID for log source as seen by Docker engine.'}, + "Image": {"data_type": "string", "description": 'Container Image for log source as seen by Docker engine.'}, + "ImageTag": {"data_type": "string", "description": 'Used by Container solution only. Not populated by Azure Monitor for Containers.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogEntry": {"data_type": "string", "description": 'Actual log line.'}, + "LogEntrySource": {"data_type": "string", "description": 'Source of the log line. Possible values are stdout or stderr.'}, + "Name": {"data_type": "string", "description": 'Unique name of the container the form PODUid/ContainerName.'}, + "Repository": {"data_type": "string", "description": 'Used by Container solution only. Not populated by Azure Monitor for Containers.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TimeOfCommand": {"data_type": "datetime", "description": 'Time that the agent processed the log. This is an optional field mainly useful for troubleshooting latency issues on the agent.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerLogV2": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Name of the Computer/Node generating the log.'}, + "ContainerId": {"data_type": "string", "description": 'Container ID of the log source as seen by the Container engine.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the Container generating the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KubernetesMetadata": {"data_type": "dynamic", "description": 'Kubernetes Metadata including podUid, podLabels, podAnnotations and container image details, etc.'}, + "LogLevel": {"data_type": "string", "description": 'Categorize logs based on importance and severity. Possible values: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE, UNKNOWN.'}, + "LogMessage": {"data_type": "dynamic", "description": 'Log message from stdout or stderr. Being a dynamic field, json log messages can be queried without parse_json.'}, + "LogSource": {"data_type": "string", "description": 'Source of the Log message. Possible vlaues are stdout or stderr.'}, + "PodName": {"data_type": "string", "description": 'Kubernetes Pod name for the Container generating the log.'}, + "PodNamespace": {"data_type": "string", "description": "Kubernetes Namespace for the container's pod."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerNodeInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer'}, + "DockerVersion": {"data_type": "string", "description": 'Container runtime version'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperatingSystem": {"data_type": "string", "description": 'Nodes host OS Image'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ContainerRegistryLoginEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "DurationMs": {"data_type": "string", "description": ''}, + "Identity": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JwtId": {"data_type": "string", "description": ''}, + "LoginServer": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Region": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": ''}, + }, + "ContainerRegistryRepositoryEvents": { + "ArtifactType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "Digest": {"data_type": "string", "description": ''}, + "DurationMs": {"data_type": "string", "description": ''}, + "Identity": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LoginServer": {"data_type": "string", "description": ''}, + "MediaType": {"data_type": "string", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "Region": {"data_type": "string", "description": ''}, + "Repository": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "Size": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tag": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": ''}, + "UserTenantId": {"data_type": "string", "description": ''}, + }, + "ContainerServiceLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Command": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ContainerID": {"data_type": "string", "description": ''}, + "Image": {"data_type": "string", "description": ''}, + "ImageTag": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Repository": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TimeOfCommand": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "CoreAzureBackup": { + "AgentVersion": {"data_type": "string", "description": ''}, + "ArchiveTierLatestRecoveryPointLocation": {"data_type": "string", "description": ''}, + "ArchiveTierLatestRecoveryPointTime": {"data_type": "datetime", "description": ''}, + "ArchiveTierOldestRecoveryPointLocation": {"data_type": "string", "description": ''}, + "ArchiveTierOldestRecoveryPointTime": {"data_type": "datetime", "description": ''}, + "ArchiveTierStorageConsumedInMBs": {"data_type": "real", "description": ''}, + "ArchiveTierStorageReplicationType": {"data_type": "string", "description": ''}, + "AzureBackupAgentVersion": {"data_type": "string", "description": ''}, + "AzureDataCenter": {"data_type": "string", "description": ''}, + "BackupItemAppVersion": {"data_type": "string", "description": ''}, + "BackupItemFriendlyName": {"data_type": "string", "description": ''}, + "BackupItemFrontEndSize": {"data_type": "real", "description": ''}, + "BackupItemId": {"data_type": "string", "description": ''}, + "BackupItemName": {"data_type": "string", "description": ''}, + "BackupItemProtectionState": {"data_type": "string", "description": ''}, + "BackupItemType": {"data_type": "string", "description": ''}, + "BackupItemUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerName": {"data_type": "string", "description": ''}, + "BackupManagementServerOSVersion": {"data_type": "string", "description": ''}, + "BackupManagementServerType": {"data_type": "string", "description": ''}, + "BackupManagementServerUniqueId": {"data_type": "string", "description": ''}, + "BackupManagementServerVersion": {"data_type": "string", "description": ''}, + "BackupManagementType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BillingGroupFriendlyName": {"data_type": "string", "description": ''}, + "BillingGroupUniqueId": {"data_type": "string", "description": ''}, + "Category": {"data_type": "string", "description": ''}, + "DatasourceFriendlyName": {"data_type": "string", "description": ''}, + "DatasourceResourceGroupName": {"data_type": "string", "description": ''}, + "DatasourceResourceId": {"data_type": "string", "description": ''}, + "DatasourceSetFriendlyName": {"data_type": "string", "description": ''}, + "DatasourceSetResourceId": {"data_type": "string", "description": ''}, + "DatasourceSetType": {"data_type": "string", "description": ''}, + "DatasourceSubscriptionId": {"data_type": "string", "description": ''}, + "DatasourceType": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "dynamic", "description": ''}, + "IsArchiveEnabled": {"data_type": "bool", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LatestRecoveryPointLocation": {"data_type": "string", "description": ''}, + "LatestRecoveryPointTime": {"data_type": "datetime", "description": ''}, + "OldestRecoveryPointLocation": {"data_type": "string", "description": ''}, + "OldestRecoveryPointTime": {"data_type": "datetime", "description": ''}, + "OperationName": {"data_type": "string", "description": ''}, + "PolicyId": {"data_type": "string", "description": ''}, + "PolicyName": {"data_type": "string", "description": ''}, + "PolicyUniqueId": {"data_type": "string", "description": ''}, + "ProtectedContainerFriendlyName": {"data_type": "string", "description": ''}, + "ProtectedContainerLocation": {"data_type": "string", "description": ''}, + "ProtectedContainerName": {"data_type": "string", "description": ''}, + "ProtectedContainerOSType": {"data_type": "string", "description": ''}, + "ProtectedContainerOSVersion": {"data_type": "string", "description": ''}, + "ProtectedContainerProtectionState": {"data_type": "string", "description": ''}, + "ProtectedContainerType": {"data_type": "string", "description": ''}, + "ProtectedContainerUniqueId": {"data_type": "string", "description": ''}, + "ProtectedContainerWorkloadType": {"data_type": "string", "description": ''}, + "ProtectionGroupName": {"data_type": "string", "description": ''}, + "ResourceGroupName": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SchemaVersion": {"data_type": "string", "description": ''}, + "SecondaryBackupProtectionState": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "StorageConsumedInMBs": {"data_type": "real", "description": ''}, + "StorageReplicationType": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VaultName": {"data_type": "string", "description": ''}, + "VaultTags": {"data_type": "string", "description": ''}, + "VaultType": {"data_type": "string", "description": ''}, + "VaultUniqueId": {"data_type": "string", "description": ''}, + }, + "DatabricksAccounts": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksBrickStoreHttpGateway": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksCapsule8Dataplane": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameters, key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and status code.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksClamAVScan": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameters, key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and status code.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksCloudStorageMetadata": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksClusterLibraries": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameters, key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and status code.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksClusters": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksDashboards": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksDatabricksSQL": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksDataMonitoring": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksDBFS": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksDeltaPipelines": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksFeatureStore": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksFilesystem": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksGenie": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksGitCredentials": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksGlobalInitScripts": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksIAMRole": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksIngestion": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksInstancePools": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksJobs": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksLineageTracking": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksMarketplaceConsumer": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksMLflowAcledArtifact": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksMLflowExperiment": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksModelRegistry": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksNotebook": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksPartnerHub": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameters, key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and status code.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksPredictiveOptimization": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DatabricksRemoteHistoryService": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksRepos": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksSecrets": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksServerlessRealTimeInference": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksSQL": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log message that can be used to deduplicate them.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The schema version of the Databricks operation-based diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'The unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksSQLPermissions": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksSSH": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksUnityCatalog": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksWebTerminal": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksWorkspace": { + "ActionName": {"data_type": "string", "description": 'The action of the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The service that logged the request.'}, + "Identity": {"data_type": "string", "description": 'Information about the user that makes the requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The unique identifier for the log messages.'}, + "OperationName": {"data_type": "string", "description": 'The action, such as login, logout, read, write, etc.'}, + "OperationVersion": {"data_type": "string", "description": 'The Databricks schema version of the diagnostic log format.'}, + "RequestId": {"data_type": "string", "description": 'Unique request ID.'}, + "RequestParams": {"data_type": "string", "description": 'Parameter key-value pairs used in the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "string", "description": 'The HTTP response to the request, including error message (if applicable), result, and statusCode.'}, + "ServiceName": {"data_type": "string", "description": 'The service of the source request.'}, + "SessionId": {"data_type": "string", "description": 'Session ID of the action.'}, + "SourceIPAddress": {"data_type": "string", "description": 'The IP address of the source request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of the action (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The browser or API client used to make the request.'}, + }, + "DatabricksWorkspaceLogs": { + "ActionName": {"data_type": "string", "description": 'The action name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Identity": {"data_type": "dynamic", "description": 'The identity of the user who performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogId": {"data_type": "string", "description": 'The log ID in Databricks domain.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "RequestId": {"data_type": "string", "description": 'The request ID.'}, + "RequestParams": {"data_type": "dynamic", "description": 'The request parameters.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Response": {"data_type": "dynamic", "description": 'The response.'}, + "ServiceName": {"data_type": "string", "description": 'The service name.'}, + "SessionId": {"data_type": "string", "description": 'The session ID.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the client that performed the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + }, + "DataTransferOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Correlates different log messages for the same object.'}, + "Description": {"data_type": "string", "description": "Description of the object's state as it is transferred."}, + "FlowId": {"data_type": "string", "description": "The internal ID of the customer's flow."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectLastUpdated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the object was last updated.'}, + "ObjectName": {"data_type": "string", "description": "Name of the customer's object."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The status of the object as it is transferred. The status will let a customer know when the transfer has started, when it has finished, and if it has failed.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DataverseActivity": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'The IP address of the device that was used when the activity was logged.'}, + "CorrelationId": {"data_type": "string", "description": 'A unique value used to associate related rows.'}, + "CrmOrganizationUniqueName": {"data_type": "string", "description": 'Unique name of the organization.'}, + "EntityId": {"data_type": "string", "description": 'Unique identifier of the entity.'}, + "EntityName": {"data_type": "string", "description": 'Name of the entity in the organization.'}, + "Fields": {"data_type": "dynamic", "description": 'JSON of Key Value pair reflecting the values that were created or updated.'}, + "InstanceUrl": {"data_type": "string", "description": 'URL to the instance.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemType": {"data_type": "string", "description": 'The type of object that was accessed or modified. See the ItemType table for details on the types of objects.'}, + "ItemUrl": {"data_type": "string", "description": 'URL to the record emitting the log.'}, + "Message": {"data_type": "string", "description": 'Name of the message called in the Dynamics 365 SDK.'}, + "Operation": {"data_type": "string", "description": 'The name of the operation that the user is performing.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization."}, + "OriginalObjectId": {"data_type": "string", "description": 'The ObjectId for Dataverse operation or business activity.'}, + "Query": {"data_type": "string", "description": 'The query filter parameters used while executing the FetchXML.'}, + "QueryResults": {"data_type": "dynamic", "description": 'One or multiple unique records returned by the Retrieve and Retrieve Multiple SDK message call.'}, + "ResultStatus": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not.'}, + "ServiceContextId": {"data_type": "string", "description": 'The unique id associated with service context.'}, + "ServiceContextIdType": {"data_type": "string", "description": 'Application defined token to define context use.'}, + "ServiceName": {"data_type": "string", "description": 'Name of the Service generating the log.'}, + "SourceRecordId": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SystemUserId": {"data_type": "string", "description": 'Unique identifier of the user GUID in the organization.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent.'}, + "UserId": {"data_type": "string", "description": 'The Dataverse user ID of the user who performed the action (specified in the Operation property) that resulted in the record being logged.'}, + "UserKey": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property.'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation. See the UserType table in Office 365 management activity api schema documentation for details on the types of users.'}, + "UserUpn": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged.'}, + }, + "DCRLogErrors": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientRequestId": {"data_type": "string", "description": 'Guid passed in x-ms-client-request-id header while ingesting data.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "InputStreamId": {"data_type": "string", "description": 'Stream name of the input.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Error describing the issue.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation, Can be Ingestion or Transformation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DCRLogTroubleshooting": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientRequestId": {"data_type": "string", "description": 'Guid passed in x-ms-client-request-id header while ingesting data.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for the correlated events. Can be used to identify correlated events between multiple tables.'}, + "InputStreamId": {"data_type": "string", "description": 'Stream name of the input.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Error describing the issue.'}, + "OperationName": {"data_type": "string", "description": 'Name of the operation, Can be Ingestion or Transformation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DefenderIoTRawEvent": { + "AgentVersion": {"data_type": "string", "description": 'The version of the agent.'}, + "AssociatedResourceId": {"data_type": "string", "description": 'The associated Azure resource ID.'}, + "AzureSubscriptionId": {"data_type": "string", "description": 'The Azure subscription ID.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'The device ID.'}, + "EventDetails": {"data_type": "dynamic", "description": 'Additional raw event details.'}, + "IoTRawEventId": {"data_type": "string", "description": 'The internal raw event ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsEmpty": {"data_type": "bool", "description": 'Property identifying if the raw event contains data.'}, + "RawEventCategory": {"data_type": "string", "description": 'The category of the raw event - periodic or triggered.'}, + "RawEventName": {"data_type": "string", "description": 'The name of the raw event.'}, + "RawEventType": {"data_type": "string", "description": 'The type of the raw event - security, operational or diagnostic.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the raw event was generated.'}, + "TimeStamp": {"data_type": "datetime", "description": 'The date and time the raw event was first detected.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DevCenterBillingEventLogs": { + "BilledResourceId": {"data_type": "string", "description": 'The resource within the DevCenter that gets billed.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BillingRegion": {"data_type": "string", "description": 'The billing region of the consomption resource.'}, + "EndTime": {"data_type": "datetime", "description": 'Time (UTC) when the consumption ended.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsOverMonthlyBillingCap": {"data_type": "bool", "description": 'Whether the consumption is included in the monthly cap.'}, + "MeterId": {"data_type": "string", "description": 'The meter ID for the consumption.'}, + "OperationName": {"data_type": "string", "description": 'The resource operation name for the log.'}, + "Quantity": {"data_type": "real", "description": 'The amount of usage in terms of the specified unit.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Sku": {"data_type": "string", "description": 'The Sku of the consumption resource. Can be DZH319G7LNXM, DZH3144F2XK5, DZH31814TZNG, etc.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Time (UTC) when the consumption started.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnitType": {"data_type": "string", "description": 'The unit in which the type of usage is measured. Can be Hourly or Monthly.'}, + "UsageResourceName": {"data_type": "string", "description": 'The name of the consumption resource.'}, + "UsageResourceUniqueId": {"data_type": "string", "description": 'The unique ID of the consumption resource.'}, + "UsageType": {"data_type": "string", "description": 'The type of resource being consumed.'}, + "UserId": {"data_type": "string", "description": 'User ID consuming the resource.'}, + }, + "DevCenterDiagnosticLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIdentity": {"data_type": "string", "description": 'User ID that created the request.'}, + "CorrelationId": {"data_type": "string", "description": 'ID which groups operation logs for ease of debugging.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation stage of the service from which the log entry was generated.'}, + "OperationResult": {"data_type": "string", "description": 'Displays whether operation was successful or unsuccessful.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "string", "description": 'HTTP status code of the completed operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResourceId": {"data_type": "string", "description": 'Dataplane ID of the affected resource.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DevCenterResourceOperationLogs": { + "AdditionalProperties": {"data_type": "dynamic", "description": 'Property bag of dimensions that are useful for this entry.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'ID which groups operation logs for ease of debugging.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The log message which has details about the state of the resource.'}, + "OperationName": {"data_type": "string", "description": 'The operation stage of the service from which the log entry was generated.'}, + "Region": {"data_type": "string", "description": 'The region the resource is located in.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubResourceId": {"data_type": "string", "description": 'The resource within the DevCenter that this log relates to.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceAppCrash": { + "AppID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceAppLaunch": { + "AppID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceCalendar": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DelaySeconds": {"data_type": "int", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "ErrorMessage": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "ResultCode": {"data_type": "int", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SyncStatus": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceCleanup": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceConnectSession": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Opcode": {"data_type": "int", "description": ''}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "sessionClass": {"data_type": "string", "description": ''}, + "sessionConnected": {"data_type": "bool", "description": ''}, + "sessionDurationMilliSeconds": {"data_type": "real", "description": ''}, + "sessionType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "wasCleanShutdown": {"data_type": "bool", "description": ''}, + }, + "DeviceEtw": { + "ActivityId": {"data_type": "string", "description": ''}, + "appName": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "period": {"data_type": "int", "description": ''}, + "ProcessId": {"data_type": "string", "description": ''}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "status": {"data_type": "int", "description": ''}, + "tags": {"data_type": "string", "description": ''}, + "ThreadId": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "type": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "wakeEnabled": {"data_type": "bool", "description": ''}, + }, + "DeviceEvents": { + "AccountDomain": {"data_type": "string", "description": 'Domain of the account.'}, + "AccountName": {"data_type": "string", "description": 'User name of the account.'}, + "AccountSid": {"data_type": "string", "description": 'Security identifier (SID) of the account.'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FileName": {"data_type": "string", "description": 'Domain of the account.'}, + "FileOriginIP": {"data_type": "string", "description": 'IP address where the file was downloaded from.'}, + "FileOriginUrl": {"data_type": "string", "description": 'URL where the file was downloaded from.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Domain of the account.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'Size in bytes of the file that ran the process responsible for the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessLogonId": {"data_type": "long", "description": 'Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts.'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the process (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LocalIP": {"data_type": "string", "description": 'IP address assigned to the local machine used during communication.'}, + "LocalPort": {"data_type": "int", "description": 'TCP port on the local machine used during communication.'}, + "LogonId": {"data_type": "long", "description": 'Identifier for a logon session. This identifier is unique on the same machine only between restarts.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "MD5": {"data_type": "string", "description": 'MD5 hash of the file that the recorded action was applied to.'}, + "ProcessCommandLine": {"data_type": "string", "description": 'Command line used to create the new process.'}, + "ProcessCreationTime": {"data_type": "datetime", "description": 'Date and time the process was created.'}, + "ProcessId": {"data_type": "long", "description": 'Process ID (PID) of the newly created process.'}, + "ProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process.'}, + "RegistryKey": {"data_type": "string", "description": 'Registry key that the recorded action was applied to.'}, + "RegistryValueData": {"data_type": "string", "description": 'Data of the registry value that the recorded action was applied to.'}, + "RegistryValueName": {"data_type": "string", "description": 'Name of the registry value that the recorded action was applied to.'}, + "RemoteDeviceName": {"data_type": "string", "description": 'Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information..'}, + "RemoteIP": {"data_type": "string", "description": 'IP address that was being connected to.'}, + "RemotePort": {"data_type": "int", "description": 'TCP port on the remote device that was being connected to.'}, + "RemoteUrl": {"data_type": "string", "description": 'URL or fully qualified domain name (FQDN) that was being connected to.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceFileCertificateInfo": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CertificateCountersignatureTime": {"data_type": "datetime", "description": 'Date and time (UTC) the certificate was countersigned.'}, + "CertificateCreationTime": {"data_type": "datetime", "description": 'Date and time (UTC) the certificate was created.'}, + "CertificateExpirationTime": {"data_type": "datetime", "description": 'Certificate expiry date and time (UTC).'}, + "CertificateSerialNumber": {"data_type": "string", "description": 'Identifier for the certificate that is unique to the issuing certificate authority (CA).'}, + "CrlDistributionPointUrls": {"data_type": "string", "description": 'A list of network shares URLs that contains certificates and certificate revocation (CRLs).'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRootSignerMicrosoft": {"data_type": "bool", "description": 'Indicates whether the signer of the root certificate is Microsoft.'}, + "IsSigned": {"data_type": "bool", "description": 'Indicates whether the file is signed.'}, + "Issuer": {"data_type": "string", "description": 'Information about the issuing certificate authority (CA).'}, + "IssuerHash": {"data_type": "string", "description": 'Unique hash value identifying issuing certificate authority (CA).'}, + "IsTrusted": {"data_type": "bool", "description": 'Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "ReportId": {"data_type": "long", "description": 'Unique identifier for the event.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SignatureType": {"data_type": "string", "description": 'Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file.'}, + "Signer": {"data_type": "string", "description": 'Information about the signer of the file.'}, + "SignerHash": {"data_type": "string", "description": 'Unique hash value identifying the signer.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceFileEvents": { + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FileName": {"data_type": "string", "description": 'Name of the file that the recorded action was applied to.'}, + "FileOriginIP": {"data_type": "string", "description": 'IP address where the file was downloaded from.'}, + "FileOriginReferrerUrl": {"data_type": "string", "description": 'URL of the web page that links to the downloaded file.'}, + "FileOriginUrl": {"data_type": "string", "description": 'URL where the file was downloaded from.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Folder containing the file that the recorded action was applied to.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'Size in bytes of the process (image file) that initiated the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the process (image file) responsible for the event.'}, + "IsAzureInfoProtectionApplied": {"data_type": "bool", "description": 'Indicates whether the file is encrypted by Azure Information Protection.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "MD5": {"data_type": "string", "description": 'MD5 hash of the file that the recorded action was applied to.'}, + "PreviousFileName": {"data_type": "string", "description": 'Original name of the file that was renamed as a result of the action.'}, + "PreviousFolderPath": {"data_type": "string", "description": 'Original folder containing the file before the recorded action was applied.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.'}, + "RequestAccountDomain": {"data_type": "string", "description": 'Domain of the account used to remotely initiate the activity.'}, + "RequestAccountName": {"data_type": "string", "description": 'User name of account used to remotely initiate the activity.'}, + "RequestAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account used to remotely initiate the activity.'}, + "RequestProtocol": {"data_type": "string", "description": 'Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS.'}, + "RequestSourceIP": {"data_type": "string", "description": 'IPv4 or IPv6 address of the remote device that initiated the activity.'}, + "RequestSourcePort": {"data_type": "int", "description": 'Source port on the remote device that initiated the activity.'}, + "SensitivityLabel": {"data_type": "string", "description": 'Label applied to an email, file, or other content to classify it for information protection.'}, + "SensitivitySubLabel": {"data_type": "string", "description": 'Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "ShareName": {"data_type": "string", "description": 'Name of shared folder containing the file.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceHardwareHealth": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceHealth": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceHeartbeat": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceImageLoadEvents": { + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FileName": {"data_type": "string", "description": 'Domain of the account.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Domain of the account.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'Size in bytes of the process (image file) that initiated the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the process (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "MD5": {"data_type": "string", "description": 'MD5 hash of the file that the recorded action was applied to.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceInfo": { + "AadDeviceId": {"data_type": "string", "description": 'Unique identifier for the device in Azure Active Directory.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AssetValue": {"data_type": "string", "description": 'Indicates the value of a device as assigned by the user.'}, + "AwsResourceName": {"data_type": "string", "description": 'Unique identifier of the AWS resource associated with the device.'}, + "AzureResourceId": {"data_type": "string", "description": 'Unique identifier of the Azure resource associated with the device.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientVersion": {"data_type": "string", "description": 'Version of the endpoint agent or sensor running on the machine.'}, + "DeviceCategory": {"data_type": "string", "description": 'Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown.'}, + "DeviceDynamicTags": {"data_type": "string", "description": 'Device tags added and removed dynamically based on dynamic rules.'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceManualTags": {"data_type": "string", "description": 'Device tags created manually using the portal UI or public API.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "DeviceObjectId": {"data_type": "string", "description": 'Unique identifier for the device in Azure AD.'}, + "DeviceSubtype": {"data_type": "string", "description": 'Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute.'}, + "DeviceType": {"data_type": "string", "description": 'Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer.'}, + "ExclusionReason": {"data_type": "string", "description": 'Indicates the reason for device exclusion.'}, + "ExposureLevel": {"data_type": "string", "description": 'Indicates the exposure level of a device.'}, + "GcpFullResourceName": {"data_type": "string", "description": 'Unique identifier of the AWS resource associated with the device.'}, + "IsAzureADJoined": {"data_type": "bool", "description": 'Boolean indicator of whether machine is joined to the Azure Active Directory.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsExcluded": {"data_type": "bool", "description": 'Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences.'}, + "IsInternetFacing": {"data_type": "bool", "description": 'Indicates whether the device is internet-facing.'}, + "JoinType": {"data_type": "string", "description": "The device's Azure Active Directory join type."}, + "LoggedOnUsers": {"data_type": "dynamic", "description": 'List of all users that are logged on the machine at the time of the event in JSON array format.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group used to determine access to the machine and apply group-specific settings.'}, + "MergedDeviceIds": {"data_type": "string", "description": 'Previous device IDs that have been assigned to the same device.'}, + "MergedToDeviceId": {"data_type": "string", "description": 'The most recent device ID assigned to a device.'}, + "Model": {"data_type": "string", "description": 'Model name or number of the product from the vendor or manufacturer, only available if device discovery finds enough information about this attribute.'}, + "OnboardingStatus": {"data_type": "string", "description": 'Indicates whether the device is currently onboarded or not to Microsoft Defender for Endpoint or if the device is not supported.'}, + "OSArchitecture": {"data_type": "string", "description": 'Architecture of the operating system running on the machine.'}, + "OSBuild": {"data_type": "long", "description": 'Build version of the operating system running on the machine.'}, + "OSDistribution": {"data_type": "string", "description": 'Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms.'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.'}, + "OSVersion": {"data_type": "string", "description": 'Version of the operating system running on the machine.'}, + "OSVersionInfo": {"data_type": "string", "description": 'Additional information about the OS version, such as the popular name, code name, or version number.'}, + "PublicIP": {"data_type": "string", "description": 'Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy.'}, + "RegistryDeviceTag": {"data_type": "string", "description": 'Device tag added through the registry.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns..'}, + "SensorHealthState": {"data_type": "string", "description": "Indicates health of the device's EDR sensor, if onboarded to Microsoft Defender For Endpoint."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Vendor": {"data_type": "string", "description": 'Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute.'}, + }, + "DeviceLogonEvents": { + "AccountDomain": {"data_type": "string", "description": 'Domain of the account.'}, + "AccountName": {"data_type": "string", "description": 'User name of the account.'}, + "AccountSid": {"data_type": "string", "description": 'Security identifier (SID) of the account.'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FailureReason": {"data_type": "string", "description": 'Information explaining why the recorded action failed.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'Size in bytes of the process (image file) that initiated the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the process (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the process (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsLocalAdmin": {"data_type": "bool", "description": 'Boolean indicator of whether the user is a local administrator on the machine.'}, + "LogonId": {"data_type": "long", "description": 'Identifier for a logon session. This identifier is unique on the same machine only between restarts.'}, + "LogonType": {"data_type": "string", "description": 'Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used during the communication.'}, + "RemoteDeviceName": {"data_type": "string", "description": 'Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information.'}, + "RemoteIP": {"data_type": "string", "description": 'IP address that was being connected to.'}, + "RemoteIPType": {"data_type": "string", "description": 'Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast.'}, + "RemotePort": {"data_type": "int", "description": 'TCP port on the remote device that was being connected to.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceNetworkEvents": { + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the initiating process.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the initiating process.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the initiating process.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the initiating process.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the initiating process.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the initiating process.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the initiating process.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'Size of the file (bytes) that ran the process responsible for the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the initiating process (image file).'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the initiating process.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources..'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the initiating process (image file).'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the initiating process.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the initiating process.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the initiating process (image file).'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the initiating process (image file). In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'The company name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'The description in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'The internal file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'The original file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'The product name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'The product version in version information (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LocalIP": {"data_type": "string", "description": 'IP address assigned to the local machine used during communication.'}, + "LocalIPType": {"data_type": "string", "description": 'Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast.'}, + "LocalPort": {"data_type": "int", "description": 'TCP port on the local machine used during communication.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "Protocol": {"data_type": "string", "description": 'IP protocol used, whether TCP or UDP.'}, + "RemoteIP": {"data_type": "string", "description": 'IP address that was being connected to.'}, + "RemoteIPType": {"data_type": "string", "description": 'Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast.'}, + "RemotePort": {"data_type": "int", "description": 'TCP port on the remote device that was being connected to.'}, + "RemoteUrl": {"data_type": "string", "description": 'URL or fully qualified domain name (FQDN) that was being connected to.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns..'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceNetworkInfo": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConnectedNetworks": {"data_type": "dynamic", "description": 'Networks that the adapter is connected to. Each JSON element in the array contains the network name, category (public, private or domain), a description, and a flag indicating if it is connected publicly to the internet.'}, + "DefaultGateways": {"data_type": "dynamic", "description": 'Default gateway addresses in JSON array format.'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "DnsAddresses": {"data_type": "dynamic", "description": 'DNS server addresses in JSON array format.'}, + "IPAddresses": {"data_type": "dynamic", "description": 'JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and the IP class (RFC 1918 & RFC 4291).'}, + "IPv4Dhcp": {"data_type": "string", "description": 'IPv4 address of the configured DHCP server.'}, + "IPv6Dhcp": {"data_type": "string", "description": 'IPv6 address of the configured DHCP server.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MacAddress": {"data_type": "string", "description": 'MAC address of the network adapter.'}, + "MachineGroup": {"data_type": "string", "description": 'The machine-group which this machine is associated to. This group is used by role-based access control to determine access to the machine.'}, + "NetworkAdapterName": {"data_type": "string", "description": 'Name of the network adapter.'}, + "NetworkAdapterStatus": {"data_type": "string", "description": 'Operational status of the network adapter.'}, + "NetworkAdapterType": {"data_type": "string", "description": 'Network adapter type.'}, + "NetworkAdapterVendor": {"data_type": "string", "description": 'Name of the manufacturer or vendor of the network adapter.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and/or Timestamp columns.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "TunnelType": {"data_type": "string", "description": 'Tunneling protocol, when the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceProcessEvents": { + "AccountDomain": {"data_type": "string", "description": 'Domain of the account.'}, + "AccountName": {"data_type": "string", "description": 'User name of the account.'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure AD.'}, + "AccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account.'}, + "AccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account.'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FileName": {"data_type": "string", "description": 'Name of the file that the recorded action was applied to.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Folder containing the file that the recorded action was applied to.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'The size of the file (bytes) that ran the process responsible for the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources..'}, + "InitiatingProcessLogonId": {"data_type": "long", "description": 'Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts..'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead.'}, + "InitiatingProcessSignatureStatus": {"data_type": "string", "description": 'Information about the signature status of the process (image file) that initiated the event.'}, + "InitiatingProcessSignerType": {"data_type": "string", "description": 'Type of file signer of the process (image file) that initiated the event.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'The company name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'The description in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'The internal file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'The original file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'The product name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'The product version in version information (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogonId": {"data_type": "long", "description": 'Identifier for a logon session. This identifier is unique on the same machine only between restarts.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "MD5": {"data_type": "string", "description": 'MD5 hash of the file that the recorded action was applied to.'}, + "ProcessCommandLine": {"data_type": "string", "description": 'Command line used to create the new process.'}, + "ProcessCreationTime": {"data_type": "datetime", "description": 'Date and time the process was created.'}, + "ProcessId": {"data_type": "long", "description": 'Process ID (PID) of the newly created process.'}, + "ProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources..'}, + "ProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process.'}, + "ProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the newly created process.'}, + "ProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the newly created process.'}, + "ProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the newly created process.'}, + "ProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the newly created process.'}, + "ProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the newly created process.'}, + "ProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the newly created process.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns..'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceRegistryEvents": { + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the initiating process.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the initiating process.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the initiating process.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the initiating process.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the initiating process.'}, + "InitiatingProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the initiating process.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitiatingProcessFileName": {"data_type": "string", "description": 'Name of the initiating process.'}, + "InitiatingProcessFileSize": {"data_type": "long", "description": 'The size of the file (bytes) that ran the process responsible for the event.'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the initiating process (image file).'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the initiating process.'}, + "InitiatingProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources..'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the initiating process (image file).'}, + "InitiatingProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the initiating process.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the initiating process.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the initiating process (image file).'}, + "InitiatingProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the initiating process (image file). In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead.'}, + "InitiatingProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process.'}, + "InitiatingProcessVersionInfoCompanyName": {"data_type": "string", "description": 'The company name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoFileDescription": {"data_type": "string", "description": 'The description in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'The internal file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'The original file name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductName": {"data_type": "string", "description": 'The product name in version information (image file) responsible for the event.'}, + "InitiatingProcessVersionInfoProductVersion": {"data_type": "string", "description": 'The product version in version information (image file) responsible for the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "PreviousRegistryKey": {"data_type": "string", "description": 'Original registry key before it was modified.'}, + "PreviousRegistryValueData": {"data_type": "string", "description": 'Original data of the registry value before it was modified.'}, + "PreviousRegistryValueName": {"data_type": "string", "description": 'Original name of the registry value before it was modified.'}, + "RegistryKey": {"data_type": "string", "description": 'Registry key that the recorded action was applied to.'}, + "RegistryValueData": {"data_type": "string", "description": 'Data of the registry value that the recorded action was applied to.'}, + "RegistryValueName": {"data_type": "string", "description": 'Name of the registry value that the recorded action was applied to.'}, + "RegistryValueType": {"data_type": "string", "description": 'Data type, such as binary or string, of the registry value that the recorded action was applied to.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns..'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceSkypeHeartbeat": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProviderId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceSkypeSignIn": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventName": {"data_type": "string", "description": ''}, + "HealthServiceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Opcode": {"data_type": "int", "description": ''}, + "ProviderId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceTvmSecureConfigurationAssessment": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigurationCategory": {"data_type": "string", "description": 'Category or grouping to which the configuration belongs'}, + "ConfigurationId": {"data_type": "string", "description": 'Unique identifier for a specific configuration'}, + "ConfigurationImpact": {"data_type": "real", "description": 'Rated impact of the configuration to the overall configuration score (1-10)'}, + "ConfigurationSubcategory": {"data_type": "string", "description": 'Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.'}, + "Context": {"data_type": "dynamic", "description": 'Machine data configuration context'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "IsApplicable": {"data_type": "bool", "description": 'Indicates whether the configuration or policy is applicable'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsCompliant": {"data_type": "bool", "description": 'Indicates whether the configuration or policy is properly configured'}, + "IsExpectedUserImpact": {"data_type": "bool", "description": 'Indicates if user impact is expected when configuration applied'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Timestamp": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceTvmSecureConfigurationAssessmentKB": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigurationBenchmarks": {"data_type": "dynamic", "description": 'List of industry benchmarks which recommend the same or similar configuration.'}, + "ConfigurationCategory": {"data_type": "string", "description": 'Category or grouping to which the configuration belongs.'}, + "ConfigurationDescription": {"data_type": "string", "description": 'Description of the configuration.'}, + "ConfigurationId": {"data_type": "string", "description": 'Unique identifier for a specific configuration.'}, + "ConfigurationImpact": {"data_type": "real", "description": 'Rated impact of the configuration to the overall configuration score (1-10).'}, + "ConfigurationName": {"data_type": "string", "description": 'Display name of the configuration.'}, + "ConfigurationSubcategory": {"data_type": "string", "description": 'Subcategory or subgrouping to which the configuration belongs. Commonly, this describes specific capabilities or features.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "RelatedMitreTactics": {"data_type": "dynamic", "description": 'Related tactics from Mitre knowledge base.'}, + "RelatedMitreTechniques": {"data_type": "dynamic", "description": 'Related techniques from Mitre knowledge base.'}, + "RemediationOptions": {"data_type": "string", "description": 'Recommended actions to reduce or address any associated risks'}, + "RiskDescription": {"data_type": "string", "description": 'Description of any associated risks.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Tags": {"data_type": "dynamic", "description": 'Labels representing various attributes, used to identify or categorize a security configuration.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the record was generated.'}, + "Timestamp": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceTvmSoftwareInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "EndOfSupportDate": {"data_type": "datetime", "description": 'End-of-support (EOS) or end-of-life (EOL) date of the software product'}, + "EndOfSupportStatus": {"data_type": "string", "description": 'Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSArchitecture": {"data_type": "string", "description": 'Architecture of the operating system running on the machine'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7'}, + "OSVersion": {"data_type": "string", "description": 'Version of the operating system running on the machine'}, + "ProductCodeCpe": {"data_type": "string", "description": 'The standard Common Platform Enumeration (CPE) name of the software product version'}, + "SoftwareName": {"data_type": "string", "description": 'Name of the software product'}, + "SoftwareVendor": {"data_type": "string", "description": 'Name of the software vendor'}, + "SoftwareVersion": {"data_type": "string", "description": 'Version number of the software product'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DeviceTvmSoftwareVulnerabilities": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CveId": {"data_type": "string", "description": 'Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system'}, + "CveTags": {"data_type": "dynamic", "description": 'Array of tags relevant to the CVE; example: ZeroDay, NoSecurityUpdate'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSArchitecture": {"data_type": "string", "description": 'Architecture of the operating system running on the machine'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7'}, + "OSVersion": {"data_type": "string", "description": 'Version of the operating system running on the machine'}, + "RecommendedSecurityUpdate": {"data_type": "string", "description": 'Name or description of the security update provided by the software vendor to address the vulnerability'}, + "RecommendedSecurityUpdateId": {"data_type": "string", "description": 'Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles'}, + "SoftwareName": {"data_type": "string", "description": 'Name of the software product'}, + "SoftwareVendor": {"data_type": "string", "description": 'Name of the software vendor'}, + "SoftwareVersion": {"data_type": "string", "description": 'Version number of the software product'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VulnerabilitySeverityLevel": {"data_type": "string", "description": 'Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape'}, + }, + "DeviceTvmSoftwareVulnerabilitiesKB": { + "AffectedSoftware": {"data_type": "dynamic", "description": 'List of all software products affected by the vulnerability.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CveId": {"data_type": "string", "description": 'Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.'}, + "CvssScore": {"data_type": "real", "description": 'Severity score assigned to the security vulnerability under the Common Vulnerability Scoring System (CVSS).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsExploitAvailable": {"data_type": "bool", "description": 'Indicates whether exploit code for the vulnerability is publicly available.'}, + "LastModifiedTime": {"data_type": "datetime", "description": 'Date and time the item or related metadata was last modified.'}, + "PublishedDate": {"data_type": "datetime", "description": 'Date vulnerability was disclosed to the public.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the record was generated.'}, + "Timestamp": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VulnerabilityDescription": {"data_type": "string", "description": 'Description of the vulnerability and associated risks.'}, + "VulnerabilitySeverityLevel": {"data_type": "string", "description": 'Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.'}, + }, + "DHAppReliability": { + "AppFileDisplayName": {"data_type": "string", "description": ''}, + "AppFileName": {"data_type": "string", "description": ''}, + "AppFileVersion": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "CrashFreeDevicesPercentForIndustryTrailing": {"data_type": "real", "description": ''}, + "DeviceLastSeenTime": {"data_type": "datetime", "description": ''}, + "HangFreeDevicesPercentForIndustryTrailing": {"data_type": "real", "description": ''}, + "HasCrashesDaily": {"data_type": "bool", "description": ''}, + "HasCrashesTrailing": {"data_type": "bool", "description": ''}, + "HasHangsDaily": {"data_type": "bool", "description": ''}, + "HasHangsTrailing": {"data_type": "bool", "description": ''}, + "HasIncidentsDaily": {"data_type": "bool", "description": ''}, + "HasIncidentsTrailing": {"data_type": "bool", "description": ''}, + "HasUsageDaily": {"data_type": "bool", "description": ''}, + "HasUsageTrailing": {"data_type": "bool", "description": ''}, + "IncidentFreeDevicesPercentForIndustryTrailing": {"data_type": "real", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "Publisher": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHDriverReliability": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DeviceLastSeenTime": {"data_type": "datetime", "description": ''}, + "DriverKernelModeCrashCount": {"data_type": "int", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverPercentCrashFreeDevicesForIndustry": {"data_type": "real", "description": ''}, + "DriverVendor": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "HardwareType": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHLogonFailures": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "Country": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogonStatus": {"data_type": "string", "description": ''}, + "LogonSubStatus": {"data_type": "string", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "ProviderId": {"data_type": "string", "description": ''}, + "ProviderName": {"data_type": "string", "description": ''}, + "SignInFailureCount": {"data_type": "long", "description": ''}, + "SignInFailureReason": {"data_type": "string", "description": ''}, + "SignInUserError": {"data_type": "string", "description": ''}, + "SuggestedSignInRemediation": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHLogonMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "Country": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "PreferredSignInProviderId": {"data_type": "string", "description": ''}, + "PreferredSignInProviderName": {"data_type": "string", "description": ''}, + "ProviderId": {"data_type": "string", "description": ''}, + "ProviderName": {"data_type": "string", "description": ''}, + "SignInIndustrySuccessRate": {"data_type": "real", "description": ''}, + "SignInSuccessRate": {"data_type": "real", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalDailySignIns": {"data_type": "long", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHOSCrashData": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KernelModeCrashBugCheckCode": {"data_type": "string", "description": ''}, + "KernelModeCrashCount": {"data_type": "int", "description": ''}, + "KernelModeCrashFailureId": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHOSReliability": { + "AbnormalShutdownCount": {"data_type": "int", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "Country": {"data_type": "string", "description": ''}, + "DeviceLastSeenTime": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KernelModeCrashCount": {"data_type": "int", "description": ''}, + "KernelModeCrashFreePercentForIndustry": {"data_type": "real", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DHWipAppLearning": { + "AppName": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "EventFiredTime": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WipActionType": {"data_type": "string", "description": ''}, + "WipAppId": {"data_type": "string", "description": ''}, + "WipAppIdType": {"data_type": "string", "description": ''}, + "WipAppRuleType": {"data_type": "string", "description": ''}, + }, + "DnsAuditEvents": { + "Action": {"data_type": "string", "description": 'If a query meets the criteria of a policy, the action is the response that the policy requires.'}, + "ActiveKey": {"data_type": "string", "description": "Signing key of the KSK's active key."}, + "AdditionalData": {"data_type": "dynamic", "description": 'Additional information not already scoped into its own dedicated field.'}, + "Base64Data": {"data_type": "string", "description": 'Key data.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BufferSize": {"data_type": "int", "description": 'Size of the buffer used for logging the event data.(in bytes)'}, + "ChildZone": {"data_type": "string", "description": 'Name of a child zone.'}, + "ClientSubnetList": {"data_type": "string", "description": 'The list of IPv4 and IPv6 of the client subnet.'}, + "ClientSubnetRecord": {"data_type": "string", "description": 'Then name of the client subnet.'}, + "Condition": {"data_type": "string", "description": 'Specific circumstances or requirements that trigger certain actions or policies.'}, + "Criteria": {"data_type": "string", "description": 'Criteria or conditions that triggered the event.'}, + "CryptoAlgorithm": {"data_type": "string", "description": 'The cryptographic algorithm used for securing DNS-related operations.'}, + "CurrentRolloverStatus": {"data_type": "string", "description": 'The state of the key rollover process from one key to another.'}, + "CurrentState": {"data_type": "string", "description": 'The current status of a DNS key or zone.'}, + "DenialOfExistence": {"data_type": "string", "description": 'The method used to prove that a certain DNS record does not exist.'}, + "Digest": {"data_type": "string", "description": 'A secure fingerprint, allowing DNS resolvers to validate the authenticity of the trust anchor information.'}, + "DigestType": {"data_type": "string", "description": 'Specifies the type of cryptographic hash algorithm used for generating the digest (hash) value.'}, + "DistributeTrustAnchor": {"data_type": "string", "description": 'Relates to the distribution of a trust anchor for DNSSEC, which is a secure public key that helps in the validation of DNS data.'}, + "DnsKeyRecordSetTtl": {"data_type": "int", "description": 'The time-to-live (TTL) value assigned to DNSKEY records when signing a DNS zone. This value determines how long a DNSKEY record will be considered valid before it needs to be refreshed.'}, + "DnsKeySignatureValidityPeriod": {"data_type": "int", "description": 'The duration in seconds that a DNSKEY record’s signature is considered valid.'}, + "DnsQuery": {"data_type": "string", "description": 'The domain that needs to be resolved.'}, + "DnsQueryType": {"data_type": "int", "description": 'The DNS resource record type codes as defined by the Internet Assigned Numbers Authority (IANA).'}, + "DSRecordGenerationAlgorithm": {"data_type": "string", "description": 'The algorithm used to generate the Delegation Signer (DS) record from the DNSKEY record.'}, + "DSRecordSetTtl": {"data_type": "int", "description": 'The time-to-live (TTL) value for the DS (Delegation Signer) record set.'}, + "DSSignatureValidityPeriod": {"data_type": "int", "description": 'The period in seconds that a DS (Delegation Signer) record’s signature is considered valid.'}, + "EnableRfc5011KeyRollover": {"data_type": "string", "description": 'The process of automating the update and rollover of DNSSEC keys in accordance with RFC 5011 standards.'}, + "EventGuid": {"data_type": "string", "description": 'Unique identifier for the specific event.'}, + "EventId": {"data_type": "string", "description": 'Identifier for the underlying Windows event.'}, + "EventString": {"data_type": "string", "description": 'Human-readable description of the event.'}, + "EventType": {"data_type": "string", "description": 'Type of DNS event (e.g., zone transfer, dynamic update, DNSSEC signing).'}, + "FilePath": {"data_type": "string", "description": 'The location of a file or directory that the DNS server is interacting with.'}, + "Forwarders": {"data_type": "string", "description": 'DNS forwarders used by the server.'}, + "InitialRolloverOffset": {"data_type": "int", "description": 'The initial time delay (in seconds) before the first rollover action is triggered for a DNSSEC key.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsEnabled": {"data_type": "string", "description": 'This parameter indicates whether the policy or exception list is currently active.'}, + "IsKeyMasterServer": {"data_type": "string", "description": 'Whether the DNS server is the key master server for a DNSSEC-signed zone.'}, + "KeyId": {"data_type": "string", "description": 'The unique identifier of a DNSSEC signing key.'}, + "KeyLength": {"data_type": "int", "description": 'The length of the cryptographic key used in DNSSEC signing operations.'}, + "KeyMasterServer": {"data_type": "string", "description": 'The DNS server that is responsible for generating and managing the DNSSEC keys for a zone.'}, + "KeyOrZone": {"data_type": "string", "description": 'The signing key used for authentication and data integrity in a specific DNS zone.'}, + "KeyProtocol": {"data_type": "string", "description": 'Protocol used for DNSSEC key management (e.g., DNSKEY, DS).'}, + "KeyStorageProvider": {"data_type": "string", "description": 'The system or service that is responsible for securely storing the DNSSEC keys.'}, + "KeyTag": {"data_type": "int", "description": 'A numeric identifier for the cryptographic key used by the DS record.'}, + "KeyType": {"data_type": "string", "description": 'The type of DNSSEC signing key being used.'}, + "KskOrZsk": {"data_type": "string", "description": 'The type of signing key used in a specific DNS zone.'}, + "LastRolloverTime": {"data_type": "datetime", "description": 'The last time a rollover process took place.'}, + "ListenAddresses": {"data_type": "string", "description": 'IP addresses on which the DNS server listens.'}, + "LookupValue": {"data_type": "string", "description": 'Type of DNS lookup (e.g., recursive, iterative).'}, + "MasterServer": {"data_type": "string", "description": 'The primary DNS server from which a secondary DNS server obtains zone data.'}, + "Name": {"data_type": "string", "description": 'Specifies the domain name or hostname associated with a specific record.'}, + "NameServer": {"data_type": "string", "description": 'Name server responsible for the DNS event.'}, + "NewPropertyValues": {"data_type": "string", "description": 'The set of properties after they were updated for a specific policy or exception list in the DNS server or zone.'}, + "NewValue": {"data_type": "string", "description": 'The updated value assigned to a specific property key within the DNS zone.'}, + "NextKey": {"data_type": "string", "description": 'The upcoming key that will be used in the DNS zone signing process after the current active and standby keys.'}, + "NextRolloverAction": {"data_type": "string", "description": 'The rollover action performed.'}, + "NextRolloverTime": {"data_type": "datetime", "description": 'The next time a rollover process should happen.'}, + "NodeName": {"data_type": "string", "description": 'The node name within the DNS zone.'}, + "NSec3HashAlgorithm": {"data_type": "int", "description": 'The cryptographic hash algorithm used in the NSEC3 protocol for DNSSEC.'}, + "NSec3Iterations": {"data_type": "int", "description": 'The number of additional hashing iterations a DNSSEC-enabled DNS server uses.'}, + "NSec3OptOut": {"data_type": "string", "description": 'Indicates if the DNSSEC NSEC3 protocol is configured to allow unsigned delegations.'}, + "NSec3RandomSaltLength": {"data_type": "int", "description": 'The length of the random salt value used in the NSEC3 protocol for DNSSEC.'}, + "NSec3UserSalt": {"data_type": "string", "description": 'The user-defined salt value used in the NSEC3 protocol for DNSSEC.'}, + "OldPropertyValues": {"data_type": "string", "description": 'The set of properties before they were updated for a specific policy or exception list in the DNS server or zone.'}, + "ParentHasSecureDelegation": {"data_type": "string", "description": 'Whether the parent zone has a secure delegation to the child zone.'}, + "Policy": {"data_type": "string", "description": 'Defines rules or guidelines for managing specific aspects of DNS behavior.'}, + "ProcessingOrder": {"data_type": "int", "description": 'Determines the sequence in which policies are applied.'}, + "PropagationTime": {"data_type": "int", "description": 'Time taken for the event information to propagate. Duration (e.g., milliseconds) or β€œImmediate” if no delay.'}, + "PropertyKey": {"data_type": "string", "description": 'Specific property or setting affected by the event.'}, + "RDATA": {"data_type": "string", "description": 'Represents the data of the resource record that was created, deleted, or scavenged in the DNS zone.'}, + "RecursionScope": {"data_type": "string", "description": 'A specific area or set of conditions under which DNS recursion is allowed or applied on a DNS server.'}, + "ReplicationScope": {"data_type": "string", "description": 'Scope of DNS replication (e.g., forest-wide, domain-specific).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RolloverPeriod": {"data_type": "int", "description": 'Time interval for log rollover (e.g., daily, weekly).'}, + "RolloverType": {"data_type": "string", "description": 'Type of rollover (e.g., overwrite, append).'}, + "ScavengeServers": {"data_type": "string", "description": 'Servers involved in DNS scavenging (aging and cleanup of stale records).'}, + "Scope": {"data_type": "string", "description": 'The scope of the event (e.g., server-wide, zone-specific).'}, + "Scopes": {"data_type": "string", "description": 'DNS scopes impacted by the event (e.g., global, local).'}, + "SecureDelegationPollingPeriod": {"data_type": "int", "description": 'Interval for polling secure delegation information. Numeric value (e.g., minutes) or β€œDisabled” if not applicable.'}, + "SeizedOrTransferred": {"data_type": "string", "description": 'Refers to the action taken, either a seizure (when control is forcibly transferred) or a voluntary transfer of the key master role.'}, + "ServerName": {"data_type": "string", "description": 'Represents the DNS server where the policy or exception list is being configured.'}, + "Setting": {"data_type": "string", "description": 'Specific DNS configuration setting modified by the event.'}, + "SignatureInceptionOffset": {"data_type": "int", "description": 'Offset time for DNSSEC signature inception. Duration (e.g., seconds) or β€œImmediate” if no delay.'}, + "Source": {"data_type": "string", "description": 'Source of the DNS event (e.g., server, client).'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StandbyKey": {"data_type": "string", "description": 'the backup key that will be used if the current active key is compromised or needs to be replaced in the DNS zone signing process.'}, + "StoreKeysInAD": {"data_type": "string", "description": 'Specifies whether the keys are stored in Active Directory Domain Services (AD DS). This setting applies only to Active Directory-integrated zones when the vendor of KeyStorageProvider is Microsoft.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubTreeAging": {"data_type": "string", "description": 'Mechanism that affects the aging (expiration) of DNS records within a specific subtree or branch of a DNS zone.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "TTL": {"data_type": "int", "description": 'The time-to-live for the DNS record, indicating how long the record should be cached before it is discarded or refreshed.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualizationID": {"data_type": "string", "description": 'A unique key to manage and coordinate activities within the virtualized environment.'}, + "WithNewKeys": {"data_type": "string", "description": 'Indicates whether new DNSSEC keys were generated.'}, + "WithWithout": {"data_type": "string", "description": 'Whether key signing key (KSK) metadata is included or excluded when exporting DNSSEC settings for a specific zone.'}, + "Zone": {"data_type": "string", "description": 'The zone related to the activity.'}, + "ZoneFile": {"data_type": "string", "description": 'The name of the zone file.'}, + "ZoneName": {"data_type": "string", "description": 'The name of a DNS zone on which the zone which the event relates to.'}, + "ZoneScope": {"data_type": "string", "description": 'A list of scopes and weights for the zone.'}, + "ZoneSignatureValidityPeriod": {"data_type": "int", "description": 'The amount of time that signatures that cover all other record sets are valid.'}, + }, + "DnsEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "Confidence": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "IndicatorThreatType": {"data_type": "string", "description": ''}, + "IPAddresses": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaliciousIP": {"data_type": "string", "description": ''}, + "Message": {"data_type": "string", "description": ''}, + "Name": {"data_type": "string", "description": ''}, + "QueryType": {"data_type": "string", "description": ''}, + "RemoteIPCountry": {"data_type": "string", "description": ''}, + "RemoteIPLatitude": {"data_type": "real", "description": ''}, + "RemoteIPLongitude": {"data_type": "real", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": ''}, + "ResultCode": {"data_type": "int", "description": ''}, + "Severity": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubType": {"data_type": "string", "description": ''}, + "TaskCategory": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "DnsInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "DnsSecSigned": {"data_type": "string", "description": ''}, + "DomainName": {"data_type": "string", "description": ''}, + "DynamicUpdate": {"data_type": "string", "description": ''}, + "ForestName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NameServers": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceRecordName": {"data_type": "string", "description": ''}, + "ResourceRecordType": {"data_type": "string", "description": ''}, + "ServerIPs": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubType": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ZoneName": {"data_type": "string", "description": ''}, + }, + "DNSQueryLogs": { + "AdditionalRecords": {"data_type": "dynamic", "description": 'Array of additional resource records.'}, + "Answer": {"data_type": "dynamic", "description": 'Array of answers for DNS query.'}, + "Authority": {"data_type": "dynamic", "description": 'Array of authority DNS servers for DNS query.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationIpAddress": {"data_type": "string", "description": 'The IP address of the instance that the query was sent to (outbound endpoints).'}, + "DestinationPort": {"data_type": "int", "description": 'The port on the instance that the query was sent to.'}, + "DnsForwardingRulesetDomain": {"data_type": "string", "description": 'The domain which was hit in the DNS Forwarding ruleset.'}, + "DnsForwardingRulesetId": {"data_type": "string", "description": 'The ID of the DNS forwarding ruleset which was hit.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'Name of the operation.'}, + "PrivateResolverEndpointId": {"data_type": "string", "description": 'The ID of the resolver endpoint. Can be inbound, or outbound.'}, + "QueryClass": {"data_type": "string", "description": 'Specifies the protocol family. For example, IN for Internet.'}, + "QueryName": {"data_type": "string", "description": 'The domain name (contoso.com) or subdomain name (www.contoso.com) that was specified in the query.'}, + "QueryResponseTime": {"data_type": "int", "description": 'Response time for resolution of DNS query.'}, + "QueryType": {"data_type": "string", "description": 'Either the DNS record type that was specified in the request, or ANY.'}, + "Region": {"data_type": "string", "description": 'The region where the virtual network was created in.'}, + "ResolutionPath": {"data_type": "string", "description": 'Resolution path can be private zones, ruleset, or public DNS resolution.'}, + "ResolverPolicyDomainListId": {"data_type": "string", "description": 'The ID of the domain list which was hit.'}, + "ResolverPolicyId": {"data_type": "string", "description": 'The ID of the security policy which filtered the query.'}, + "ResolverPolicyRuleAction": {"data_type": "string", "description": 'Result after evaluation of the policy rules.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "int", "description": 'Response code that resolver returned in response to the DNS query.'}, + "SourceIpAddress": {"data_type": "string", "description": 'The IP address of the instance that the query originated from.'}, + "SourcePort": {"data_type": "int", "description": 'The port on the instance that the query originated from.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was created.'}, + "Transport": {"data_type": "string", "description": 'The protocol (UDP or TCP) used to submit the DNS query.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "string", "description": 'The version number of the query log format.'}, + "VirtualNetworkId": {"data_type": "string", "description": 'The ID of the virtual network that the query originated in.'}, + }, + "DSMAzureBlobStorageLogs": { + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AggregationCount": {"data_type": "long", "description": 'Number of events that were aggregated into a single entry.'}, + "AggregationLastEventTime": {"data_type": "datetime", "description": 'The time (UTC) when the last request was received by storage.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request. E.g. OAuth, SAS, etc.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester.'}, + "Category": {"data_type": "string", "description": 'The category of requested operation.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate resource logs with data sensitivity logs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed. For example: GetBlob, DeleteBlob.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The Open Authorization (OAuth) object ID that is used as the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The Open Authorization (OAuth) tenant ID that is used as the requester.'}, + "RequesterUpn": {"data_type": "string", "description": 'The user principal names (UPN) of requestor.'}, + "ResourceGroup": {"data_type": "string", "description": 'The Resource Group name of the storage account that was accessed.'}, + "ResourceSubscriptionId": {"data_type": "string", "description": 'The subscription ID (GUID) of the storage account being accessed.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "SumResponseBodySize": {"data_type": "long", "description": 'The sum of packets in responses written by the storage service, in bytes. If request(s) are unsuccessful, this value may be empty.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the first request was received by storage.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The user-agent header value.'}, + }, + "DSMDataClassificationLogs": { + "AssetLastScanTime": {"data_type": "datetime", "description": 'The time (UTC) when the resource scan for sensitivity was performed by Azure Purview.'}, + "AssetType": {"data_type": "string", "description": 'Type of asset that was scanned by Azure Purview (e.g., File, Table).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClassificationDetails": {"data_type": "dynamic", "description": 'For every classification found in the resource - corresponding Instance Count (i.e. how many occurrences of a specific type of classification was present) and Confidence (i.e. Match Accuracy) is listed.'}, + "Classifications": {"data_type": "dynamic", "description": 'JSON containing the list of classifications that were discovered.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate resource logs with data sensitivity logs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'Type of resource that was scanned by Azure Purview (Azure Blob, Azure File, etc.).'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when Azure Purview scan of asset occurred.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier representing the asset that was scanned.'}, + }, + "DSMDataLabelingLogs": { + "AssetLastScanTime": {"data_type": "datetime", "description": 'The time (UTC) when the resource scan for sensitivity was performed by Azure Purview.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate resource logs with data sensitivity logs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SensitivityLabelName": {"data_type": "string", "description": 'The name of sensitive label found and/or applied.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when Azure Purview scan of asset occurred.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier representing the resource that was scanned.'}, + }, + "DynamicEventCollection": { + "AccountSid": {"data_type": "string", "description": 'Security identifier (SID) of the account.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "EventId": {"data_type": "long", "description": 'Contains the unique event identifier.'}, + "InitiatingProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitiatingProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event. In Active Directory, a UPN is the name of a system user in an email address format (for example: john.doe@domain.com)'}, + "InitiatingProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitiatingProcessLogonId": {"data_type": "long", "description": 'Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts.'}, + "InitiatingProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitiatingProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitiatingProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LocalIP": {"data_type": "string", "description": 'IP address assigned to the local machine used during communication.'}, + "LocalPort": {"data_type": "int", "description": 'TCP port on the local machine used during communication.'}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "ProcessCommandLine": {"data_type": "string", "description": 'Command line used to create the new process.'}, + "RemoteDeviceName": {"data_type": "string", "description": 'Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information..'}, + "RemoteIP": {"data_type": "string", "description": 'IP address that was being connected to.'}, + "RemotePort": {"data_type": "int", "description": 'TCP port on the remote device that was being connected to.'}, + "ReportId": {"data_type": "long", "description": 'Unique identifier for the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Dynamics365Activity": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": 'The IP address of the device that was used when the activity was logged'}, + "CorrelationId": {"data_type": "string", "description": 'A unique value used to associate related rows'}, + "CrmOrganizationUniqueName": {"data_type": "string", "description": 'Unique name of the organization'}, + "EntityId": {"data_type": "string", "description": 'Unique identifier of the entity'}, + "EntityName": {"data_type": "string", "description": 'Name of the entity in the organization'}, + "Fields": {"data_type": "dynamic", "description": 'JSON of Key Value pair reflecting the values that were created or updated'}, + "InstanceUrl": {"data_type": "string", "description": 'URL to the instance'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemType": {"data_type": "string", "description": 'The type of object that was accessed or modified. See the ItemType table for details on the types of objects'}, + "ItemUrl": {"data_type": "string", "description": 'URL to the record emitting the log'}, + "Message": {"data_type": "string", "description": 'Name of the message called in the Dynamics365 SDK'}, + "OfficeWorkload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred'}, + "Operation": {"data_type": "string", "description": 'The name of the operation that the user is performing'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization"}, + "OriginalObjectId": {"data_type": "string", "description": 'The ObjectId for SharePoint and OneDrive about business activity'}, + "Query": {"data_type": "string", "description": 'The query filter parameters used while executing the FetchXML'}, + "QueryResults": {"data_type": "dynamic", "description": 'One or multiple unique records returned by the Retrieve and Retrieve Multiple SDK message call'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table in Office 365 management activity api schema documentation for details on the types of audit log records'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultStatus": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not'}, + "ServiceName": {"data_type": "string", "description": 'Name of the Service generating the log'}, + "SourceRecordId": {"data_type": "string", "description": 'Unique identifier of an audit record'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemUserId": {"data_type": "string", "description": 'Unique identifier of the user GUID in the organization'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in Coordinated Universal Time (UTC) when the user performed the activity'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent'}, + "UserId": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged'}, + "UserKey": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation. See the UserType table in Office 365 management activity api schema documentation for details on the types of users'}, + }, + "DynamicSummary": { + "AzureTenantId": {"data_type": "string", "description": 'The AAD tenant ID to which this DynamicSummary table belongs.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CreatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who created summary, including: object ID, email and name.'}, + "CreatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when the summary was created.'}, + "EventTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when the summary item occurred originally.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObservableType": {"data_type": "string", "description": 'Observables are stateful events ot properties that are related to the operation of computing system, which are helpful in identifying indicators of compromise. For example, login.'}, + "ObservableValue": {"data_type": "string", "description": 'Value for observable type, such as: anomalous RDP activity.'}, + "PackedContent": {"data_type": "dynamic", "description": 'The JSON object has packed columns which can be generated by using KQL pack_all().'}, + "Query": {"data_type": "string", "description": 'This is the query that was used to generate the result.'}, + "QueryEndDate": {"data_type": "datetime", "description": 'Events that occurred before this datetime will be included in the result.'}, + "QueryStartDate": {"data_type": "datetime", "description": 'Events that occurred after this datetime will be included in the result.'}, + "RelationId": {"data_type": "string", "description": 'The original data source ID'}, + "RelationName": {"data_type": "string", "description": 'The original data source name.'}, + "SearchKey": {"data_type": "string", "description": 'SearchKey is used to optimize query performance when using DynamicSummary for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address.'}, + "SourceInfo": {"data_type": "dynamic", "description": 'The JSON object with the data producer info, including source, name, version.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SummaryDataType": {"data_type": "string", "description": 'This flag is used to tell if the record is either a summary level or a summary item level record.'}, + "SummaryDescription": {"data_type": "string", "description": 'The description provided by user.'}, + "SummaryId": {"data_type": "string", "description": 'Summary unique ID.'}, + "SummaryItemId": {"data_type": "string", "description": 'Summary item unique ID.'}, + "SummaryName": {"data_type": "string", "description": 'The Summary display name, unique within workspace.'}, + "SummaryStatus": {"data_type": "string", "description": 'Active or deleted.'}, + "Tactics": {"data_type": "dynamic", "description": 'MITRE ATT&CK tactics are what attackers are trying to achieve. For example, exfiltration.'}, + "Techniques": {"data_type": "dynamic", "description": 'MITRE ATT&CK techniques are how those tactics are accomplished.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was ingested to Azure Monitor.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who updated summary, including: object ID, email and name.'}, + "UpdatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when the summary was updated.'}, + }, + "EGNFailedHttpDataPlaneOperations": { + "AuthenticationType": {"data_type": "string", "description": 'Type of authentication used by the client. SharedAccessKey - request uses the SAS key, SharedAccessSignature - request uses a SAS token generated from SAS key, EntraIdAccessToken - Microsoft Entra issued JSON Web Token (JWT) token, Unknown - None of the above authentication types.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the client issuing the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkAccess": {"data_type": "string", "description": 'The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link'}, + "ObjectId": {"data_type": "string", "description": 'The Microsoft Entra ObjectId of the caller issuing the request.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSignature": {"data_type": "string", "description": 'The result of the operation. Possible values are: ServiceError, ClientError, QuotaExceeded, AuthnError, AuthzError, ConnectionLost'}, + "ResultType": {"data_type": "string", "description": 'The type of the result. Possible values are: Failed.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "TLSVersion": {"data_type": "string", "description": 'The transport layer security (TLS) version used by the client connection. Possible values are: 1.2 and 1.3'}, + "TotalOperations": {"data_type": "string", "description": "The total number of request with above values issued within the minute. These traces aren't emitted for each request. An aggregate for each unique combination of above values is emitted every minute"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNFailedMqttConnections": { + "AuthenticationType": {"data_type": "string", "description": 'Type of authentication used by the client.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIdentity": {"data_type": "string", "description": "Value of the client's identity."}, + "ClientIdentitySource": {"data_type": "string", "description": 'Source of the identity of the client issuing the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result.'}, + "ResultSignature": {"data_type": "string", "description": 'The result of the operation.'}, + "SessionName": {"data_type": "string", "description": "Name of the session provided by the client in the MQTT CONNECT packet's clientId field."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNFailedMqttPublishedMessages": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIdentity": {"data_type": "string", "description": "Value of the client's identity."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS.'}, + "Qos": {"data_type": "int", "description": 'Quality of service used by the client to publish. Possible values are: 0,1'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result.'}, + "ResultSignature": {"data_type": "string", "description": 'The result of the operation.'}, + "SessionName": {"data_type": "string", "description": "Name of the session provided by the client in the MQTT CONNECT packet's clientId field."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "TopicName": {"data_type": "string", "description": 'MQTT Topic Name used by the client to publish.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNFailedMqttSubscriptions": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result.'}, + "ResultSignature": {"data_type": "string", "description": 'The result of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "TopicFilters": {"data_type": "string", "description": 'MQTT Topic Filters that the client subscribed to.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNMqttDisconnections": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIdentity": {"data_type": "string", "description": "Value of the client's identity."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the result.'}, + "ResultSignature": {"data_type": "string", "description": 'The result of the operation.'}, + "SessionName": {"data_type": "string", "description": "Name of the session provided by the client in the MQTT CONNECT packet's clientId field."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNSuccessfulHttpDataPlaneOperations": { + "AuthenticationType": {"data_type": "string", "description": 'Type of authentication used by the client. SharedAccessKey - request uses the SAS key, SharedAccessSignature - request uses a SAS token generated from SAS key, EntraIdAccessToken - Microsoft Entra issued JSON Web Token (JWT) token, Unknown - None of the above authentication types.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the client issuing the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkAccess": {"data_type": "string", "description": 'The type of network used by the client issuing the request. Allowed values are: PublicAccess - when connecting via public IP, PrivateAccess - when connecting via private link'}, + "ObjectId": {"data_type": "string", "description": 'The Microsoft Entra ObjectId of the caller issuing the request.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The result of the operation. Possible values are: Succeeded.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "TLSVersion": {"data_type": "string", "description": 'The transport layer security (TLS) version used by the client connection. Possible values are: 1.2 and 1.3'}, + "TotalOperations": {"data_type": "string", "description": "The total number of request with above values issued within the minute. These traces aren't emitted for each request. An aggregate for each unique combination of above values is emitted every minute"}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EGNSuccessfulMqttConnections": { + "AuthenticationType": {"data_type": "string", "description": 'Type of authentication used by the client.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIdentity": {"data_type": "string", "description": "Value of the client's identity."}, + "ClientIdentitySource": {"data_type": "string", "description": 'Source of the identity of the client issuing the request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used by the client to connect. Possible values are: MQTT3, MQTT3-WS, MQTT5, MQTT5-WS.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionName": {"data_type": "string", "description": "Name of the session provided by the client in the MQTT CONNECT packet's clientId field."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EmailAttachmentInfo": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DetectionMethods": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "FileName": {"data_type": "string", "description": 'Name of the file that the recorded action was applied to.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FileType": {"data_type": "string", "description": 'File extension type.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkMessageId": {"data_type": "string", "description": 'Unique identifier for the email, generated by Office 365.'}, + "RecipientEmailAddress": {"data_type": "string", "description": 'Email address of the recipient, or email address of the recipient after distribution list expansion.'}, + "RecipientObjectId": {"data_type": "string", "description": 'Email recipient unique identifier in Azure AD.'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event.'}, + "SenderDisplayName": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "SenderFromAddress": {"data_type": "string", "description": 'Sender domain in the from header, which is visible to email recipients on their email clients.'}, + "SenderObjectId": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatNames": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "ThreatTypes": {"data_type": "string", "description": 'Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EmailEvents": { + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AttachmentCount": {"data_type": "int", "description": 'Number of attachments in the email.'}, + "AuthenticationDetails": {"data_type": "string", "description": 'List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth).'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BulkComplaintLevel": {"data_type": "int", "description": 'Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam.'}, + "ConfidenceLevel": {"data_type": "string", "description": 'List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low".'}, + "Connectors": {"data_type": "string", "description": 'Custom instructions that define organizational mail flow and how the email was routed.'}, + "DeliveryAction": {"data_type": "string", "description": 'Action of the delivered email.'}, + "DeliveryLocation": {"data_type": "string", "description": 'Location of the delivered email: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items.'}, + "DetectionMethods": {"data_type": "string", "description": 'Delivery action of the email: Delivered, Junked, Blocked, or Replaced.'}, + "EmailAction": {"data_type": "string", "description": 'Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message.'}, + "EmailActionPolicy": {"data_type": "string", "description": 'Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware Safe Attachments, Enterprise Transport Rules (ETR).'}, + "EmailActionPolicyGuid": {"data_type": "string", "description": 'Unique identifier of the policy that took effect.'}, + "EmailClusterId": {"data_type": "long", "description": 'Identifier of the email cluster. Emails are clustered (grouped) based on heuristic analysis of their contents.'}, + "EmailDirection": {"data_type": "string", "description": 'Email direction: Inbound, Outbound, Intra-org.'}, + "EmailLanguage": {"data_type": "string", "description": 'Detected language of the email content.'}, + "InternetMessageId": {"data_type": "string", "description": 'Public-facing identifier for the email that is set by the sending email system.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LatestDeliveryAction": {"data_type": "string", "description": 'Last known action attempted on an email by the service or by an admin through manual remediation.'}, + "LatestDeliveryLocation": {"data_type": "string", "description": 'Last known location of the email.'}, + "NetworkMessageId": {"data_type": "string", "description": 'Unique identifier for the email, generated by Office 365.'}, + "OrgLevelAction": {"data_type": "string", "description": 'Action taken on the email in response to matches to a policy defined at the organizational level.'}, + "OrgLevelPolicy": {"data_type": "string", "description": 'Organizational policy that triggered the action taken on the email.'}, + "RecipientEmailAddress": {"data_type": "string", "description": 'Recipient email address or email address of the recipient after distribution list expansion.'}, + "RecipientObjectId": {"data_type": "string", "description": 'Email recipient Azure AD identifier.'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event.'}, + "SenderDisplayName": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "SenderFromAddress": {"data_type": "string", "description": 'Sender domain in the from header, which is visible to email recipients on their email clients.'}, + "SenderFromDomain": {"data_type": "string", "description": 'Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats.'}, + "SenderIPv4": {"data_type": "string", "description": 'IPv4 address of the last detected mail server that relayed the message.'}, + "SenderIPv6": {"data_type": "string", "description": 'IPv6 address of the last detected mail server that relayed the message.'}, + "SenderMailFromAddress": {"data_type": "string", "description": 'Sender email address in the MAIL from header, also known as the envelope sender or the Return-Path address.'}, + "SenderMailFromDomain": {"data_type": "string", "description": 'Sender domain in the MAIL from header, also known as the envelope sender or the Return-Path address.'}, + "SenderObjectId": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Subject": {"data_type": "string", "description": 'Email subject field.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatNames": {"data_type": "string", "description": 'Sender email address in the from header, which is visible to email recipients on their email clients.'}, + "ThreatTypes": {"data_type": "string", "description": 'Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UrlCount": {"data_type": "int", "description": 'Number of embedded URLs in the email.'}, + "UserLevelAction": {"data_type": "string", "description": 'Action taken on the email in response to matches to a mailbox policy defined by the recipient.'}, + "UserLevelPolicy": {"data_type": "string", "description": 'End user mailbox policy that triggered the action taken on the email.'}, + }, + "EmailPostDeliveryEvents": { + "Action": {"data_type": "string", "description": 'Action taken on the entity'}, + "ActionResult": {"data_type": "string", "description": 'Result of the action'}, + "ActionTrigger": {"data_type": "string", "description": 'Indicates whether an action was triggered by an administrator (manually or through approval of a pending automated action), or by some special mechanism, such as a ZAP or String Delivery'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeliveryLocation": {"data_type": "string", "description": 'Delivered email location: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items'}, + "DetectionMethods": {"data_type": "string", "description": 'Methods used to detect malware, phishing, or other threats found in the email'}, + "InternetMessageId": {"data_type": "string", "description": 'Public-facing identifier for the email that is set by the sending email system'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkMessageId": {"data_type": "string", "description": 'Email unique identifier generated by Office 365'}, + "RecipientEmailAddress": {"data_type": "string", "description": 'Recipient email address or email address of the recipient after distribution list expansion'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatTypes": {"data_type": "string", "description": 'Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "EmailUrlInfo": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkMessageId": {"data_type": "string", "description": 'Email unique identifier generated by Office 365'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'Information about URLs on Office 365 emails'}, + "UrlDomain": {"data_type": "string", "description": 'Domain part of the Url'}, + "UrlLocation": {"data_type": "string", "description": 'Indicates which part of the email the URL is located'}, + }, + "EnrichedMicrosoft365AuditLogs": { + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types includes: Admin, System, Application, Service Principal and Other.'}, + "AdditionalProperties": {"data_type": "dynamic", "description": 'Additional activity fields'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "DeviceId": {"data_type": "string", "description": 'The ID of the source device as reported in the record.'}, + "DeviceOperatingSystem": {"data_type": "string", "description": 'The client connecting operating system type.'}, + "DeviceOperatingSystemVersion": {"data_type": "string", "description": 'The client connecting operating system version.'}, + "Id": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "Operation": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "RecordType": {"data_type": "int", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "ResultStatus": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "SourceIp": {"data_type": "string", "description": 'The IP address from which the connection or session originated.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in UTC when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenId": {"data_type": "string", "description": 'The unique token identifier'}, + "UserId": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "UserKey": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation.'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "ETWEvent": { + "AzureDeploymentID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelName": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "EventSourceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeywordName": {"data_type": "string", "description": ''}, + "Level": {"data_type": "string", "description": ''}, + "Message": {"data_type": "string", "description": ''}, + "OpcodeName": {"data_type": "string", "description": ''}, + "Pid": {"data_type": "int", "description": ''}, + "ProviderGuid": {"data_type": "string", "description": ''}, + "Role": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TaskName": {"data_type": "string", "description": ''}, + "Tid": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Event": { + "AzureDeploymentID": {"data_type": "string", "description": 'Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Name of the computer that the event was collected from.'}, + "EventCategory": {"data_type": "int", "description": 'Category of the event.'}, + "EventData": {"data_type": "string", "description": 'All event data in raw format.'}, + "EventID": {"data_type": "int", "description": 'Number of the event.'}, + "EventLevel": {"data_type": "int", "description": 'Severity of the event in numeric form.'}, + "EventLevelName": {"data_type": "string", "description": 'Severity of the event in text form.'}, + "EventLog": {"data_type": "string", "description": 'Name of the event log that the event was collected from.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of the management group for System Center Operations Manager agents. For other agents this value is AOI-\\'}, + "Message": {"data_type": "string", "description": 'Event message for the different Languages. The language is defined by the LCID attribute.'}, + "ParameterXml": {"data_type": "string", "description": 'Event parameter values in XML format.'}, + "RenderedDescription": {"data_type": "string", "description": 'Event description with parameter values.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage.'}, + "Source": {"data_type": "string", "description": 'Source of the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'User name of the account that logged the event.'}, + }, + "ExchangeAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": 'The segment in which action is to be performed'}, + "ActionAreaId": {"data_type": "string", "description": 'ID generated for Action Area'}, + "ActiveDirectorySite": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": 'Name of the affected object'}, + "AffectedObjectType": {"data_type": "string", "description": 'Type of object which is affected'}, + "AssessmentId": {"data_type": "string", "description": 'ID of the assessment'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'The machine from which data is uploaded'}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": 'Description of the recommendation'}, + "ExchangeAdminGroup": {"data_type": "string", "description": ''}, + "ExchangeDAG": {"data_type": "string", "description": ''}, + "ExchangeMailboxDatabase": {"data_type": "string", "description": ''}, + "ExchangeOrganization": {"data_type": "string", "description": ''}, + "ExchangePublicFolderDatabase": {"data_type": "string", "description": ''}, + "ExchangeServer": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": 'Area to be focussed on'}, + "FocusAreaId": {"data_type": "string", "description": 'ID of the Focus Area'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": 'Generated recommendation'}, + "RecommendationId": {"data_type": "string", "description": 'ID of the recommendation generated'}, + "RecommendationResult": {"data_type": "string", "description": 'Result of the recommendation generated'}, + "RecommendationWeight": {"data_type": "real", "description": 'Weight of recommendation'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ExchangeOnlineAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": 'The segment in which action is to be performed'}, + "ActionAreaId": {"data_type": "string", "description": 'ID generated for Action Area'}, + "AffectedObjectName": {"data_type": "string", "description": 'Name of the affected object'}, + "AffectedObjectType": {"data_type": "string", "description": 'Type of object which is affected'}, + "AssessmentId": {"data_type": "string", "description": 'ID of the assessment'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'The machine from which data is uploaded'}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": 'Description of the recommendation'}, + "Domain": {"data_type": "string", "description": 'Domain of the system'}, + "ExchangeOrganization": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": 'Area to be focussed on'}, + "FocusAreaId": {"data_type": "string", "description": 'ID of the Focus Area'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "O365TenantId": {"data_type": "string", "description": 'ID of O365 Tenant'}, + "Recommendation": {"data_type": "string", "description": 'Generated recommendation'}, + "RecommendationId": {"data_type": "string", "description": 'ID of the recommendation generated'}, + "RecommendationResult": {"data_type": "string", "description": 'Result of the recommendation generated'}, + "RecommendationWeight": {"data_type": "real", "description": 'Weight of recommendation'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TenantName": {"data_type": "string", "description": 'Name of the Tenant'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "FailedIngestion": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'The name of the database holding the target table'}, + "Details": {"data_type": "string", "description": 'Detailed description of the failure and error message'}, + "ErrorCode": {"data_type": "string", "description": "The failure's error code"}, + "FailedOn": {"data_type": "datetime", "description": 'Time at which this ingest operation failed'}, + "FailureStatus": {"data_type": "string", "description": "The failure's status. `Permanent`, or `RetryAttemptsExceeded` indicates that the operation exceeded the max retries or max time limit following a recurring transient error"}, + "IngestionSourceId": {"data_type": "string", "description": 'A unique identifier representing the ingested source'}, + "IngestionSourcePath": {"data_type": "string", "description": 'The path of the ingestion data sources or the Azure blob storage URI'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": "The ingestion's operation ID"}, + "OriginatesFromUpdatePolicy": {"data_type": "bool", "description": 'Indicates whether or not the failure originate from an update policy'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The final state of this data ingestion operation'}, + "RootActivityId": {"data_type": "string", "description": "The ingestion's activity ID"}, + "ShouldRetry": {"data_type": "bool", "description": 'Indicates whether or not the failure is transient and should be retried'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Table": {"data_type": "string", "description": 'The name of the target table into which the data is ingested'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "FunctionAppLogs": { + "ActivityId": {"data_type": "string", "description": 'The activity ID that logged the message.'}, + "AppName": {"data_type": "string", "description": 'The Function application name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The log category name.'}, + "EventId": {"data_type": "int", "description": 'The event ID.'}, + "EventName": {"data_type": "string", "description": 'The event name.'}, + "ExceptionDetails": {"data_type": "string", "description": 'The exception details. This includes the exception type, message, and stack trace.'}, + "ExceptionMessage": {"data_type": "string", "description": 'The exception message.'}, + "ExceptionType": {"data_type": "string", "description": 'The exception type (e.g., System.InvalidOperationException).'}, + "FunctionInvocationId": {"data_type": "string", "description": 'The invocation ID that logged the message.'}, + "FunctionName": {"data_type": "string", "description": 'The name of the function that logged the message.'}, + "HostInstanceId": {"data_type": "string", "description": 'The host instance ID.'}, + "HostVersion": {"data_type": "string", "description": 'The Functions host version.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The log level. Valid values are Trace, Debug, Information, Warning, Error, or Critical.'}, + "LevelId": {"data_type": "int", "description": 'The integer value of the log level. Valid values are 0 (Trace), 1 (Debug), 2 (Information), 3 (Warning), 4 (Error), or 5 (Critical).'}, + "Location": {"data_type": "string", "description": 'The location of the server that processed the request (e.g., South Central US).'}, + "Message": {"data_type": "string", "description": 'The log message.'}, + "ProcessId": {"data_type": "int", "description": 'The process ID.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoleInstance": {"data_type": "string", "description": 'The role instance ID.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "GCPAuditLogs": { + "AuthenticationInfo": {"data_type": "dynamic", "description": 'Authentication information.'}, + "AuthorizationInfo": {"data_type": "dynamic", "description": 'Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "GCPResourceName": {"data_type": "string", "description": 'The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name.'}, + "GCPResourceType": {"data_type": "string", "description": "The identifier of the type associated with this resource, such as 'pubsub_subscription'."}, + "InsertId": {"data_type": "string", "description": 'Optional. Providing a unique identifier for the log entry allows Logging to remove duplicate entries with the same timestamp and insertId in a single query result.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogName": {"data_type": "string", "description": 'Information including a suffix identifying the log sub-type (e.g., admin activity, system access, data access) and where in the hierarchy the request was made.'}, + "Metadata": {"data_type": "dynamic", "description": 'Other service-specific data about the request, response, and other information associated with the current audited event.'}, + "MethodName": {"data_type": "string", "description": 'The name of the service method or operation. For API calls, this should be the name of the API method.'}, + "NumResponseItems": {"data_type": "string", "description": 'The number of items returned from a list or query API method, if applicable.'}, + "PrincipalEmail": {"data_type": "string", "description": 'The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the principalSubject field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted.'}, + "ProjectId": {"data_type": "string", "description": 'The identifier of the Google Cloud Platform (GCP) project associated with this resource, such as "my-project".'}, + "Request": {"data_type": "dynamic", "description": 'The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.'}, + "RequestMetadata": {"data_type": "dynamic", "description": 'Metadata about the operation.'}, + "ResourceLocation": {"data_type": "dynamic", "description": 'The resource location information.'}, + "ResourceOriginalState": {"data_type": "dynamic", "description": 'The resource original state before mutation. Present only for operations which have successfully modified the targeted resource(s). In general, this field should contain all changed fields, except those that are already been included in request, response, metadata or serviceData fields. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.'}, + "Response": {"data_type": "dynamic", "description": 'The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.'}, + "ServiceData": {"data_type": "dynamic", "description": 'An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.'}, + "ServiceName": {"data_type": "string", "description": "The name of the API service performing the operation. For example, 'compute.googleapis.com'."}, + "Severity": {"data_type": "string", "description": 'Optional. The severity of the log entry. For example, the following filter expression will match log entries with severities INFO, NOTICE, and WARNING.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "dynamic", "description": 'The status of the overall operation.'}, + "StatusMessage": {"data_type": "string", "description": 'The message status of the overall operation.'}, + "Subscription": {"data_type": "string", "description": 'A named resource representing the stream of messages from a single, specific topic, to be delivered to the subscribing application.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time the log entry was received by logging.'}, + "Timestamp": {"data_type": "datetime", "description": 'The time the event described by the log entry occurred.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "GoogleCloudSCC": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Findings": {"data_type": "dynamic", "description": 'A dynamic array of all the findings associated with the resource.'}, + "FindingsResource": {"data_type": "dynamic", "description": 'A dynamic array of the resource that was affected by the security finding.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceProperties": {"data_type": "dynamic", "description": 'A map of additional properties about the source of the security finding.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time at which the security finding was first detected.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightAmbariClusterAlerts": { + "AlertFirmness": {"data_type": "string", "description": 'The firmness of the alert.'}, + "AlertID": {"data_type": "int", "description": 'The ID of the alert message.'}, + "AlertInstance": {"data_type": "string", "description": 'Instance number of the alert.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'The name of the cluster the alert came from.'}, + "ClusterType": {"data_type": "string", "description": 'The type of cluster where the alert was generated.'}, + "ComponentName": {"data_type": "string", "description": 'The component that generated the alert.'}, + "DefinitionId": {"data_type": "int", "description": 'Id of the alert definition.'}, + "DefinitionName": {"data_type": "string", "description": 'Name of the alert definition'}, + "HostFQDN": {"data_type": "string", "description": 'The FQDN of the host where the alert was generated.'}, + "HostName": {"data_type": "string", "description": 'The name of the host where the alert was generated.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Label": {"data_type": "string", "description": 'The label of the alert.'}, + "LatestTimestamp": {"data_type": "long", "description": 'The latest time the alert occurred.'}, + "MaintenanceState": {"data_type": "string", "description": 'The maintenance classifaction state of the alert.'}, + "Occurences": {"data_type": "int", "description": 'The number of times an alert has occurred.'}, + "OriginalTimestamp": {"data_type": "long", "description": 'The timestamp the alert first occurred.'}, + "ReferenceURI": {"data_type": "string", "description": 'The URI to the alert.'}, + "RepeatTolerance": {"data_type": "int", "description": 'The total number of occurences an alert can have before being escalated.'}, + "RepeatToleranceRemaining": {"data_type": "int", "description": 'The amount of occurences left before an alert gets escalted.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Scope": {"data_type": "string", "description": 'The scope of the alert.'}, + "ServiceName": {"data_type": "string", "description": 'The name of the service that generated the alert.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The state of the alert.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'The informational text of the alert.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightAmbariSystemMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesIn": {"data_type": "real", "description": 'Bytes ingested in last timeframe.'}, + "BytesOut": {"data_type": "real", "description": 'Bytes sent out.'}, + "CachedMemory": {"data_type": "real", "description": 'amount of cached memory in KB.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the cluster the host belongs to.'}, + "ClusterType": {"data_type": "string", "description": 'Type of cluster the record came from.'}, + "CpuIdle": {"data_type": "real", "description": 'Percent of CPU time spent in idle state in past cycle.'}, + "CpuIOWait": {"data_type": "real", "description": 'Percent of CPU time spent waiting for I/O requests in past cycle.'}, + "CpuNice": {"data_type": "real", "description": 'Percent of CPU time spent running processes with positive nice values.'}, + "CpuSystem": {"data_type": "real", "description": 'Percent of CPU time spent running system level processes in past cycle.'}, + "CpuUser": {"data_type": "real", "description": 'Percent of CPU time spent running user level processes in past cycle.'}, + "DiskFree": {"data_type": "real", "description": 'Amount of free disk space (in GB).'}, + "DiskTotal": {"data_type": "real", "description": 'Total disk space (in GB).'}, + "FifteenMinutLoad": {"data_type": "real", "description": 'load over past 15 minutes.'}, + "FiveMinuteLoad": {"data_type": "real", "description": 'load over past five minutes.'}, + "FreeMemory": {"data_type": "real", "description": 'amount of free memory in KB.'}, + "FreeSwapMemory": {"data_type": "real", "description": 'amount of free swap memory in KB.'}, + "HostName": {"data_type": "string", "description": 'Name of the host the record came from.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NumberOfCpu": {"data_type": "real", "description": 'Number of CPU cores running on the node.'}, + "OneMinuteLoad": {"data_type": "real", "description": 'load over past one minute.'}, + "PacketsIn": {"data_type": "real", "description": 'Packets ingest in last timeframe.'}, + "PacketsOut": {"data_type": "real", "description": 'Packets sent out in last timeframe.'}, + "ProcessesRun": {"data_type": "real", "description": 'Processes run in last timeframe.'}, + "ReadBytes": {"data_type": "real", "description": 'Number of bytes read.'}, + "ReadCount": {"data_type": "real", "description": 'Number of read operations.'}, + "ReadTime": {"data_type": "real", "description": 'Time spent on read operations.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SharedMemory": {"data_type": "real", "description": 'amount of sharedmemory in KB.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TotalMemory": {"data_type": "real", "description": 'total amount of memory in KB.'}, + "TotalProcesses": {"data_type": "real", "description": 'Total amount of processes run on host.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WriteBytes": {"data_type": "real", "description": 'Number of bytes written.'}, + "WriteCount": {"data_type": "real", "description": 'Number of write operations.'}, + "WriteTime": {"data_type": "real", "description": 'Time spent on write operations.'}, + }, + "HDInsightGatewayAuditLogs": { + "AccessRequestCount": {"data_type": "real", "description": 'Number of login requests associated with the user.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster.'}, + "ErrorMessage": {"data_type": "string", "description": 'Any error message associated with the login attempt.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The outcome of the login attempt.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'The username used for the login attempt.'}, + }, + "HDInsightHadoopAndYarnLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Type of the cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. YarnTimeLineServer, YarnResourceManager, etc.).'}, + "Message": {"data_type": "string", "description": 'message from Hadoop or YARN log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHadoopAndYarnMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc).'}, + "MetricNamespace": {"data_type": "string", "description": 'Category of metric (value of jmx query URIs e.g. Hadoop:service=ResourceManager,name=QueueMetrics, etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "dynamic", "description": "Information about the record. For example a record may be tagged with 'yarn' if it is in the yarn context."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHBaseLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. RegionServer, HMaster).'}, + "Message": {"data_type": "string", "description": 'message from HBase log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHBaseMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Type of the cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. queueSize, receivedBytes, numActiveHandler, etc).'}, + "MetricNamespace": {"data_type": "string", "description": 'Category of metric (value of the jmx query string e.g. Hadoop:service=HBase,name=Master,sub=IPC, etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "dynamic", "description": "Information about the record. For example a record may be tagged with 'master' if it is in the HMaster context."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHiveAndLLAPLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Type of the cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. HiveServerLog, WebHCatLog, etc.).'}, + "Message": {"data_type": "string", "description": 'message from Hive or LLAP log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHiveAndLLAPMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Type of the cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. CacheCapacityRemaining, CacheCapacityRemainingPercentage,CacheCapacityTotal, etc).'}, + "MetricNamespace": {"data_type": "string", "description": 'Category of metric (value of jmx query string e.g. Hadoop:service=LlapDaemon,name=LlapDaemonCacheMetrics, etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "dynamic", "description": "Information about the record. For example a record may be tagged with 'LlapDaemon' if it came from that process."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightHiveQueryAppStats": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIpAddress": {"data_type": "string", "description": "The query client's IP address."}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Type of cluster (e.g. LLAP or Hadoop).'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "Domain": {"data_type": "string", "description": 'The domain associated with the query.'}, + "Entity": {"data_type": "string", "description": "Name of the query's entity."}, + "EntityType": {"data_type": "string", "description": "The type of the query's entity."}, + "ExecutionMode": {"data_type": "string", "description": 'The execution mode of the query.'}, + "HiveInstanceType": {"data_type": "string", "description": 'The type of hive instance running the query.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsMapReduce": {"data_type": "bool", "description": 'True if the query is a MapReduce query.'}, + "IsTez": {"data_type": "bool", "description": 'True if the query is a Tez query.'}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "QueryCompletionTime": {"data_type": "long", "description": 'Time that query was completed.'}, + "QuerySubmissionTime": {"data_type": "long", "description": 'Time that query was submitted.'}, + "Queue": {"data_type": "string", "description": 'The queue the query was served from.'}, + "RequestUser": {"data_type": "string", "description": 'The client user that submitted the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionId": {"data_type": "string", "description": 'The session ID of the query.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TablesRead": {"data_type": "string", "description": 'The tables read by the query.'}, + "Tags": {"data_type": "dynamic", "description": "Information about the record. For example a record may be tagged with 'yarn' if it is in the yarn context."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreadName": {"data_type": "string", "description": 'The name of the thread running the query.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user of the Hive instance executing the query.'}, + }, + "HDInsightHiveTezAppStats": { + "AMContainerLogs": {"data_type": "string", "description": 'The Application Master? container logs.'}, + "ApplicationId": {"data_type": "string", "description": 'The ID of the Application that the metrics describe.'}, + "ApplicationName": {"data_type": "string", "description": 'The name of the application that the metrics describe.'}, + "ApplicationType": {"data_type": "string", "description": 'The type of application.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "long", "description": 'The final status of the application if it has reached a terminal state.'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "ElapsedTime": {"data_type": "long", "description": 'The time elapsed while the application was running.'}, + "FinalStatus": {"data_type": "string", "description": 'The final status of the application if it has reached a terminal state.'}, + "FinishedTime": {"data_type": "long", "description": 'The time the application finished.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogAggregationStatus": {"data_type": "string", "description": 'The log aggregation status.'}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. AppsCompleted, AppsKilled, AppsFailed , etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Queue": {"data_type": "string", "description": 'The queue of the application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedTime": {"data_type": "long", "description": 'The time the application started.'}, + "State": {"data_type": "string", "description": 'The state of the application.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "dynamic", "description": "Information about the record. For example a record may be tagged with 'yarn' if it is in the yarn context."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TrackingUI": {"data_type": "string", "description": '?.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnmanagedApplication": {"data_type": "bool", "description": 'True if application is unmanaged, false if otherwise.'}, + "User": {"data_type": "string", "description": 'The name of the user of the application.'}, + }, + "HDInsightJupyterNotebookEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the application.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the application.'}, + "Dim0": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim1": {"data_type": "datetime", "description": 'Varies based of of type of event.'}, + "Dim10": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim2": {"data_type": "int", "description": 'Varies based of of type of event.'}, + "Dim3": {"data_type": "int", "description": 'Varies based of of type of event.'}, + "Dim4": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim5": {"data_type": "int", "description": 'Varies based of of type of event.'}, + "Dim6": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim7": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim8": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "Dim9": {"data_type": "string", "description": 'Varies based of of type of event.'}, + "EventName": {"data_type": "string", "description": 'The name of the event.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the application.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node the application running the application.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the application'}, + }, + "HDInsightKafkaLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. KafkaServer, KafkaController).'}, + "Message": {"data_type": "string", "description": 'message from Kafka log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightKafkaMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricDataType": {"data_type": "string", "description": 'CollectD datatype of the metric (e.g. gauge, counter, etc.). Determines how metric is portrayed over time. Please reference CollectD documentation for more information: https://collectd.org/wiki/index.php/Data_source .'}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. OfflinePartitionsCount, UnderReplicatedPartitions, LeaderCount, etc).'}, + "MetricNamespace": {"data_type": "string", "description": 'Category of metric (e.g. RequestMetrics, BrokerTopicMetrics, KafkaController, etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": "Information about the record. For example a record may be tagged with 'kafka.network' if it is a network related metric."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightKafkaServerLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'Name of cluster'}, + "ClusterType": {"data_type": "string", "description": 'Type of the Cluster'}, + "CorrelationId": {"data_type": "string", "description": 'Id of associated events'}, + "FluentdIngestTimestamp": {"data_type": "datetime", "description": 'Time log was ingested by Fluentd framework'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'Entry of Kafka Server Log'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightOozieLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterType": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from.'}, + "Message": {"data_type": "string", "description": 'message from Oozie log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightRangerAuditLogs": { + "AccessName": {"data_type": "string", "description": 'Name of the access method.'}, + "Action": {"data_type": "string", "description": 'Type of action made by the event.'}, + "AdditionalInfo": {"data_type": "string", "description": 'Additional info about the request including the remote and forwarded IPs'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CliIpAddress": {"data_type": "string", "description": 'IP address of where CLI request was made.'}, + "CliType": {"data_type": "string", "description": 'Type of CLI used to create request.'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "ClusterResource": {"data_type": "string", "description": 'Resource involved in request event.'}, + "ClusterResourceType": {"data_type": "string", "description": 'The type of resource accessed.'}, + "ClusterType": {"data_type": "string", "description": 'Type of the cluster that emitted the record.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "Enforcer": {"data_type": "string", "description": 'Name of the policy enforcer.'}, + "EventCount": {"data_type": "int", "description": 'Number of events associated with the request.'}, + "EventDurationMs": {"data_type": "int", "description": 'Duration of the event in milliseconds.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "Id": {"data_type": "string", "description": 'ID of the event request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogType": {"data_type": "string", "description": 'Type of log the record came from.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Policy": {"data_type": "int", "description": 'Code representing the policy.'}, + "Repo": {"data_type": "string", "description": 'Name the repo.'}, + "RepoType": {"data_type": "int", "description": 'Integer representing the repo type.'}, + "RequestData": {"data_type": "string", "description": 'Source that provides the request data.'}, + "RequestUser": {"data_type": "string", "description": 'Username associated with the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "int", "description": 'Status code of the event result.'}, + "SequenceNumber": {"data_type": "int", "description": 'Sequence number of the event.'}, + "SessionId": {"data_type": "string", "description": 'ID associated witht the user session.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'List of tags associated with the event.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightSecurityLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. AmbariAuditLog, AuthLog).'}, + "Message": {"data_type": "string", "description": 'message from log file.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightSparkApplicationEvents": { + "AppAttemptId": {"data_type": "string", "description": 'The application attempt id.'}, + "ApplicationId": {"data_type": "string", "description": 'The application id of the application producing the record.'}, + "AppName": {"data_type": "string", "description": 'The application name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the application.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the application.'}, + "CompletionTime": {"data_type": "datetime", "description": 'The time (UTC) the application submission completed.'}, + "Host": {"data_type": "string", "description": 'The fqdn the node was run on.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the application.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the application.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SparkUser": {"data_type": "string", "description": 'The Spark User associated with the record.'}, + "SubmissionTime": {"data_type": "datetime", "description": 'The time (UTC) the application was submitted.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the application'}, + }, + "HDInsightSparkBlockManagerEvents": { + "AddedTime": {"data_type": "datetime", "description": 'The time (UTC) the event was added.'}, + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlockHost": {"data_type": "string", "description": 'The block host.'}, + "BlockManagerHost": {"data_type": "string", "description": 'The host where the Block Manager is running.'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster the Block Manager is running on.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster the Block Manager is running on.'}, + "ExecutorId": {"data_type": "string", "description": 'The ID of the executor running the application.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node the Block Manager is running on.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxMemory": {"data_type": "long", "description": 'The max memory usage from the event.'}, + "MaxOffHeapMemory": {"data_type": "long", "description": 'The max off heap memory usage from the event.'}, + "MaxOnHeapMemory": {"data_type": "long", "description": 'The max on heap memory usage from the event.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster the Block Manager is running on.'}, + "RemovedTime": {"data_type": "datetime", "description": 'The time (UTC) the application was removed.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node the Block Manager is running on.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster the Block Manager is running on.'}, + }, + "HDInsightSparkEnvironmentEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the application.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the application.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the application.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the application.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SparkDeployMode": {"data_type": "string", "description": 'The spark deployment mode of the application.'}, + "SparkExecutorCores": {"data_type": "int", "description": 'The number of Executor cores.'}, + "SparkExecutorInstances": {"data_type": "int", "description": 'The number of Spark Executor instances.'}, + "SparkExecutorMemory": {"data_type": "string", "description": 'The memory usage of the Spark Executor'}, + "SparkMaster": {"data_type": "string", "description": 'The master mode of the Spark Application'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the application'}, + "YarnMaxAttempts": {"data_type": "int", "description": 'The max number of attempts Yarn will make for the application.'}, + "YarnQueue": {"data_type": "string", "description": 'The type of YARN queue for the application.'}, + "YarnTags": {"data_type": "string", "description": 'The YARN tag of the application.'}, + }, + "HDInsightSparkExecutorEvents": { + "AddedTime": {"data_type": "datetime", "description": 'The time (UTC) the Executor was added.'}, + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the Executor.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the Executor.'}, + "ExecutorCores": {"data_type": "int", "description": 'The number of cores the Spark Executor has.'}, + "ExecutorHost": {"data_type": "string", "description": 'The host the Executor ran on'}, + "ExecutorId": {"data_type": "string", "description": 'The ID of the Spark Executor.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the Executor.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the Executor.'}, + "RemovedReason": {"data_type": "string", "description": 'The reason the Executor was removed.'}, + "RemovedTime": {"data_type": "datetime", "description": 'The time (UTC) the Executor was removed.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the Executor.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the Executor.'}, + }, + "HDInsightSparkExtraEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the application.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the application.'}, + "EventJson": {"data_type": "string", "description": 'Json with information about the event.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the application.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the application.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the application.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the application.'}, + }, + "HDInsightSparkJobEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the job.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the job.'}, + "CompletionTime": {"data_type": "datetime", "description": 'The time (UTC) the job was completed.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the job.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobId": {"data_type": "string", "description": 'The ID of the job.'}, + "JobResult": {"data_type": "string", "description": 'The result of the job.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the job.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the job.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StageIds": {"data_type": "string", "description": 'The stages included in the job.'}, + "SubmissionTime": {"data_type": "datetime", "description": 'The time (UTC) the job was submitted.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the job.'}, + }, + "HDInsightSparkLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'log level of message (INFO, WARN, ERROR, etc.).'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. SparkExecutorLog, SparkDriverLog).'}, + "Message": {"data_type": "string", "description": 'message from HBase log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightSparkSQLExecutionEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the Spark SQL execution.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the Spark SQL execution.'}, + "EndTime": {"data_type": "datetime", "description": 'The time (UTC) the Spark SQL execution ended.'}, + "ExecutionId": {"data_type": "string", "description": 'The ID of the Spark SQL execution.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the Spark SQL execution.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PhysicalPlanDescription": {"data_type": "string", "description": 'The description of the Physical/Logical plan of the Spark SQL execution.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the Spark SQL execution.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the Spark SQL execution.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SparkPlanInfo": {"data_type": "string", "description": 'Json object containing information on the Spark SQL execution.'}, + "StartTime": {"data_type": "datetime", "description": 'The time (UTC) the Spark SQL execution started.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the Spark SQL execution.'}, + }, + "HDInsightSparkStageEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "AttemptId": {"data_type": "string", "description": 'The Id of the stage attempt.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the stage.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the stage.'}, + "CompletionTime": {"data_type": "datetime", "description": 'The time (UTC) the stage was completed.'}, + "Details": {"data_type": "string", "description": 'The exception details for any stage failures.'}, + "FailureReason": {"data_type": "string", "description": 'The reason for failure if the stage failed.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the stage.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "RDDInfo": {"data_type": "string", "description": 'Json containing information about RDDs used in the stage.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the stage.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node running the stage.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StageId": {"data_type": "string", "description": 'The ID of the stage.'}, + "StageName": {"data_type": "string", "description": 'The name of the stage.'}, + "SubmissionTime": {"data_type": "datetime", "description": 'The time (UTC) the stage was submitted.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskCount": {"data_type": "int", "description": 'The count of tasks associated with the stage.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the stage.'}, + }, + "HDInsightSparkStageTaskAccumulables": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster where the metric was collected.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster where the metric was collected.'}, + "Entity": {"data_type": "string", "description": 'The name of the entity being described.'}, + "EntityId": {"data_type": "string", "description": 'The ID of the entity.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host where the metric was collected.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node where the metric was collected.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricId": {"data_type": "string", "description": 'The ID of the metric.'}, + "MetricName": {"data_type": "string", "description": 'The name of the metric.'}, + "MetricValue": {"data_type": "long", "description": 'The value of the metric.'}, + "ParentId": {"data_type": "string", "description": 'The ID of the parent entity.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster where the metric was collected.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The type of node where the metric was collected.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster where the metric was collected.'}, + }, + "HDInsightSparkTaskEvents": { + "ApplicationId": {"data_type": "string", "description": 'The application ID of the application producing the record.'}, + "AttemptId": {"data_type": "string", "description": 'The ID of task attempt.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesRead": {"data_type": "long", "description": 'The number bytes read during the task.'}, + "BytesWritten": {"data_type": "long", "description": 'The number of bytes written by the task.'}, + "ClusterDnsName": {"data_type": "string", "description": 'The DNS name of the cluster running the task.'}, + "ClusterTenantId": {"data_type": "string", "description": 'The tenant ID of the cluster running the task.'}, + "DiskBytesSpilled": {"data_type": "long", "description": 'The number of disk bytes spilled.'}, + "EndReason": {"data_type": "string", "description": 'Reason why the task ended.'}, + "ExecutorCPUTime": {"data_type": "long", "description": 'The CPU time consumed by the task executor.'}, + "ExecutorDeserializeCPUTime": {"data_type": "long", "description": 'The CPU time the task executor spent deserializing.'}, + "ExecutorDeserializeTime": {"data_type": "long", "description": 'The time the task executor spent deserializing.'}, + "ExecutorId": {"data_type": "string", "description": 'The ID executor.'}, + "ExecutorRunTime": {"data_type": "long", "description": 'The time task executor spent running.'}, + "Failed": {"data_type": "bool", "description": 'Boolean describing whether the task failed.'}, + "FinishTime": {"data_type": "datetime", "description": 'The time (UTC) the task finished.'}, + "Host": {"data_type": "string", "description": 'The FQDN of the host running the task.'}, + "InputMetrics": {"data_type": "long", "description": 'The metrics associated with the task input.'}, + "IpAddress": {"data_type": "string", "description": 'The IP Address of the node running the task.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JvmGcTime": {"data_type": "long", "description": 'The time the JVM spent garbage collecting.'}, + "Killed": {"data_type": "bool", "description": 'Boolean describing whether the task was killed.'}, + "LaunchTime": {"data_type": "datetime", "description": 'The time (UTC) the task was launched.'}, + "MemoryBytesSpilled": {"data_type": "long", "description": 'The bytes of memory spilled.'}, + "NumUpdatedBlockStatuses": {"data_type": "long", "description": 'The number updated block statuses during the task.'}, + "OutputMetrics": {"data_type": "long", "description": 'The metrics associated with the task output.'}, + "PeakExecutionMemory": {"data_type": "long", "description": 'The peak amount of memory used during execution.'}, + "RecordsRead": {"data_type": "long", "description": 'The number of records read during the task.'}, + "RecordsWritten": {"data_type": "long", "description": 'The number of records written by the task.'}, + "Region": {"data_type": "string", "description": 'The region of the cluster running the task.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultSerializationTime": {"data_type": "long", "description": 'The serialization time spent while getting the result.'}, + "ResultSize": {"data_type": "long", "description": 'Size of the result.'}, + "Role": {"data_type": "string", "description": 'The type of node running the task.'}, + "SchedulerDelay": {"data_type": "long", "description": 'The amount of delay the scheduler experienced.'}, + "ShuffleBytesWritten": {"data_type": "long", "description": 'The bytes written during the shuffle task.'}, + "ShuffleFetchWaitTime": {"data_type": "long", "description": 'The time spent waitng for fetching.'}, + "ShuffleLocalBlocksFetched": {"data_type": "long", "description": 'The number of local blocks fethced during the shuffle task.'}, + "ShuffleReadMetrics": {"data_type": "long", "description": 'The metrics associated with shuffle reads.'}, + "ShuffleRecordsWritten": {"data_type": "long", "description": 'The number of records written during the shuffle task.'}, + "ShuffleRemoteBlocksFetched": {"data_type": "long", "description": 'The number of remote blocks fethced during the shuffle task.'}, + "ShuffleTotalBlocksFetched": {"data_type": "long", "description": 'The number of blocks fethced during the shuffle task.'}, + "ShuffleTotalBytesRead": {"data_type": "long", "description": 'The number bytes read during the shuffle task.'}, + "ShuffleWriteMetrics": {"data_type": "long", "description": 'The metrics associated with shuffle writes.'}, + "ShuffleWriteTime": {"data_type": "long", "description": 'The time spent writing during the shuffle task.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StageId": {"data_type": "string", "description": 'The ID of the stage associated with the task.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TaskId": {"data_type": "string", "description": 'The ID of the task.'}, + "TaskType": {"data_type": "string", "description": 'The task type.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdatedBlocks": {"data_type": "long", "description": 'The number of updated blocks.'}, + "UserSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the cluster running the task'}, + }, + "HDInsightStormLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'The severity level of the log (e.g. INFO,WARN, ERROR, etc.)'}, + "LogType": {"data_type": "string", "description": 'The name of the log file that a record came from (e.g. StormNimbus, StormSupervisor).'}, + "Message": {"data_type": "string", "description": 'message from Storm log.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightStormMetrics": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterName": {"data_type": "string", "description": 'Name of cluster.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "HostName": {"data_type": "string", "description": 'Name of host where log was emitted.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MetricDataType": {"data_type": "string", "description": 'CollectD datatype of the metric (e.g. gauge, counter, etc.). Determines how metric is portrayed over time. Please reference CollectD documentation for more information: https://collectd.org/wiki/index.php/Data_source .'}, + "MetricName": {"data_type": "string", "description": 'Name of the metric for the record (e.g. num-submitTopology-calls-Count).'}, + "MetricNamespace": {"data_type": "string", "description": 'Category of metric(e.g. StormNimbusMetrics, StormSupervisorMetrics, etc).'}, + "MetricValue": {"data_type": "real", "description": 'Value of metric in the record.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "HDInsightStormTopologyMetrics": { + "Acked": {"data_type": "real", "description": 'The number of Tuple "trees" successfully processed. A value of 0 is expected if no acking is done.'}, + "AssignedCPUPercent": {"data_type": "real", "description": 'Percent of CPU cores assigned to the topology.'}, + "AssignedMemOffHeapMB": {"data_type": "real", "description": 'MB of off heap memory assigned to the topology.'}, + "AssignedMemOnHeapMB": {"data_type": "real", "description": 'MB of on heap memory assigned to the topology.'}, + "AssignedTotalMemMB": {"data_type": "real", "description": 'MB of total memory assigned to the topology.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BoltId": {"data_type": "string", "description": 'The ID of the bolt.'}, + "Capacity": {"data_type": "real", "description": "If this is around 1.0, the corresponding Bolt is running as fast as it can, so you may want to increase the Bolt's parallelism. This is (number executed * average execute latency) / measurement time."}, + "ClusterName": {"data_type": "string", "description": 'The name of the cluster.'}, + "ClusterType": {"data_type": "string", "description": 'The type of the cluster.'}, + "CompleteLatencyMs": {"data_type": "real", "description": 'The average time (millisecond) a Tuple "tree" takes to be completely processed by the Topology. A value of 0 is expected if no acking is done.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "Debug": {"data_type": "bool", "description": 'Boolean representing whether debug tracing is activated.'}, + "Emitted": {"data_type": "real", "description": 'The number of Tuples emitted.'}, + "EncodedBoltId": {"data_type": "string", "description": 'The encoded ID of the bolt.'}, + "EncodedId": {"data_type": "string", "description": 'The enocded ID of the topology.'}, + "EncodedSpoutId": {"data_type": "string", "description": 'The encoded ID of the Spout.'}, + "ErrorHost": {"data_type": "string", "description": 'Host where the error occurred.'}, + "ErrorPort": {"data_type": "string", "description": 'Port associated with the error.'}, + "ErrorWorkerLogLink": {"data_type": "string", "description": 'Link to the log of the worker where an error occurred.'}, + "Executed": {"data_type": "real", "description": 'The number of incoming Tuples processed.'}, + "ExecuteLatencyMs": {"data_type": "real", "description": 'The average time (millisecond) a Tuple spends in the execute method. The execute method may complete without sending an Ack for the tuple.'}, + "Executors": {"data_type": "int", "description": 'The number of threads being used to execute a task.'}, + "ExecutorsTotal": {"data_type": "int", "description": 'The total amount of executors currently used and already used to execute a task.'}, + "Failed": {"data_type": "real", "description": 'The number of Tuple "trees" that were explicitly failed or timed out before acking was completed. A value of 0 is expected if no acking is done.'}, + "HostName": {"data_type": "string", "description": 'Hostname of the host the record came from.'}, + "Id": {"data_type": "string", "description": 'The name of the component the record is from (could be spout, bolt, or name of topology).'}, + "InstanceName": {"data_type": "string", "description": 'Type of record shape (there are bolt, spout, topology, and topology_stats record shapes).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastError": {"data_type": "string", "description": 'Last error to occur in the component.'}, + "MsgTimeout": {"data_type": "real", "description": 'The number of seconds until a message times out.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Owner": {"data_type": "string", "description": 'Name of the user that owns the topology.'}, + "ProcessLatencyMs": {"data_type": "real", "description": 'The average time (millisecond) it takes to Ack a Tuple after it is first received. Bolts that join, aggregate or batch may not Ack a tuple until a number of other Tuples have been received(.'}, + "ReplicationCount": {"data_type": "int", "description": 'The amount of replicas kept by the topology.'}, + "RequestedCpuPercent": {"data_type": "real", "description": 'The percent of CPU requested by the topology.'}, + "RequestMemOffHeapMB": {"data_type": "real", "description": 'MB of off heap memory requested by the topology.'}, + "RequestMemOnHeapMB": {"data_type": "real", "description": 'MB of on heap memory requested by the topology.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SamplingPct": {"data_type": "real", "description": 'Percentage of messages sampled to calculate metrics.'}, + "SchedulerDisplayResource": {"data_type": "bool", "description": 'Boolean describing the scheduler display setting.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpoutId": {"data_type": "string", "description": 'The ID of the spout.'}, + "Status": {"data_type": "string", "description": 'The status of the topology.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tasks": {"data_type": "int", "description": 'The number of tasks running.'}, + "TasksTotal": {"data_type": "int", "description": 'The total amount of tasks run.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TopologyId": {"data_type": "string", "description": 'The ID of the topology.'}, + "TopologyName": {"data_type": "string", "description": 'Name of the topology.'}, + "Transferred": {"data_type": "real", "description": 'The number of Tuples emitted that sent to one or more bolts.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uptime": {"data_type": "string", "description": 'The length of time an Executor (thread) has been alive.'}, + "UptimeSeconds": {"data_type": "real", "description": 'The amount of time the topology has been running in seconds.'}, + "Window": {"data_type": "real", "description": 'The time window for the metrics in the record in seconds.'}, + "WindowHint": {"data_type": "string", "description": 'The time window for the metrics in the record in hours, minutes, seconds format.'}, + "WindowPretty": {"data_type": "string", "description": 'String description of the time window for the metrics in the record.'}, + "Workers": {"data_type": "string", "description": 'JSON with worker specific metrics.'}, + "WorkersTotal": {"data_type": "int", "description": 'The total amount of workers.'}, + }, + "HealthStateChangeEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CurrentMonitorState": {"data_type": "string", "description": 'Current state of the monitor (Critical, Warning, Healthy, Unknown, None).'}, + "CurrentStateFirstObservedTimestamp": {"data_type": "datetime", "description": 'Timestamp (UTC) when the current state of the monitor was first observed.'}, + "EvaluationTimestamp": {"data_type": "datetime", "description": 'Timestamp (UTC) when the monitor health state change event was created.'}, + "Evidence": {"data_type": "dynamic", "description": 'Snapshot of samples and reason the monitor changed state.'}, + "ImpactStartTimestamp": {"data_type": "datetime", "description": 'Timestamp (UTC) the monitor start change to non-healthy (Critical, Warning) state.'}, + "InstrumentationData": {"data_type": "dynamic", "description": 'Current state of the monitor (Critical, Warning, Healthy, Unknown, None).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MonitorConfiguration": {"data_type": "dynamic", "description": 'Configuration for the monitor. Aggregate monitor configuration is an empty string.'}, + "MonitoredObject": {"data_type": "string", "description": 'Object the monitor is monitoring. Values only exist for dynamic monitors, e.g. D: for monitor logical-disks|D:|free-space-mb.'}, + "MonitorName": {"data_type": "string", "description": 'Name of the monitor, e.g. logical-disks|C:|free-space-mb for Windows platform, filesystems|/var/lib|free-space-mb for Linux platform.'}, + "MonitorResourceId": {"data_type": "string", "description": 'ARM resource id of the monitor.'}, + "MonitorType": {"data_type": "string", "description": 'Type of the monitor. Same as the monitor name for static monitors, replaces MonitoredObject with * for dynamic monitors.'}, + "ParentMonitorName": {"data_type": "string", "description": 'Parent monitor name, e.g. logical-disks|C: for Windows platform, filesystems for Linux platform.'}, + "PreviousMonitorState": {"data_type": "string", "description": 'Previous state of the monitor (Critical, Warning, Healthy, Unknown, None).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Heartbeat": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Value is Direct Agent SCOM Agent or SCOM Management Server.'}, + "Computer": {"data_type": "string", "description": 'Computer name'}, + "ComputerEnvironment": {"data_type": "string", "description": 'Environment that hosts the computer: Azure or Non-Azure'}, + "ComputerIP": {"data_type": "string", "description": 'IP address of the computer. Note that public IP is used'}, + "ComputerPrivateIPs": {"data_type": "dynamic", "description": 'The list of private IP addresses of the computer.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsGatewayInstalled": {"data_type": "bool", "description": 'If Log Analytics gateway is installed value is true otherwise value is false.'}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of Operations Manager management group.'}, + "OSMajorVersion": {"data_type": "string", "description": 'Operating system major version.'}, + "OSMinorVersion": {"data_type": "string", "description": 'Operating system minor version.'}, + "OSName": {"data_type": "string", "description": 'Name of OS.'}, + "OSType": {"data_type": "string", "description": 'Type of OS. Possible values are Windows or Linux.'}, + "RemoteIPCountry": {"data_type": "string", "description": 'Geographic location where computer is deployed.'}, + "RemoteIPLatitude": {"data_type": "real", "description": "Latitude of computer's geographic location."}, + "RemoteIPLongitude": {"data_type": "real", "description": "Longitude of computer's geographic location."}, + "Resource": {"data_type": "string", "description": 'Resource group name of the Azure resource running the agent.'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource name of the Azure resource running the agent.'}, + "ResourceId": {"data_type": "string", "description": 'Resource ID of the Azure resource running the agent. Retained for for backward compatibility. _ResourceId should be used.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": 'Resource provider of the Azure resource running the agent'}, + "ResourceType": {"data_type": "string", "description": 'Type of the Azure resource running the agent. Examples include virtualmachines or managedclusters.'}, + "SCAgentChannel": {"data_type": "string", "description": 'Specfies how agent is connected to workspace. Possible values are Direct or SCManagementServer.'}, + "Solutions": {"data_type": "string", "description": 'List of solutions deployed on the agent at the moment when Heartbeat was issued.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": 'Subscription ID of the Azure resource running the agent'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "string", "description": 'Version of the agent.'}, + "VMUUID": {"data_type": "string", "description": 'Unique identifier of the virtual machine.'}, + }, + "HuntingBookmark": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BookmarkId": {"data_type": "string", "description": 'Guid - the bookmark ARM resource name'}, + "BookmarkName": {"data_type": "string", "description": 'Bookmark name given by the user'}, + "BookmarkType": {"data_type": "string", "description": 'Can be used to mark bookmark origin - currently not used'}, + "CreatedBy": {"data_type": "string", "description": 'JSON object with the user who created the bookmark, including: ObjectID, email and name'}, + "CreatedTime": {"data_type": "datetime", "description": 'The timestamp of bookmark first creation time'}, + "Entities": {"data_type": "string", "description": 'A serialized JSON of entities mapped by this bookmark'}, + "EventTime": {"data_type": "datetime", "description": 'The timestamp of the original event that is bookmarked'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedTime": {"data_type": "datetime", "description": 'The timestamp of bookmark last update time'}, + "Notes": {"data_type": "string", "description": 'Notes provided by user'}, + "QueryEndTime": {"data_type": "datetime", "description": 'Query time range end time'}, + "QueryResultRow": {"data_type": "string", "description": 'JSON object with a single result row of the query'}, + "QueryStartTime": {"data_type": "datetime", "description": 'Query time range start time'}, + "QueryText": {"data_type": "string", "description": 'Original log analytics query text'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SoftDeleted": {"data_type": "bool", "description": 'Was the bookmark deleted by user'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'Comma seperated list of tags provided by user'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": ''}, + "UpdatedBy": {"data_type": "string", "description": 'JSON object with the user who last updated the bookmark, including: ObjectID, email and name'}, + }, + "IdentityDirectoryEvents": { + "AccountDisplayName": {"data_type": "string", "description": 'Name of the account user displayed in the address book'}, + "AccountDomain": {"data_type": "string", "description": 'Domain of the account'}, + "AccountName": {"data_type": "string", "description": 'User name of the account'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure AD'}, + "AccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account'}, + "AccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event'}, + "Application": {"data_type": "string", "description": 'Application that performed the recorded action'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationDeviceName": {"data_type": "string", "description": 'Name of the device running the server application that processed the recorded action'}, + "DestinationIPAddress": {"data_type": "string", "description": 'IP address of the device running the server application that processed the recorded action'}, + "DestinationPort": {"data_type": "string", "description": 'Destination port of related network communications'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "IPAddress": {"data_type": "string", "description": 'IP address assigned to the endpoint and used during related network communications'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ISP": {"data_type": "string", "description": 'Internet service provider (ISP) associated with the endpoint IP address'}, + "Location": {"data_type": "string", "description": 'City, country, or other geographic location associated with the event'}, + "Port": {"data_type": "string", "description": 'TCP port used during communication'}, + "Protocol": {"data_type": "string", "description": 'Protocol used during the communication'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetAccountDisplayName": {"data_type": "string", "description": 'Display name of the account that the recorded action was applied to'}, + "TargetAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that the recorded action was applied to'}, + "TargetDeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device that the recorded action was applied to'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "IdentityInfo": { + "AccountCloudSID": {"data_type": "string", "description": 'The Azure AD security identifier of the account'}, + "AccountCreationTime": {"data_type": "datetime", "description": 'The date the user account was created (UTC)'}, + "AccountDisplayName": {"data_type": "string", "description": 'The user account display name'}, + "AccountDomain": {"data_type": "string", "description": 'Domain name of the user account'}, + "AccountName": {"data_type": "string", "description": 'User name of the account'}, + "AccountObjectId": {"data_type": "string", "description": 'The Azure Active Directory object ID for the account'}, + "AccountSID": {"data_type": "string", "description": 'The on premises security identifier of the account'}, + "AccountTenantId": {"data_type": "string", "description": 'The Azure Active Directory Tenant ID of the account'}, + "AccountUPN": {"data_type": "string", "description": 'User principal name of the account'}, + "AdditionalMailAddresses": {"data_type": "dynamic", "description": 'Additional email addresses of the user'}, + "Applications": {"data_type": "string", "description": 'All known applications this user account accessed'}, + "AssignedRoles": {"data_type": "dynamic", "description": 'AAD roles the user account is assigned to'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlastRadius": {"data_type": "string", "description": 'The potential impact of the user account in the org (low/medium/high)'}, + "ChangeSource": {"data_type": "string", "description": 'The source of the latest change of the entity'}, + "City": {"data_type": "string", "description": 'The city of the user account as defined in AAD'}, + "CompanyName": {"data_type": "string", "description": 'The name for the company in which the user works.'}, + "Country": {"data_type": "string", "description": 'The country of the user account as defined in AAD'}, + "DeletedDateTime": {"data_type": "datetime", "description": 'The date and time the user was deleted'}, + "Department": {"data_type": "string", "description": 'The user account department as defined in AAD'}, + "EmployeeId": {"data_type": "string", "description": 'The employee identifier assigned to the user by the organization'}, + "EntityRiskScore": {"data_type": "dynamic", "description": 'The risk score of the entity as part of the UEBA scoring process'}, + "ExtensionProperty": {"data_type": "dynamic", "description": 'ExtensionProperty fields from Azure AD'}, + "GivenName": {"data_type": "string", "description": 'The user account given name'}, + "GroupMembership": {"data_type": "dynamic", "description": 'Azure AD Groups the user account is a member'}, + "InvestigationPriority": {"data_type": "int", "description": 'The Investigation Priority score of the account'}, + "InvestigationPriorityPercentile": {"data_type": "int", "description": 'The account score compared to the organization'}, + "IsAccountEnabled": {"data_type": "bool", "description": 'Indication if the account is enabled in AAD or not'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsMFARegistered": {"data_type": "bool", "description": 'Indication if MFA is registered for this user account or not'}, + "IsServiceAccount": {"data_type": "bool", "description": 'The account is a service account.'}, + "JobTitle": {"data_type": "string", "description": 'The user account job title as defined in AAD'}, + "LastSeenDate": {"data_type": "datetime", "description": 'Date of the last activity observed in this account'}, + "MailAddress": {"data_type": "string", "description": 'The user account primary email address'}, + "Manager": {"data_type": "string", "description": 'The user accounts manager alias'}, + "OnPremisesDistinguishedName": {"data_type": "string", "description": 'Active Directory distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.'}, + "OnPremisesExtensionAttributes": {"data_type": "string", "description": 'OnPremisesExtensionAttributes field from Azure AD'}, + "Phone": {"data_type": "string", "description": 'The phone number of the user account as defined in AAD'}, + "RelatedAccounts": {"data_type": "dynamic", "description": 'Various accounts that correlate to a certain user'}, + "RiskLevel": {"data_type": "string", "description": 'The AAD risk level (Low/Medium/High) of the user account'}, + "RiskLevelDetails": {"data_type": "string", "description": 'Details regarding the AAD risk level'}, + "RiskState": {"data_type": "string", "description": 'Indication if the account is at risk now or if the risk was remediated'}, + "SAMAccountName": {"data_type": "string", "description": 'The SAM account name of the account.'}, + "ServicePrincipals": {"data_type": "dynamic", "description": 'Azure AD service principals that are owned by the user'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The geographical state of the user account as defined in AAD'}, + "StreetAddress": {"data_type": "string", "description": 'The office street address of the user account as defined in AAD'}, + "Surname": {"data_type": "string", "description": 'The user account surname'}, + "Tags": {"data_type": "string", "description": 'Relevant information on the user account which is important for investigation: Sensitive\\ VIP\\ Administrator'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time when the event was generated (UTC)'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UACFlags": {"data_type": "string", "description": 'User Access control flags from AD & AAD'}, + "UserAccountControl": {"data_type": "dynamic", "description": 'Security attributes of the user account in the AD domain'}, + "UserState": {"data_type": "string", "description": 'The current state in AAD of the account (Active/Disabled/Dormant/Lockout)'}, + "UserStateChangedOn": {"data_type": "datetime", "description": 'Date of the last time the account state was changed (UTC)'}, + "UserType": {"data_type": "string", "description": 'The user type as appears in Azure AD'}, + }, + "IdentityLogonEvents": { + "AccountDisplayName": {"data_type": "string", "description": 'Name of the account user displayed in the address book'}, + "AccountDomain": {"data_type": "string", "description": 'Domain of the account'}, + "AccountName": {"data_type": "string", "description": 'User name of the account'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure AD'}, + "AccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account'}, + "AccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event'}, + "Application": {"data_type": "string", "description": 'Application that performed the recorded action'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationDeviceName": {"data_type": "string", "description": 'Name of the device running the server application that processed the recorded action'}, + "DestinationIPAddress": {"data_type": "string", "description": 'IP address of the device running the server application that processed the recorded action'}, + "DestinationPort": {"data_type": "string", "description": 'Destination port of related network communications'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "DeviceType": {"data_type": "string", "description": 'Type of device'}, + "FailureReason": {"data_type": "string", "description": 'Information explaining why the recorded action failed'}, + "IPAddress": {"data_type": "string", "description": 'IP address assigned to the endpoint and used during related network communications'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ISP": {"data_type": "string", "description": 'Internet service provider (ISP) associated with the endpoint IP address'}, + "Location": {"data_type": "string", "description": 'City, country, or other geographic location associated with the event'}, + "LogonType": {"data_type": "string", "description": 'Type of logon session'}, + "OSPlatform": {"data_type": "string", "description": 'Platform of the operating system running on the machine'}, + "Port": {"data_type": "string", "description": 'TCP port used during communication'}, + "Protocol": {"data_type": "string", "description": 'Network protocol used'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetAccountDisplayName": {"data_type": "string", "description": 'Display name of the account that the recorded action was applied to'}, + "TargetDeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device that the recorded action was applied to'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "IdentityQueryEvents": { + "AccountDisplayName": {"data_type": "string", "description": 'Name of the account user displayed in the address book'}, + "AccountDomain": {"data_type": "string", "description": 'Domain of the account'}, + "AccountName": {"data_type": "string", "description": 'User name of the account'}, + "AccountObjectId": {"data_type": "string", "description": 'Unique identifier for the account in Azure AD'}, + "AccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account'}, + "AccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account'}, + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event'}, + "Application": {"data_type": "string", "description": 'Application that performed the recorded action'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DestinationDeviceName": {"data_type": "string", "description": 'Name of the device running the server application that processed the recorded action'}, + "DestinationIPAddress": {"data_type": "string", "description": 'IP address of the device running the server application that processed the recorded action'}, + "DestinationPort": {"data_type": "string", "description": 'Destination port of related network communications'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device'}, + "IPAddress": {"data_type": "string", "description": 'IP address assigned to the endpoint and used during related network communications'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'City, country, or other geographic location associated with the event'}, + "Port": {"data_type": "string", "description": 'TCP port used during communication'}, + "Protocol": {"data_type": "string", "description": 'Protocol used during the communication'}, + "Query": {"data_type": "string", "description": 'String used to run the query'}, + "QueryTarget": {"data_type": "string", "description": 'Name of user, group, device, domain, or any other entity type being queried'}, + "QueryType": {"data_type": "string", "description": 'Type of query, such as QueryGroup, QueryUser, or EnumerateUsers'}, + "ReportId": {"data_type": "string", "description": 'Unique identifier for the event'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetAccountDisplayName": {"data_type": "string", "description": 'Display name of the account that the recorded action was applied to'}, + "TargetAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that the recorded action was applied to'}, + "TargetDeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device that the recorded action was applied to'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time (UTC) when the record was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "IISAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "IISApplication": {"data_type": "string", "description": ''}, + "IISApplicationPool": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WebServer": {"data_type": "string", "description": ''}, + "WebSite": {"data_type": "string", "description": ''}, + }, + "InsightsMetrics": { + "AgentId": {"data_type": "string", "description": 'Unique ID of the agent that sourced the metric instance'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Computer name/Node name that sourced the metric instance'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": 'Name of the metric'}, + "Namespace": {"data_type": "string", "description": "Name space/Category of the metric. Ex;- 'container.azm.ms/disk'"}, + "Origin": {"data_type": "string", "description": "Source of the metric. Ex;- 'container.azm.ms/telegraf'"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'Dimensions of the metric in json'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Val": {"data_type": "real", "description": 'Value of the metric'}, + "Value": {"data_type": "string", "description": ''}, + }, + "IntuneAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "Identity": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "Properties": {"data_type": "string", "description": ''}, + "ResultDescription": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "IntuneDeviceComplianceOrg": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ComplianceState": {"data_type": "string", "description": 'The compliance state of the device.'}, + "DeviceHealthThreatLevel": {"data_type": "string", "description": 'The device health threat level.'}, + "DeviceId": {"data_type": "string", "description": 'The Id of the device.'}, + "DeviceName": {"data_type": "string", "description": 'The name of the device.'}, + "DeviceType": {"data_type": "string", "description": 'The type of the device.'}, + "IMEI": {"data_type": "string", "description": 'The international mobile equipment identifier of the device.'}, + "InGracePeriodUntil": {"data_type": "string", "description": 'The device grace period end time.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastContact": {"data_type": "string", "description": 'The date and time of last contact.'}, + "ManagementAgents": {"data_type": "string", "description": 'The management agents.'}, + "OS": {"data_type": "string", "description": 'The operating system of the device.'}, + "OSDescription": {"data_type": "string", "description": 'The operating system of the device.'}, + "OSVersion": {"data_type": "string", "description": 'The version of the operating system.'}, + "OwnerType": {"data_type": "string", "description": 'The type of owner.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": 'The result of the operation.'}, + "RetireAfterDatetime": {"data_type": "string", "description": 'The retire after date time.'}, + "SerialNumber": {"data_type": "string", "description": 'The serial number of the device'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the report was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UPN": {"data_type": "string", "description": 'The user principal name.'}, + "UserEmail": {"data_type": "string", "description": 'The user email address.'}, + "UserId": {"data_type": "string", "description": 'The Id of the user.'}, + "UserName": {"data_type": "string", "description": 'The user name.'}, + }, + "IntuneDevices": { + "AADTenantId": {"data_type": "string", "description": 'The AAD Tenant ID'}, + "AndroidPatchLevel": {"data_type": "string", "description": 'The Android patch level of the device'}, + "BatchId": {"data_type": "string", "description": 'The unique ID for the exported report'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CategoryName": {"data_type": "string", "description": 'The category name of the device'}, + "CompliantState": {"data_type": "string", "description": 'The compliant state of the device'}, + "CreatedDate": {"data_type": "string", "description": 'The date and time of the device entry was created'}, + "DeviceId": {"data_type": "string", "description": 'The ID of the device'}, + "DeviceName": {"data_type": "string", "description": 'The name of the device'}, + "DeviceRegistrationState": {"data_type": "string", "description": 'The registration state of the device'}, + "DeviceState": {"data_type": "string", "description": 'The state of the device'}, + "EasID": {"data_type": "string", "description": 'The Emergency Alert System Identification of the device'}, + "EncryptionStatusString": {"data_type": "string", "description": 'String describing whether the device is encrypted'}, + "GraphDeviceIsManaged": {"data_type": "bool", "description": 'Boolean describing whether the graph device is managed'}, + "IMEI": {"data_type": "string", "description": 'The international mobile equipment identifier of the device'}, + "InGracePeriodUntil": {"data_type": "string", "description": 'The device grace period end time'}, + "IntuneAccountId": {"data_type": "string", "description": 'The Intune Account ID'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JailBroken": {"data_type": "string", "description": 'String describing whether the device is jail broken'}, + "JoinType": {"data_type": "string", "description": 'The device join type'}, + "LastContact": {"data_type": "string", "description": 'The date and time of last contact'}, + "ManagedBy": {"data_type": "string", "description": 'The authority that the device is managed by'}, + "ManagedDeviceName": {"data_type": "string", "description": 'The managed device name'}, + "Manufacturer": {"data_type": "string", "description": 'The manufacturer of the device'}, + "MEID": {"data_type": "string", "description": 'The mobile equipment identifier of the device'}, + "Model": {"data_type": "string", "description": 'The model of the device'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation'}, + "OS": {"data_type": "string", "description": 'The operating system of the device'}, + "OSVersion": {"data_type": "string", "description": 'The version of the operating system'}, + "Ownership": {"data_type": "string", "description": 'The ownership of the device'}, + "PhoneNumber": {"data_type": "string", "description": 'The phone number'}, + "PrimaryUser": {"data_type": "string", "description": 'The ID of the primary user'}, + "ReferenceId": {"data_type": "string", "description": 'The AAD Device ID'}, + "Result": {"data_type": "string", "description": 'The result of the operation'}, + "SerialNumber": {"data_type": "string", "description": 'The serial number of the device'}, + "SkuFamily": {"data_type": "string", "description": 'The stock-keeping unit family of the device'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Stats": {"data_type": "dynamic", "description": 'Statistics about the export, including the number of records exported per export'}, + "StorageFree": {"data_type": "long", "description": 'The free storage size of the device'}, + "StorageTotal": {"data_type": "long", "description": 'The total storage size of the device'}, + "SubscriberCarrierNetwork": {"data_type": "string", "description": 'The subscriber carrier network'}, + "SupervisedStatusString": {"data_type": "string", "description": 'String describing whether the device is supervised'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the report was generated (UTC)'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UPN": {"data_type": "string", "description": 'The user principal name'}, + "UserEmail": {"data_type": "string", "description": 'The user email address'}, + "UserName": {"data_type": "string", "description": 'The user name'}, + "WifiMacAddress": {"data_type": "string", "description": 'The WiFi MAC address of the device'}, + }, + "IntuneOperationalLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": ''}, + "Properties": {"data_type": "string", "description": ''}, + "Result": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "IoTHubDistributedTracing": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerLocalTimeUtc": {"data_type": "datetime", "description": 'Creation time of the message as reported by the device local clock'}, + "Category": {"data_type": "string", "description": 'Category of the log event'}, + "DependencyType": {"data_type": "string", "description": 'For outgoing requests (dependencies), describes type of the dependency'}, + "DurationMs": {"data_type": "int", "description": 'Duration of the operation in milliseconds'}, + "EventKind": {"data_type": "string", "description": 'Kind of the event'}, + "InstanceId": {"data_type": "string", "description": 'Name of the instance that processed request'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRoutingEnabled": {"data_type": "bool", "description": 'Either true or false, indicates whether or not message routing is enabled in the IoT Hub'}, + "Level": {"data_type": "string", "description": 'Level of severity of the event'}, + "Location": {"data_type": "string", "description": 'Azure region in which the Iot Hub is located'}, + "MessageSize": {"data_type": "int", "description": 'The size of the message in bytes'}, + "OperationName": {"data_type": "string", "description": 'Operation name of the event'}, + "ParentId": {"data_type": "string", "description": 'Unique identifier of current span within trace (16 hex characters). A request without a parent id is the root of the trace.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceSubName": {"data_type": "string", "description": 'Name of sub-component that reports this message'}, + "ResultDescription": {"data_type": "string", "description": 'Result description of the event, typically elaborates on the error'}, + "ResultSignature": {"data_type": "int", "description": 'The status code of the event'}, + "ResultType": {"data_type": "string", "description": "Result type of the event, typically empty unless it's an error"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": 'Unique identifier of current span within trace (16 hex characters)'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event is generated and logged'}, + "TraceFlags": {"data_type": "int", "description": 'A bit field for controlling tracing options. For example, sampling and trace level.'}, + "TraceId": {"data_type": "string", "description": 'Globally unique identifier of the trace (32 hex characters)'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Absolute request URI'}, + }, + "KubeEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "ClusterName": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "Computer": {"data_type": "string", "description": 'Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer'}, + "Count": {"data_type": "real", "description": 'Cumulative count of the number of occurences of a specific event [event.count] .'}, + "FirstSeen": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KubeEventType": {"data_type": "string", "description": "Type of kubernetes event [event.type]. Ex;- 'Normal'"}, + "LastSeen": {"data_type": "datetime", "description": 'Time event was last observed [event.lastTimestamp]'}, + "Message": {"data_type": "string", "description": 'Event message [event.message]'}, + "Name": {"data_type": "string", "description": "Involved kubernetes object's name [event.InvolvedObject.name]. Ex;- 'autoschedulejob-158393400-gkv4g'"}, + "Namespace": {"data_type": "string", "description": "Involved kubernetes object's namespace [event.InvolvedObject.namespace]. Ex;- 'kube-system'"}, + "ObjectKind": {"data_type": "string", "description": 'Kind of kubernetes object applicable for the event [event.InvolvedObject.kind] . Ex;- pod'}, + "Reason": {"data_type": "string", "description": 'Reason as seen in kubernetes event [event.reason]'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceComponent": {"data_type": "string", "description": 'Source component that generated the event [event.source.component] . Ex;- default-scheduler'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubeHealth": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": ''}, + "Details": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MonitorConfig": {"data_type": "string", "description": ''}, + "MonitorInstanceId": {"data_type": "string", "description": ''}, + "MonitorLabels": {"data_type": "string", "description": ''}, + "MonitorTypeId": {"data_type": "string", "description": ''}, + "NewState": {"data_type": "string", "description": ''}, + "OldState": {"data_type": "string", "description": ''}, + "ParentMonitorInstanceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeFirstObserved": {"data_type": "datetime", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubeMonAgentEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the event. For example: container.azm.ms/promscraping, container.azm.ms/configmap.'}, + "ClusterId": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "ClusterName": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "Computer": {"data_type": "string", "description": 'Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Event level for the event. [Error, Warning, Info]'}, + "Message": {"data_type": "string", "description": 'Event message.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'Dimensions/properties for the event'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubeNodeInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": 'ID of the Kubernetes cluster from which the event was sourced.'}, + "ClusterName": {"data_type": "string", "description": 'ID of the Kubernetes cluster from which the event was sourced.'}, + "Computer": {"data_type": "string", "description": 'Computer/node name in the cluster for which the event applies. If not, computer/node name of sourcing computer.'}, + "CreationTimeStamp": {"data_type": "datetime", "description": 'Node created time.'}, + "DockerVersion": {"data_type": "string", "description": 'Container runtime version.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KubeletVersion": {"data_type": "string", "description": 'Version of Kubelet in the node.'}, + "KubeProxyVersion": {"data_type": "string", "description": 'Version of KubeProxy in the node.'}, + "KubernetesProviderID": {"data_type": "string", "description": 'Provider ID for Kubernetes.'}, + "Labels": {"data_type": "string", "description": 'Kubernetes Node Labels.'}, + "LastTransitionTimeReady": {"data_type": "datetime", "description": 'Last transition to or from ready condition for the node (no matter ready is true/false).'}, + "OperatingSystem": {"data_type": "string", "description": "Node's host OS Image."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": "Comma separated list of node's status.conditions.type for conditions.status that are true."}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubePodInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "ClusterName": {"data_type": "string", "description": 'ID of the kubernetes cluster from which the event was sourced'}, + "Computer": {"data_type": "string", "description": 'Computer/node name in the cluster that has this pod/container. Unscheduled pods will have this as empty.'}, + "ContainerCreationTimeStamp": {"data_type": "datetime", "description": 'Container creation time'}, + "ContainerID": {"data_type": "string", "description": "Container's ID"}, + "ContainerLastStatus": {"data_type": "string", "description": "Container's last observed last status"}, + "ContainerName": {"data_type": "string", "description": 'Container name. This is in poduid/containername format.'}, + "ContainerRestartCount": {"data_type": "int", "description": 'Restart count for the container'}, + "ContainerStartTime": {"data_type": "datetime", "description": 'Time container started.'}, + "ContainerStatus": {"data_type": "string", "description": "Container's last observered current state [container.state]"}, + "ContainerStatusReason": {"data_type": "string", "description": "Reason if any for container's status."}, + "ControllerKind": {"data_type": "string", "description": "Container/Pod's controller kind. For example: ReplicaSet"}, + "ControllerName": {"data_type": "string", "description": "Container/Pod's controller Name. Ex;- kubernetes-dashboard-9f5bf9974"}, + "InstanceName": {"data_type": "string", "description": 'Not used currently[for future use]'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": 'Kubernetes Pod Name'}, + "Namespace": {"data_type": "string", "description": 'Kubernetes Namespace for the pod/container'}, + "PodCreationTimeStamp": {"data_type": "datetime", "description": 'Pod creation time'}, + "PodIp": {"data_type": "string", "description": "Pod's IP Address"}, + "PodLabel": {"data_type": "string", "description": 'Pod Labels'}, + "PodRestartCount": {"data_type": "int", "description": 'Restart count for the pod. [Sum of all restarts of all containers in the pod]'}, + "PodStartTime": {"data_type": "datetime", "description": "Pod's start time (for started pods)"}, + "PodStatus": {"data_type": "string", "description": 'Last observed Pod Status [pod.status.phase]'}, + "PodUid": {"data_type": "string", "description": 'Unique ID of the pod'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServiceName": {"data_type": "string", "description": 'Kubernetes Service the pod belongs to (if any)'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubePVInventory": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": 'The ID of the Kubernetes cluster of the persistent volume'}, + "ClusterName": {"data_type": "string", "description": 'The name of the Kubernetes cluster of the persistent volume'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PVAccessModes": {"data_type": "string", "description": 'A comma separated list of access modes of the persistent volume'}, + "PVCapacityBytes": {"data_type": "real", "description": 'The capacity of the persistent volume measured in bytes'}, + "PVCName": {"data_type": "string", "description": 'The Kubernetes persistent volume claim name'}, + "PVCNamespace": {"data_type": "string", "description": 'The Kubernetes namespace of the persistent volume claim'}, + "PVCreationTimeStamp": {"data_type": "datetime", "description": 'The Kubernetes persistent volume creation time'}, + "PVName": {"data_type": "string", "description": 'The Kubernetes persistent volume name'}, + "PVStatus": {"data_type": "string", "description": 'The status of the persistent volume: Available, Bound, Released, or Failed'}, + "PVStorageClassName": {"data_type": "string", "description": 'The name of the storage class of the persistent volume'}, + "PVType": {"data_type": "string", "description": 'The type of persistent volume from the list of Kubernetes supported volume plugins'}, + "PVTypeInfo": {"data_type": "dynamic", "description": 'The specific dimensions relating to the type of the persistent volume'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the record was created'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "KubeServices": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterId": {"data_type": "string", "description": 'ID of the Kubernetes cluster from which the event was sourced.'}, + "ClusterIp": {"data_type": "string", "description": 'Cluster IP address of the service.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the Kubernetes cluster from which the event was sourced.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Namespace": {"data_type": "string", "description": 'Kubernetes namespace for the service.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SelectorLabels": {"data_type": "string", "description": 'Selector labels for label based services.'}, + "ServiceName": {"data_type": "string", "description": 'Name of the Kubernetes service.'}, + "ServiceType": {"data_type": "string", "description": 'Type of Kubernetes service [ClusterIP/NodePort/LoadBalancer/ExternalName].'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "LAQueryLogs": { + "AADClientId": {"data_type": "string", "description": 'AAD ClientId used by the caller.'}, + "AADEmail": {"data_type": "string", "description": 'AAD Email of the caller.'}, + "AADObjectId": {"data_type": "string", "description": 'AAD ObjectId of the caller.'}, + "AADTenantId": {"data_type": "string", "description": 'AAD TenantId of the caller.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsBillableQuery": {"data_type": "bool", "description": 'Indicates whether query execution is billed.'}, + "IsWorkspaceInFailover": {"data_type": "bool", "description": 'Indicates whether the queried workspace was in failover mode.'}, + "QueryText": {"data_type": "string", "description": 'The full body of the query as submitted by the user.'}, + "QueryTimeRangeEnd": {"data_type": "datetime", "description": 'The end time (UTC) of the time range across which the query was was requested by the caller to be executed.'}, + "QueryTimeRangeStart": {"data_type": "datetime", "description": 'The starting time (UTC) of the time range across which the query was was requested by the caller to be executed.'}, + "RequestClientApp": {"data_type": "string", "description": 'ClientApp string in the request header (x-ms-app).'}, + "RequestContext": {"data_type": "dynamic", "description": 'ResourceId of all referenced workspaces, applications, and resources across which the query was requested by the caller to be executed.'}, + "RequestContextFilters": {"data_type": "dynamic", "description": 'Filters applied to the request context.'}, + "RequestTarget": {"data_type": "string", "description": 'ResourceId of the request URL.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "int", "description": 'The HTTP response code for the request.'}, + "ResponseDurationMs": {"data_type": "real", "description": 'The duration (in ms) that the query took to execute.'}, + "ResponseRowCount": {"data_type": "int", "description": 'The number of rows that were returned.'}, + "ScannedGB": {"data_type": "real", "description": 'For billable queries, like Basic logs queries, indicates the total GB of data scanned in the query.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatsCPUTimeMs": {"data_type": "real", "description": 'The CPU (in ms) used in the execution of this query.'}, + "StatsDataProcessedEnd": {"data_type": "datetime", "description": 'The end time (UTC) of the time range across which the data processed.'}, + "StatsDataProcessedStart": {"data_type": "datetime", "description": 'The starting time (UTC) of the time range across which the data processed.'}, + "StatsRegionCount": {"data_type": "int", "description": 'The number of regions that the workspaces accessed are spread across.'}, + "StatsWorkspaceCount": {"data_type": "int", "description": 'The number of workspaces that the query accessed, either explicitly or otherwise.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) at which the query was submitted.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceRegion": {"data_type": "string", "description": 'The region of the queried workspace.'}, + }, + "LASummaryLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BinSize": {"data_type": "int", "description": 'The time ranges summarization is performed in minutes. For example, when bin is 60, summarization is performed every 60 minutes.'}, + "BinStartTime": {"data_type": "datetime", "description": 'The bin start time (UTC). For example, value can be 2023-01-01T2:00:00.000Z for bin processed between 2:00 - 3:00.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'An error message when applicable.'}, + "QueryDurationMs": {"data_type": "long", "description": 'The execution duration in milliseconds.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultsRecordCount": {"data_type": "long", "description": 'The number of records returned in aggregation.'}, + "RuleLastModifiedTime": {"data_type": "datetime", "description": 'The time the rule last modified. Can be used to reason changes in results, duration, etc.'}, + "RuleName": {"data_type": "string", "description": 'The rule name.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The bin execution status. Can be Started, Succeeded or Failed.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The bin execution start time (UTC). It represents the time bin processing started, and decoupled from bin time range. For example, TimeGenerated can be 2023-01-01T3:05:10.123Z when processing hourly bin between 2:00 - 3:00.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "LinuxAuditLog": { + "a0": {"data_type": "string", "description": ''}, + "a1": {"data_type": "string", "description": ''}, + "a2": {"data_type": "string", "description": ''}, + "a3": {"data_type": "string", "description": ''}, + "a4": {"data_type": "string", "description": ''}, + "a5": {"data_type": "string", "description": ''}, + "a6": {"data_type": "string", "description": ''}, + "a7": {"data_type": "string", "description": ''}, + "a8": {"data_type": "string", "description": ''}, + "a9": {"data_type": "string", "description": ''}, + "acct": {"data_type": "string", "description": ''}, + "addr": {"data_type": "string", "description": ''}, + "arch": {"data_type": "string", "description": ''}, + "argc": {"data_type": "long", "description": ''}, + "audit_user": {"data_type": "string", "description": ''}, + "AuditID": {"data_type": "string", "description": ''}, + "auid": {"data_type": "long", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "cmd": {"data_type": "string", "description": ''}, + "comm": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "cwd": {"data_type": "string", "description": ''}, + "data": {"data_type": "string", "description": ''}, + "effective_group": {"data_type": "string", "description": ''}, + "effective_user": {"data_type": "string", "description": ''}, + "egid": {"data_type": "long", "description": ''}, + "euid": {"data_type": "long", "description": ''}, + "exe": {"data_type": "string", "description": ''}, + "exit": {"data_type": "string", "description": ''}, + "ExternalAgentIp": {"data_type": "string", "description": ''}, + "family": {"data_type": "string", "description": ''}, + "filetype": {"data_type": "string", "description": ''}, + "gid": {"data_type": "long", "description": ''}, + "group": {"data_type": "string", "description": ''}, + "hostname": {"data_type": "string", "description": ''}, + "icmptype": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "key": {"data_type": "string", "description": ''}, + "ManagementGroup": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "name": {"data_type": "string", "description": ''}, + "node": {"data_type": "string", "description": ''}, + "op": {"data_type": "string", "description": ''}, + "path": {"data_type": "string", "description": ''}, + "pid": {"data_type": "long", "description": ''}, + "ppid": {"data_type": "long", "description": ''}, + "RawRecord": {"data_type": "string", "description": ''}, + "RecordType": {"data_type": "string", "description": ''}, + "res": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "result": {"data_type": "string", "description": ''}, + "SerialNumber": {"data_type": "string", "description": ''}, + "ses": {"data_type": "long", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "success": {"data_type": "string", "description": ''}, + "syscall": {"data_type": "string", "description": ''}, + "terminal": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TimeUploaded": {"data_type": "datetime", "description": ''}, + "tty": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "uid": {"data_type": "long", "description": ''}, + "user": {"data_type": "string", "description": ''}, + "vm": {"data_type": "string", "description": ''}, + }, + "LogicAppWorkflowRuntime": { + "ActionName": {"data_type": "string", "description": 'The name of the workflow action.'}, + "ActionTrackingId": {"data_type": "string", "description": 'The unique ID of the workflow action.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientKeywords": {"data_type": "string", "description": 'The client keywords sent through the header.'}, + "ClientTrackingId": {"data_type": "string", "description": 'The unique ID of the client.'}, + "Code": {"data_type": "string", "description": 'The HTTP status code of the request.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) of the operation.'}, + "Error": {"data_type": "string", "description": 'The error message of this operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The geographical run location of the workflow.'}, + "OperationName": {"data_type": "string", "description": 'The name of this operation.'}, + "OriginRunId": {"data_type": "string", "description": 'The unique ID of the original workflow run, only relevant for resubmission scenarios.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RetryHistory": {"data_type": "string", "description": 'The retry history of the workflow action.'}, + "RunId": {"data_type": "string", "description": 'The unique ID of the workflow run.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The start time (UTC) of the operation.'}, + "Status": {"data_type": "string", "description": 'The status of the operation, e.g. Succeeded, Failed, Skipped, Ignored.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'The custom tags associated with the workflow.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TrackedProperties": {"data_type": "string", "description": 'The custom tracked properties.'}, + "TriggerName": {"data_type": "string", "description": 'The name of the workflow trigger.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkflowId": {"data_type": "string", "description": 'The unique ID of the workflow.'}, + "WorkflowName": {"data_type": "string", "description": 'The name of the workflow.'}, + }, + "MAApplication": { + "AppCategory": {"data_type": "string", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppType": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "HasSupportStatement": {"data_type": "bool", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsVirtualized": {"data_type": "bool", "description": ''}, + "MonthlyActiveDevices": {"data_type": "int", "description": ''}, + "NPId": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TestOwner": {"data_type": "string", "description": ''}, + "TestPlan": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationHealth": { + "ActiveDevicesOnSource": {"data_type": "int", "description": ''}, + "ActiveDevicesOnTarget": {"data_type": "int", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DevicesWithCrashesOnSource": {"data_type": "int", "description": ''}, + "DevicesWithCrashesOnTarget": {"data_type": "int", "description": ''}, + "DevicesWithCrashesPercentOnTargetForCommercial": {"data_type": "real", "description": ''}, + "HealthStatus": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSVersion": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "SessionsWithCrashesOnSource": {"data_type": "int", "description": ''}, + "SessionsWithCrashesOnTarget": {"data_type": "int", "description": ''}, + "SessionsWithCrashesPercentOnTargetForCommercial": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalDevicesInstalledOnSource": {"data_type": "int", "description": ''}, + "TotalDevicesInstalledOnTarget": {"data_type": "int", "description": ''}, + "TotalSessionsOnSource": {"data_type": "int", "description": ''}, + "TotalSessionsOnTarget": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationHealthAlternativeVersions": { + "AdoptionStatus": {"data_type": "string", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DevicesWithCrashesPercentOnTargetForCommercial": {"data_type": "real", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSVersion": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "SessionsWithCrashesPercentOnTargetForCommercial": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationHealthIssues": { + "AppFileDisplayName": {"data_type": "string", "description": ''}, + "AppFileName": {"data_type": "string", "description": ''}, + "AppFileVersion": {"data_type": "string", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": ''}, + "DiagnosticSignature": {"data_type": "string", "description": ''}, + "FailureId": {"data_type": "string", "description": ''}, + "FailureInstanceCount": {"data_type": "int", "description": ''}, + "FirstFailureDate": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastFailureDate": {"data_type": "datetime", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationInstance": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProgramID": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationInstanceReadiness": { + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAApplicationReadiness": { + "AdoptionStatus": {"data_type": "string", "description": ''}, + "AHAInsight": {"data_type": "string", "description": ''}, + "AppCategory": {"data_type": "string", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppType": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DevicesWithIssues": {"data_type": "int", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "HasSupportStatement": {"data_type": "bool", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "IsVirtualized": {"data_type": "bool", "description": ''}, + "MonthlyActiveDevices": {"data_type": "int", "description": ''}, + "Notes": {"data_type": "string", "description": ''}, + "NPId": {"data_type": "string", "description": ''}, + "ProgramId": {"data_type": "string", "description": ''}, + "Remediation": {"data_type": "string", "description": ''}, + "RiskAssessment": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TestOwner": {"data_type": "string", "description": ''}, + "TestPlan": {"data_type": "string", "description": ''}, + "TestResult": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "MADeploymentPlan": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CompletionDate": {"data_type": "datetime", "description": ''}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DeploymentTask": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": ''}, + "OfficeTargetBuild": {"data_type": "string", "description": ''}, + "OfficeTargetRelease": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WindowsTargetBuild": {"data_type": "string", "description": ''}, + "WindowsTargetRelease": {"data_type": "string", "description": ''}, + }, + "MADevice": { + "AbnormalShutdownCount": {"data_type": "int", "description": ''}, + "AbnormalShutdownCountTrailing": {"data_type": "int", "description": ''}, + "AssignedToDeploymentPlan": {"data_type": "bool", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BiosVersion": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeviceAge": {"data_type": "int", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceLastSeenDate": {"data_type": "datetime", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "DiskFreeSpace": {"data_type": "int", "description": ''}, + "InventoryCompleteness": {"data_type": "bool", "description": ''}, + "InventoryVersion": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KernelModeCrashCount": {"data_type": "int", "description": ''}, + "KernelModeCrashCountTrailing": {"data_type": "int", "description": ''}, + "KernelModeCrashFreePercentTrailingIndustry": {"data_type": "real", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OEMSerialNumber": {"data_type": "string", "description": ''}, + "OfficeAudienceFFN": {"data_type": "string", "description": ''}, + "OfficeAudiencesGroup": {"data_type": "string", "description": ''}, + "OfficeBuild": {"data_type": "string", "description": ''}, + "OfficeChannel": {"data_type": "string", "description": ''}, + "OfficeVersion": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSFamily": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSServicingBranch": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "Processor": {"data_type": "string", "description": ''}, + "Region": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalDiskSize": {"data_type": "int", "description": ''}, + "TotalRAM": {"data_type": "real", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WindowsTelemetryLevel": {"data_type": "int", "description": ''}, + }, + "MADeviceNotEnrolled": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "ConfigMgrLastSeenDate": {"data_type": "datetime", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "HasEnrollmentError": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OEMSerialNumber": {"data_type": "string", "description": ''}, + "PropertyBag": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MADeviceNRT": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceFirstSeenDate": {"data_type": "datetime", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Manufacturer": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OSBuildNumber": {"data_type": "int", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MADeviceReadiness": { + "AppIssues": {"data_type": "int", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceLastSeenDate": {"data_type": "datetime", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "DeviceStatus": {"data_type": "int", "description": ''}, + "DriverIssues": {"data_type": "int", "description": ''}, + "InventoryCompleteness": {"data_type": "bool", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MacroIssues": {"data_type": "int", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "ModelFamily": {"data_type": "string", "description": ''}, + "OfficeAddInIssues": {"data_type": "int", "description": ''}, + "OfficeAppIssues": {"data_type": "int", "description": ''}, + "OfficeBuild": {"data_type": "string", "description": ''}, + "OfficeUpgradeDecision": {"data_type": "string", "description": ''}, + "OfficeVersion": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "PilotDevice": {"data_type": "bool", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SysReqIssues": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalIssues": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WindowsUpgradeDecision": {"data_type": "string", "description": ''}, + }, + "MADriverInstanceReadiness": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "HardwareID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MADriverReadiness": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DriverAvailability": {"data_type": "string", "description": ''}, + "DriverDate": {"data_type": "string", "description": ''}, + "DriverKey": {"data_type": "long", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverVendor": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "HardwareID": {"data_type": "string", "description": ''}, + "HardwareName": {"data_type": "string", "description": ''}, + "HardwareType": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "Remediation": {"data_type": "string", "description": ''}, + "RiskAssessment": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalComputers": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "MAOfficeAddin": { + "AddinInstanceId": {"data_type": "string", "description": ''}, + "AddinName": {"data_type": "string", "description": ''}, + "AddinProducts": {"data_type": "string", "description": ''}, + "AddinPublisher": {"data_type": "string", "description": ''}, + "AddinRemarks": {"data_type": "string", "description": ''}, + "AddinSupportStatementUrl": {"data_type": "string", "description": ''}, + "AddinSupportStatus": {"data_type": "string", "description": ''}, + "AddinVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TestOwner": {"data_type": "string", "description": ''}, + "TestPlan": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAOfficeAddinInstance": { + "AddinInstanceId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAOfficeAddinReadiness": { + "AddinInstanceId": {"data_type": "string", "description": ''}, + "AddinName": {"data_type": "string", "description": ''}, + "AddinProducts": {"data_type": "string", "description": ''}, + "AddinPublisher": {"data_type": "string", "description": ''}, + "AddinRemarks": {"data_type": "string", "description": ''}, + "AddinSupportStatementUrl": {"data_type": "string", "description": ''}, + "AddinSupportStatus": {"data_type": "string", "description": ''}, + "AddinVersion": {"data_type": "string", "description": ''}, + "AdoptionStatus": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "Remediation": {"data_type": "string", "description": ''}, + "RiskAssessment": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetOfficeBitness": {"data_type": "string", "description": ''}, + "TestOwner": {"data_type": "string", "description": ''}, + "TestPlan": {"data_type": "string", "description": ''}, + "TestResult": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "MAOfficeAppInstance": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OfficeAppId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAOfficeAppReadiness": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DevicesWithIssues": {"data_type": "int", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "MonthlyActiveUsers": {"data_type": "int", "description": ''}, + "Notes": {"data_type": "string", "description": ''}, + "OfficeAppArchitecture": {"data_type": "string", "description": ''}, + "OfficeAppId": {"data_type": "string", "description": ''}, + "OfficeAppMajorVersion": {"data_type": "int", "description": ''}, + "OfficeAppName": {"data_type": "string", "description": ''}, + "OfficeAppRelease": {"data_type": "string", "description": ''}, + "OfficeAppVersion": {"data_type": "string", "description": ''}, + "Remediation": {"data_type": "string", "description": ''}, + "RiskAssessment": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TestOwner": {"data_type": "string", "description": ''}, + "TestPlan": {"data_type": "string", "description": ''}, + "TestResult": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "MAOfficeBuildInfo": { + "AvailabilityDate": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "BuildVersion": {"data_type": "string", "description": ''}, + "EOSDate": {"data_type": "datetime", "description": ''}, + "FeatureCurrency": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KBUrl": {"data_type": "string", "description": ''}, + "OfferedBuildType": {"data_type": "string", "description": ''}, + "ReleaseType": {"data_type": "string", "description": ''}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SecurityCompliance": {"data_type": "string", "description": ''}, + "ServicingChannel": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAOfficeCurrencyAssessment": { + "AssessmentTime": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "BuildVersion": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "FeatureCurrency": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastEventTime": {"data_type": "datetime", "description": ''}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SecurityCompliance": {"data_type": "string", "description": ''}, + "ServicingChannel": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAOfficeSuiteInstance": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OfficeAppId": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAProposedPilotDevices": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Coverage": {"data_type": "real", "description": ''}, + "DeploymentPlanId": {"data_type": "string", "description": ''}, + "DeviceFamily": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PilotStatus": {"data_type": "string", "description": ''}, + "Rank": {"data_type": "int", "description": ''}, + "Redundancy": {"data_type": "real", "description": ''}, + "Source": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAWindowsBuildInfo": { + "AvailabilityDate": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "BuildVersion": {"data_type": "string", "description": ''}, + "EOSDate": {"data_type": "datetime", "description": ''}, + "ExtEOSDate": {"data_type": "datetime", "description": ''}, + "FeatureCurrencyExtended": {"data_type": "string", "description": ''}, + "FeatureCurrencyPaid": {"data_type": "string", "description": ''}, + "FeatureCurrencyStandard": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KB": {"data_type": "string", "description": ''}, + "KBUrl": {"data_type": "string", "description": ''}, + "OfferedBuildType": {"data_type": "string", "description": ''}, + "PaidEOSDate": {"data_type": "datetime", "description": ''}, + "ReleaseType": {"data_type": "string", "description": ''}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SecurityCompliance": {"data_type": "string", "description": ''}, + "ServicingChannel": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAWindowsCurrencyAssessment": { + "AssessmentTime": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "BuildVersion": {"data_type": "string", "description": ''}, + "DeviceEOSDate": {"data_type": "datetime", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceServicingLevel": {"data_type": "string", "description": ''}, + "FeatureCurrency": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastEventTime": {"data_type": "datetime", "description": ''}, + "ReleaseServicingLevel": {"data_type": "string", "description": ''}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SecurityCompliance": {"data_type": "string", "description": ''}, + "ServicingChannel": {"data_type": "string", "description": ''}, + "ServicingState": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAWindowsCurrencyAssessmentDailyCounts": { + "AggregationTime": {"data_type": "datetime", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "BuildVersion": {"data_type": "string", "description": ''}, + "DeviceCount": {"data_type": "int", "description": ''}, + "FeatureCurrencyLegend": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SecurityComplianceLegend": {"data_type": "string", "description": ''}, + "ServicingChannel": {"data_type": "string", "description": ''}, + "SnapshotTime": {"data_type": "datetime", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MAWindowsDeploymentStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildId": {"data_type": "int", "description": ''}, + "DeploymentDuration": {"data_type": "int", "description": ''}, + "DeploymentEndTime": {"data_type": "datetime", "description": ''}, + "DeploymentOverviewStatus": {"data_type": "string", "description": ''}, + "DeploymentStage": {"data_type": "string", "description": ''}, + "DeploymentStartTime": {"data_type": "datetime", "description": ''}, + "DeploymentStatus": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "ErrorCode": {"data_type": "int", "description": ''}, + "ErrorDescription": {"data_type": "string", "description": ''}, + "ExtendedErrorCode": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastEventTime": {"data_type": "datetime", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "PauseState": {"data_type": "string", "description": ''}, + "RecommendedAction": {"data_type": "string", "description": ''}, + "ReleaseType": {"data_type": "string", "description": ''}, + "ReleaseVersion": {"data_type": "string", "description": ''}, + "SourceBuild": {"data_type": "string", "description": ''}, + "StateName": {"data_type": "string", "description": ''}, + "TargetBuild": {"data_type": "string", "description": ''}, + "TargetReleaseName": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateDeferral": {"data_type": "int", "description": ''}, + "UpdateSource": {"data_type": "string", "description": ''}, + }, + "MAWindowsDeploymentStatusNRT": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeploymentStage": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "ErrorCode": {"data_type": "int", "description": ''}, + "ErrorDescription": {"data_type": "string", "description": ''}, + "ErrorFriendlyName": {"data_type": "string", "description": ''}, + "ExtendedErrorCode": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "RecommendedAction": {"data_type": "string", "description": ''}, + "SourceBuild": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceVersion": {"data_type": "string", "description": ''}, + "TargetBuild": {"data_type": "string", "description": ''}, + "TargetVersion": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateSource": {"data_type": "string", "description": ''}, + }, + "McasShadowItReporting": { + "AadTenantId": {"data_type": "string", "description": ''}, + "AppCategory": {"data_type": "string", "description": ''}, + "AppId": {"data_type": "string", "description": ''}, + "AppInstance": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppScore": {"data_type": "int", "description": ''}, + "AppTags": {"data_type": "dynamic", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlockedEvents": {"data_type": "int", "description": ''}, + "Date": {"data_type": "datetime", "description": ''}, + "DownloadedBytes": {"data_type": "int", "description": ''}, + "EnrichedUserName": {"data_type": "string", "description": ''}, + "IpAddress": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MachineId": {"data_type": "string", "description": ''}, + "MachineName": {"data_type": "string", "description": ''}, + "RawUserName": {"data_type": "string", "description": ''}, + "RichUserName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StreamName": {"data_type": "string", "description": ''}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalBytes": {"data_type": "int", "description": ''}, + "TotalEvents": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UploadedBytes": {"data_type": "int", "description": ''}, + "UserName": {"data_type": "string", "description": ''}, + }, + "MCCEventLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheNodeId": {"data_type": "string", "description": 'Unique CacheNode identifier.'}, + "EgressMbps": {"data_type": "real", "description": 'The total data volume (MB) per second delivered including: data volume (MB) that came directly from cache (hitMbps) and data volume (MB) that Microsoft Connected Cache had to download from CDN to see the cache (missMbps).'}, + "HitMbps": {"data_type": "real", "description": 'Data volume (MB) per second that came directly from Microsoft Connected Cache.'}, + "HitRatioMbps": {"data_type": "real", "description": 'Ratio of Data volume (MB) per second that came directly from Microsoft Connected Cache(hitMbps) to The total data volume (MB) per second delivered(egressMbps).'}, + "Hits": {"data_type": "int", "description": 'The number of times data is found in the cache.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Misses": {"data_type": "int", "description": 'The number of times data is not found in the cache and had to download from CDN.'}, + "MissMbps": {"data_type": "real", "description": 'Data volume (MB) per second that Microsoft Connected Cache had to download from CDN to see the cache.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MCVPAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerAccessLevels": {"data_type": "string", "description": 'The caller access level - Administrator, Writer or Reader.'}, + "CallerIdentities": {"data_type": "string", "description": 'The caller identity, user alias or email address.'}, + "CallerIpAddress": {"data_type": "string", "description": 'IPV4 caller ip address.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationAccessLevel": {"data_type": "string", "description": 'The operation access level of the request - Administrator, Writer or Reader.'}, + "OperationCategories": {"data_type": "string", "description": 'The operation request categories like Provision, Connection or Claims.'}, + "OperationCategoryDescription": {"data_type": "string", "description": 'The operation request category general description.'}, + "OperationName": {"data_type": "string", "description": 'The operation request name where the audit log was created.'}, + "OperationResult": {"data_type": "string", "description": 'The operation request result - Success or Fail.'}, + "OperationResultDescription": {"data_type": "string", "description": 'The operation request result description. The column will contain information if the OperationResult value is other than Success or Fail.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": 'An identifier of the request as known by the caller.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the audit log was created.'}, + "TraceId": {"data_type": "string", "description": 'An identifier for distributed tracing through a system (W3C TraceContext).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MCVPOperationLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceName": {"data_type": "string", "description": 'Device friendly name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The general log message.'}, + "OperationName": {"data_type": "string", "description": 'The operation name where the log was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SeverityText": {"data_type": "string", "description": 'The log severity.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpanId": {"data_type": "string", "description": 'An identifier of the request as known by the caller.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "TraceId": {"data_type": "string", "description": 'An identifier for distributed tracing through a system (W3C TraceContext).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VehicleId": {"data_type": "string", "description": 'Unique vehicle identifier.'}, + }, + "MDCDetectionDNSEvents": { + "Addresses": {"data_type": "dynamic", "description": 'The list of IP addresses resolved by the DNS lookup call.'}, + "AzureResourceId": {"data_type": "string", "description": 'The Azure resource ID of the K8S cluster resource.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Comm": {"data_type": "string", "description": 'The command name which initiated the dns lookup call - i.e. curl, wget etc.'}, + "ContainerId": {"data_type": "string", "description": 'The container id of the docker container which initiated the dns lookup call.'}, + "ContainerName": {"data_type": "string", "description": 'The name of the docker container which initiated the dns lookup call.'}, + "DataPipelineMetadata": {"data_type": "dynamic", "description": 'Holds Data PipelineMetadata.'}, + "Digest": {"data_type": "string", "description": 'The digest of the Image running in the docker container which initiated the dns lookup call.'}, + "Domain": {"data_type": "string", "description": 'The domain name that was queried/resolved by the DNS lookup call.'}, + "Gid": {"data_type": "string", "description": 'The group id of the user who initiated the dns lookup call.'}, + "ImageName": {"data_type": "string", "description": 'The name of the Image running in the docker container which initiated the dns lookup call.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Latency": {"data_type": "string", "description": 'The latency of the DNS lookup call.'}, + "NameServer": {"data_type": "string", "description": 'The nameserver used in order to resolve the DNS lookup call.'}, + "Namespace": {"data_type": "string", "description": 'The namespace of the pod in which the container is running.'}, + "NodeName": {"data_type": "string", "description": 'The name of the node on which the pod is running.'}, + "PacketId": {"data_type": "string", "description": 'The packet id in the packet that was sent for the DNS lookup call.'}, + "PID": {"data_type": "string", "description": 'The process id of the process which initiated the dns lookup call.'}, + "PodName": {"data_type": "string", "description": 'The name of the pod in which the container is running.'}, + "Ppid": {"data_type": "string", "description": 'The parent process id of the process which initiated the dns lookup call.'}, + "QR": {"data_type": "string", "description": 'Q for Query packets, R for Response packets.'}, + "Qtype": {"data_type": "string", "description": 'The type of the DNS query - i.e. A, AAAA, CNAME etc.'}, + "Rcode": {"data_type": "string", "description": 'A string representing Succes/Error DNS lookup result.'}, + "Region": {"data_type": "string", "description": 'The region where the K8S cluster is deployed.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Tid": {"data_type": "string", "description": 'The thread id of the DNS lookup call.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the monitored entity was created, renamed, modified or deleted.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uid": {"data_type": "string", "description": 'The user id of the user who initiated the dns lookup call.'}, + }, + "MDCDetectionFimEvents": { + "AgentId": {"data_type": "string", "description": 'Holds the Tivan Agent Id.'}, + "AzureResourceId": {"data_type": "string", "description": 'The Azure resource ID of the resource whose monitored entity was created, renamed, modified or deleted.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'The name of the machine on which the monitored entity was created, renamed, modified or deleted.'}, + "DataPipelineMetadata": {"data_type": "dynamic", "description": 'Holds Data PipelineMetadata.'}, + "EventType": {"data_type": "string", "description": "The type of change that occurred on the entity. Must be either 'Created', 'Modified', 'Renamed' or 'Deleted'."}, + "FileName": {"data_type": "string", "description": 'Holds the name of the file that was created, renamed, modified or deleted.'}, + "FilePath": {"data_type": "string", "description": 'Holds the path of the file that was created, renamed, modified or deleted.'}, + "FileType": {"data_type": "string", "description": 'Holds the type of the file that was created, renamed, modified or deleted. Example of possible values: Zip, PDF, Xar etc.'}, + "InitiatingProcessId": {"data_type": "string", "description": 'Holds the process Id of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessName": {"data_type": "string", "description": 'Holds the name of the initiating process that caused the monitored entity event.'}, + "Inode": {"data_type": "string", "description": 'Holds the Tivan Agent Id.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDir": {"data_type": "bool", "description": 'True if event is for a directory, false if event is for a file.'}, + "Region": {"data_type": "string", "description": 'The region the resource whose monitored entity was created, renamed, modified or deleted.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the monitored entity was created, renamed, modified or deleted.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MDCFileIntegrityMonitoringEvents": { + "AADTenantID": {"data_type": "string", "description": 'The AAD tenant ID of the subscription in which the monitored entity was created, renamed, modified or deleted.'}, + "AzureResourceId": {"data_type": "string", "description": 'The Azure resource ID of the resource whose monitored entity was created, renamed, modified or deleted.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChangeType": {"data_type": "string", "description": "The type of change that occurred on the entity. For 'File' entity must be either 'Created', 'Modified', 'Renamed' or 'Deleted'. For 'Registry' entity must be either 'RegistryKeyCreated', 'RegistryKeyDeleted', 'RegistryValueSet', 'RegistryValueDeleted', 'RegistryKeyRenamed'."}, + "CloudIdentifier": {"data_type": "string", "description": 'The cloud identifier of the resource.'}, + "CloudProvider": {"data_type": "string", "description": 'The cloud provider of the resource.'}, + "CloudResourceType": {"data_type": "string", "description": 'The type of the cloud resource.'}, + "Computer": {"data_type": "string", "description": 'The name of the machine on which the monitored entity was created, renamed, modified or deleted.'}, + "FileMd5": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the MD5 of the file that was modified, created or deleted."}, + "FileName": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the name of the file that was created, renamed, modified or deleted."}, + "FilePath": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the path of the file that was created, renamed, modified or deleted."}, + "FileSha1": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the SHA1 of the file that was modified, created or deleted."}, + "FileSha256": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the SHA256 of the file that was modified, created or deleted."}, + "FileSize": {"data_type": "long", "description": "Relevant for 'File' monitored entity type. Holds the current size (in bytes) of the file that was created, renamed, modified or deleted."}, + "FileType": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the type of the file that was created, renamed, modified or deleted. Example of possible values: Zip, PDF, Xar etc."}, + "InitiatingProcessAccountDomainName": {"data_type": "string", "description": 'Holds the account domain name of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessAccountName": {"data_type": "string", "description": 'Holds the account name of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessAccountSid": {"data_type": "string", "description": 'Holds the account SID of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessCreationTime": {"data_type": "datetime", "description": 'Holds the creation time of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessFirstSeen": {"data_type": "datetime", "description": 'Holds the first seen time of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessId": {"data_type": "long", "description": 'Holds the process Id of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessImageFileName": {"data_type": "string", "description": 'Holds the image file name of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessImageFilePath": {"data_type": "string", "description": 'Holds the image file path of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessImageFileType": {"data_type": "string", "description": 'Holds the image file type of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessName": {"data_type": "string", "description": 'Holds the name of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessSessionId": {"data_type": "long", "description": 'Holds the session Id of the initiating process that caused the monitored entity event.'}, + "InitiatingProcessSource": {"data_type": "string", "description": 'Holds the source of the initiating process that caused the monitored entity event.'}, + "InitProcImageCreationTimeUtc": {"data_type": "datetime", "description": 'Holds the image creation time for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageFileSizeInBytes": {"data_type": "long", "description": 'Holds the image file size (in Bytes) of the initiating process that caused the monitored entity event.'}, + "InitProcImageLastAccessTimeUtc": {"data_type": "datetime", "description": 'Holds the image last access time for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageLastWriteTimeUtc": {"data_type": "datetime", "description": 'Holds the image last write time for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageLsHash": {"data_type": "string", "description": 'Holds the image LS hash for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageMd5": {"data_type": "string", "description": 'Holds the image MD5 for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImagePeTimestampUtc": {"data_type": "datetime", "description": 'Holds the image PE time for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageSha1": {"data_type": "string", "description": 'Holds the image SHA 1 for the image of the initiating process that caused the monitored entity event.'}, + "InitProcImageSha256": {"data_type": "string", "description": 'Holds the image SHA 256 for the image of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoCompanyName": {"data_type": "string", "description": 'Holds the version info company name of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoFileDescription": {"data_type": "string", "description": 'Holds the version info file description of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoInternalFileName": {"data_type": "string", "description": 'Holds the version info internal file name of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoOriginalFileName": {"data_type": "string", "description": 'Holds the version info original file name of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoProductName": {"data_type": "string", "description": 'Holds the version info product name of the initiating process that caused the monitored entity event.'}, + "InitProcVersionInfoProductVersion": {"data_type": "string", "description": 'Holds the version info product version of the initiating process that caused the monitored entity event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MonitoredEntityType": {"data_type": "string", "description": "The type of the monitored entity that was created, renamed, modified or deleted. Can be either 'File' or 'Registry'."}, + "NewValueData": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the New registry value data."}, + "NewValueName": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the New registry value name."}, + "NewValueType": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the New registry value type."}, + "OldValueData": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the previous registry value data."}, + "OldValueFullRegistryKey": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the previous full registry key."}, + "OldValueName": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the previous registry value name."}, + "OldValueType": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the previous registry value type."}, + "OriginalFileName": {"data_type": "string", "description": "Relevant for 'File' monitored entity type and for a 'Rename' change type. Holds the original name the file that was renamed, before the rename occured."}, + "OriginalFilePath": {"data_type": "string", "description": "Relevant for 'File' monitored entity type and for a 'Rename' change type. Holds the original path of the file that was renamed, before the rename occured."}, + "RegistryHive": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the grouping configuration settings for the operating system and applications."}, + "RegistryKey": {"data_type": "string", "description": "Relevant for 'Registry' monitored entity type. Holds the full registry key of the registry that was created or the new registry key of the registry that was renamed."}, + "RequestAccountDomain": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the domain of the account of the user that caused the file event."}, + "RequestAccountName": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the name of the account of the user that caused the file event."}, + "RequestAccountSid": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the SID of the account of the user that caused the file event."}, + "RequestSource": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the source of the account of the user that caused the file event. For example Local/SMB/NFS."}, + "RequestSourceIP": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the source IP of the account of the user that caused the file event. For remote file, the IP from which the request came."}, + "RequestSourcePort": {"data_type": "string", "description": "Relevant for 'File' monitored entity type. Holds the source port of the account of the user that caused the file event. For remote file, the port from which the request came."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the monitored entity was created, renamed, modified or deleted.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MDECustomCollectionDeviceFileEvents": { + "ActionType": {"data_type": "string", "description": 'Type of activity that triggered the event.'}, + "AdditionalFields": {"data_type": "dynamic", "description": 'Additional information about the entity or event.'}, + "AppGuardContainerId": {"data_type": "string", "description": 'Identifier for the virtualized container used by Application Guard to isolate browser activity.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Unique identifier for the device in the service.'}, + "DeviceName": {"data_type": "string", "description": 'Fully qualified domain name (FQDN) of the device.'}, + "FileName": {"data_type": "string", "description": 'Name of the file that the recorded action was applied to.'}, + "FileOriginIP": {"data_type": "string", "description": 'IP address where the file was downloaded from.'}, + "FileOriginReferrerUrl": {"data_type": "string", "description": 'URL of the web page that links to the downloaded file.'}, + "FileOriginUrl": {"data_type": "string", "description": 'URL where the file was downloaded from.'}, + "FileSize": {"data_type": "long", "description": 'Size of the file in bytes.'}, + "FolderPath": {"data_type": "string", "description": 'Folder containing the file that the recorded action was applied to.'}, + "InitProcessAccountDomain": {"data_type": "string", "description": 'Domain of the account that ran the process responsible for the event.'}, + "InitProcessAccountName": {"data_type": "string", "description": 'User name of the account that ran the process responsible for the event.'}, + "InitProcessAccountObjectId": {"data_type": "string", "description": 'Azure AD object ID of the user account that ran the process responsible for the event.'}, + "InitProcessAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account that ran the process responsible for the event.'}, + "InitProcessAccountUpn": {"data_type": "string", "description": 'User principal name (UPN) of the account that ran the process responsible for the event.'}, + "InitProcessCommandLine": {"data_type": "string", "description": 'Command line used to run the process that initiated the event.'}, + "InitProcessCreationTime": {"data_type": "datetime", "description": 'Date and time when the process that initiated the event was started.'}, + "InitProcessFileName": {"data_type": "string", "description": 'Name of the process that initiated the event.'}, + "InitProcessFileSize": {"data_type": "long", "description": 'Size in bytes of the process (image file) that initiated the event.'}, + "InitProcessFolderPath": {"data_type": "string", "description": 'Folder containing the process (image file) that initiated the event.'}, + "InitProcessId": {"data_type": "long", "description": 'Process ID (PID) of the process that initiated the event.'}, + "InitProcessIntegrityLevel": {"data_type": "string", "description": 'Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.'}, + "InitProcessMD5": {"data_type": "string", "description": 'MD5 hash of the process (image file) that initiated the event.'}, + "InitProcessParentCreationTime": {"data_type": "datetime", "description": 'Date and time when the parent of the process responsible for the event was started.'}, + "InitProcessParentFileName": {"data_type": "string", "description": 'Name of the parent process that spawned the process responsible for the event.'}, + "InitProcessParentId": {"data_type": "long", "description": 'Process ID (PID) of the parent process that spawned the process responsible for the event.'}, + "InitProcessSHA1": {"data_type": "string", "description": 'SHA-1 hash of the process (image file) that initiated the event.'}, + "InitProcessSHA256": {"data_type": "string", "description": 'SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.'}, + "InitProcessTokenElevation": {"data_type": "string", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.'}, + "InitProcessVersionInfoCompanyName": {"data_type": "string", "description": 'Company name from the version information of the process (image file) responsible for the event.'}, + "InitProcessVersionInfoFileDescription": {"data_type": "string", "description": 'Description from the version information of the process (image file) responsible for the event.'}, + "InitProcessVersionInfoInternalFileName": {"data_type": "string", "description": 'Internal file name from the version information of the process (image file) responsible for the event.'}, + "InitProcessVersionInfoOriginalFileName": {"data_type": "string", "description": 'Original file name from the version information of the process (image file) responsible for the event.'}, + "InitProcessVersionInfoProductName": {"data_type": "string", "description": 'Product name from the version information of the process (image file) responsible for the event.'}, + "InitProcessVersionInfoProductVersion": {"data_type": "string", "description": 'Product version from the version information of the process (image file) responsible for the event.'}, + "IsAzureInfoProtectionApplied": {"data_type": "bool", "description": 'Indicates whether the file is encrypted by Azure Information Protection.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MachineGroup": {"data_type": "string", "description": 'Machine group of the machine. This group is used by role-based access control to determine access to the machine.'}, + "MD5": {"data_type": "string", "description": 'MD5 hash of the file that the recorded action was applied to.'}, + "PreviousFileName": {"data_type": "string", "description": 'Original name of the file that was renamed as a result of the action.'}, + "PreviousFolderPath": {"data_type": "string", "description": 'Original folder containing the file before the recorded action was applied.'}, + "ReportId": {"data_type": "long", "description": 'Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.'}, + "RequestAccountDomain": {"data_type": "string", "description": 'Domain of the account used to remotely initiate the activity.'}, + "RequestAccountName": {"data_type": "string", "description": 'User name of account used to remotely initiate the activity.'}, + "RequestAccountSid": {"data_type": "string", "description": 'Security Identifier (SID) of the account used to remotely initiate the activity.'}, + "RequestProtocol": {"data_type": "string", "description": 'Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS.'}, + "RequestSourceIP": {"data_type": "string", "description": 'IPv4 or IPv6 address of the remote device that initiated the activity.'}, + "RequestSourcePort": {"data_type": "int", "description": 'Source port on the remote device that initiated the activity.'}, + "SensitivityLabel": {"data_type": "string", "description": 'Label applied to an email, file, or other content to classify it for information protection.'}, + "SensitivitySubLabel": {"data_type": "string", "description": 'Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently.'}, + "SHA1": {"data_type": "string", "description": 'SHA-1 hash of the file that the recorded action was applied to.'}, + "SHA256": {"data_type": "string", "description": 'SHA-256 of the file that the recorded action was applied to.'}, + "ShareName": {"data_type": "string", "description": 'Name of shared folder containing the file.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the event was recorded by the MDE agent on the endpoint.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftAzureBastionAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIpAddress": {"data_type": "string", "description": 'Browser IP Address that was used to log into the VirtualMachine from Bastion'}, + "ClientPort": {"data_type": "int", "description": 'Browser Port Number that was used to log into the VirtualMachine from Bastion'}, + "Duration": {"data_type": "int", "description": 'Duration in milliseconds where the Bastion Session lasted (available only when the Bastion Session ended)'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the server that processed the request (e.g., South Central US).'}, + "Message": {"data_type": "string", "description": "Additonal text that's assoicated of this event"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "Protocol": {"data_type": "string", "description": 'Protocol (could be ssh or rdp) that was used to log into the VirtualMachine from Bastion'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceType": {"data_type": "string", "description": 'Resource Type that was accessed during the session. This could be a VM/VMSS/BSL/etc.'}, + "SessionEndTime": {"data_type": "string", "description": 'Timestamp (UTC) of when the Bastion Session was ended'}, + "SessionStartTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the Bastion Session was started'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetResourceId": {"data_type": "string", "description": 'ResourceID of the VirtualMachine where the Bastion was connected to'}, + "TargetVMIPAddress": {"data_type": "string", "description": 'IP Address of VirtualMachine where the Bastion was connected to'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Time": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TunnelId": {"data_type": "string", "description": 'Internal Bastion Connection GUID'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'Browser User Agent that the request was sent'}, + "UserEmail": {"data_type": "string", "description": 'UserEmail account that was used to log into the VirtualMachine'}, + "UserName": {"data_type": "string", "description": 'UserName that was used to log into the VirtualMachine from Bastion'}, + }, + "MicrosoftDataShareReceivedSnapshotLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'CorrelationId of the event, this can be use as a reference to join with other tables'}, + "DataSetMappingType": {"data_type": "string", "description": 'Indicating the dataSetMapping type, this can be Blob/container/bolbfolder,etc'}, + "DataSetName": {"data_type": "string", "description": 'Name of provider source dataset'}, + "DataSetType": {"data_type": "string", "description": 'Indicating the dataSet type, this can be Blob/container/bolbfolder,etc'}, + "DetailMessage": {"data_type": "string", "description": 'This shows the event details. Can be empty if synchronization is not finished'}, + "EndTime": {"data_type": "string", "description": 'Datashare synchronization end time, can be empty if job not finished'}, + "FilesRead": {"data_type": "string", "description": 'Number of files read from source'}, + "FilesWritten": {"data_type": "string", "description": 'Number of files written into sink'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SizeRead": {"data_type": "string", "description": 'Size of files read from source'}, + "SizeWritten": {"data_type": "string", "description": 'Size of files into sink in bytes'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "string", "description": 'Datashare synchronization start time'}, + "Status": {"data_type": "string", "description": 'Synchronization status, can be inprogress/succeed/failed'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the event is generated'}, + "TriggerType": {"data_type": "string", "description": 'Indicating whether the trigger is on-demand trigger or manual trigger'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftDataShareSentSnapshotLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "CorrelationId": {"data_type": "string", "description": 'CorrelationId of the event, this can be use as a reference to join with other tables'}, + "DataSetMappingType": {"data_type": "string", "description": 'Indicating the dataSetMapping type, this can be Blob/container/bolbfolder,etc'}, + "DataSetName": {"data_type": "string", "description": 'Name of provider source dataset'}, + "DataSetType": {"data_type": "string", "description": 'Indicating the dataSet type, this can be Blob/container/bolbfolder,etc'}, + "DetailMessage": {"data_type": "string", "description": 'This shows the event details. Can be empty if synchronization is not finished'}, + "EndTime": {"data_type": "string", "description": 'Datashare synchronization end time, can be empty if job not finished'}, + "FilesRead": {"data_type": "string", "description": 'Number of files read from source'}, + "FilesWritten": {"data_type": "string", "description": 'Number of files written into sink'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SizeRead": {"data_type": "string", "description": 'Size of files read from source'}, + "SizeWritten": {"data_type": "string", "description": 'Size of files into sink in bytes'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "string", "description": 'Datashare synchronization start time'}, + "Status": {"data_type": "string", "description": 'Synchronization status, can be inprogress/succeed/failed'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when the event is generated'}, + "TriggerType": {"data_type": "string", "description": 'Indicating whether the trigger is on-demand trigger or manual trigger'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftDataShareShareLog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The name of the log that belongs to'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftDynamicsTelemetryPerformanceLogs": { + "ActivityId": {"data_type": "string", "description": 'Unique identifier for an activity'}, + "BatchJobId": {"data_type": "long", "description": 'Id of the batch job'}, + "BatchJobTaskId": {"data_type": "long", "description": 'Task Id of the batch job'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallStack": {"data_type": "string", "description": 'Execution call stack'}, + "Category": {"data_type": "string", "description": 'Log category'}, + "ClassName": {"data_type": "string", "description": 'Name of the class'}, + "ConnectionType": {"data_type": "string", "description": 'Type of the connection'}, + "CountOfDdl": {"data_type": "int", "description": 'Count of data definition requests'}, + "CountOfDelete": {"data_type": "int", "description": 'Count of delete requests'}, + "CountOfInsert": {"data_type": "int", "description": 'Count of insert requests'}, + "CountOfOther": {"data_type": "int", "description": 'Count of other requests'}, + "CountOfProc": {"data_type": "int", "description": 'Count of procedure requests'}, + "CountOfSelect": {"data_type": "int", "description": 'Count of select requests'}, + "CountOfUpdate": {"data_type": "int", "description": 'Count of update requests'}, + "Duration": {"data_type": "int", "description": 'Duration (in milliseconds) of the form execution time'}, + "DurationInMilliSeconds": {"data_type": "int", "description": 'Duration in milliseconds of the batch jobs'}, + "Environment": {"data_type": "string", "description": 'Name of the environment as deployed in Lifecycle Services'}, + "EnvironmentId": {"data_type": "string", "description": 'Unique identifier for an environment as shown in Lifecycle Services'}, + "ErrorMessage": {"data_type": "string", "description": 'Error message logged in the application'}, + "EventMessage": {"data_type": "string", "description": 'Additional information about the event'}, + "EventName": {"data_type": "string", "description": 'Name of the event'}, + "ExecutionResultRowCount": {"data_type": "int", "description": 'Returned rowCount from the executed SQL query'}, + "ExecutionStatus": {"data_type": "int", "description": 'Execution Status of the query'}, + "ExecutionTimeSeconds": {"data_type": "real", "description": 'Execution time in seconds for the AosDatabaseSlowQuery event'}, + "formName": {"data_type": "string", "description": 'Name of the form in Finance and Operations'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsValid": {"data_type": "bool", "description": 'Is it valid'}, + "IsWarmEvent": {"data_type": "bool", "description": 'Is this a warm event'}, + "LegalEntity": {"data_type": "long", "description": 'Legal entity'}, + "Parameters": {"data_type": "dynamic", "description": 'Collection of SQL performance metrics'}, + "Pid": {"data_type": "int", "description": 'Process id'}, + "QueryType": {"data_type": "string", "description": 'Type of the executed SQL query'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'Type of the machine (AOS/BI) emitting the events'}, + "RoleInstance": {"data_type": "string", "description": 'Name of the machine emitting the events'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlCpu": {"data_type": "real", "description": 'SqlCpu Utilization'}, + "SqlSpid": {"data_type": "int", "description": 'Process id for the SQL statement (SqlSpid)'}, + "SqlStatement": {"data_type": "string", "description": 'SQL query statement'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "TransactionDurationSeconds": {"data_type": "real", "description": 'Transaction duration in seconds for Aos Large Active Transactions'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftDynamicsTelemetrySystemMetricsLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log category'}, + "EnvironmentId": {"data_type": "string", "description": 'Unique identifier for an environment as shown in Lifecycle Services'}, + "EventName": {"data_type": "string", "description": 'Name of the event'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'Type of the machine (AOS/BI) emitting the events'}, + "RoleInstance": {"data_type": "string", "description": 'Name of the machine emitting the events'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftGraphActivityLogs": { + "AadTenantId": {"data_type": "string", "description": 'The Azure AD tenant ID.'}, + "ApiVersion": {"data_type": "string", "description": 'The API version of the event.'}, + "AppId": {"data_type": "string", "description": 'The identifier for the application.'}, + "ATContent": {"data_type": "string", "description": 'Reserved for future use.'}, + "ATContentH": {"data_type": "string", "description": 'Reserved for future use.'}, + "ATContentP": {"data_type": "string", "description": 'Reserved for future use.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientAuthMethod": {"data_type": "int", "description": 'Indicates how the client was authenticated. For a public client, the value is 0. If client ID and client secret are used, the value is 1. If a client certificate was used for authentication, the value is 2.'}, + "ClientRequestId": {"data_type": "string", "description": 'Optional. The client request identifier when sent. If no client request identifier is sent, the value will be equal to the operation identifier.'}, + "DurationMs": {"data_type": "int", "description": 'The duration of the request in milliseconds.'}, + "IdentityProvider": {"data_type": "string", "description": 'The identity provider that authenticated the subject of the token.'}, + "IPAddress": {"data_type": "string", "description": 'The IP address of the client from where the request occurred.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The name of the region that served the request.'}, + "OperationId": {"data_type": "string", "description": 'The identifier for the batch. For non-batched requests, this will be unique per request. For batched requests, this will be the same for all requests in the batch.'}, + "RequestId": {"data_type": "string", "description": 'The identifier representing the request.'}, + "RequestMethod": {"data_type": "string", "description": 'The HTTP method of the event.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request.'}, + "ResponseSizeBytes": {"data_type": "int", "description": 'The size of the response in Bytes.'}, + "ResponseStatusCode": {"data_type": "int", "description": 'The HTTP response status code for the event.'}, + "Roles": {"data_type": "string", "description": 'The roles in token claims.'}, + "Scopes": {"data_type": "string", "description": 'The scopes in token claims.'}, + "ServicePrincipalId": {"data_type": "string", "description": 'The identifier of the servicePrincipal making the request.'}, + "SignInActivityId": {"data_type": "string", "description": 'The identifier representing the sign-in activitys.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the request was received.'}, + "TokenIssuedAt": {"data_type": "datetime", "description": 'The timestamp the token was issued at.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent information related to request.'}, + "UserId": {"data_type": "string", "description": 'The identifier of the user making the request.'}, + "Wids": {"data_type": "string", "description": 'Denotes the tenant-wide roles assigned to this user.'}, + }, + "MicrosoftHealthcareApisAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIdentity": {"data_type": "dynamic", "description": "The caller's identity."}, + "CallerIdentityIssuer": {"data_type": "string", "description": 'The JWD token Issuer.'}, + "CallerIdentityObjectId": {"data_type": "string", "description": 'The AAD object ID.'}, + "CallerIPAddress": {"data_type": "string", "description": 'The IP address of the caller.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation id of the request.'}, + "FhirResourceType": {"data_type": "string", "description": 'The resource type the operation was executed for.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location of the server that processed the request (e.g., South Central US).'}, + "LogCategory": {"data_type": "string", "description": 'The audit event category.'}, + "OperationDuration": {"data_type": "int", "description": 'The duration of the operation in ms.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation represented by this event.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties.'}, + "RequestUri": {"data_type": "string", "description": 'The URI of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The result type.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "int", "description": 'The HTTP status code.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MicrosoftPurviewInformationProtection": { + "ActionSource": {"data_type": "string", "description": 'The source of the label action.'}, + "ActionSourceDetail": {"data_type": "string", "description": 'More details about the source of the label action.'}, + "AppAccessContext": {"data_type": "dynamic", "description": 'The application context for the user or service principal that performed the action.'}, + "Application": {"data_type": "string", "description": 'The application that where the activity happened.'}, + "ApplicationMode": {"data_type": "string", "description": 'The label application mode, how the label was applied.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": 'The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.'}, + "Common": {"data_type": "dynamic", "description": 'Azure Information Protection - common event data.'}, + "ConditionMatch": {"data_type": "dynamic", "description": 'The condition match that triggered the auto labeling.'}, + "ContentType": {"data_type": "string", "description": 'Content type.'}, + "CorrelationId": {"data_type": "string", "description": 'Correlation ID.'}, + "CurrentProtectionType": {"data_type": "dynamic", "description": 'Current protection event information.'}, + "CurrentProtectionTypeName": {"data_type": "string", "description": 'The type of protection applied.'}, + "DataState": {"data_type": "string", "description": 'Azure Information Protection - data state.'}, + "DeviceName": {"data_type": "string", "description": 'The device on which the activity happened.'}, + "EmailInfo": {"data_type": "dynamic", "description": 'The information required when the internalTarget is an email.'}, + "ExchangeMetaData": {"data_type": "dynamic", "description": 'Exchange auto labeling metadata.'}, + "ExecutionRuleId": {"data_type": "string", "description": 'The ID of the rule that was executed.'}, + "ExecutionRuleName": {"data_type": "string", "description": 'The name of the rule that was executed.'}, + "ExecutionRuleVersion": {"data_type": "string", "description": 'The version of the rule that was executed.'}, + "Id": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "IrmContentId": {"data_type": "string", "description": 'The unique ID used for identifying the encrypted document after the operation is complete.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsViewableByExternalUsers": {"data_type": "bool", "description": 'Is viewable by external users.'}, + "ItemCreationTime": {"data_type": "datetime", "description": 'The date and time the item was created.'}, + "ItemLastModifiedTime": {"data_type": "datetime", "description": 'The date and time the item was last modified.'}, + "ItemName": {"data_type": "string", "description": 'The item name.'}, + "ItemSize": {"data_type": "string", "description": 'The item size.'}, + "JustificationText": {"data_type": "string", "description": 'The justification to be provided, when configured by the admin in the sensitivity label policy, only when the sensitivity label is downgraded or removed by the user.'}, + "LabelAction": {"data_type": "string", "description": 'The action applied by the label.'}, + "LabelAppliedDateTime": {"data_type": "datetime", "description": 'The date and time the label was applied.'}, + "LabelEventType": {"data_type": "string", "description": 'The label operation.'}, + "LabelName": {"data_type": "string", "description": 'The label name applied to the item.'}, + "LabelVersion": {"data_type": "string", "description": 'The label version applied by the auto labeling policy.'}, + "MachineName": {"data_type": "string", "description": 'The machine name.'}, + "MgtRuleId": {"data_type": "string", "description": 'Management rule ID.'}, + "ObjectId": {"data_type": "string", "description": 'For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OldSensitivityLabelId": {"data_type": "string", "description": 'The identifier of the sensitivity label previously applied to the document before the operation to change/remove the label was triggered.'}, + "OldSensitivityLabelOwnerEmail": {"data_type": "string", "description": 'The email address of the owner of the old sensitivity label.'}, + "Operation": {"data_type": "string", "description": 'The name of the user or admin activity.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "OverriddenActions": {"data_type": "dynamic", "description": 'Actions that were overridden by the rule actions.'}, + "OverRideReason": {"data_type": "string", "description": 'The reason the sensitivity label was overridden.'}, + "OverRideType": {"data_type": "string", "description": 'Override type.'}, + "Platform": {"data_type": "string", "description": 'The platform on which the activity happened.'}, + "PolicyId": {"data_type": "string", "description": 'Policy ID.'}, + "PolicyName": {"data_type": "string", "description": 'Policy name.'}, + "PolicyVersion": {"data_type": "string", "description": 'Policy version.'}, + "PreviousProtectionType": {"data_type": "dynamic", "description": 'Previous protection event information.'}, + "PreviousProtectionTypeName": {"data_type": "string", "description": 'Previous protection type.'}, + "ProtectionEventData": {"data_type": "dynamic", "description": 'Azure Information Protection - protection event data.'}, + "ProtectionEventTypeName": {"data_type": "string", "description": 'Protection event type name.'}, + "Receivers": {"data_type": "dynamic", "description": 'The email addresses of the receivers.'}, + "RecordType": {"data_type": "int", "description": 'The type of operation indicated by the record.'}, + "RecordTypeName": {"data_type": "string", "description": 'The record type name.'}, + "ResultStatus": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.'}, + "RuleActions": {"data_type": "dynamic", "description": 'Actions defined by the rules.'}, + "RuleMode": {"data_type": "string", "description": 'The current mode of the rule.'}, + "Scope": {"data_type": "string", "description": 'Was this event created by a hosted O365 service or an on-premises server.'}, + "ScopedLocationId": {"data_type": "string", "description": 'The address that triggered the policy match.'}, + "Sender": {"data_type": "string", "description": 'The email address of the sender.'}, + "SensitiveInfoDetectionIsIncluded": {"data_type": "bool", "description": 'Determines if sensitive info detection is included.'}, + "SensitiveInfoTypeData": {"data_type": "dynamic", "description": 'Azure Information Protection - sensitive information types.'}, + "SensitivityLabelId": {"data_type": "string", "description": 'The identifier for the sensitivity label recommended, as per the policy that was matched based on the contents of the document.'}, + "SensitivityLabelOwnerEmail": {"data_type": "string", "description": 'The email address of the owner of the sensitivity label.'}, + "SensitivityLabelPolicyId": {"data_type": "string", "description": 'The identifier for the sensitivity labeling policy that was matched based on the content of the document.'}, + "Severity": {"data_type": "string", "description": 'The severity of the auto label policy match.'}, + "SharePointMetaData": {"data_type": "dynamic", "description": 'SharePoint auto labeling metadata.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetLocation": {"data_type": "string", "description": "The location of the document with respect to the user' device."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged.'}, + "UserKey": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation.'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + "WorkLoadItemId": {"data_type": "string", "description": 'The workload item id.'}, + }, + "MNFDeviceUpdates": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Device ID of the Nexus cluster which was generating the log.'}, + "DeviceTime": {"data_type": "long", "description": 'Time when the log was generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC.'}, + "EventCategory": {"data_type": "string", "description": 'Event category describing the category of events on Nexus network fabric devices.'}, + "EventName": {"data_type": "string", "description": 'Event name describing the update performed on Nexus network fabric devices.'}, + "FabricId": {"data_type": "string", "description": 'Fabric ID of the Nexus cluster which was generating the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Properties": {"data_type": "dynamic", "description": 'Properties of the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MNFSystemSessionHistoryUpdates": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Device ID of the Nexus cluster which was generating the log.'}, + "DeviceName": {"data_type": "string", "description": 'Name of the device which was generating the log.'}, + "DiffTimeStamp": {"data_type": "long", "description": 'Time when the diffs were generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC.'}, + "EventCategory": {"data_type": "string", "description": 'Event category describing the category of events on Nexus network fabric devices.'}, + "FabricId": {"data_type": "string", "description": 'Fabric ID of the Nexus cluster which was generating the log.'}, + "GnmiTimeStamp": {"data_type": "long", "description": 'Time when the log was generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionDiffs": {"data_type": "string", "description": 'Differences in the session.'}, + "SessionUpdateSessionId": {"data_type": "string", "description": 'Session ID of the update.'}, + "SessionUpdateSize": {"data_type": "long", "description": 'Size of the session update.'}, + "SessionUpdateTimeStamp": {"data_type": "long", "description": 'Time when the session was updated. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC.'}, + "SessionUpdateUser": {"data_type": "string", "description": 'User who updated the session.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "MNFSystemStateMessageUpdates": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'Device ID of the Nexus cluster which was generating the log.'}, + "DeviceTime": {"data_type": "long", "description": 'Time when the log was generated in the Nexus cluster. This is in unix time format which is the number of seconds elapsed since January 1, 1970 UTC.'}, + "EventCategory": {"data_type": "string", "description": 'Event category describing the category of events on Nexus network fabric devices.'}, + "EventName": {"data_type": "string", "description": 'Event name describing the update performed on Nexus network fabric devices.'}, + "FabricId": {"data_type": "string", "description": 'Fabric ID of the Nexus cluster which was generating the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Properties": {"data_type": "dynamic", "description": 'Properties of the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCBMBreakGlassAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus Baremetal machine.'}, + "Log": {"data_type": "string", "description": 'The log message generated by the system during user access.'}, + "Message": {"data_type": "string", "description": 'The message parsed from the log on user access.'}, + "Mode": {"data_type": "string", "description": 'Mode of the operation by the user.'}, + "Node": {"data_type": "string", "description": 'Host name of the Baremetal Machine.'}, + "ProcessId": {"data_type": "int", "description": 'ID of the process emitting the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'User accessing the system.'}, + }, + "NCBMSecurityDefenderLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "ComponentName": {"data_type": "string", "description": 'Name of the defender component managing the Nexus cluster.'}, + "ComponentVersion": {"data_type": "string", "description": 'Version of the defender component managing the Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus Baremetal machine.'}, + "LogType": {"data_type": "string", "description": 'Type of defender log E.g. Trace, Heartbeat.'}, + "Message": {"data_type": "string", "description": 'Syslog message generated by the Baremetal machine.'}, + "NamespaceName": {"data_type": "string", "description": 'Namespace where the pod is running in the Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Host name of the Baremetal Machine.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCBMSecurityLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "Facility": {"data_type": "string", "description": 'Log facility type. E.g. daemon, kern, syslog, user.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus Baremetal machine.'}, + "Message": {"data_type": "string", "description": 'Syslog message generated by the Baremetal machine.'}, + "Node": {"data_type": "string", "description": 'Host name of the Baremetal Machine.'}, + "ProcessId": {"data_type": "int", "description": 'ID of the process emitting the log.'}, + "ProcessName": {"data_type": "string", "description": 'Identification of the process generating the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCBMSystemLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "Facility": {"data_type": "string", "description": 'Log facility type. E.g. daemon, kern, syslog, user.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus Baremetal machine.'}, + "Message": {"data_type": "string", "description": 'Syslog message generated by the Baremetal machine.'}, + "Node": {"data_type": "string", "description": 'Host name of the Baremetal Machine.'}, + "ProcessId": {"data_type": "int", "description": 'ID of the process emitting the log.'}, + "ProcessName": {"data_type": "string", "description": 'Identification of the process generating the log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCCKubernetesLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the On-prem Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "NamespaceName": {"data_type": "string", "description": 'Namespace where the pod is running in the Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCCVMOrchestrationLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the On-prem Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "NamespaceName": {"data_type": "string", "description": 'Namespace where the pod is running in the Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Severity of the log record Severity of the log record. E.g. Info, Warning, Critical, Error, Notice, Debug.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCMClusterOperationsLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the On-prem Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Log level of the message.'}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "OperationID": {"data_type": "string", "description": 'Unique identifier for the operation.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NCSStorageAlerts": { + "Action": {"data_type": "string", "description": 'Action for the storage appliance.'}, + "ArrayController": {"data_type": "string", "description": 'Array controller name of the storage appliance.'}, + "ArrayName": {"data_type": "string", "description": 'Array name of the storage appliance.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "Domain": {"data_type": "string", "description": 'Array domain of the storage appliance.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'Array result of the storage appliance.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'Array user of the storage appliance.'}, + }, + "NCSStorageAudits": { + "Action": {"data_type": "string", "description": 'Action for the storage appliance.'}, + "ArrayController": {"data_type": "string", "description": 'Array controller name of the storage appliance.'}, + "ArrayName": {"data_type": "string", "description": 'Array name of the storage appliance.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": 'Array result of the storage appliance.'}, + "Session": {"data_type": "string", "description": 'Array session of the storage appliance.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'Array user of the storage appliance.'}, + }, + "NCSStorageLogs": { + "ArrayController": {"data_type": "string", "description": 'Array controller name of the storage appliance.'}, + "ArrayName": {"data_type": "string", "description": 'Array name of the storage appliance.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClusterManagerName": {"data_type": "string", "description": 'Name of the ClusterManager managing the Nexus cluster.'}, + "ClusterName": {"data_type": "string", "description": 'Name of the on-prem Nexus cluster.'}, + "ContainerName": {"data_type": "string", "description": 'Name of the container generating the log for the Nexus cluster.'}, + "IPAddress": {"data_type": "string", "description": 'IP address generating the log in the Nexus cluster.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Nexus cluster.'}, + "Message": {"data_type": "string", "description": 'Message generated by the kubernetes containers running on Nexus cluster.'}, + "Node": {"data_type": "string", "description": 'Node name of the Nexus cluster which is generating the log.'}, + "PodName": {"data_type": "string", "description": 'Pod name generating the log in the Nexus cluster.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NetworkAccessTraffic": { + "AccessType": {"data_type": "string", "description": 'Type of accessed application. Access type options: QuickAccess, PrivateAccess.'}, + "Action": {"data_type": "string", "description": 'The action taken on the network session. Allowed, Denied.'}, + "AgentVersion": {"data_type": "string", "description": 'The version of the agent connecting.'}, + "AppId": {"data_type": "string", "description": 'Destination Application ID accessed in Azure AD during the transaction.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConnectionId": {"data_type": "string", "description": 'Unique identifier representing the connection this traffic log was initiated from.'}, + "ConnectionStatus": {"data_type": "string", "description": 'Status of a connection. Status options: Open, Active, Closed.'}, + "ConnectorId": {"data_type": "string", "description": 'Private access connector ID.'}, + "ConnectorIp": {"data_type": "string", "description": 'Private access connector IP.'}, + "ConnectorName": {"data_type": "string", "description": 'Private access connector name.'}, + "Description": {"data_type": "string", "description": 'Additional details describing the traffic.'}, + "DestinationFqdn": {"data_type": "string", "description": 'The destination device hostname, including domain information when available.'}, + "DestinationIp": {"data_type": "string", "description": 'The IP address of the connection or session destination.'}, + "DestinationPort": {"data_type": "int", "description": 'The destination IP port.'}, + "DestinationUrl": {"data_type": "string", "description": 'The Url link of the connection or session destination.'}, + "DestinationWebCategories": {"data_type": "string", "description": "The destination FQDN's Web Categories."}, + "DeviceCategory": {"data_type": "string", "description": 'Device type the transaction originated from. Client, Branch.'}, + "DeviceId": {"data_type": "string", "description": 'The ID of the source device as reported in the record.'}, + "DeviceOperatingSystem": {"data_type": "string", "description": 'The client connecting operating system type.'}, + "DeviceOperatingSystemVersion": {"data_type": "string", "description": 'The client connecting operating system version.'}, + "FilteringProfileId": {"data_type": "string", "description": 'The ID of the Filtering Profile associated with the action performed on traffic.'}, + "FilteringProfileName": {"data_type": "string", "description": 'The name of the Filtering Profile associated with the action performed on traffic.'}, + "InitiatingProcessName": {"data_type": "string", "description": 'The process initiating the traffic transaction.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkProtocol": {"data_type": "string", "description": 'The network protocol, IPv6 or IPv4.'}, + "OriginHeader": {"data_type": "string", "description": 'The origin header value.'}, + "PolicyId": {"data_type": "string", "description": 'The ID of the policy for which the request was denied by its rule.'}, + "PolicyName": {"data_type": "string", "description": 'The name of the filtering policy associated with the action performed on traffic.'}, + "PolicyRuleId": {"data_type": "string", "description": 'The ID of the rule for which the request was denied by.'}, + "ProcessingRegion": {"data_type": "string", "description": 'Region where the request was processed by the backend service.'}, + "ReceivedBytes": {"data_type": "long", "description": 'The number of bytes received.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "ResourceTenantId": {"data_type": "string", "description": 'Tenant ID that owns the resource.'}, + "RuleName": {"data_type": "string", "description": 'The name of the rule associated with the action performed on traffic.'}, + "SentBytes": {"data_type": "long", "description": 'The number of bytes sent.'}, + "SessionId": {"data_type": "string", "description": 'Unique identifier representing the session.'}, + "SourceIp": {"data_type": "string", "description": 'The IP address from which the connection or session originated.'}, + "SourcePort": {"data_type": "int", "description": 'The IP port from which the connection originated.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatType": {"data_type": "string", "description": 'The identified threat type associated with the traffic.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time (UTC) that the event was generated.'}, + "TrafficType": {"data_type": "string", "description": 'The type of the target destination traffic.'}, + "TransactionId": {"data_type": "string", "description": 'Unique identifier that representing a roundtrip of request response.'}, + "TransportProtocol": {"data_type": "string", "description": 'The IP protocol used by the connection or session as listed in IANA protocol assignment.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'A machine-readable, alphanumeric, unique representation of the source user.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The source username, including domain information when available.'}, + "XForwardedFor": {"data_type": "string", "description": 'X-Forwarded-For header of the HTTP request.'}, + }, + "NetworkMonitoring": { + "AddressType": {"data_type": "string", "description": ''}, + "AgentCapability": {"data_type": "int", "description": ''}, + "AgentFqdn": {"data_type": "string", "description": ''}, + "AgentId": {"data_type": "string", "description": ''}, + "AgentIP": {"data_type": "string", "description": ''}, + "AlertsCount": {"data_type": "int", "description": ''}, + "AvgHopLatencyList": {"data_type": "string", "description": ''}, + "AzureHopListDiagnosticCode": {"data_type": "string", "description": ''}, + "AzureHopListHealth": {"data_type": "string", "description": ''}, + "AzureHopListIPAddress": {"data_type": "string", "description": ''}, + "AzureHopListResourceID": {"data_type": "string", "description": ''}, + "AzureHopListType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BitsInPerSecond": {"data_type": "long", "description": ''}, + "BitsOutPerSecond": {"data_type": "long", "description": ''}, + "CircuitName": {"data_type": "string", "description": ''}, + "CircuitRegion": {"data_type": "string", "description": ''}, + "CircuitResourceGroup": {"data_type": "string", "description": ''}, + "CircuitResourceId": {"data_type": "string", "description": ''}, + "CircuitSKUFamily": {"data_type": "string", "description": ''}, + "CircuitSKUTier": {"data_type": "string", "description": ''}, + "CircuitSubscriptionId": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ConnectionMonitorResourceId": {"data_type": "string", "description": ''}, + "ConnectionResourceId": {"data_type": "string", "description": ''}, + "CustomFieldName": {"data_type": "string", "description": ''}, + "CustomFieldValueFloat": {"data_type": "long", "description": ''}, + "CustomFieldValueHex": {"data_type": "string", "description": ''}, + "CustomFieldValueInt": {"data_type": "long", "description": ''}, + "CustomFieldValueString": {"data_type": "string", "description": ''}, + "CustomMonitoringData": {"data_type": "string", "description": ''}, + "CustomOid": {"data_type": "string", "description": ''}, + "CustomOidResponseSuffix": {"data_type": "string", "description": ''}, + "DestinationNetwork": {"data_type": "string", "description": ''}, + "DestinationNetworkNodeInterface": {"data_type": "string", "description": ''}, + "DestinationNetworkNodeLink": {"data_type": "string", "description": ''}, + "DestinationSubNetwork": {"data_type": "string", "description": ''}, + "Details": {"data_type": "string", "description": ''}, + "DeviceComponentType": {"data_type": "string", "description": ''}, + "DeviceMonitoringChannel": {"data_type": "string", "description": ''}, + "DeviceState": {"data_type": "string", "description": ''}, + "DeviceType": {"data_type": "string", "description": ''}, + "DiagnosticHop": {"data_type": "string", "description": ''}, + "DiagnosticHopLatency": {"data_type": "string", "description": ''}, + "DiskCount": {"data_type": "int", "description": ''}, + "EgressByteCount": {"data_type": "long", "description": ''}, + "EgressPacketCount": {"data_type": "long", "description": ''}, + "EndpointId": {"data_type": "int", "description": ''}, + "Enterprise": {"data_type": "string", "description": ''}, + "ExporterIp": {"data_type": "string", "description": ''}, + "ExportProtocol": {"data_type": "string", "description": ''}, + "FanCount": {"data_type": "int", "description": ''}, + "FriendlyName": {"data_type": "string", "description": ''}, + "GenTrapType": {"data_type": "string", "description": ''}, + "HighLatency": {"data_type": "real", "description": ''}, + "HostFqdn": {"data_type": "string", "description": ''}, + "HostFqdn1": {"data_type": "string", "description": ''}, + "HostFqdn2": {"data_type": "string", "description": ''}, + "HostIp": {"data_type": "string", "description": ''}, + "HostIp1": {"data_type": "string", "description": ''}, + "HostIp2": {"data_type": "string", "description": ''}, + "IcmpPingStatus": {"data_type": "string", "description": ''}, + "ifAdminStatus": {"data_type": "string", "description": ''}, + "ifHCInBroadcastPkts": {"data_type": "long", "description": ''}, + "ifHCInMulticastPkts": {"data_type": "long", "description": ''}, + "ifHCInOctets": {"data_type": "long", "description": ''}, + "ifHCInUcastPkts": {"data_type": "long", "description": ''}, + "ifHCOutBroadcastPkts": {"data_type": "long", "description": ''}, + "ifHCOutMulticastPkts": {"data_type": "long", "description": ''}, + "ifHCOutOctetsMib2": {"data_type": "int", "description": ''}, + "ifHCOutUcastPkts": {"data_type": "long", "description": ''}, + "ifHighSpeed": {"data_type": "long", "description": ''}, + "ifInDiscardsMib2": {"data_type": "long", "description": ''}, + "ifInErrors": {"data_type": "long", "description": ''}, + "ifMtu": {"data_type": "long", "description": ''}, + "ifOperStatus": {"data_type": "string", "description": ''}, + "ifOutDiscards": {"data_type": "long", "description": ''}, + "ifOutErrors": {"data_type": "long", "description": ''}, + "ifOutQLen": {"data_type": "long", "description": ''}, + "ifPhysAddress": {"data_type": "string", "description": ''}, + "ifType": {"data_type": "string", "description": ''}, + "InBroadCastPktsPerSec": {"data_type": "long", "description": ''}, + "Index": {"data_type": "long", "description": ''}, + "InDiscardsPercent": {"data_type": "int", "description": ''}, + "InDiscardsPerSec": {"data_type": "long", "description": ''}, + "InErrorsPercent": {"data_type": "int", "description": ''}, + "InErrorsPerSec": {"data_type": "long", "description": ''}, + "IngressByteCount": {"data_type": "long", "description": ''}, + "IngressPacketCount": {"data_type": "long", "description": ''}, + "InMultiCastPktsPerSec": {"data_type": "long", "description": ''}, + "InOctetsPerSec": {"data_type": "long", "description": ''}, + "InterfaceCount": {"data_type": "int", "description": ''}, + "InterfaceId": {"data_type": "int", "description": ''}, + "InternalByteCount": {"data_type": "long", "description": ''}, + "InternalPacketCount": {"data_type": "long", "description": ''}, + "InUnicastPktsPerSec": {"data_type": "long", "description": ''}, + "IpV4Addresses": {"data_type": "string", "description": ''}, + "IpV4Subnets": {"data_type": "string", "description": ''}, + "IpV6Addresses": {"data_type": "string", "description": ''}, + "IpV6Subnets": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsPrimary": {"data_type": "bool", "description": ''}, + "L2ConnectedNodes": {"data_type": "string", "description": ''}, + "L2ConnectedPorts": {"data_type": "string", "description": ''}, + "L4Port": {"data_type": "int", "description": ''}, + "L4Protocol": {"data_type": "string", "description": ''}, + "L7Protocol": {"data_type": "string", "description": ''}, + "LatencyBenchmark": {"data_type": "real", "description": ''}, + "LatencyFaultLinks": {"data_type": "string", "description": ''}, + "LatencyHealthIndicator": {"data_type": "bool", "description": ''}, + "LatencyHealthState": {"data_type": "string", "description": ''}, + "LatencyMode": {"data_type": "string", "description": ''}, + "LatencyThreshold": {"data_type": "real", "description": ''}, + "LatencyThresholdMode": {"data_type": "string", "description": ''}, + "Loss": {"data_type": "real", "description": ''}, + "LossBenchmark": {"data_type": "real", "description": ''}, + "LossFaultLinks": {"data_type": "string", "description": ''}, + "LossHealthIndicator": {"data_type": "bool", "description": ''}, + "LossHealthState": {"data_type": "string", "description": ''}, + "LossMode": {"data_type": "string", "description": ''}, + "LossThreshold": {"data_type": "real", "description": ''}, + "LossThresholdMode": {"data_type": "string", "description": ''}, + "LowLatency": {"data_type": "real", "description": ''}, + "MachineType": {"data_type": "int", "description": ''}, + "MaxHopLatencyList": {"data_type": "string", "description": ''}, + "MedianLatency": {"data_type": "real", "description": ''}, + "MemAvailablePercent": {"data_type": "int", "description": ''}, + "MemCount": {"data_type": "int", "description": ''}, + "MemTotalInMB": {"data_type": "long", "description": ''}, + "MessageCode": {"data_type": "string", "description": ''}, + "MessageDetails": {"data_type": "string", "description": ''}, + "MessageType": {"data_type": "string", "description": ''}, + "MicrosoftEdge": {"data_type": "string", "description": ''}, + "MicrosoftEdgeAlias": {"data_type": "string", "description": ''}, + "MinHopLatencyList": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "NodeLinkCount": {"data_type": "int", "description": ''}, + "NodeUniqueName": {"data_type": "string", "description": ''}, + "NotificationCode": {"data_type": "int", "description": ''}, + "NotificationType": {"data_type": "string", "description": ''}, + "NPMAgentEnvironment": {"data_type": "string", "description": ''}, + "OSType": {"data_type": "string", "description": ''}, + "OutBroadCastPktsPerSec": {"data_type": "long", "description": ''}, + "OutDiscardsPercent": {"data_type": "int", "description": ''}, + "OutDiscardsPerSec": {"data_type": "long", "description": ''}, + "OutErrorsPercent": {"data_type": "long", "description": ''}, + "OutErrorsPerSec": {"data_type": "long", "description": ''}, + "OutMultiCastPktsPerSec": {"data_type": "long", "description": ''}, + "OutOctetsPerSec": {"data_type": "long", "description": ''}, + "OutUnicastPktsPerSec": {"data_type": "long", "description": ''}, + "Path": {"data_type": "string", "description": ''}, + "PathInformation": {"data_type": "string", "description": ''}, + "PeeringLocation": {"data_type": "string", "description": ''}, + "PeeringName": {"data_type": "string", "description": ''}, + "PeeringType": {"data_type": "string", "description": ''}, + "PingDelayInMsec": {"data_type": "real", "description": ''}, + "Port": {"data_type": "int", "description": ''}, + "PortName": {"data_type": "string", "description": ''}, + "PrefixLength": {"data_type": "string", "description": ''}, + "PrimaryBytesInPerSecond": {"data_type": "long", "description": ''}, + "PrimaryBytesOutPerSecond": {"data_type": "long", "description": ''}, + "ProcessorCount": {"data_type": "int", "description": ''}, + "ProcessorTimePercent": {"data_type": "int", "description": ''}, + "Protocol": {"data_type": "string", "description": ''}, + "ProviderEdge": {"data_type": "string", "description": ''}, + "ProviderEdgeAlias": {"data_type": "string", "description": ''}, + "ProvisioningState": {"data_type": "string", "description": ''}, + "ResponseCodeHealthState": {"data_type": "string", "description": ''}, + "RouteDestination": {"data_type": "string", "description": ''}, + "RouteMetric": {"data_type": "string", "description": ''}, + "RouteNextHop": {"data_type": "string", "description": ''}, + "RouterIP": {"data_type": "string", "description": ''}, + "RouterName": {"data_type": "string", "description": ''}, + "RouteTableIpV4NextHops": {"data_type": "string", "description": ''}, + "RouteTableIpV6NextHops": {"data_type": "string", "description": ''}, + "RouteTableNextHopNodes": {"data_type": "string", "description": ''}, + "RuleName": {"data_type": "string", "description": ''}, + "SecondaryBytesInPerSecond": {"data_type": "long", "description": ''}, + "SecondaryBytesOutPerSecond": {"data_type": "long", "description": ''}, + "ServiceKey": {"data_type": "string", "description": ''}, + "ServiceLossHealthState": {"data_type": "string", "description": ''}, + "ServiceLossPercent": {"data_type": "real", "description": ''}, + "ServiceProvider": {"data_type": "string", "description": ''}, + "ServiceResponseCode": {"data_type": "long", "description": ''}, + "ServiceResponseHealthState": {"data_type": "string", "description": ''}, + "ServiceResponseThreshold": {"data_type": "real", "description": ''}, + "ServiceResponseThresholdMode": {"data_type": "string", "description": ''}, + "ServiceResponseTime": {"data_type": "real", "description": ''}, + "ServiceTestId": {"data_type": "int", "description": ''}, + "SnmpManagementIpV4Address": {"data_type": "string", "description": ''}, + "SnmpManagementIpV6Address": {"data_type": "string", "description": ''}, + "SnmpPingStatus": {"data_type": "string", "description": ''}, + "SnmpVersion": {"data_type": "string", "description": ''}, + "SourceNetwork": {"data_type": "string", "description": ''}, + "SourceNetworkNodeInterface": {"data_type": "string", "description": ''}, + "SourceNetworkNodeLink": {"data_type": "string", "description": ''}, + "SourceSubNetwork": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpecificTrapType": {"data_type": "string", "description": ''}, + "SubnetId": {"data_type": "string", "description": ''}, + "SubnetId1": {"data_type": "string", "description": ''}, + "SubnetId2": {"data_type": "string", "description": ''}, + "SubnetLinkCount": {"data_type": "int", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "SubType": {"data_type": "string", "description": ''}, + "SupportsSnmp": {"data_type": "bool", "description": ''}, + "sysContact": {"data_type": "string", "description": ''}, + "sysDescr": {"data_type": "string", "description": ''}, + "sysLocation": {"data_type": "string", "description": ''}, + "sysName": {"data_type": "string", "description": ''}, + "sysObjectID": {"data_type": "string", "description": ''}, + "sysUpTime": {"data_type": "long", "description": ''}, + "Target": {"data_type": "string", "description": ''}, + "TestName": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TimeProcessed": {"data_type": "datetime", "description": ''}, + "TimeSinceActive": {"data_type": "int", "description": ''}, + "ToS": {"data_type": "int", "description": ''}, + "TotalByteCount": {"data_type": "long", "description": ''}, + "TotalFlowRecords": {"data_type": "long", "description": ''}, + "TotalPacketCount": {"data_type": "long", "description": ''}, + "TotalPeerings": {"data_type": "int", "description": ''}, + "TotalSessions": {"data_type": "int", "description": ''}, + "TraceRouteCompletionTime": {"data_type": "datetime", "description": ''}, + "TrapCollectionIntervalInSeconds": {"data_type": "int", "description": ''}, + "TrapCount": {"data_type": "int", "description": ''}, + "TrapData": {"data_type": "string", "description": ''}, + "TrapOid": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UtilizationHealthState": {"data_type": "string", "description": ''}, + "Vendor": {"data_type": "string", "description": ''}, + "VirtualNetwork": {"data_type": "string", "description": ''}, + "VLan": {"data_type": "int", "description": ''}, + }, + "NetworkSessions": { + "AdditionalFields": {"data_type": "dynamic", "description": 'When no respective column in the schema matches, additional fields can be stored in a JSON bag.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CloudAppId": {"data_type": "string", "description": 'The ID of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used.'}, + "CloudAppName": {"data_type": "string", "description": 'The name of the destination application for an HTTP application as identified by a proxy.'}, + "CloudAppOperation": {"data_type": "string", "description": 'The operation the user performed in the context of the destination application for an HTTP application as identified by a proxy. This value is usually specific to the proxy used.'}, + "CloudAppRiskLevel": {"data_type": "string", "description": 'The risk level associated with an HTTP application as identified by a proxy. This value is usually specific to the proxy used.'}, + "DstBytes": {"data_type": "long", "description": 'The number of bytes sent from the destination to the source for the connection or session.'}, + "DstDomainHostname": {"data_type": "string", "description": 'The domain of the destination host.'}, + "DstDvcDomain": {"data_type": "string", "description": 'The Domain of the destination device.'}, + "DstDvcFqdn": {"data_type": "string", "description": 'The fully qualified domain name of the host where the log was created.'}, + "DstDvcHostname": {"data_type": "string", "description": 'The device name of the destination device.'}, + "DstDvcIpAddr": {"data_type": "string", "description": 'The destination IP address of a device that is not directly associated with the network packet.'}, + "DstDvcMacAddr": {"data_type": "string", "description": 'The destination MAC address of a device that is not directly associated with the network packet.'}, + "DstGeoCity": {"data_type": "string", "description": 'The city associated with the destination IP address.'}, + "DstGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "DstGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the destination IP address.'}, + "DstGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the destination IP address'}, + "DstGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the destination IP address.'}, + "DstInterfaceGuid": {"data_type": "string", "description": 'GUID of the network interface which was used for authentication request.'}, + "DstInterfaceName": {"data_type": "string", "description": 'The network interface used for the connection or session by the destination device.'}, + "DstIpAddr": {"data_type": "string", "description": 'The IP address of the connection or session destination.'}, + "DstMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface at which the connection or session terminated.'}, + "DstNatIpAddr": {"data_type": "string", "description": 'If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the source.'}, + "DstNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the source.'}, + "DstPackets": {"data_type": "long", "description": 'The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device.'}, + "DstPortNumber": {"data_type": "int", "description": 'The destination IP port.'}, + "DstResourceId": {"data_type": "string", "description": 'The resource Id of the destination device.'}, + "DstUserAadId": {"data_type": "string", "description": 'The Azure AD account object ID of the user at the destination end of the session.'}, + "DstUserDomain": {"data_type": "string", "description": 'The domain or computer name of the account at the destination of the session.'}, + "DstUserName": {"data_type": "string", "description": "The username of the identity associated with the session's destination."}, + "DstUserSid": {"data_type": "string", "description": "The User ID of the identity associated with the session's destination. Typically, the identity used to authenticate a server."}, + "DstUserUpn": {"data_type": "string", "description": "The UPN of the identity associated with the session's destination."}, + "DstZone": {"data_type": "string", "description": 'The network zone of the destination, as defined by the reporting device.'}, + "DvcAction": {"data_type": "string", "description": 'If reported by an intermediary device such as a firewall, the action taken by device.'}, + "DvcHostname": {"data_type": "string", "description": 'The device name of the device generating the message.'}, + "DvcInboundInterface": {"data_type": "string", "description": 'If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the source device.'}, + "DvcIpAddr": {"data_type": "string", "description": 'The IP address of the device generating the record.'}, + "DvcMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface of the reporting device from which the event was sent.'}, + "DvcOutboundInterface": {"data_type": "string", "description": 'If reported by an intermediary device such as a firewall, the network interface used by it for the connection to the destination device.'}, + "EventCount": {"data_type": "int", "description": 'The number of events aggregated, if applicable.'}, + "EventEndTime": {"data_type": "datetime", "description": 'The time in which the event ended.'}, + "EventMessage": {"data_type": "string", "description": 'A general message or description, either included in, or generated from the record.'}, + "EventOriginalUid": {"data_type": "string", "description": 'The record ID from the reporting device.'}, + "EventProduct": {"data_type": "string", "description": 'The product generating the event.'}, + "EventProductVersion": {"data_type": "string", "description": 'The version of the product generating the event.'}, + "EventReportUrl": {"data_type": "string", "description": 'A link to the full report created by the reporting device.'}, + "EventResourceId": {"data_type": "string", "description": 'The resource ID of the device generating the message.'}, + "EventResult": {"data_type": "string", "description": 'The result reported for the activity. Empty value when not applicable.'}, + "EventResultDetails": {"data_type": "string", "description": 'Reason for the result reported in EventResult'}, + "EventSchemaVersion": {"data_type": "string", "description": 'Azure Sentinel Schema Version.'}, + "EventSeverity": {"data_type": "string", "description": 'If the activity reported has a security impact, denotes the severity of the impact.'}, + "EventStartTime": {"data_type": "datetime", "description": 'The time in which the event stated.'}, + "EventSubType": {"data_type": "string", "description": 'Additional description of type if applicable.'}, + "EventTimeIngested": {"data_type": "datetime", "description": 'The time the event was ingested to Azure Sentinel. Will be added by Azure Sentinel.'}, + "EventType": {"data_type": "string", "description": 'Type of event being collected.'}, + "EventUid": {"data_type": "string", "description": 'Unique identifier used by Sentinel to mark a row.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor of the product generating the event.'}, + "FileExtension": {"data_type": "string", "description": 'The type of the file transmitted over the network connections for protocols such as FTP and HTTP.'}, + "FileHashMd5": {"data_type": "string", "description": 'The MD5 hash value of the file transmitted over the network connections for protocols.'}, + "FileHashSha1": {"data_type": "string", "description": 'The SHA1 hash value of the file transmitted over the network connections for protocols.'}, + "FileHashSha256": {"data_type": "string", "description": 'The SHA256 hash value of the file transmitted over the network connections for protocols.'}, + "FileHashSha512": {"data_type": "string", "description": 'The SHA512 hash value of the file transmitted over the network connections for protocols.'}, + "FileMimeType": {"data_type": "string", "description": 'The MIME type of the file transmitted over the network connections for protocols such as FTP and HTTP.'}, + "FileName": {"data_type": "string", "description": 'The filename transmitted over the network connections for protocols such as FTP and HTTP which provide the file name information.'}, + "FilePath": {"data_type": "string", "description": 'The full path, including file name, of the file.'}, + "FileSize": {"data_type": "int", "description": 'The file size, in bytes, of the file transmitted over the network connections for protocols.'}, + "HttpContentType": {"data_type": "string", "description": 'The HTTP Response content type header for HTTP/HTTPS network sessions.'}, + "HttpReferrerOriginal": {"data_type": "string", "description": 'The HTTP referrer header for HTTP/HTTPS network sessions.'}, + "HttpRequestMethod": {"data_type": "string", "description": 'The HTTP Method for HTTP/HTTPS network sessions.'}, + "HttpRequestTime": {"data_type": "int", "description": 'The amount of time it took to send the request to the server, if applicable.'}, + "HttpRequestXff": {"data_type": "string", "description": 'The HTTP X-Forwarded-For header for HTTP/HTTPS network sessions.'}, + "HttpResponseTime": {"data_type": "int", "description": 'The amount of time it took to receive a response in the server, if applicable.'}, + "HttpStatusCode": {"data_type": "string", "description": 'The HTTP Status Code for HTTP/HTTPS network sessions.'}, + "HttpUserAgentOriginal": {"data_type": "string", "description": 'The HTTP user agent header for HTTP/HTTPS network sessions.'}, + "HttpVersion": {"data_type": "string", "description": 'The HTTP Request Version for HTTP/HTTPS network connections.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkApplicationProtocol": {"data_type": "string", "description": 'The application layer protocol used by the connection or session.'}, + "NetworkBytes": {"data_type": "long", "description": 'Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum.'}, + "NetworkDirection": {"data_type": "string", "description": 'The direction the connection or session, into or out of the organization.'}, + "NetworkDuration": {"data_type": "int", "description": 'The amount of time, in millisecond, for the completion of the network session or connection.'}, + "NetworkIcmpCode": {"data_type": "int", "description": 'For an ICMP message, ICMP message type numeric value (RFC 2780 or RFC 4443).'}, + "NetworkIcmpType": {"data_type": "string", "description": 'For an ICMP message, ICMP message type text representation (RFC 2780 or RFC 4443).'}, + "NetworkPackets": {"data_type": "long", "description": 'Number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum.'}, + "NetworkProtocol": {"data_type": "string", "description": 'The IP protocol used by the connection or session. Typically, TCP, UDP or ICMP.'}, + "NetworkRuleName": {"data_type": "string", "description": 'The name or ID of the rule by which DeviceAction was decided upon.'}, + "NetworkRuleNumber": {"data_type": "int", "description": 'Matched rule number.'}, + "NetworkSessionId": {"data_type": "string", "description": 'The session identifier as reported by the reporting device.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcBytes": {"data_type": "long", "description": 'The number of bytes sent from the source to the destination for the connection or session.'}, + "SrcDvcDomain": {"data_type": "string", "description": 'Domain of the device from which session was initiated.'}, + "SrcDvcFqdn": {"data_type": "string", "description": 'The fully qualified domain name of the host where the log was created.'}, + "SrcDvcHostname": {"data_type": "string", "description": 'The device name of the source device.'}, + "SrcDvcIpAddr": {"data_type": "string", "description": 'The source IP address of a device not directly associated with the network packet (collected by a provider or explicitly calculated).'}, + "SrcDvcMacAddr": {"data_type": "string", "description": 'The source MAC address of a device that is not directly associated with the network packet.'}, + "SrcDvcModelName": {"data_type": "string", "description": 'The model of the source device.'}, + "SrcDvcModelNumber": {"data_type": "string", "description": 'The model number of the source device.'}, + "SrcDvcOs": {"data_type": "string", "description": 'The OS of the source device.'}, + "SrcDvcType": {"data_type": "string", "description": 'The type of the source device.'}, + "SrcGeoCity": {"data_type": "string", "description": 'The city associated with the source IP address.'}, + "SrcGeoCountry": {"data_type": "string", "description": 'The country associated with the source IP address.'}, + "SrcGeoLatitude": {"data_type": "real", "description": 'The latitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoLongitude": {"data_type": "real", "description": 'The longitude of the geographical coordinate associated with the source IP address.'}, + "SrcGeoRegion": {"data_type": "string", "description": 'The region within a country associated with the source IP address.'}, + "SrcInterfaceGuid": {"data_type": "string", "description": 'GUID of the network interface used.'}, + "SrcInterfaceName": {"data_type": "string", "description": 'The network interface used for the connection or session by the source device.'}, + "SrcIpAddr": {"data_type": "string", "description": 'The IP address from which the connection or session originated.'}, + "SrcMacAddr": {"data_type": "string", "description": 'The MAC address of the network interface from which the connection od session originated.'}, + "SrcNatIpAddr": {"data_type": "string", "description": 'If reported by an intermediary NAT device such as a firewall, the IP address used by the NAT device for communication with the destination.'}, + "SrcNatPortNumber": {"data_type": "int", "description": 'If reported by an intermediary NAT device such as a firewall, the port used by the NAT device for communication with the destination.'}, + "SrcPackets": {"data_type": "long", "description": 'The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device.'}, + "SrcPortNumber": {"data_type": "int", "description": 'The IP port from which the connection originated. May not be relevant for a session comprising multiple connections.'}, + "SrcResourceId": {"data_type": "string", "description": 'The resource ID of the device generating the message.'}, + "SrcUserAadId": {"data_type": "string", "description": 'The Azure AD account object ID of the user at the source end of the session.'}, + "SrcUserDomain": {"data_type": "string", "description": 'The domain for the account initiating the session.'}, + "SrcUserName": {"data_type": "string", "description": 'The username of the identity associated with the sessions source. Typically, user performing an action on the client.'}, + "SrcUserSid": {"data_type": "string", "description": 'The user ID of the identity associated with the sessions source. Typically, user performing an action on the client.'}, + "SrcUserUpn": {"data_type": "string", "description": 'UPN of the account initiating the session.'}, + "SrcZone": {"data_type": "string", "description": 'The network zone of the source, as defined by the reporting device.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatCategory": {"data_type": "string", "description": 'The category of a threat identified by a security system such as Web Security Gateway of an IPS and is associated with this network session.'}, + "ThreatId": {"data_type": "string", "description": 'The ID of a threat identified by a security system such as Web Security Gateway of an IPS and is associated with this network session.'}, + "ThreatName": {"data_type": "string", "description": 'The name of the threat or malware identified.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time the event occurred, as reported by reporting source.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UrlCategory": {"data_type": "string", "description": 'The defined grouping of a URL (or could be just based on the domain in the URL) related to what it is (i.e.: adult, news, advertising, parked domains, etc.).'}, + "UrlHostname": {"data_type": "string", "description": 'The domain part of an HTTP request URL for HTTP/HTTPS network sessions.'}, + "UrlOriginal": {"data_type": "string", "description": 'The HTTP request URL for HTTP/HTTPS network sessions.'}, + }, + "NGXOperationLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Facility": {"data_type": "string", "description": 'The facility of log records from syslog as defined in RFC 3164.Facility can be one of kern, user, mail, daemon, auth, intern, lpr, news, uucp, clock, authpriv, ftp, ntp, audit, alert, cron, local0..local7. Default is local7.'}, + "FilePath": {"data_type": "string", "description": 'The file path where log records come from.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (region) the NGINX instance was accessed in.'}, + "Message": {"data_type": "string", "description": 'The message of the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'The severity of log records from syslog as defined in RFC 3164.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tag": {"data_type": "string", "description": 'The tag of log records from syslog.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NGXSecurityLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Facility": {"data_type": "string", "description": 'The facility of log records from syslog as defined in RFC 3164.Facility can be one of kern, user, mail, daemon, auth, intern, lpr, news, uucp, clock, authpriv, ftp, ntp, audit, alert, cron, local0..local7. Default is local7.'}, + "FilePath": {"data_type": "string", "description": 'The file path where log records come from.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (region) the NGINX instance was accessed in.'}, + "Message": {"data_type": "string", "description": 'The message of the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "string", "description": 'The severity of log records from syslog as defined in RFC 3164.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tag": {"data_type": "string", "description": 'The tag of log records from syslog.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log record was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NSPAccessLogs": { + "AccessRuleVersion": {"data_type": "string", "description": 'Access rule version of the NSP profile to which PaaS resource is associated.'}, + "AppId": {"data_type": "string", "description": 'Unique GUID representing the app ID of resource in the Azure Active Directory.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'NSP access log categories.'}, + "DestinationEmailAddress": {"data_type": "string", "description": 'Email address of destination receiver. It be must specified if available.'}, + "DestinationFqdn": {"data_type": "string", "description": 'Fully Qualified Domain(FQDN) name of the destination.'}, + "DestinationParameters": {"data_type": "string", "description": 'List of optional destination properties in key-value pair format. For example: [ {Param1}: {value1}, {Param2}: {value2}, ...].'}, + "DestinationPhoneNumber": {"data_type": "string", "description": 'Phone number of destination receiver. It be must specified if available.'}, + "DestinationPort": {"data_type": "string", "description": 'Port number of outbound connection, when available.'}, + "DestinationProtocol": {"data_type": "string", "description": "Application layer protocol and transport layer protocol used for outbound connection in the format {AppProtocol}:{TransportProtocol}. For example: 'HTTPS:TCP'. It be must specified if available."}, + "DestinationResourceId": {"data_type": "string", "description": 'Resource ID of destination PaaS resource for an outbound connection, when available.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Indicates the region of NSP.'}, + "MatchedRule": {"data_type": "string", "description": "JSON property bag containing matched access rule name. It can be either NSP access rule name or resource rule name (not it's resource ID)."}, + "OperationName": {"data_type": "string", "description": 'Indicates top-level PaaS operation name.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version associated with the operation.'}, + "Parameters": {"data_type": "string", "description": 'List of optional PaaS resource properties in key-value pair format. For example: [ {Param1}: {value1}, {Param2}: {value2}, ...].'}, + "Profile": {"data_type": "string", "description": 'Name of the NSP profile associated to the resource.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultAction": {"data_type": "string", "description": "Indicates whether the result of evaluation is 'Approved' or 'Denied'."}, + "ResultDescription": {"data_type": "string", "description": 'Additional description about the operation result, when available.'}, + "ResultDirection": {"data_type": "string", "description": "Direction of evaluation result whether 'Inbound' or 'Outbound'."}, + "RuleType": {"data_type": "string", "description": 'Indicates where the rule is defined: NSP or PaaS resource.'}, + "ServiceFqdn": {"data_type": "string", "description": 'Fully Qualified Domain Name (FQDN) of PaaS resource emitting NSP access logs.'}, + "ServiceResourceId": {"data_type": "string", "description": 'Resource ID of PaaS resource emitting NSP access logs.'}, + "SourceAppId": {"data_type": "string", "description": 'Unique GUID representing the app ID of source in the Azure Active Directory.'}, + "SourceIpAddress": {"data_type": "string", "description": 'IP address of source making inbound connection, when available.'}, + "SourceParameters": {"data_type": "string", "description": 'List of optional source properties in key-value pair format. For example: [ {Param1}: {value1}, {Param2}: {value2}, ...].'}, + "SourcePerimeterGuids": {"data_type": "string", "description": 'List of perimeter GUIDs of source resource. It should be specified only if allowed based on perimeter GUID.'}, + "SourcePort": {"data_type": "string", "description": 'Port number of inbound connection, when available.'}, + "SourceProtocol": {"data_type": "string", "description": "Application layer protocol and transport layer protocol used for inbound connection in the format {AppProtocol}:{TransportProtocol}. For example: 'HTTPS:TCP'. It be must specified if available."}, + "SourceResourceId": {"data_type": "string", "description": 'Resource ID of source PaaS resource for an inbound connection, when available.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Event generation time.'}, + "TrafficType": {"data_type": "string", "description": "Indicates whether traffic is 'Private', 'Public', 'Intra' or 'Cross' perimeter."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NTAInsights": { + "AdFlag": {"data_type": "real", "description": 'A ternary series containing (+1, -1, 0) marking up/down/no anomaly respectively.'}, + "AdScore": {"data_type": "real", "description": 'Anomaly score.'}, + "AggregationType": {"data_type": "string", "description": 'Type of data aggregation - 1 for short aggregation and 2 for long aggregation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DataPoints": {"data_type": "string", "description": 'Data points for aggregated data.'}, + "FlowStatus": {"data_type": "string", "description": 'The considered traffic is Allowed/Denied/All.'}, + "InsightsResourceId": {"data_type": "string", "description": 'Resource ID for the resource for which data is aggregated'}, + "IntervalEnd": {"data_type": "datetime", "description": 'End time of the data insights processing interval.'}, + "IntervalStart": {"data_type": "datetime", "description": 'Start time of the data insights processing interval.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Periodicity": {"data_type": "real", "description": 'The number of hours after whichthe data repeats itself.'}, + "PivotType": {"data_type": "string", "description": 'Pivot type for insights aggregation.'}, + "ProcessingTime": {"data_type": "datetime", "description": 'The time when periodicty is calculated.'}, + "Region": {"data_type": "string", "description": 'Region of Vnet flow logs.'}, + "SchemaVersion": {"data_type": "string", "description": 'Schema version.'}, + "SeriesNumber": {"data_type": "real", "description": 'An incremental value to represent the last aggregated series.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubType": {"data_type": "string", "description": 'Subtype for the insights logs.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time when the data gets ingested into the Log Analytics Workspace.'}, + "TrafficTime": {"data_type": "datetime", "description": 'Time when the anomaly has occured in data pattern.'}, + "TrafficVolumeActual": {"data_type": "real", "description": 'The actual traffic volume in the time period.'}, + "TrafficVolumeBaseline": {"data_type": "real", "description": 'The predicted value of the series, according to the decomposition per the anomaly calculation algorithm.'}, + "TrafficVolumeUnit": {"data_type": "string", "description": 'The aggregated values represent Flows/Bytes/Packets.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NTAIpDetails": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DnsDomain": {"data_type": "string", "description": 'For Malicious IPs only: Domain name associated with this IP.'}, + "FaSchemaVersion": {"data_type": "string", "description": 'Schema version.'}, + "FlowIntervalEndTime": {"data_type": "datetime", "description": 'End time of the flow log processing interval.'}, + "FlowIntervalStartTime": {"data_type": "datetime", "description": 'Start time of the flow log processing interval. This is time from which flow interval is measured.'}, + "FlowType": {"data_type": "string", "description": 'Can be AzurePublic/ExternalPublic/MaliciousFlow.'}, + "Ip": {"data_type": "string", "description": 'Public IP whose information is provided in the record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'For Azure Public IP: Azure region of virtual network/network interface/virtual machine to which the IP belongs OR Global for IP 168.63.129.16. For External Public IP and Malicious IP: 2-letter country code where IP is located (ISO 3166-1 alpha-2).'}, + "Port": {"data_type": "int", "description": 'For Malicious IPs only: Port associated with this IP.'}, + "PublicIpDetails": {"data_type": "string", "description": 'For AzurePublic IP: Azure Service owning the IP OR "Microsoft Virtual Public IP" for IP 168.63.129.16 . ExternalPublic/Malicious IP: WhoIS information of the IP.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubType": {"data_type": "string", "description": 'Subtype for the flow logs. Use only FlowLog, other values of SubType_s are for internal workings of the product.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatDescription": {"data_type": "string", "description": 'For Malicious IPs only: Description of the threat posed by the malicious IP.'}, + "ThreatType": {"data_type": "string", "description": 'For Malicious IPs only: One of the threats from the list of currently allowed values.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time when the data gets ingested into the Log Analytics Workspace.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'For Malicious IPs only: Url associated with this IP.'}, + }, + "NTANetAnalytics": { + "AclGroup": {"data_type": "string", "description": 'Access control list group refers to the network security group associated with the network security group rule name (or) the network group associated with the security admin configuration which allowed or denied the connection.'}, + "AclRule": {"data_type": "string", "description": 'Access control list rule refers to the network security group rule name or the security admin rule name which allowed or denied the connection.'}, + "AllowedInFlows": {"data_type": "long", "description": 'Count of inbound flows that were allowed. This represents the number of flows that shared the same four-tuple inbound to the network interface at which the flow was captured.'}, + "AllowedOutFlows": {"data_type": "long", "description": 'Count of outbound flows that were allowed(Outbound to the network interface at which the flow was captured).'}, + "AzureRegion": {"data_type": "string", "description": 'Azure region locations.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesDestToSrc": {"data_type": "long", "description": 'Represents bytes sent from the destination to the source of the flow.'}, + "BytesSrcToDest": {"data_type": "long", "description": 'Represents bytes sent from the source to the destination of the flow.'}, + "CompletedFlows": {"data_type": "long", "description": 'This is populated with non-zero value when a flow gets a Completed event.'}, + "ConnectingVnets": {"data_type": "string", "description": 'Space separated list of virtual network names.'}, + "ConnectionName": {"data_type": "string", "description": 'Connection Name.'}, + "ConnectionType": {"data_type": "string", "description": 'Type of the connection. Possible values are VNetPeering, VpnGateway, and ExpressRoute.'}, + "Country": {"data_type": "string", "description": 'Two letter country code (ISO 3166-1 alpha-2).'}, + "DeniedInFlows": {"data_type": "long", "description": 'Count of inbound flows that were denied(Inbound to the network interface at which the flow was captured).'}, + "DeniedOutFlows": {"data_type": "long", "description": 'Count of outbound flows that were denied(Outbound to the network interface at which the flow was captured).'}, + "DestApplicationGateway": {"data_type": "string", "description": 'Application gateway associated with the destination IP in the flow.'}, + "DestExpressRouteCircuit": {"data_type": "string", "description": 'Express route circuit associated with the destination IP in the flow.'}, + "DestIp": {"data_type": "string", "description": 'Destination IP address.'}, + "DestLoadBalancer": {"data_type": "string", "description": 'Load balancer associated with the destination IP in the flow.'}, + "DestLocalNetworkGateway": {"data_type": "string", "description": 'Local network gateway associated with the destination IP in the flow.'}, + "DestNic": {"data_type": "string", "description": 'NIC associated with the destination IP in the flow.'}, + "DestPort": {"data_type": "int", "description": 'Destination port.'}, + "DestPublicIps": {"data_type": "string", "description": 'Destination public IP addresses flow information.'}, + "DestRegion": {"data_type": "string", "description": 'Azure region of virtual network/ network interface/ virtual machine to which the destination IP in the flow belongs to.'}, + "DestSubnet": {"data_type": "string", "description": 'Subnet associated with the destination IP in the flow.'}, + "DestSubscription": {"data_type": "string", "description": 'Subscription Id of virtual network/ network interface/ virtual machine to which the destination IP in the flow belongs to.'}, + "DestVm": {"data_type": "string", "description": 'Virtual machine associated with the destination IP in the flow.'}, + "ExpressRouteCircuitPeeringType": {"data_type": "string", "description": 'The peering type of the associated express route circuit for the flow.'}, + "FaSchemaVersion": {"data_type": "string", "description": 'Schema version for ingestion.'}, + "FlowDirection": {"data_type": "string", "description": 'Direction of the flow which can be inbound or outbound.'}, + "FlowEncryption": {"data_type": "string", "description": 'The type of flow encryption.'}, + "FlowEndTime": {"data_type": "datetime", "description": 'Last occurrence of the flow (which will get aggregated) in the flow log processing interval between "FlowIntervalStartTime_t" and "FlowIntervalEndTime_t". In terms of flow log v2, this field contains the time when the last flow with the same four-tuple started (marked as "B" in the raw flow record).'}, + "FlowIntervalEndTime": {"data_type": "datetime", "description": 'Ending time(in UTC) of the flow log processing interval.'}, + "FlowIntervalStartTime": {"data_type": "datetime", "description": 'Starting time(in UTC) of the flow log processing interval. This is time from which flow interval is measured.'}, + "FlowLogResourceId": {"data_type": "string", "description": 'The resource Id for the flow log'}, + "FlowStartTime": {"data_type": "datetime", "description": 'First occurrence of the flow (which will get aggregated) in the flow log processing interval between "FlowIntervalStartTime_t" and "FlowIntervalEndTime_t".'}, + "FlowStatus": {"data_type": "string", "description": 'Status of flow which can be allowed or denied.'}, + "FlowType": {"data_type": "string", "description": 'Category of the flows(allowed values are IntraVNet, InterVNet, S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow, Unknown Private, Unknown) based on IP addresses involved in flow.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsFlowCapturedAtUdrHop": {"data_type": "bool", "description": 'True if flow gets captured at a UDR hop.'}, + "L4Protocol": {"data_type": "string", "description": 'Transport Protocol,T = TCP, U = UDP.'}, + "L7Protocol": {"data_type": "string", "description": 'Application Layer protocol name.'}, + "MacAddress": {"data_type": "string", "description": 'MAC address of the network interface at which the flow was captured.'}, + "NsgList": {"data_type": "string", "description": 'Network Security Group(NSG) associated with the flow. This is a placeholder for NSG flow logging.'}, + "NsgRule": {"data_type": "string", "description": 'NSG rule that allowed or denied this flow. This is a placeholder for NSG flow logging.'}, + "NsgRuleType": {"data_type": "string", "description": 'The type of Network Security Group(NSG) rule used by the flow. This is a placeholder for NSG flow logging.'}, + "PacketsDestToSrc": {"data_type": "long", "description": 'Represents packets sent from the destination to the source of the flow.'}, + "PacketsSrcToDest": {"data_type": "long", "description": 'Represents packets sent from the source to the destination of the flow.'}, + "PrivateEndpointResourceId": {"data_type": "string", "description": 'Resource ID of the private endpoint resource.'}, + "PrivateLinkResourceId": {"data_type": "string", "description": 'Resource ID of the private link service.'}, + "PrivateLinkResourceName": {"data_type": "string", "description": 'Resource name of the private link service.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcApplicationGateway": {"data_type": "string", "description": 'Application gateway associated with the source IP in the flow.'}, + "SrcExpressRouteCircuit": {"data_type": "string", "description": 'Express route circuit associated with the source IP in the flow.'}, + "SrcIp": {"data_type": "string", "description": 'Source IP address.'}, + "SrcLoadBalancer": {"data_type": "string", "description": 'Load balancer associated with the source IP in the flow.'}, + "SrcLocalNetworkGateway": {"data_type": "string", "description": 'Local network gateway associated with the source IP in the flow.'}, + "SrcNic": {"data_type": "string", "description": 'NIC associated with the source IP in the flow.'}, + "SrcPort": {"data_type": "int", "description": 'Source port.'}, + "SrcPublicIps": {"data_type": "string", "description": 'Source public IP addresses flow information.'}, + "SrcRegion": {"data_type": "string", "description": 'Azure region of virtual network/ network interface/ virtual machine to which the source IP in the flow belongs to.'}, + "SrcSubnet": {"data_type": "string", "description": 'Subnet associated with the source IP in the flow.'}, + "SrcSubscription": {"data_type": "string", "description": 'Subscription of the Azure virtual network/ network interface/ virtual machine to which the source IP in the flow belongs to.'}, + "SrcVm": {"data_type": "string", "description": 'Virtual machine associated with the source IP in the flow.'}, + "Status": {"data_type": "string", "description": 'Status of the ingestion. Possible values can be Completed, Partial or Failed.'}, + "SubType": {"data_type": "string", "description": 'Subtype of the ingestion. Values can be Flowlog and StatusMessage.'}, + "TargetResourceId": {"data_type": "string", "description": 'Target Resource Id for the resource where flow logging has been enabled.'}, + "TargetResourceType": {"data_type": "string", "description": 'Target Resource Type where flow logging is enabled. It can be virtual network(VNET)/subnet(SUBNET)/network interface(NIC).'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time when the data gets ingested into the log analytics workspace.'}, + "TimeProcessed": {"data_type": "datetime", "description": 'Time(in UTC) at which the traffic analytics processed the raw flow logs from the storage account.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NTATopologyDetails": { + "Access": {"data_type": "string", "description": 'Access(Allow/Deny) associated with network security group rule.'}, + "AddressPrefixes": {"data_type": "string", "description": 'The address prefixes associated with the discovered resource.'}, + "AllowForwardedTraffic": {"data_type": "bool", "description": 'Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network.'}, + "AllowGatewayTransit": {"data_type": "bool", "description": 'If gateway links can be used in remote virtual networking to link to this virtual network.'}, + "AllowVirtualNetworkAccess": {"data_type": "bool", "description": 'Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space.'}, + "AppGatewayType": {"data_type": "string", "description": 'Type of the application gateway resource. This would be either internal or internet facing.'}, + "ApplicationGatewayBackendPools": {"data_type": "string", "description": 'Pool of application gateway backend IP addresses.'}, + "AzureAsn": {"data_type": "long", "description": 'The Azure ASN of express route circuit peering.'}, + "AzureResourceType": {"data_type": "string", "description": 'Resource type of the discovered resource.'}, + "BackendAddressPool": {"data_type": "string", "description": 'The reference to backend address pool resource.'}, + "BackendIpAddress": {"data_type": "string", "description": 'Backend IP address associated with the inbound NAT rules.'}, + "BackendPort": {"data_type": "int", "description": 'Backend port associated with the inbound NAT rules. The port used for the internal endpoint. Acceptable values range from 1 to 65535.'}, + "BackendSubnets": {"data_type": "string", "description": 'List of space separated subnets associated with the discovered resource.'}, + "BgpEnabled": {"data_type": "bool", "description": 'Whether BGP is enabled for this resource or not.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CircuitProvisioningState": {"data_type": "string", "description": 'The current provisioning state of express route circuit.'}, + "ComponentType": {"data_type": "string", "description": 'Component type of the status message. Possible values are Flowlog/Topology.'}, + "ConnectionStatus": {"data_type": "string", "description": 'Gateway connection status.'}, + "ConnectionType": {"data_type": "string", "description": 'Connection type of the discovered connection.'}, + "Description": {"data_type": "string", "description": 'Description of with network security group rule.'}, + "DestinationAddressPrefix": {"data_type": "string", "description": 'Destination address prefix associated with network security group rule.'}, + "DestinationPortRange": {"data_type": "string", "description": 'Destination port range associated with network security group rule.'}, + "Direction": {"data_type": "string", "description": 'Direction associated with network security group rule.'}, + "DiscoveryRegion": {"data_type": "string", "description": 'The region where resource is discovered.'}, + "EgressBytesTransferred": {"data_type": "long", "description": 'The egress bytes transferred in this connection.'}, + "EnableIpForwarding": {"data_type": "bool", "description": 'Indicates whether IP forwarding is enabled on the network interface.'}, + "EncryptionEnabled": {"data_type": "bool", "description": 'Indicates whether encryption is enabled on the virtual network.'}, + "EncryptionEnforcement": {"data_type": "string", "description": 'Indicates whether the encrypted virtual network allows VM that does not support encryption. Possible values include DropUnencrypted/AllowUnencrypted.'}, + "FloatingIpEnabled": {"data_type": "bool", "description": "Configures a virtual machine's endpoint for the floating IP capability required to configure a SQL AlwaysOn Availability Group. This setting is required when using the SQL AlwaysOn Availability Groups in SQL server. This setting can't be changed after you create the endpoint."}, + "FlowLogStorageAccount": {"data_type": "string", "description": 'Id of the storage account which is used to store the flow log.'}, + "FrontendIpAddress": {"data_type": "string", "description": 'Frontend IP address associated with the inbound NAT rule.'}, + "FrontendIps": {"data_type": "string", "description": 'Frontend IP address of the load balancer.'}, + "FrontendPort": {"data_type": "int", "description": 'Frontend port associated with the inbound NAT rules. The port for the external endpoint. Port numbers for each rule must be unique within the Load Balancer. Acceptable values range from 1 to 65534.'}, + "FrontendSubnet": {"data_type": "string", "description": 'The subnet of the discovered load balancer resource. This will be populated when the load balancer is internal load balancer.'}, + "FrontendSubnets": {"data_type": "string", "description": 'List of space separated subnets of the discovered load balancer resource. This will be populated when the load balancer is internal load balancer.'}, + "GatewayConnectionType": {"data_type": "string", "description": 'Gateway connection type.'}, + "GatewaySubnet": {"data_type": "string", "description": 'Subnet associated with the application aateway resource.'}, + "GatewayType": {"data_type": "string", "description": 'Gateway Type assocaited with virtual network gateway, VPN or express route.'}, + "IngressBytesTransferred": {"data_type": "long", "description": 'The ingress bytes transferred in this connection.'}, + "IpAddress": {"data_type": "string", "description": 'Gateway IP address of the discovered resource.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsFlowEnabled": {"data_type": "bool", "description": 'Flag to enable/disable flow logging.'}, + "IsVirtualAppliance": {"data_type": "bool", "description": 'Boolean to specify if the discovered resource is a virtual appliance.'}, + "LoadBalancerBackendPools": {"data_type": "string", "description": 'Pool of load balancer backend IP addresses.'}, + "LoadBalancerType": {"data_type": "string", "description": 'The type of the discovered load balancer resource. Possible values are internal load balancer or internet facing load balancer.'}, + "LocalNetworkGateway": {"data_type": "string", "description": 'The reference to local network gateway resource.'}, + "LocalPreference": {"data_type": "string", "description": 'Local preference value as set with the set local-preference route-map configuration command of the express route circuit route.'}, + "MacAddress": {"data_type": "string", "description": 'MAC address of the discovered NIC.'}, + "Name": {"data_type": "string", "description": 'Name of the discovered resource.'}, + "Network": {"data_type": "string", "description": 'IP address of a network entity associated with the express route circuit route.'}, + "NextHopIp": {"data_type": "string", "description": 'The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is virtual appliance.'}, + "NextHopType": {"data_type": "string", "description": 'The type of azure hop the packet should be sent to.'}, + "Nsg": {"data_type": "string", "description": 'The reference to the network security group resource.'}, + "Path": {"data_type": "string", "description": 'Autonomous system paths to the destination network of the express route circuit route.'}, + "Peer": {"data_type": "string", "description": 'The reference to peerings resource.'}, + "PeerAsn": {"data_type": "long", "description": 'The peer ASN of express route circuit peering.'}, + "PeeringType": {"data_type": "string", "description": 'The peering type of express route circuit peering.'}, + "PrimaryAzurePort": {"data_type": "string", "description": 'The primary port of express route circuit peering.'}, + "PrimaryBytesIn": {"data_type": "long", "description": 'The primary bytes in of the peering.'}, + "PrimaryBytesOut": {"data_type": "long", "description": 'The primary bytes out of the peering.'}, + "PrimaryNextHop": {"data_type": "string", "description": 'Primary next hop address of the express route circuit route.'}, + "PrimaryPeerAddressPrefix": {"data_type": "string", "description": 'The primary peer address prefix of express route circuit peering.'}, + "Priority": {"data_type": "int", "description": 'Specifies the priority for the virtual machine. Minimum api-version: 2019-03-01.'}, + "PrivateEndpointResourceId": {"data_type": "string", "description": 'Resource ID of the private endpoint resource.'}, + "PrivateFrontendIps": {"data_type": "string", "description": 'Front end private IP addresses associated with the application gateway resource.'}, + "PrivateIpAddresses": {"data_type": "string", "description": 'Private IP address of the IP configuration.'}, + "PrivateLinkResourceId": {"data_type": "string", "description": 'Resource ID of the private link service.'}, + "Protocol": {"data_type": "string", "description": 'Protocol associated with network security group rule.'}, + "PublicFrontendIps": {"data_type": "string", "description": 'Front end public IP addresses associated with the application gateway resource.'}, + "PublicIpAddresses": {"data_type": "string", "description": 'Public IP address bound to the IP configuration.'}, + "Region": {"data_type": "string", "description": 'Region of the discovered resource.'}, + "RouteTable": {"data_type": "string", "description": 'The reference to the route table resource.'}, + "RoutingWeight": {"data_type": "int", "description": 'The routing weight.'}, + "RuleType": {"data_type": "string", "description": 'The type of the network security group rule.'}, + "SchemaVersion": {"data_type": "string", "description": 'This is topology schema version and not related to flow log schema version.'}, + "SecondaryAzurePort": {"data_type": "string", "description": 'The secondary port of express route circuit peering.'}, + "SecondaryBytesIn": {"data_type": "long", "description": 'The secondary bytes in of the peering.'}, + "SecondaryBytesOut": {"data_type": "long", "description": 'The secondary bytes out of the peering.'}, + "SecondaryNextHop": {"data_type": "string", "description": 'Secondary next hop address of the express route circuit route.'}, + "SecondaryPeerAddressPrefix": {"data_type": "string", "description": 'The secondary peer address prefix of express route circuit peering.'}, + "ServiceProviderProperties": {"data_type": "string", "description": '"Contains service provider properties in an express route circuit. Service provider properties semicolon seperated "ServiceProviderName;ServiceProviderBandwidthInMbps;ServiceProviderPeeringLocation"".'}, + "ServiceProviderProvisioningState": {"data_type": "string", "description": 'The service provider provisioning state state of the resource.'}, + "Sku": {"data_type": "string", "description": 'SKU or pricing associated with the discovered resource.'}, + "SkuDetail": {"data_type": "string", "description": '"The SKU of express route circuit. Express route circuit SKU detail semicolon seperated "Family;Name;Tier"".'}, + "SourceAddressPrefix": {"data_type": "string", "description": 'Source address prefix associated with network security group rule.'}, + "SourcePortRange": {"data_type": "string", "description": 'Source port range associated with network security group rule.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The peering state of express route circuit peering.'}, + "Status": {"data_type": "string", "description": 'Status of the ingestion. Possible values can be Completed/Partial/Failed.'}, + "Subnet1": {"data_type": "string", "description": 'Subnet associated with the discovered subnetwork connection.'}, + "Subnet2": {"data_type": "string", "description": 'Subnet associated with the discovered subnetwork connection.'}, + "SubnetPrefixes": {"data_type": "string", "description": 'Space separated string of address prefixes in local network address space.'}, + "SubnetRegion1": {"data_type": "string", "description": 'Subnet region associated with the discovered subnetwork connection.'}, + "SubnetRegion2": {"data_type": "string", "description": 'Subnet region associated with the discovered subnetwork connection.'}, + "Subnetwork": {"data_type": "string", "description": 'The refrence to the subnetwork resource.'}, + "Subscription": {"data_type": "string", "description": 'Subscription guid of the discovered resource.'}, + "SubscriptionName": {"data_type": "string", "description": 'Subscription name of the discovered resource.'}, + "SubType": {"data_type": "string", "description": 'Subtype of the ingestion. Values can be Topology and StatusMessage.'}, + "Tags": {"data_type": "string", "description": 'Tags associated with the discovered resource.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time when the data gets ingested into the log analytics workspace.'}, + "TimeProcessed": {"data_type": "datetime", "description": 'Time(in UTC) at which the traffic analytics discovered the topology resource.'}, + "TopologyVersion": {"data_type": "string", "description": 'Topology version.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UseRemoteGateways": {"data_type": "bool", "description": 'If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway.'}, + "VipAddress": {"data_type": "string", "description": 'Space separated list of IP addresses associated with virtual network gateway.'}, + "VirtualAppliances": {"data_type": "string", "description": 'Virtual appliances associated with the discovered subnetwork connection.'}, + "VirtualMachine": {"data_type": "string", "description": 'The reference to a virtual machine.'}, + "VirtualNetwork1": {"data_type": "string", "description": 'The reference to the virtual network resource associated with the virtual network peering.'}, + "VirtualNetwork2": {"data_type": "string", "description": 'The reference to the virtual network resource associated with the virtual network peering.'}, + "VirtualNetworkGateway1": {"data_type": "string", "description": 'The reference to virtual network gateway resource.'}, + "VirtualNetworkGateway2": {"data_type": "string", "description": 'The reference to virtual network gateway resource.'}, + "VirtualSubnetwork": {"data_type": "string", "description": 'Virtual subnetwork associated with virtual network gateway.'}, + "VlanId": {"data_type": "int", "description": 'The VLAN Id of the peering.'}, + "VmssName": {"data_type": "string", "description": 'The virtual machine scale set name.'}, + "VnetEncryptionSupported": {"data_type": "bool", "description": 'Indicates whether the virtual machine this nic is attached to supports encryption.'}, + "VpnClientAddressPrefixes": {"data_type": "string", "description": 'The reference to the address prefix resource which represents address prefix for P2S VpnClient. Will be empty when no point to site is configured.'}, + "Weight": {"data_type": "int", "description": 'Route weight of the express route circuit route.'}, + "Zones": {"data_type": "string", "description": 'The virtual machine zones information.'}, + }, + "NWConnectionMonitorDestinationListenerResult": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConnectionMonitorResourceId": {"data_type": "string", "description": 'The connection monitor resource id of the test'}, + "DestinationAddress": {"data_type": "string", "description": 'The address of the destination configured for the test'}, + "DestinationAgentId": {"data_type": "string", "description": 'The destination agent id'}, + "DestinationIP": {"data_type": "string", "description": 'The IP address of the destination'}, + "DestinationName": {"data_type": "string", "description": 'The destination end point name'}, + "DestinationPort": {"data_type": "int", "description": 'The Destination port configured for the test'}, + "DestinationResourceId": {"data_type": "string", "description": 'The resource id of the Destination machine'}, + "DestinationSubnet": {"data_type": "string", "description": 'If applicable, the subnet of the destination configured for the test'}, + "DestinationType": {"data_type": "string", "description": 'The type of the destination machine configured for the test'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issues": {"data_type": "string", "description": 'The issues identfied by Destination Listener'}, + "ListeningOutcome": {"data_type": "string", "description": 'The listening outcome result'}, + "Protocol": {"data_type": "string", "description": 'The protocol of the test'}, + "RecordId": {"data_type": "string", "description": 'The record id for unique identification of test result record'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TestConfigurationName": {"data_type": "string", "description": 'The test configuration name to which the test belongs to'}, + "TestGroupName": {"data_type": "string", "description": 'The test group name to which the test belongs to'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NWConnectionMonitorDNSResult": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChecksFailed": {"data_type": "int", "description": 'The total number of checks failed under the test'}, + "ChecksTotal": {"data_type": "int", "description": 'The total number of checks done under the test'}, + "ConnectionMonitorResourceId": {"data_type": "string", "description": 'The connection monitor resource id of the test'}, + "DestinationAddress": {"data_type": "string", "description": 'The address of the destination configured for the test'}, + "DestinationAgentId": {"data_type": "string", "description": 'The destination agent id'}, + "DestinationIP": {"data_type": "string", "description": 'The IP address of the destination'}, + "DestinationName": {"data_type": "string", "description": 'The destination end point name'}, + "DestinationPort": {"data_type": "int", "description": 'The destination port configured for the test'}, + "DestinationResourceId": {"data_type": "string", "description": 'The resource id of the Destination machine'}, + "DestinationSubnet": {"data_type": "string", "description": 'If applicable, the subnet of the destination'}, + "DestinationType": {"data_type": "string", "description": 'The type of the destination machine configured for the test'}, + "DomainName": {"data_type": "string", "description": 'The domain name of DNS Test'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Protocol": {"data_type": "string", "description": 'The protocol of the test'}, + "RecordId": {"data_type": "string", "description": 'The record id for unique identification of test result record'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseRecordCount": {"data_type": "int", "description": 'The total count of DNS response records'}, + "ResponseRecords": {"data_type": "string", "description": 'The DNS Response records'}, + "ResponseRecordType": {"data_type": "string", "description": 'The type of DNS response record'}, + "SourceAddress": {"data_type": "string", "description": 'The address of the source configured for the test'}, + "SourceAgentId": {"data_type": "string", "description": 'The source agent id'}, + "SourceIP": {"data_type": "string", "description": 'The IP address of the source'}, + "SourceName": {"data_type": "string", "description": 'The source end point name'}, + "SourceResourceId": {"data_type": "string", "description": 'The resource id of the source machine'}, + "SourceSubnet": {"data_type": "string", "description": 'The subnet of the source'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'The type of the source machine configured for the test'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TestConfigurationName": {"data_type": "string", "description": 'The test configuration name to which the test belongs to'}, + "TestGroupName": {"data_type": "string", "description": 'The test group name to which the test belongs to'}, + "TestResult": {"data_type": "string", "description": 'The result of the test'}, + "TestResultCriterion": {"data_type": "string", "description": 'The result criterion of the test'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValidationChecks": {"data_type": "string", "description": 'The validation checks of DNS Result'}, + "ValidationIssues": {"data_type": "string", "description": 'The issues identified as part of DNS Test'}, + }, + "NWConnectionMonitorPathResult": { + "AdditionalData": {"data_type": "string", "description": 'The additional data for the test'}, + "AvgRoundTripTimeMs": {"data_type": "real", "description": 'The average round trip time for the test'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChecksFailed": {"data_type": "int", "description": 'The total number of checks failed under the test'}, + "ChecksFailedPercentThreshold": {"data_type": "int", "description": 'The checks failed percent threshold set for the test'}, + "ChecksTotal": {"data_type": "int", "description": 'The total number of checks done under the test'}, + "ConnectionMonitorResourceId": {"data_type": "string", "description": 'The connection monitor resource id of the test'}, + "DestinationAddress": {"data_type": "string", "description": 'The address of the destination configured for the test'}, + "DestinationAgentId": {"data_type": "string", "description": 'The destination agent id'}, + "DestinationIP": {"data_type": "string", "description": 'The IP address of the destination'}, + "DestinationName": {"data_type": "string", "description": 'The destination end point name'}, + "DestinationPort": {"data_type": "int", "description": 'The destination port configured for the test'}, + "DestinationResourceId": {"data_type": "string", "description": 'The resource id of the Destination machine'}, + "DestinationSubnet": {"data_type": "string", "description": 'If applicable, the subnet of the destination'}, + "DestinationType": {"data_type": "string", "description": 'The type of the destination machine configured for the test'}, + "HopAddresses": {"data_type": "string", "description": 'The hop addresses identified for the test'}, + "HopLinkTypes": {"data_type": "string", "description": 'The hop link types identified for the test'}, + "HopResourceIds": {"data_type": "string", "description": 'The hop resource ids identified for the test'}, + "Hops": {"data_type": "string", "description": 'The hops identified for the test'}, + "HopTypes": {"data_type": "string", "description": 'The hop types identified for the test'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issues": {"data_type": "string", "description": 'The issues identified for the test'}, + "JitterMs": {"data_type": "real", "description": 'The mean deviation round trip time for the test'}, + "MaxRoundTripTimeMs": {"data_type": "real", "description": 'The maximum round trip time for the test'}, + "MinRoundTripTimeMs": {"data_type": "real", "description": 'The minimum round trip time (ms) for the test'}, + "PathTestResult": {"data_type": "string", "description": 'The result of the test'}, + "PathTestResultCriterion": {"data_type": "string", "description": 'The result criterion of the test'}, + "Protocol": {"data_type": "string", "description": 'The protocol of the test'}, + "RecordId": {"data_type": "string", "description": 'The record id for unique identification of test result record'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoundTripTimeMsThreshold": {"data_type": "real", "description": 'The round trip threshold (ms) set for the test'}, + "SourceAddress": {"data_type": "string", "description": 'The address of the source configured for the test'}, + "SourceAgentId": {"data_type": "string", "description": 'The source agent id'}, + "SourceIP": {"data_type": "string", "description": 'The IP address of the source'}, + "SourceName": {"data_type": "string", "description": 'The source end point name'}, + "SourceResourceId": {"data_type": "string", "description": 'The resource id of the source machine'}, + "SourceSubnet": {"data_type": "string", "description": 'The subnet of the source'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'The type of the source machine configured for the test'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TestConfigurationName": {"data_type": "string", "description": 'The test configuration name to which the test belongs to'}, + "TestGroupName": {"data_type": "string", "description": 'The test group name to which the test belongs to'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TopologyId": {"data_type": "string", "description": 'The topology id of the path record'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "NWConnectionMonitorTestResult": { + "AdditionalData": {"data_type": "string", "description": 'The additional data for the test'}, + "AvgRoundTripTimeMs": {"data_type": "real", "description": 'The average round trip time for the test'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChecksFailed": {"data_type": "int", "description": 'The total number of checks failed under the test'}, + "ChecksFailedPercentThreshold": {"data_type": "int", "description": 'The checks failed percent threshold set for the test'}, + "ChecksTotal": {"data_type": "int", "description": 'The total number of checks done under the test'}, + "ConnectionMonitorResourceId": {"data_type": "string", "description": 'The connection monitor resource id of the test'}, + "DestinationAddress": {"data_type": "string", "description": 'The address of the destination configured for the test'}, + "DestinationAgentId": {"data_type": "string", "description": 'The destination agent id'}, + "DestinationIP": {"data_type": "string", "description": 'The IP address of the destination'}, + "DestinationName": {"data_type": "string", "description": 'The destination end point name'}, + "DestinationPort": {"data_type": "int", "description": 'The destination port configured for the test'}, + "DestinationResourceId": {"data_type": "string", "description": 'The resource id of the Destination machine'}, + "DestinationSubnet": {"data_type": "string", "description": 'If applicable, the subnet of the destination'}, + "DestinationType": {"data_type": "string", "description": 'The type of the destination machine configured for the test'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JitterMs": {"data_type": "real", "description": 'The mean deviation round trip time for the test'}, + "MaxRoundTripTimeMs": {"data_type": "real", "description": 'The maximum round trip time for the test'}, + "MinRoundTripTimeMs": {"data_type": "real", "description": 'The minimum round trip time (ms) for the test'}, + "Protocol": {"data_type": "string", "description": 'The protocol of the test'}, + "RecordId": {"data_type": "string", "description": 'The record id for unique identification of test result record'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RoundTripTimeMsThreshold": {"data_type": "real", "description": 'The round trip threshold (ms) set for the test'}, + "SourceAddress": {"data_type": "string", "description": 'The address of the source configured for the test'}, + "SourceAgentId": {"data_type": "string", "description": 'The source agent id'}, + "SourceIP": {"data_type": "string", "description": 'The IP address of the source'}, + "SourceName": {"data_type": "string", "description": 'The source end point name'}, + "SourceResourceId": {"data_type": "string", "description": 'The resource id of the source machine'}, + "SourceSubnet": {"data_type": "string", "description": 'The subnet of the source'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'The type of the source machine configured for the test'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TestConfigurationName": {"data_type": "string", "description": 'The test configuration name to which the test belongs to'}, + "TestGroupName": {"data_type": "string", "description": 'The test group name to which the test belongs to'}, + "TestResult": {"data_type": "string", "description": 'The result of the test'}, + "TestResultCriterion": {"data_type": "string", "description": 'The result criterion of the test'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OEPAirFlowTask": { + "AdditionalLogContent": {"data_type": "string", "description": 'Additional log content, if there is any more info that needs to be populated'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source.'}, + "CodePath": {"data_type": "string", "description": 'The task inside the DAG run which generated the log'}, + "Content": {"data_type": "string", "description": 'Log details as a result of operation performed.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "DagName": {"data_type": "string", "description": "Name of the DAG run - as per Airflow's list of DAGs present"}, + "DagTaskName": {"data_type": "string", "description": 'Name of Task executed in Airflow DAG.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "LogLevel": {"data_type": "string", "description": 'Log Level of the log - Info/Debug/Warning/Error'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RunId": {"data_type": "string", "description": 'To identify the particular DAG run which generated the log'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "TryNumber": {"data_type": "string", "description": 'Still not available'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OEPAuditLogs": { + "Action": {"data_type": "string", "description": 'Action performed,which can be CREATE,PUBLISH,UPDATE,DELETE,READ and JOB_RUN.'}, + "ActionId": {"data_type": "string", "description": 'ID of the action performed.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source.'}, + "DataPartitionId": {"data_type": "string", "description": 'Represents the data partition ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "Message": {"data_type": "string", "description": 'The message about the operation.'}, + "OperationDescription": {"data_type": "string", "description": 'Description of operation that was performed.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "Puid": {"data_type": "string", "description": 'The client ID.'}, + "RequestId": {"data_type": "string", "description": 'The request ID uniquely identify the request made to Microsoft Energy Data Services for an operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "ServiceName": {"data_type": "string", "description": 'The name of service which is emitting the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OEPDataplaneLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, when available.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "LogLevel": {"data_type": "string", "description": 'Log level of message (INFO, WARN, ERROR, etc.).'}, + "Message": {"data_type": "string", "description": 'Log details as a result of operation performed.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OEPElasticOperator": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source.'}, + "Content": {"data_type": "string", "description": 'Log details as a result of operation performed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "Namespace": {"data_type": "string", "description": 'Namespace from which logs were generated, represents the data partition.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OEPElasticsearch": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Logs generated as a result of operations executed using OAK APIs are grouped into categories. Categories in OAK are logical groupings based on the data source.'}, + "Content": {"data_type": "string", "description": 'Log details as a result of operation performed.'}, + "Duration": {"data_type": "string", "description": "Time taken for performing the operation. Value is taken from 'took' property in Elasticsearch cluster as string, like '1.3ms', '478.9micros' etc."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "Namespace": {"data_type": "string", "description": 'Namespace from which logs were generated, represents the data partition.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "PodName": {"data_type": "string", "description": 'Elasticsearch pod name.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Source": {"data_type": "string", "description": 'Source responsible for the log. It could be a search query or a record to be indexed in case of slow logs and null otherwise.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) when the log was created.'}, + "TotalHits": {"data_type": "string", "description": "Total number of hits for a search operation. For example, value can be '3 hits' for 3 hits, '-1' for no hits, or 'null' if it is not a search slow log."}, + "Type": {"data_type": "string", "description": 'Type of log. Can be index_search_slowlog, index_indexing_slowlog, server, deprecation etc.'}, + }, + "OfficeActivity": { + "AADGroupId": {"data_type": "string", "description": 'Azure Active Directory group id'}, + "AADTarget": {"data_type": "string", "description": 'The user that the action (identified by the Operation property) was performed on'}, + "Activity": {"data_type": "string", "description": 'The activity that the user performed.'}, + "Actor": {"data_type": "string", "description": 'The user or service principal that performed the action'}, + "ActorContextId": {"data_type": "string", "description": 'The GUID of the organization that the actor belongs to'}, + "ActorIpAddress": {"data_type": "string", "description": "The actor's IP address in IPV4 or IPV6 address format"}, + "AddOnGuid": {"data_type": "string", "description": 'The unique identifier of the add-on generated this event'}, + "AddonName": {"data_type": "string", "description": 'The name of the add-on that generated this event'}, + "AddOnType": {"data_type": "string", "description": 'The type of add-on that generated this event'}, + "AffectedItems": {"data_type": "string", "description": 'Information about each item in the group'}, + "AppDistributionMode": {"data_type": "string", "description": 'Application distribution mode'}, + "AppId": {"data_type": "string", "description": 'Application ID'}, + "Application": {"data_type": "string", "description": 'The application name'}, + "ApplicationId": {"data_type": "string", "description": 'SharePoint application ID'}, + "AppPoolName": {"data_type": "string", "description": 'The App pool name'}, + "AzureActiveDirectory_EventType": {"data_type": "string", "description": 'The type of Azure AD event'}, + "AzureADAppId": {"data_type": "string", "description": 'Teams Application Azure AD ID'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelGuid": {"data_type": "string", "description": 'A unique identifier for the channel being audited'}, + "ChannelName": {"data_type": "string", "description": 'The name of the channel being audited'}, + "ChannelType": {"data_type": "string", "description": 'The type of channel being audited (Standard/Private)'}, + "ChatName": {"data_type": "string", "description": 'The name of the chat'}, + "ChatThreadId": {"data_type": "string", "description": 'The Id of the chat thread'}, + "Client": {"data_type": "string", "description": 'Details about the client device, device OS, and device browser that was used for the of the account login event'}, + "Client_IPAddress": {"data_type": "string", "description": 'The IP address of the device that was used when the operation was logged'}, + "ClientAppId": {"data_type": "string", "description": 'Client application ID'}, + "ClientInfoString": {"data_type": "string", "description": 'Information about the email client that was used to perform the operation'}, + "ClientIP": {"data_type": "string", "description": 'The IP address of the device that was used when the activity was logged'}, + "ClientMachineName": {"data_type": "string", "description": 'The machine name that hosts the Outlook client'}, + "ClientProcessName": {"data_type": "string", "description": 'The email client that was used to access the mailbox'}, + "ClientVersion": {"data_type": "string", "description": 'The version of the email client'}, + "CommunicationType": {"data_type": "string", "description": 'The type of communications that was conducted'}, + "CrossMailboxOperations": {"data_type": "bool", "description": 'Indicates if the operation involved more than one mailbox'}, + "CustomEvent": {"data_type": "string", "description": 'Optional string for custom events'}, + "DataCenterSecurityEventType": {"data_type": "int", "description": 'The type of dmdlet event in lock box'}, + "DestFolder": {"data_type": "string", "description": 'The destination folder'}, + "DestinationFileExtension": {"data_type": "string", "description": 'The file extension of a file that is copied or moved'}, + "DestinationFileName": {"data_type": "string", "description": 'The name of the file that is copied or moved'}, + "DestinationRelativeUrl": {"data_type": "string", "description": 'The URL of the destination folder where a file is copied or moved'}, + "DestMailboxId": {"data_type": "string", "description": 'Set only if the CrossMailboxOperations parameter is True'}, + "DestMailboxOwnerMasterAccountSid": {"data_type": "string", "description": 'Set only if the CrossMailboxOperations parameter is True'}, + "DestMailboxOwnerSid": {"data_type": "string", "description": 'Set only if the CrossMailboxOperations parameter is True'}, + "DestMailboxOwnerUPN": {"data_type": "string", "description": 'Set only if the CrossMailboxOperations parameter is True'}, + "EffectiveOrganization": {"data_type": "string", "description": 'The name of the tenant that the elevation/cmdlet was targeted at'}, + "ElevationApprovedTime": {"data_type": "datetime", "description": 'The timestamp for when the elevation was approved'}, + "ElevationApprover": {"data_type": "string", "description": 'The name of a Microsoft manager'}, + "ElevationDuration": {"data_type": "int", "description": 'The duration for which the elevation was active (in Hours)'}, + "ElevationRequestId": {"data_type": "string", "description": 'A unique identifier for the elevation request'}, + "ElevationRole": {"data_type": "string", "description": 'The role the elevation was requested for'}, + "ElevationTime": {"data_type": "datetime", "description": 'The start time of the elevation'}, + "Event_Data": {"data_type": "string", "description": 'Optional payload for custom events'}, + "EventSource": {"data_type": "string", "description": 'Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel'}, + "ExtendedProperties": {"data_type": "string", "description": 'The extended properties of the Azure AD event'}, + "ExternalAccess": {"data_type": "string", "description": 'Specifies whether the cmdlet was run by a user in your organization'}, + "ExtraProperties": {"data_type": "dynamic", "description": 'A list of extra properties'}, + "Folder": {"data_type": "string", "description": 'The folder where a group of items is located'}, + "Folders": {"data_type": "string", "description": 'Information about the source folders involved in an operation'}, + "GenericInfo": {"data_type": "string", "description": 'Used for comments and other generic information'}, + "InternalLogonType": {"data_type": "int", "description": 'Reserved for internal use'}, + "InterSystemsId": {"data_type": "string", "description": 'The GUID that track the actions across components within the Office 365 service'}, + "IntraSystemId": {"data_type": "string", "description": "The GUID that's generated by Azure Active Directory to track the action"}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsManagedDevice": {"data_type": "bool", "description": 'Indicates if operation was created by a device managed by the organization'}, + "Item": {"data_type": "string", "description": 'Represents the item upon which the operation was performed'}, + "ItemName": {"data_type": "string", "description": 'The string in the Subject field of the email message'}, + "ItemType": {"data_type": "string", "description": 'The type of object that was accessed or modified. See the ItemType table for details on the types of objects'}, + "LoginStatus": {"data_type": "int", "description": 'This property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms'}, + "Logon_Type": {"data_type": "string", "description": 'Indicates the type of user who accessed the mailbox and performed the operation that was logged'}, + "LogonUserDisplayName": {"data_type": "string", "description": 'The user-friendly name of the user who performed the operation'}, + "LogonUserSid": {"data_type": "string", "description": 'The SID of the user who performed the operation'}, + "MachineDomainInfo": {"data_type": "string", "description": 'Information about device sync operations'}, + "MachineId": {"data_type": "string", "description": 'Information about device sync operations'}, + "MailboxGuid": {"data_type": "string", "description": 'The Exchange GUID of the mailbox that was accessed'}, + "MailboxOwnerMasterAccountSid": {"data_type": "string", "description": "Mailbox owner account's master account SID"}, + "MailboxOwnerSid": {"data_type": "string", "description": 'The SID of the mailbox owner'}, + "MailboxOwnerUPN": {"data_type": "string", "description": 'The email address of the person who owns the mailbox that was accessed'}, + "Members": {"data_type": "dynamic", "description": 'A list of users within a Team'}, + "MessageId": {"data_type": "string", "description": 'An identifier for a chat or channel message'}, + "ModifiedObjectResolvedName": {"data_type": "string", "description": 'This is the user friendly name of the object that was modified by the cmdlet'}, + "ModifiedProperties": {"data_type": "string", "description": 'The property is included for admin events, such as adding a user as a member of a site or a site collection admin group'}, + "Name": {"data_type": "string", "description": 'Only present for settings events. Name of the setting that changed'}, + "NewValue": {"data_type": "string", "description": 'Only present for settings events. New value of the setting'}, + "OfficeId": {"data_type": "string", "description": 'Unique identifier of an audit record'}, + "OfficeObjectId": {"data_type": "string", "description": 'For SharePoint and OneDrive for Business activity'}, + "OfficeTenantId": {"data_type": "string", "description": 'The office tenant id'}, + "OfficeWorkload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred'}, + "OldValue": {"data_type": "string", "description": 'Only present for settings events. Old value of the setting'}, + "Operation": {"data_type": "string", "description": 'The name of the operation that the user is performing'}, + "OperationProperties": {"data_type": "dynamic", "description": 'Additional operation properties'}, + "OperationScope": {"data_type": "string", "description": 'The scope the operation was performed on'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization"}, + "OrganizationName": {"data_type": "string", "description": 'The name of the tenant'}, + "OriginatingServer": {"data_type": "string", "description": 'The name of the server from which the cmdlet was executed'}, + "Parameters": {"data_type": "string", "description": 'The name and value for all parameters that were used with the cmdlet that is identified in the Operations property'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultReasonType": {"data_type": "string", "description": 'Reason for the result reported in ResultType'}, + "ResultStatus": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not'}, + "SendAsUserMailboxGuid": {"data_type": "string", "description": 'The Exchange GUID of the mailbox that was accessed to send email as'}, + "SendAsUserSmtp": {"data_type": "string", "description": 'SMTP address of the user who is being impersonated'}, + "SendonBehalfOfUserMailboxGuid": {"data_type": "string", "description": 'The Exchange GUID of the mailbox that was accessed to send mail on behalf of'}, + "SendOnBehalfOfUserSmtp": {"data_type": "string", "description": 'SMTP address of the user on whose behalf the email is sent'}, + "SharingType": {"data_type": "string", "description": 'The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter'}, + "Site_": {"data_type": "string", "description": 'The GUID of the site where the file or folder accessed by the user is located'}, + "Site_Url": {"data_type": "string", "description": 'The URL of the site where the file or folder accessed by the user is located'}, + "Source_Name": {"data_type": "string", "description": 'The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel'}, + "SourceFileExtension": {"data_type": "string", "description": 'The file extension of the file that was accessed by the user'}, + "SourceFileName": {"data_type": "string", "description": 'The name of the file or folder accessed by the user'}, + "SourceRecordId": {"data_type": "string", "description": 'Unique identifier of an audit record'}, + "SourceRelativeUrl": {"data_type": "string", "description": 'The URL of the folder that contains the file accessed by the user'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SRPolicyId": {"data_type": "string", "description": 'Policy ID'}, + "SRPolicyName": {"data_type": "string", "description": 'Policy name'}, + "SRRuleMatchDetails": {"data_type": "dynamic", "description": 'Rule details'}, + "Start_Time": {"data_type": "datetime", "description": 'The date and time at which the cmdlet was executed'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SupportTicketId": {"data_type": "string", "description": "The customer support ticket ID for the action in 'act-on-behalf-of' situations"}, + "TabType": {"data_type": "string", "description": 'The type of tab that generated this event'}, + "TargetContextId": {"data_type": "string", "description": 'The GUID of the organization that the targeted user belongs to'}, + "TargetUserId": {"data_type": "string", "description": 'Target user id'}, + "TargetUserOrGroupName": {"data_type": "string", "description": 'Stores the UPN or name of the target user or group that a resource was shared with'}, + "TargetUserOrGroupType": {"data_type": "string", "description": 'Identifies whether the target user or group is a Member, Guest, Group, or Partner'}, + "TeamGuid": {"data_type": "string", "description": 'A unique identifier for the team being audited'}, + "TeamName": {"data_type": "string", "description": 'The name of the team being audited'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in Coordinated Universal Time (UTC) when the user performed the activity'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent'}, + "UserDomain": {"data_type": "string", "description": 'The domain of the user'}, + "UserId": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged'}, + "UserKey": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property'}, + "UserSharedWith": {"data_type": "string", "description": 'The user that a resource was shared with'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation. See the UserType table for details on the types of users'}, + }, + "OLPSupplyChainEntityOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientApplicationId": {"data_type": "string", "description": 'Application ID of the client making the API request.'}, + "ClientName": {"data_type": "string", "description": 'Name of the client making the API request.'}, + "ClientObjectId": {"data_type": "string", "description": 'Object ID of the client making the API request.'}, + "ClientTenantId": {"data_type": "string", "description": 'Tenant ID of the client making the API request.'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs.'}, + "CustomRequestAttributes": {"data_type": "dynamic", "description": 'Client defined arbitrary data in the API request.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "HttpStatusCode": {"data_type": "int", "description": 'HTTP status code of the API response.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "RequestId": {"data_type": "string", "description": 'Unique identifier to be used to correlate request logs.'}, + "RequestMethod": {"data_type": "string", "description": 'HTTP method of the API request.'}, + "RequestUri": {"data_type": "string", "description": 'URI of the API request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBody": {"data_type": "dynamic", "description": 'Request body of the API calls.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "OLPSupplyChainEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs with OLPSupplyChainEntityOperations.'}, + "DurationMs": {"data_type": "real", "description": 'Time it took to service the REST API request, in milliseconds.'}, + "EventBody": {"data_type": "dynamic", "description": 'The event body.'}, + "EventId": {"data_type": "string", "description": 'Unique identifier for each event.'}, + "EventType": {"data_type": "string", "description": 'The type of the event, can be Microsoft.OpenLogisticsPlatform.EntityCreated, Microsoft.OpenLogisticsPlatform.EntityUpdated etc.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "RequestId": {"data_type": "string", "description": 'Unique identifier to be used to correlate request logs.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SupplyChainResourceType": {"data_type": "string", "description": 'The type of supplychain resource for which the event is generated, can be Item, Warehouse, WarehouseItem etc.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Operation": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Name of a physical or virtual machine having membership with Log Analytics agent.'}, + "CorrelationId": {"data_type": "string", "description": 'GUID that is shared with telemetry belonging to the same uber action.'}, + "Detail": {"data_type": "string", "description": 'User friendly string that describes further details about the operation'}, + "ErrorId": {"data_type": "string", "description": 'Deprecated.'}, + "HelpLink": {"data_type": "string", "description": 'Reference URL for additional contextual information.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of the Operations Manager management group for System Center Operations Manager agents.'}, + "OperationCategory": {"data_type": "string", "description": 'Name of the area that produced the record.'}, + "OperationKey": {"data_type": "string", "description": 'Operation ID. Can be a GUID or string.'}, + "OperationStatus": {"data_type": "string", "description": 'Operation status description. Ccommon values include Warning Succeeded Failed Error.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Solution": {"data_type": "string", "description": 'Name of the managed solution that produced the record. Can also include other sources such as RestAPI.'}, + "SourceComputerId": {"data_type": "string", "description": 'Unique GUID identifier for a computer.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time that the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Perf": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BucketEndTime": {"data_type": "datetime", "description": ''}, + "BucketStartTime": {"data_type": "datetime", "description": ''}, + "Computer": {"data_type": "string", "description": 'Computer that the event was collected from.'}, + "CounterName": {"data_type": "string", "description": 'Name of the performance counter.'}, + "CounterPath": {"data_type": "string", "description": 'Full path of the counter in the form \\\\\\\\object(instance)\\counter.'}, + "CounterValue": {"data_type": "real", "description": ''}, + "InstanceName": {"data_type": "string", "description": 'Name of the event instance. Empty if no instance.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Max": {"data_type": "real", "description": ''}, + "Min": {"data_type": "real", "description": ''}, + "ObjectName": {"data_type": "string", "description": 'Name of the performance object.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SampleCount": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StandardDeviation": {"data_type": "real", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the data was sampled.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "PFTitleAuditLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the log, will be one of Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the Azure PlayFab Title, generating the log.'}, + "ModifiedPlayerId": {"data_type": "string", "description": 'Player ID on which the action taken.'}, + "OperationName": {"data_type": "string", "description": 'The operation name combined with operation type represents the action performed for which the log was generated.'}, + "OperationType": {"data_type": "string", "description": 'The operation name combined with operation type represents the action performed for which the log was generated.'}, + "PlayFabPlayerAccountPoolId": {"data_type": "string", "description": 'ID of Azure PlayFab PlayerAccountPool associated with the Azure PlayFab Title for which the log was generated.'}, + "PlayFabTitleId": {"data_type": "string", "description": 'ID of Azure PlayFab Title for which the log was generated.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'ID of the user who performed the action which generated the log.'}, + "UserName": {"data_type": "string", "description": 'Name or Email of the user who performed the action which generated the log.'}, + }, + "PowerAppsActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. For example: Admin, System, Application, Service Principal, Guest or Other.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'Additional information if any (e.g. the environment name)'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "TargetAppName": {"data_type": "string", "description": 'The name of the app where the event occurred.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "PowerAutomateActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'More information, for example, the environment name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "FlowConnectorNames": {"data_type": "string", "description": 'Connector names listed in the flow.'}, + "FlowDetailsUrl": {"data_type": "string", "description": "Link to the flow's details page."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LicenseDisplayName": {"data_type": "string", "description": 'Display name of the license.'}, + "ObjectId": {"data_type": "string", "description": 'The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "RecipientUpn": {"data_type": "string", "description": 'If permission was updated, shows the UPN of the permission recipient.'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "SharingPermission": {"data_type": "string", "description": 'Type of permission shared with another user (3 = Owner/ReadWrite, 2 = Run-only user/Read).'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserUpn": {"data_type": "string", "description": 'Unique ID of the user. Always equivalent to UserKey.'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "PowerBIActivity": { + "Activity": {"data_type": "string", "description": 'The name of the user or admin activity.'}, + "ActivityId": {"data_type": "string", "description": 'A unique identifier for the activity.'}, + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DashboardId": {"data_type": "string", "description": 'The ID of the dashboard that the activity was performed on.'}, + "DashboardName": {"data_type": "string", "description": 'The name of the dashboard where the event occurred.'}, + "DataClassification": {"data_type": "string", "description": 'The data classification, if exists, for the dashboard where the event occurred.'}, + "DatasetName": {"data_type": "string", "description": 'The name of the dataset where the event occurred.'}, + "DistributionMethod": {"data_type": "string", "description": 'Indicates the distribution method of the content.'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventProduct": {"data_type": "string", "description": 'The Microsoft product name (PowerBI).'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "EventVendor": {"data_type": "string", "description": 'Service vendor name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSuccess": {"data_type": "string", "description": 'Indicates whether the action was successful or not.'}, + "ItemName": {"data_type": "string", "description": 'The name of the item that the activity was performed on.'}, + "MembershipInformation": {"data_type": "string", "description": 'Membership information about the group.'}, + "ObjectId": {"data_type": "string", "description": 'The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "OrgAppPermission": {"data_type": "string", "description": 'Permissions list for an organizational app (entire organization, specific users, or specific groups).'}, + "PbiWorkspaceName": {"data_type": "string", "description": 'The name of the PowerBI workspace where the event occurred.'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "ReportName": {"data_type": "string", "description": 'The name of the report where the event occurred.'}, + "RequestId": {"data_type": "string", "description": 'A unique identifier for the request.'}, + "Scope": {"data_type": "string", "description": 'Event can be created by a hosted Office 365 service or an on-premises server. Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to Office 365.'}, + "SharingInformation": {"data_type": "string", "description": 'Information about the person to whom a sharing invitation is sent.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "SwitchState": {"data_type": "string", "description": 'Information about the state of various tenant level switches.'}, + "TargetAppName": {"data_type": "string", "description": 'The name of the app where the event occurred.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": "Information about the user's browser. This information is provided by the browser."}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + "WorkspaceId": {"data_type": "string", "description": 'The ID of the PowerBI workspace.'}, + }, + "PowerBIAuditTenant": { + "AuditData": {"data_type": "string", "description": 'The complete audit record containing relevant operation details such as workspace name or dataset name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An event ID that can be used to correlated events between multiple tables.'}, + "CustomerTenantId": {"data_type": "string", "description": "Customer's Power BI tenant identifier."}, + "ExecutingUser": {"data_type": "string", "description": 'The user executing the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Contains the severity level of the operation being logged. Success, Informational, Warning, or Error.'}, + "LogAnalyticsCategory": {"data_type": "string", "description": 'Unique category of the events like like Audit/Security/Request.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp(UTC) of when the log entry was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "PowerBIDatasetsTenant": { + "ApplicationContext": {"data_type": "dynamic", "description": 'Unique identifiers providing details about the context of the operation. E.g. Report ID, DatasetID.'}, + "ApplicationName": {"data_type": "string", "description": 'Contains the name of the client application that created the connection to the Power BI dataset. This is provided by the application and is optional.'}, + "ArtifactId": {"data_type": "string", "description": 'Unique ID of the resource logging the data.'}, + "ArtifactKind": {"data_type": "string", "description": 'Type of artifact logging the operation e.g. Dataset.'}, + "ArtifactName": {"data_type": "string", "description": 'The name of the Power BI artifact logging this operation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An event ID that can be used to correlated events between multiple tables.'}, + "CpuTimeMs": {"data_type": "long", "description": 'Amount of CPU time (in milliseconds) used by the operation.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Unique identifier of the Power BI tenant.'}, + "DatasetMode": {"data_type": "string", "description": 'The mode of the dataset. Import, DirectQuery or Composite.'}, + "DurationMs": {"data_type": "long", "description": 'Amount of time (in milliseconds) taken by the operation.'}, + "EventText": {"data_type": "string", "description": 'Contains verbose information associated with operation e.g. DAX query.'}, + "ExecutingUser": {"data_type": "string", "description": 'The user executing the operation.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about user and claims.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Contains the severity level of the operation being logged. Success, Informational, Warning, or Error.'}, + "LogAnalyticsCategory": {"data_type": "string", "description": 'Unique category of the events like Audit/Security/Request.'}, + "OperationDetailName": {"data_type": "string", "description": 'Provides subcategories of OperationName.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "PowerBIWorkspaceId": {"data_type": "string", "description": 'Unique identifier of the Power BI workspace that contains the artifact being operated on.'}, + "PowerBIWorkspaceName": {"data_type": "string", "description": 'Name of the Power BI workspace containing the artifact.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Unique identifier of the Premium capacity hosting the artifact being operated on.'}, + "ProgressCounter": {"data_type": "long", "description": 'Progress Counter.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation.'}, + "StatusCode": {"data_type": "int", "description": 'Status code of the operation. It covers success and failure.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp(UTC) of when the log entry was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server.'}, + "XmlaObjectPath": {"data_type": "string", "description": "A comma-separated list of parents, starting with the object's parent."}, + "XmlaProperties": {"data_type": "string", "description": 'Properties of the XMLA request.'}, + "XmlaRequestId": {"data_type": "string", "description": 'Unique Identifier of request.'}, + "XmlaSessionId": {"data_type": "string", "description": 'Analysis services session identifier.'}, + }, + "PowerBIDatasetsTenantPreview": { + "ApplicationContext": {"data_type": "string", "description": 'Property bag of unique identifiers providing details about the application executing the request. E.g. report ID.'}, + "ApplicationName": {"data_type": "string", "description": 'Contains the name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientHostName": {"data_type": "string", "description": 'The name of the computer on which the client application is running. This column is populated with the values passed by the client application.'}, + "ClientProcessId": {"data_type": "string", "description": 'Contains the process ID of the client application.'}, + "ConnectionId": {"data_type": "string", "description": 'Unique identifier of the connection.'}, + "CPUTime": {"data_type": "long", "description": 'Amount of CPU time (in milliseconds) used by the event.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Unique identifier of the Power BI tenant.'}, + "DatabaseName": {"data_type": "string", "description": 'Contains the name of the database in which the query is running.'}, + "Duration": {"data_type": "long", "description": 'Amount of time (in milliseconds) taken by the event.'}, + "EffectiveUsername": {"data_type": "string", "description": 'The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server.'}, + "Error": {"data_type": "string", "description": 'Contains the error number of any error associated with the event.'}, + "EventClass": {"data_type": "string", "description": 'Event Class is used to categorize events.'}, + "EventSubclass": {"data_type": "string", "description": 'Event Subclass provides additional information about each event class.'}, + "IntegerData": {"data_type": "long", "description": 'Contains the integer data associated with the reported event, such as the current count of the number of rows processed for a processing event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'Contains the object ID associated with the reported event.'}, + "ObjectName": {"data_type": "string", "description": 'The name of the object for which the event occurred.'}, + "ObjectPath": {"data_type": "string", "description": "Object path. A comma-separated list of parents, starting with the object's parent."}, + "ObjectReference": {"data_type": "string", "description": 'Object reference. Encoded as XML for all parents, using tags to describe the object.'}, + "ObjectType": {"data_type": "int", "description": 'Identifies the type of object associated with a particular lock. For example, a lock timeout on a database will indicate the object type 100002, which is the Database object type.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Unique identifier of the Premium capacity being operated on.'}, + "ProgressTotal": {"data_type": "long", "description": 'An integer representing how many rows have been processed in the current operation at a point in time.'}, + "RequestParameters": {"data_type": "string", "description": 'Contains the parameters for parameterized queries and commands associated with the event.'}, + "RequestProperties": {"data_type": "string", "description": 'Contains the properties of the XMLA request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'Unique Identifier of request'}, + "SessionId": {"data_type": "string", "description": 'Unique identifier of a session which represents multiple transactions occurring within the same scope e.g. Sharing calculated members.'}, + "Severity": {"data_type": "string", "description": 'Contains the severity level of an exception associated with the command event. Values are: 0 = Success, 1 = Informational, 2 = Warning, 3 = Error.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpId": {"data_type": "int", "description": 'Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A.'}, + "StartTime": {"data_type": "datetime", "description": 'Contains the time at which the event started, when available.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "string", "description": 'Indicates if the operation was successful. 1 = success. 0 = failure.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TextData": {"data_type": "string", "description": 'Contains verbose information associated with the event'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'Unique identifier of the workspace being operated on.'}, + }, + "PowerBIDatasetsWorkspace": { + "ApplicationContext": {"data_type": "dynamic", "description": 'Unique identifiers providing details about the context of the operation. E.g. Report ID, DatasetID.'}, + "ApplicationName": {"data_type": "string", "description": 'Contains the name of the client application that created the connection to the Power BI dataset. This is provided by the application and is optional.'}, + "ArtifactId": {"data_type": "string", "description": 'Unique ID of the resource logging the data.'}, + "ArtifactKind": {"data_type": "string", "description": 'Type of artifact logging the operation e.g. Dataset.'}, + "ArtifactName": {"data_type": "string", "description": 'The name of the Power BI artifact logging this operation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'An event ID that can be used to correlated events between multiple tables.'}, + "CpuTimeMs": {"data_type": "long", "description": 'Amount of CPU time (in milliseconds) used by the operation.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Unique identifier of the Power BI tenant.'}, + "DatasetMode": {"data_type": "string", "description": 'The mode of the dataset. Import, DirectQuery or Composite.'}, + "DurationMs": {"data_type": "long", "description": 'Amount of time (in milliseconds) taken by the operation.'}, + "EventText": {"data_type": "string", "description": 'Contains verbose information associated with operation e.g. DAX query.'}, + "ExecutingUser": {"data_type": "string", "description": 'The user executing the operation.'}, + "Identity": {"data_type": "dynamic", "description": 'Information about user and claims.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'Contains the severity level of the operation being logged. Success, Informational, Warning, or Error.'}, + "LogAnalyticsCategory": {"data_type": "string", "description": 'Unique category of the events like Audit/Security/Request.'}, + "OperationDetailName": {"data_type": "string", "description": 'Provides subcategories of OperationName.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "PowerBIWorkspaceId": {"data_type": "string", "description": 'Unique identifier of the Power BI workspace that contains the artifact being operated on.'}, + "PowerBIWorkspaceName": {"data_type": "string", "description": 'Name of the Power BI workspace containing the artifact.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Unique identifier of the Premium capacity hosting the artifact being operated on.'}, + "ProgressCounter": {"data_type": "long", "description": 'Progress Counter.'}, + "ReplicaId": {"data_type": "string", "description": 'Replica identifier.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation.'}, + "StatusCode": {"data_type": "int", "description": 'Status code of the operation. It covers success and failure.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp(UTC) of when the log entry was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server.'}, + "XmlaObjectPath": {"data_type": "string", "description": "A comma-separated list of parents, starting with the object's parent."}, + "XmlaProperties": {"data_type": "string", "description": 'Properties of the XMLA request.'}, + "XmlaRequestId": {"data_type": "string", "description": 'Unique Identifier of request.'}, + "XmlaSessionId": {"data_type": "string", "description": 'Analysis services session identifier.'}, + }, + "PowerBIDatasetsWorkspacePreview": { + "ApplicationContext": {"data_type": "string", "description": 'Property bag of unique identifiers providing details about the application executing the request. E.g. report ID.'}, + "ApplicationName": {"data_type": "string", "description": 'Contains the name of the client application that created the connection to the server. This column is populated with the values passed by the application rather than the displayed name of the program.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientHostName": {"data_type": "string", "description": 'The name of the computer on which the client application is running. This column is populated with the values passed by the client application.'}, + "ClientProcessId": {"data_type": "string", "description": 'Contains the process ID of the client application.'}, + "ConnectionId": {"data_type": "string", "description": 'Unique identifier of the connection.'}, + "CPUTime": {"data_type": "long", "description": 'Amount of CPU time (in milliseconds) used by the event.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Unique identifier of the Power BI tenant.'}, + "DatabaseName": {"data_type": "string", "description": 'Contains the name of the database in which the query is running.'}, + "Duration": {"data_type": "long", "description": 'Amount of time (in milliseconds) taken by the event.'}, + "EffectiveUsername": {"data_type": "string", "description": 'The user on whose behalf the operation is running. Used when an end user identity must be impersonated on the server.'}, + "Error": {"data_type": "string", "description": 'Contains the error number of any error associated with the event.'}, + "EventClass": {"data_type": "string", "description": 'Event Class is used to categorize events.'}, + "EventSubclass": {"data_type": "string", "description": 'Event Subclass provides additional information about each event class.'}, + "IntegerData": {"data_type": "long", "description": 'Contains the integer data associated with the reported event, such as the current count of the number of rows processed for a processing event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'Contains the object ID associated with the reported event.'}, + "ObjectName": {"data_type": "string", "description": 'The name of the object for which the event occurred.'}, + "ObjectPath": {"data_type": "string", "description": "Object path. A comma-separated list of parents, starting with the object's parent."}, + "ObjectReference": {"data_type": "string", "description": 'Object reference. Encoded as XML for all parents, using tags to describe the object.'}, + "ObjectType": {"data_type": "int", "description": 'Identifies the type of object associated with a particular lock. For example, a lock timeout on a database will indicate the object type 100002, which is the Database object type.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Unique identifier of the Premium capacity being operated on.'}, + "ProgressTotal": {"data_type": "long", "description": 'An integer representing how many rows have been processed in the current operation at a point in time.'}, + "RequestParameters": {"data_type": "string", "description": 'Contains the parameters for parameterized queries and commands associated with the event.'}, + "RequestProperties": {"data_type": "string", "description": 'Contains the properties of the XMLA request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'Unique Identifier of request'}, + "SessionId": {"data_type": "string", "description": 'Unique identifier of a session which represents multiple transactions occurring within the same scope e.g. Sharing calculated members.'}, + "Severity": {"data_type": "string", "description": 'Contains the severity level of an exception associated with the command event. Values are: 0 = Success, 1 = Informational, 2 = Warning, 3 = Error.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpId": {"data_type": "int", "description": 'Server process ID. This uniquely identifies a user session. This directly corresponds to the session GUID used by XML/A.'}, + "StartTime": {"data_type": "datetime", "description": 'Contains the time at which the event started, when available.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Success": {"data_type": "string", "description": 'Indicates if the operation was successful. 1 = success. 0 = failure.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TextData": {"data_type": "string", "description": 'Contains verbose information associated with the event'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'Unique identifier of the workspace being operated on.'}, + }, + "PowerBIReportUsageTenant": { + "ArtifactId": {"data_type": "string", "description": 'Report unique identifier.'}, + "ArtifactKind": {"data_type": "string", "description": 'Type of artifact this entry describe.'}, + "ArtifactName": {"data_type": "string", "description": 'Report friendly name. As at time of event being raised.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BootstrapDurationMs": {"data_type": "long", "description": 'The duration of Power BI application initialization in milliseconds.'}, + "BrowserName": {"data_type": "string", "description": 'Name of the browser used to view the report.'}, + "BrowserTabId": {"data_type": "string", "description": 'Unique identifier of the browser tab used to view the report.'}, + "BrowserVersion": {"data_type": "string", "description": 'Browser version number.'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the user machine initiating the activity.'}, + "ClientVersion": {"data_type": "string", "description": 'Version number of the Power BI client (where applicable).'}, + "ConsumptionMethod": {"data_type": "string", "description": 'Describes the method used to consume the content such as Power BI Web App.'}, + "CorrelationId": {"data_type": "string", "description": 'Root activity ID. Will be replaced by correlation vector in future.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Customer Tenant ID where the operation was performed.'}, + "DatasetId": {"data_type": "string", "description": 'Dataset unique identifier.'}, + "DatasetLocation": {"data_type": "string", "description": 'What infrastrcure is the phsyical SSAS dataset hosted on.'}, + "DatasetMode": {"data_type": "string", "description": 'What type of SSAS data model is it i.e. Import/DirectQuery/Composite.'}, + "DatasetName": {"data_type": "string", "description": 'Dataset friendly name. As at time of event being raised.'}, + "DistributionMethod": {"data_type": "string", "description": 'For report views which distribution method did the user leverage to access it.'}, + "DurationMs": {"data_type": "long", "description": 'How long did the entire operation take from start to finish in milliseconds.'}, + "EffectiveDAXQueryDurationMs": {"data_type": "long", "description": 'What was the DAX query duration from First query start to Last Query end in milliseconds. Applies to all model types.'}, + "EffectiveDQQueryDurationMs": {"data_type": "long", "description": 'For DQ sources what was the DQ query duration from First query start to Last query end in milliseconds.'}, + "EffectiveRenderDurationMs": {"data_type": "long", "description": 'For reports what was the report render duration excluding bootstrap time in milliseconds.'}, + "EffectiveVisualLoadDurationMs": {"data_type": "long", "description": 'For reports what was the visual loading duration from first visual start to last visual end in milliseconds.'}, + "EmbedAppId": {"data_type": "string", "description": 'For PaaS embed the GUID of the application registered with Azure AD which hosts the Power BI content.'}, + "EmbedType": {"data_type": "string", "description": 'For embedded reports which method was used to embed the content.'}, + "ExecutingUser": {"data_type": "string", "description": 'UserPrincipalName of the user executing/using the artifact. Can be impersonated.'}, + "HomeWorkspaceId": {"data_type": "string", "description": 'For app and direct share report cases the unique identifier of the workspace hosting the dataset that powers the report.'}, + "HomeWorkspaceName": {"data_type": "string", "description": 'For app and direct share report cases the name of the workspace hosting the dataset that powers the report.'}, + "Identity": {"data_type": "dynamic", "description": 'User and claim details.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsBootstrapIncluded": {"data_type": "bool", "description": 'For report view events shows whether the operation incurs application bootstrapping to initialize Power BI before the report load.'}, + "IsQueryResultCacheEnabled": {"data_type": "bool", "description": 'For models on Premium capacities shows whether Query Result Caching enabled.'}, + "Level": {"data_type": "string", "description": 'Log classification indicating if the entry is informational or represents a warning or error state.'}, + "LogAnalyticsCategory": {"data_type": "string", "description": 'Category of the operation being logged.'}, + "OperatingSystemName": {"data_type": "string", "description": 'Operating System name.'}, + "OperatingSystemVersion": {"data_type": "string", "description": 'Operating System version number.'}, + "OperationEndTimestamp": {"data_type": "datetime", "description": 'End timestamp for the reported operation applicable to operations with an absolute duration. UTC date time value in RFC3339 format.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationStartTimestamp": {"data_type": "datetime", "description": 'Start timestamp for the reported operations applicable to operations with an absolute duration. UTC date time value in RFC3339 format.'}, + "OperationVersion": {"data_type": "string", "description": 'This is the version of the event.'}, + "PowerBIAppId": {"data_type": "string", "description": 'Unique identifier of the Power BI App if a report was viewed through the app.'}, + "PowerBIAppName": {"data_type": "string", "description": 'Name of the Power BI App if a report was viewed through the app.'}, + "PowerBIWorkspaceId": {"data_type": "string", "description": 'PowerBI workspace unique identifier - the workspace containing the artifact.'}, + "PowerBIWorkspaceName": {"data_type": "string", "description": 'Friendly name of the Power BI workspace containing the artifact as at the time when the event was raised.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Premium capacity unique identifier.'}, + "Region": {"data_type": "string", "description": 'Azure region containing the artifact reporting the event. Typically the value shown in the About screen in the service under \\"Your data is stored in:\\"'}, + "ReportPageId": {"data_type": "string", "description": 'Power BI Interactive Report page/section unique identifier.'}, + "ReportPageName": {"data_type": "string", "description": 'Power BI Interactive Report page friendly name. As at time of event being raised.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp(UTC) of when the log entry was generated.'}, + "TotalDAXQueryDurationMs": {"data_type": "long", "description": 'Sum of all DAX query durations in milliseconds. Applies to all model types.'}, + "TotalDQQueryDurationMs": {"data_type": "long", "description": 'For DQ Sources sum of all DQ query durations in milliseconds.'}, + "TotalVisibleVisualCount": {"data_type": "int", "description": 'For reports how many total visuals were on the page that was viewed. Excludes hidden visuals.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'Information the client sends to the server typically contains operating system and client browser details.'}, + "UserFirstName": {"data_type": "string", "description": 'The first name of the top level user principal that initiated the action.'}, + "UserLastName": {"data_type": "string", "description": 'The last name of the top level user principal that initiated the action.'}, + "UserSession": {"data_type": "string", "description": 'Unique identifier of the user session.'}, + "VisualTypesAndCounts": {"data_type": "string", "description": 'For reportswhich visuals were on the page that was viewed and how many. Includes Custom visuals.'}, + }, + "PowerBIReportUsageWorkspace": { + "ArtifactId": {"data_type": "string", "description": 'Report unique identifier.'}, + "ArtifactKind": {"data_type": "string", "description": 'Type of artifact this entry describe.'}, + "ArtifactName": {"data_type": "string", "description": 'Report friendly name. As at time of event being raised.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BootstrapDurationMs": {"data_type": "long", "description": 'The duration of Power BI application initialization in milliseconds.'}, + "BrowserName": {"data_type": "string", "description": 'Name of the browser used to view the report.'}, + "BrowserTabId": {"data_type": "string", "description": 'Unique identifier of the browser tab used to view the report.'}, + "BrowserVersion": {"data_type": "string", "description": 'Browser version number.'}, + "CallerIpAddress": {"data_type": "string", "description": 'IP address of the user machine initiating the activity.'}, + "ClientVersion": {"data_type": "string", "description": 'Version number of the Power BI client (where applicable).'}, + "ConsumptionMethod": {"data_type": "string", "description": 'Describes the method used to consume the content such as Power BI Web App.'}, + "CorrelationId": {"data_type": "string", "description": 'Root activity ID. Will be replaced by correlation vector in future.'}, + "CustomerTenantId": {"data_type": "string", "description": 'Customer Tenant ID where the operation was performed.'}, + "DatasetId": {"data_type": "string", "description": 'Dataset unique identifier.'}, + "DatasetLocation": {"data_type": "string", "description": 'What infrastrcure is the phsyical SSAS dataset hosted on.'}, + "DatasetMode": {"data_type": "string", "description": 'What type of SSAS data model is it i.e. Import/DirectQuery/Composite.'}, + "DatasetName": {"data_type": "string", "description": 'Dataset friendly name. As at time of event being raised.'}, + "DistributionMethod": {"data_type": "string", "description": 'For report views which distribution method did the user leverage to access it.'}, + "DurationMs": {"data_type": "long", "description": 'How long did the entire operation take from start to finish in milliseconds.'}, + "EffectiveDAXQueryDurationMs": {"data_type": "long", "description": 'What was the DAX query duration from First query start to Last Query end in milliseconds. Applies to all model types.'}, + "EffectiveDQQueryDurationMs": {"data_type": "long", "description": 'For DQ sources what was the DQ query duration from First query start to Last query end in milliseconds.'}, + "EffectiveRenderDurationMs": {"data_type": "long", "description": 'For reports what was the report render duration excluding bootstrap time in milliseconds.'}, + "EffectiveVisualLoadDurationMs": {"data_type": "long", "description": 'For reports what was the visual loading duration from first visual start to last visual end in milliseconds.'}, + "EmbedAppId": {"data_type": "string", "description": 'For PaaS embed the GUID of the application registered with Azure AD which hosts the Power BI content.'}, + "EmbedType": {"data_type": "string", "description": 'For embedded reports which method was used to embed the content.'}, + "ExecutingUser": {"data_type": "string", "description": 'UserPrincipalName of the user executing/using the artifact. Can be impersonated.'}, + "HomeWorkspaceId": {"data_type": "string", "description": 'For app and direct share report cases the unique identifier of the workspace hosting the dataset that powers the report.'}, + "HomeWorkspaceName": {"data_type": "string", "description": 'For app and direct share report cases the name of the workspace hosting the dataset that powers the report.'}, + "Identity": {"data_type": "dynamic", "description": 'User and claim details.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsBootstrapIncluded": {"data_type": "bool", "description": 'For report view events shows whether the operation incurs application bootstrapping to initialize Power BI before the report load.'}, + "IsQueryResultCacheEnabled": {"data_type": "bool", "description": 'For models on Premium capacities shows whether Query Result Caching enabled.'}, + "Level": {"data_type": "string", "description": 'Log classification indicating if the entry is informational or represents a warning or error state.'}, + "LogAnalyticsCategory": {"data_type": "string", "description": 'Category of the operation being logged.'}, + "OperatingSystemName": {"data_type": "string", "description": 'Operating System name.'}, + "OperatingSystemVersion": {"data_type": "string", "description": 'Operating System version number.'}, + "OperationEndTimestamp": {"data_type": "datetime", "description": 'End timestamp for the reported operation applicable to operations with an absolute duration. UTC date time value in RFC3339 format.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationStartTimestamp": {"data_type": "datetime", "description": 'Start timestamp for the reported operations applicable to operations with an absolute duration. UTC date time value in RFC3339 format.'}, + "OperationVersion": {"data_type": "string", "description": 'This is the version of the event.'}, + "PowerBIAppId": {"data_type": "string", "description": 'Unique identifier of the Power BI App if a report was viewed through the app.'}, + "PowerBIAppName": {"data_type": "string", "description": 'Name of the Power BI App if a report was viewed through the app.'}, + "PowerBIWorkspaceId": {"data_type": "string", "description": 'PowerBI workspace unique identifier - the workspace containing the artifact.'}, + "PowerBIWorkspaceName": {"data_type": "string", "description": 'Friendly name of the Power BI workspace containing the artifact as at the time when the event was raised.'}, + "PremiumCapacityId": {"data_type": "string", "description": 'Premium capacity unique identifier.'}, + "Region": {"data_type": "string", "description": 'Azure region containing the artifact reporting the event. Typically the value shown in the About screen in the service under \\"Your data is stored in:\\"'}, + "ReportPageId": {"data_type": "string", "description": 'Power BI Interactive Report page/section unique identifier.'}, + "ReportPageName": {"data_type": "string", "description": 'Power BI Interactive Report page friendly name. As at time of event being raised.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp(UTC) of when the log entry was generated.'}, + "TotalDAXQueryDurationMs": {"data_type": "long", "description": 'Sum of all DAX query durations in milliseconds. Applies to all model types.'}, + "TotalDQQueryDurationMs": {"data_type": "long", "description": 'For DQ Sources sum of all DQ query durations in milliseconds.'}, + "TotalVisibleVisualCount": {"data_type": "int", "description": 'For reports how many total visuals were on the page that was viewed. Excludes hidden visuals.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'Information the client sends to the server typically contains operating system and client browser details.'}, + "UserFirstName": {"data_type": "string", "description": 'The first name of the top level user principal that initiated the action.'}, + "UserLastName": {"data_type": "string", "description": 'The last name of the top level user principal that initiated the action.'}, + "UserSession": {"data_type": "string", "description": 'Unique identifier of the user session.'}, + "VisualTypesAndCounts": {"data_type": "string", "description": 'For reportswhich visuals were on the page that was viewed and how many. Includes Custom visuals.'}, + }, + "PowerPlatformAdminActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. For example: Admin, System, Application, Service Principal, Guest or Other.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "PropertyCollection": {"data_type": "dynamic", "description": 'Additional information property bag for the event.'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "RequiresCustomerKeyEncryption": {"data_type": "bool", "description": 'Status of the Customer Key Encryption requirement for the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "PowerPlatformConnectorActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'More information, for example, the environment name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConnectorId": {"data_type": "string", "description": 'The unique ID of the resource. Examples: custom api, and connection or gateway.'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "PowerPlatformDlpActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "AdditionalInfo": {"data_type": "dynamic", "description": 'More information, for example, the environment name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'The full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "PolicyName": {"data_type": "string", "description": 'Name of the DLP policy.'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in (UTC) when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "ProjectActivity": { + "ActorName": {"data_type": "string", "description": 'The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\\system or NT AUTHORITY\\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.'}, + "ActorUserId": {"data_type": "string", "description": 'An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.'}, + "ActorUserType": {"data_type": "string", "description": 'The type of user that performed the operation. Possible types are: Admin, System, Application, Service Principal and Other.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "EventOriginalType": {"data_type": "string", "description": 'The name of the user or admin activity that performed the activity. For a description of the most common operations/activities, see "Search the audit log" in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For Dlp events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below.'}, + "EventOriginalUid": {"data_type": "string", "description": 'Unique identifier of an audit record.'}, + "EventProduct": {"data_type": "string", "description": 'The Microsoft service name.'}, + "EventResult": {"data_type": "string", "description": 'Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.'}, + "EventVendor": {"data_type": "string", "description": 'The vendor service name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectId": {"data_type": "string", "description": 'For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.'}, + "OnBehalfOfResId": {"data_type": "string", "description": 'The resource ID the action was taken on behalf of.'}, + "OrganizationId": {"data_type": "string", "description": "The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs."}, + "ProjectAction": {"data_type": "string", "description": 'The project action that was taken.'}, + "ProjectEntity": {"data_type": "string", "description": 'The project entity the audit was for.'}, + "RecordType": {"data_type": "string", "description": 'The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.'}, + "Scope": {"data_type": "string", "description": 'Event can be created by a hosted Office 365 service or an on-premises server. Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to Office 365.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SrcIpAddr": {"data_type": "string", "description": "The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null."}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time in UTC when the user performed the activity.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserType": {"data_type": "string", "description": 'The type of user that performed the operation.'}, + "Workload": {"data_type": "string", "description": 'The Office 365 service where the activity occurred.'}, + }, + "ProtectionStatus": { + "AMProductVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "ComputerIP_Hidden": {"data_type": "string", "description": ''}, + "DetectionId": {"data_type": "string", "description": ''}, + "DeviceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "ProtectionStatus": {"data_type": "string", "description": ''}, + "ProtectionStatusDetails": {"data_type": "string", "description": ''}, + "ProtectionStatusRank": {"data_type": "int", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "ScanDate": {"data_type": "datetime", "description": ''}, + "SignatureVersion": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Threat": {"data_type": "string", "description": ''}, + "ThreatStatus": {"data_type": "string", "description": ''}, + "ThreatStatusDetails": {"data_type": "string", "description": ''}, + "ThreatStatusRank": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "TypeofProtection": {"data_type": "string", "description": ''}, + "VMUUID": {"data_type": "string", "description": ''}, + }, + "PurviewDataSensitivityLogs": { + "ActivityType": {"data_type": "string", "description": 'The type of data sensitivity event: classification, labeling.'}, + "AssetCreationTime": {"data_type": "datetime", "description": 'Time (UTC) at which the asset was created.'}, + "AssetLastScanTime": {"data_type": "datetime", "description": 'Time (UTC) at which the asset was last scanned.'}, + "AssetModifiedTime": {"data_type": "datetime", "description": 'Time (UTC) at which the asset was last modified.'}, + "AssetName": {"data_type": "string", "description": 'Name of the asset scanned.'}, + "AssetPath": {"data_type": "string", "description": 'Path of the asset scanned in a source.'}, + "AssetType": {"data_type": "string", "description": 'Type of asset that was scanned: file, column, table, generic.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Classification": {"data_type": "dynamic", "description": 'Names of the classifications found.'}, + "ClassificationDetails": {"data_type": "dynamic", "description": 'List of classification details: ID, name, count, uniquecount, confidence.'}, + "ClassificationTrigger": {"data_type": "string", "description": 'The trigger for the classification event.'}, + "FileExtension": {"data_type": "string", "description": 'File extension of the asset scanned. Only populated when asset type is a file.'}, + "FileSize": {"data_type": "long", "description": 'File size of the asset scanned in bytes. Only populated when asset type is a file.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PurviewAccountName": {"data_type": "string", "description": 'Name of the Purview account.'}, + "PurviewRegion": {"data_type": "string", "description": 'Region of the Purview account.'}, + "PurviewTenantId": {"data_type": "string", "description": 'Tenant ID associated with the Purview account.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SensitivityLabel": {"data_type": "dynamic", "description": 'Names for the labels found.'}, + "SensitivityLabelDetails": {"data_type": "dynamic", "description": 'List of label details: ID, name, order.'}, + "SensitivityLabelTrigger": {"data_type": "string", "description": 'The trigger for the sensitivity label event.'}, + "SourceCollectionName": {"data_type": "string", "description": 'Name of the data source collection name in Purview.'}, + "SourceName": {"data_type": "string", "description": 'Name of the data source scanned as registered in Purview.'}, + "SourcePath": {"data_type": "string", "description": 'Resource Path of the data source. Ex: ARM path for Azure resources and ARN for AWS resources.'}, + "SourceRegion": {"data_type": "string", "description": 'The location of the data source that was scanned.'}, + "SourceScanId": {"data_type": "string", "description": 'The associated Purview scan ID for the source.'}, + "SourceSubscriptionId": {"data_type": "string", "description": 'Subscription ID associated with the data source. Account ID for AWS resources.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceType": {"data_type": "string", "description": 'Type of data source scanned: azuredatalakegen1, azureblob, azuredataexplorer, amazons3 etc.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "PurviewScanStatusLogs": { + "AssetsClassified": {"data_type": "long", "description": 'Number of assets classified from the scan.'}, + "AssetsDiscovered": {"data_type": "long", "description": 'Number of assets discovered from the scan.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Log type category.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events. Can be used to identify correlated events between multiple tables.'}, + "DataSourceName": {"data_type": "string", "description": 'Name of the data source where the scan is run.'}, + "DataSourceType": {"data_type": "string", "description": 'Type of data source where the scan is run. For example: AzureDataExplorer, SQLServer etc.'}, + "ErrorDetails": {"data_type": "string", "description": 'Error detail while running the scan.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogLevel": {"data_type": "string", "description": 'Log level of message (INFO, WARN, ERROR, etc.).'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Result of the scan at the current state. For example: Throttled, Queued etc.'}, + "RunType": {"data_type": "string", "description": 'Run Type of the scan. For example: Manual, Scheduled etc.'}, + "ScanName": {"data_type": "string", "description": 'Name of the scan associated with the scan status log event.'}, + "ScanQueueTimeInSeconds": {"data_type": "long", "description": 'Time spent by this scan waiting in the queue.'}, + "ScanResultId": {"data_type": "string", "description": 'Guid of the Scan Result.'}, + "ScanTotalRunTimeInSeconds": {"data_type": "long", "description": 'Total time to complete the scan.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "PurviewSecurityLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIdentities": {"data_type": "dynamic", "description": 'Contains information about the identity that performed the operation. May contain the objectId, username, PUID etc. of the identity.'}, + "EntityName": {"data_type": "string", "description": 'Name of the entity for which the operation was performed.'}, + "EntityType": {"data_type": "string", "description": 'Type of the entity for which the operation was performed.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Location of the Purview account.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'Additional properties of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'Description of the result of the operation. May also contain the error description if the operation failed.'}, + "ResultType": {"data_type": "string", "description": 'Result of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "REDConnectionEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'The Redis client IP address.'}, + "ConnectionId": {"data_type": "long", "description": 'Unique connection ID assigned by Redis.'}, + "EventEpochTime": {"data_type": "long", "description": 'The unix timestamp (number of seconds since January 1, 1970) when the event happened in UTC. This can be converted to datetime format using function unixtime_seconds_todatetime in log analytics workspace.'}, + "EventStatus": {"data_type": "int", "description": 'Results of an authentication request as a status code (only applicable for authentication event).'}, + "EventType": {"data_type": "string", "description": 'Type of connection event(new_conn/auth/close_conn).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The location (i.e. region) of the Azure Cache for Redis Enterprise instance that was accessed.'}, + "OperationName": {"data_type": "string", "description": 'The Redis operation associated with the log record.'}, + "PrivateLinkIPv6": {"data_type": "string", "description": 'The Redis client private link IPv6 address (if applicable).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when event audit log was captured.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "RemoteNetworkHealthLogs": { + "BgpRoutesAdvertisedCount": {"data_type": "int", "description": 'Count of BGP routes advertised through tunnel.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CreatedDateTime": {"data_type": "datetime", "description": 'The date and time (UTC) that the event was generated.'}, + "Description": {"data_type": "string", "description": 'Description and summary of the event.'}, + "DestinationIp": {"data_type": "string", "description": 'The IP address of the destination.'}, + "Id": {"data_type": "string", "description": 'A unique identifier for each remoteNetworkHealthEvent.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ReceivedBytes": {"data_type": "long", "description": 'The number of bytes sent from the destination to the source.'}, + "RemoteNetworkId": {"data_type": "string", "description": 'A unique identifier for each remoteNetwork site.'}, + "SentBytes": {"data_type": "long", "description": 'The number of bytes sent from the source to the destination for the connection or session.'}, + "SourceIp": {"data_type": "string", "description": 'The public IP address.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Remote network status. Possible values are: tunnelDisconnected, tunnelConnected, bgpDisconnected, bgpConnected, remoteNetworkAlive, unknownFutureValue.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time (UTC) that the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ResourceManagementPublicAccessLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'Client IP address.'}, + "Category": {"data_type": "string", "description": 'A category type associated with the operation.'}, + "CorrelationId": {"data_type": "string", "description": 'An event ID that can be used to correlated events between multiple tables.'}, + "DurationMs": {"data_type": "long", "description": 'Amount of time (in milliseconds) taken by the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectIdentifier": {"data_type": "string", "description": 'Object ID for the caller of the operation.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with the log record.'}, + "OperationType": {"data_type": "string", "description": 'The resource type and operation associated with the log record.'}, + "OperationVersion": {"data_type": "string", "description": 'An API version associated with the operation.'}, + "PrivateLinkAssociationIds": {"data_type": "dynamic", "description": 'List of private link association resource IDs present at the scope.'}, + "ProviderName": {"data_type": "string", "description": 'The resource provider name associated with the log record.'}, + "ResultSignature": {"data_type": "int", "description": 'Status code of the operation. It covers success and failure.'}, + "ResultType": {"data_type": "string", "description": 'Status of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log entry was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'The resource URI for the operation.'}, + }, + "SCCMAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "SiteCode": {"data_type": "string", "description": ''}, + "SiteServer": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SCOMAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "DatabaseName": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "Server": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlInstanceName": {"data_type": "string", "description": ''}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecureScoreControls": { + "AssessedResourceId": {"data_type": "string", "description": 'The ID of the assessed resource'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ControlId": {"data_type": "string", "description": 'The ID of the assessed control'}, + "ControlName": {"data_type": "string", "description": 'The display name of the control'}, + "ControlType": {"data_type": "string", "description": 'The type of security control (for example, BuiltIn)'}, + "CurrentScore": {"data_type": "real", "description": 'The current secure score per control'}, + "Description": {"data_type": "string", "description": 'The description of the control'}, + "Environment": {"data_type": "string", "description": 'Data source environment.'}, + "HealthyResources": {"data_type": "int", "description": 'The number of healthy resources'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSnapshot": {"data_type": "bool", "description": "Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'."}, + "MaxScore": {"data_type": "int", "description": 'The maximum control score'}, + "NotApplicableResources": {"data_type": "int", "description": 'The number of not applicable resources'}, + "PercentageScore": {"data_type": "real", "description": 'The percentage of the score (current score divided by max score)'}, + "Properties": {"data_type": "dynamic", "description": 'The complete set of metadata.'}, + "RecommendationResourceIds": {"data_type": "dynamic", "description": 'The recommendation resource IDs for the recommendations assessed in the control'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProviderType": {"data_type": "string", "description": 'Resource provider type of the assessed resource'}, + "SecureScoresSubscriptionId": {"data_type": "string", "description": 'The ID of the subscription'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The (UTC) date and time the control score was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnhealthyResources": {"data_type": "int", "description": 'The number of unhealthy resources'}, + "Weight": {"data_type": "long", "description": 'The weight for calculation of an aggregated score for several scopes'}, + }, + "SecureScores": { + "AssessedResourceId": {"data_type": "string", "description": 'The ID of the assessed resource'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CurrentScore": {"data_type": "real", "description": 'The current secure score per control'}, + "DisplayName": {"data_type": "string", "description": 'The initiative s name'}, + "Environment": {"data_type": "string", "description": 'Data source environment.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSnapshot": {"data_type": "bool", "description": "Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'."}, + "MaxScore": {"data_type": "int", "description": 'The maximum control score'}, + "PercentageScore": {"data_type": "real", "description": 'The percentage of the score (current score divided by max score)'}, + "Properties": {"data_type": "dynamic", "description": 'The complete set of metadata.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProviderType": {"data_type": "string", "description": 'Resource provider type of the assessed resource'}, + "SecureScoresSubscriptionId": {"data_type": "string", "description": 'The ID of the subscription'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The (UTC) date and time the control score was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Weight": {"data_type": "long", "description": 'The weight for calculation of an aggregated score for several scopes'}, + }, + "SecurityAlert": { + "AlertLink": {"data_type": "string", "description": ''}, + "AlertName": {"data_type": "string", "description": ''}, + "AlertSeverity": {"data_type": "string", "description": ''}, + "AlertType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CompromisedEntity": {"data_type": "string", "description": ''}, + "ConfidenceLevel": {"data_type": "string", "description": ''}, + "ConfidenceScore": {"data_type": "real", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "DisplayName": {"data_type": "string", "description": ''}, + "EndTime": {"data_type": "datetime", "description": ''}, + "Entities": {"data_type": "string", "description": ''}, + "ExtendedLinks": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsIncident": {"data_type": "bool", "description": ''}, + "ProcessingEndTime": {"data_type": "datetime", "description": ''}, + "ProductComponentName": {"data_type": "string", "description": ''}, + "ProductName": {"data_type": "string", "description": ''}, + "ProviderName": {"data_type": "string", "description": ''}, + "RemediationSteps": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "StartTime": {"data_type": "datetime", "description": ''}, + "Status": {"data_type": "string", "description": ''}, + "SubTechniques": {"data_type": "string", "description": ''}, + "SystemAlertId": {"data_type": "string", "description": ''}, + "Tactics": {"data_type": "string", "description": ''}, + "Techniques": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VendorName": {"data_type": "string", "description": ''}, + "VendorOriginalId": {"data_type": "string", "description": ''}, + "WorkspaceResourceGroup": {"data_type": "string", "description": ''}, + "WorkspaceSubscriptionId": {"data_type": "string", "description": ''}, + }, + "SecurityAttackPathData": { + "AdditionalRemediationSteps": {"data_type": "string", "description": 'The manual remediation steps of the attack path.'}, + "Assessments": {"data_type": "dynamic", "description": 'The assessments mapped to the attack path.'}, + "AttackPathId": {"data_type": "string", "description": 'The ID of the attack path.'}, + "AttackStory": {"data_type": "string", "description": 'The attack story.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'The description of the attack path.'}, + "DisplayName": {"data_type": "string", "description": 'The display name of the attack path.'}, + "EntrypointId": {"data_type": "string", "description": 'The ID of the attack path enry point.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Mitre": {"data_type": "string", "description": 'MITRE mapping of the path.'}, + "Path": {"data_type": "dynamic", "description": 'The nodes, edges & insights that create the path.'}, + "PotentialImpact": {"data_type": "string", "description": 'The potenrial impact of the attack path.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RiskFactors": {"data_type": "dynamic", "description": 'The risk factors of the attack path.'}, + "RiskLevel": {"data_type": "string", "description": 'The risk level of the attack path.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetId": {"data_type": "string", "description": 'The ID of the attack path target.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the attack path was exported.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecurityBaseline": { + "ActualResult": {"data_type": "string", "description": ''}, + "AnalyzeOperation": {"data_type": "string", "description": ''}, + "AnalyzeResult": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "AzId": {"data_type": "string", "description": ''}, + "BaselineRuleType": {"data_type": "string", "description": ''}, + "BaselineType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CceId": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "ExpectedResult": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "RuleSetting": {"data_type": "string", "description": ''}, + "RuleSeverity": {"data_type": "string", "description": ''}, + "SitePath": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecurityBaselineSummary": { + "AssessmentId": {"data_type": "string", "description": ''}, + "BaselineType": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "CriticalFailedRules": {"data_type": "int", "description": ''}, + "InformationalFailedRules": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "PercentageOfPassedRules": {"data_type": "int", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalAssessedRules": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WarningFailedRules": {"data_type": "int", "description": ''}, + }, + "SecurityDetection": { + "AccountsSeen": {"data_type": "int", "description": ''}, + "AlertSeverity": {"data_type": "string", "description": ''}, + "AlertTitle": {"data_type": "string", "description": ''}, + "AssociatedResource": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChildProcess": {"data_type": "string", "description": ''}, + "CommandLine": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "DetectionID": {"data_type": "string", "description": ''}, + "Duration": {"data_type": "string", "description": ''}, + "ExtendedProperties": {"data_type": "string", "description": ''}, + "FailedAttempts": {"data_type": "int", "description": ''}, + "FullPath": {"data_type": "string", "description": ''}, + "InvalidAccountsSeen": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsFirstParty": {"data_type": "bool", "description": ''}, + "LogChannel": {"data_type": "string", "description": ''}, + "OccuringDatacenter": {"data_type": "string", "description": ''}, + "OriginalSeverity": {"data_type": "string", "description": ''}, + "ParentProcess": {"data_type": "string", "description": ''}, + "ProcessName": {"data_type": "string", "description": ''}, + "Provider": {"data_type": "string", "description": ''}, + "RemediationSteps": {"data_type": "string", "description": ''}, + "ReportingSystem": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServiceId": {"data_type": "string", "description": ''}, + "SubjectDomainName": {"data_type": "string", "description": ''}, + "SubjectUserName": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SuccessfulLogins": {"data_type": "int", "description": ''}, + "SuspiciousProcess": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValidAccountsSeen": {"data_type": "int", "description": ''}, + }, + "SecurityEvent": { + "AccessMask": {"data_type": "string", "description": 'Hexadecimal mask for the requested or performed operation.'}, + "Account": {"data_type": "string", "description": 'The Security context for services or users.'}, + "AccountDomain": {"data_type": "string", "description": "Subject's domain or computer name."}, + "AccountExpires": {"data_type": "string", "description": 'The date when the account expires.'}, + "AccountName": {"data_type": "string", "description": 'The name of the account that requested the "remove domain trust" operation.'}, + "AccountSessionIdentifier": {"data_type": "string", "description": 'A unique identifier that is generated by the machine when the session is created.'}, + "AccountType": {"data_type": "string", "description": "Identifies whether the account is a computer account (machine) or a user's."}, + "Activity": {"data_type": "string", "description": 'The descriptive title of the event occurred.'}, + "AdditionalInfo": {"data_type": "string", "description": 'Additional information that is provided by the source, which do not mapped to other fields, represented by list.'}, + "AdditionalInfo2": {"data_type": "string", "description": 'Additional information that is provided by the source, which do not mapped to other fields, represented by list.'}, + "AllowedToDelegateTo": {"data_type": "string", "description": 'The list of SPNs to which this account can present delegated credentials.'}, + "Attributes": {"data_type": "string", "description": 'Additional information about the event.'}, + "AuditPolicyChanges": {"data_type": "string", "description": 'Events that are generated when changes are made to the system audit policy or audit settings on a file or registry key.'}, + "AuditsDiscarded": {"data_type": "int", "description": 'Number of audit messages that were discarded.'}, + "AuthenticationLevel": {"data_type": "int", "description": 'Number of audit messages that were discarded.'}, + "AuthenticationPackageName": {"data_type": "string", "description": 'the name of loaded Authentication Package. The format is: DLL\\_PATH\\_AND\\_NAME: AUTHENTICATION\\_PACKAGE\\_NAME.'}, + "AuthenticationProvider": {"data_type": "string", "description": 'The identity of the provider responsible for the authentication process (can include a certificate authority, a username, a password authentication system, etc).'}, + "AuthenticationServer": {"data_type": "string", "description": 'The server in which located the authentication provider.'}, + "AuthenticationService": {"data_type": "int", "description": 'The service in which located the authentication provider.'}, + "AuthenticationType": {"data_type": "string", "description": 'the type of authentication that was used for the event (two-factor authentication, biometric authentication, etc).'}, + "AzureDeploymentID": {"data_type": "string", "description": 'Azure deployment ID of the cloud service the log belongs to.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CACertificateHash": {"data_type": "string", "description": "The hash value of the certificate authority's (CA) certificate that was used to authenticate the user who performed the event."}, + "CalledStationID": {"data_type": "string", "description": 'Information about the ID of the station that initiated the action that led to the security event.'}, + "CallerProcessId": {"data_type": "string", "description": 'Hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process.'}, + "CallerProcessName": {"data_type": "string", "description": 'Full path and the name of the executable for the process.'}, + "CallingStationID": {"data_type": "string", "description": 'Information about the ID of the station that initiated the action that led to the security event.'}, + "CAPublicKeyHash": {"data_type": "string", "description": 'Hash value that identifies the public key of a certification authority (CA) that issued a certificate.'}, + "CategoryId": {"data_type": "string", "description": 'The category of the security event that occurred (login attempt, data breach, etc).'}, + "CertificateDatabaseHash": {"data_type": "string", "description": 'Hash value that identifies the database that issued a certificate.'}, + "Channel": {"data_type": "string", "description": 'The channel to which the event was logged.'}, + "ClassId": {"data_type": "string", "description": "'Class Guid' attribute of device."}, + "ClassName": {"data_type": "string", "description": "'Class' attribute of device."}, + "ClientAddress": {"data_type": "string", "description": 'IP address of the computer from which the TGT request was received.'}, + "ClientIPAddress": {"data_type": "string", "description": 'IP address of the computer that initiated the action that led to the event.'}, + "ClientName": {"data_type": "string", "description": "computer name from which the user was reconnected. Has 'Unknown' value for console session."}, + "CommandLine": {"data_type": "string", "description": 'The command line arguments that were passed to an application or process that was involved in the event.'}, + "CompatibleIds": {"data_type": "string", "description": "'Compatible Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details':"}, + "Computer": {"data_type": "string", "description": 'The name of the computer on which the event occurred.'}, + "Correlation": {"data_type": "string", "description": 'The activity identifiers that consumers can use to group related events together.'}, + "DCDNSName": {"data_type": "string", "description": 'The DNS name of the domain controller that was involved in the event.'}, + "DeviceDescription": {"data_type": "string", "description": 'the description of the device that was involved in the event.'}, + "DeviceId": {"data_type": "string", "description": 'The unique identifier of the device that was involved in the event.'}, + "DisplayName": {"data_type": "string", "description": "It is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name."}, + "Disposition": {"data_type": "string", "description": 'The event outcome/ resolution, such as whether the event was resolved or whether any action was taken in response to the event.'}, + "DomainBehaviorVersion": {"data_type": "string", "description": 'msDS-Behavior-Version domain attribute was modified. Numeric value.'}, + "DomainName": {"data_type": "string", "description": 'The name of removed trusted domain.'}, + "DomainPolicyChanged": {"data_type": "string", "description": 'Indicates whether any domain policies have been changed as part of the event (password policies, security policies, etc).'}, + "DomainSid": {"data_type": "string", "description": "SID of the trust partner. This parameter might not be captured in the event, and in that case appears as 'NULL SID'."}, + "EAPType": {"data_type": "string", "description": 'The type of Extensible Authentication Protocol (EAP) that was used for the event authentication process.'}, + "ElevatedToken": {"data_type": "string", "description": "A 'Yes' or 'No' flag. If 'Yes', then the session this event represents is elevated and has administrator privileges."}, + "ErrorCode": {"data_type": "int", "description": "Contains error code for Failure events. For Success events this parameter has '0x0' value."}, + "EventData": {"data_type": "string", "description": 'Event specific data associated with the event.'}, + "EventID": {"data_type": "int", "description": 'The identifier that the provider used to identify the event.'}, + "EventLevelName": {"data_type": "string", "description": 'The rendered message string of the level specified in the event.'}, + "EventRecordId": {"data_type": "string", "description": 'The record number assigned to the event when it was logged.'}, + "EventSourceName": {"data_type": "string", "description": 'The name of the software that logs the event (applicationor a succomponent).'}, + "ExtendedQuarantineState": {"data_type": "string", "description": 'The state of the network quarantine process, if applicable. Network quarantine is a process by which unauthorized devices are prevented from accessing a network until they meet certain security requirements or have been checked for malware.'}, + "FailureReason": {"data_type": "string", "description": "textual explanation of Status field value. For this event, it typically has 'Account locked out' value."}, + "FileHash": {"data_type": "string", "description": 'The hash value for any files that are were accessed or modified as part of the event, or any files that were used in the authentication or authorization process.'}, + "FilePath": {"data_type": "string", "description": 'Full path and filename of the key file on which the operation was performed.'}, + "FilePathNoUser": {"data_type": "string", "description": 'The path of any files that are related to the event, excluding the username or other user-specific information.'}, + "Filter": {"data_type": "string", "description": 'Filters that are used in the performed event.'}, + "ForceLogoff": {"data_type": "string", "description": "'\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire' group policy."}, + "Fqbn": {"data_type": "string", "description": 'The fully qualified binary name (FQBN) for any files that are related to the event.'}, + "FullyQualifiedSubjectMachineName": {"data_type": "string", "description": 'The fully qualified domain name (FQDN) of the machine that initiated the event.'}, + "FullyQualifiedSubjectUserName": {"data_type": "string", "description": 'The username of the user or service that initiated the event in FQDN format.'}, + "GroupMembership": {"data_type": "string", "description": 'The list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.'}, + "HandleId": {"data_type": "string", "description": 'Hexadecimal value of a handle to Object Name. This field can be used for correlation with other events.'}, + "HardwareIds": {"data_type": "string", "description": "'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details':"}, + "HomeDirectory": {"data_type": "string", "description": "User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory."}, + "HomePath": {"data_type": "string", "description": "User's home path. The path must be a network UNC of the form \\\\Server\\Share\\Directory."}, + "InterfaceUuid": {"data_type": "string", "description": 'The unique identifier (UUID) for the network interface that was used for the event.'}, + "IpAddress": {"data_type": "string", "description": 'the network address (usually IPv4 or IPv6) associated with the event.'}, + "IpPort": {"data_type": "string", "description": 'The network port number associated with the event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeyLength": {"data_type": "int", "description": 'The length of NTLM Session Security key. Typically it has 128 bit or 56 bit length.'}, + "Keywords": {"data_type": "string", "description": 'A bitmask of the keywords defined in the event.'}, + "Level": {"data_type": "string", "description": 'Windows categorizes every event with a severity level. The levels in order of severity are information, verbose, warning, error and critical expressed in numbers.'}, + "LmPackageName": {"data_type": "string", "description": 'The name of the package or software component that is currently using the Local Security Authority (LSA) on the machine where the event is being generated.'}, + "LocationInformation": {"data_type": "string", "description": "'Location information' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details':"}, + "LockoutDuration": {"data_type": "string", "description": "'\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration' group policy. Numeric value."}, + "LockoutObservationWindow": {"data_type": "string", "description": "'\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after' group policy. Numeric value."}, + "LockoutThreshold": {"data_type": "string", "description": "'\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold' group policy. Numeric value."}, + "LoggingResult": {"data_type": "string", "description": 'The result of the logon process.'}, + "LogonGuid": {"data_type": "string", "description": 'A GUID that can help you correlate this event with another event that can contain the same Logon GUID.'}, + "LogonHours": {"data_type": "string", "description": 'Hours that the account is allowed to logon to the domain.'}, + "LogonID": {"data_type": "string", "description": 'Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID.'}, + "LogonProcessName": {"data_type": "string", "description": 'The name of registered logon process.'}, + "LogonType": {"data_type": "int", "description": 'The type of logon which was performed.'}, + "LogonTypeName": {"data_type": "string", "description": 'The type of logon or authentication event that is being captured by the event log (common values:Interactive, Network, RemoteInteractive, Unlock).'}, + "MachineAccountQuota": {"data_type": "string", "description": 'ms-DS-MachineAccountQuota domain attribute was modified. Numeric value.'}, + "MachineInventory": {"data_type": "string", "description": 'Information about the hardware configuration and software environment of the computer where the event is being generated. It can include different data points, for instance: the make and model of the computer, the amount of RAM or storage space available, the version numbers of various software applications, etc).'}, + "MachineLogon": {"data_type": "string", "description": 'Information about a successful logon event in the machine.'}, + "ManagementGroupName": {"data_type": "string", "description": 'Additional information based on the resource type.'}, + "MandatoryLabel": {"data_type": "string", "description": 'ID of integrity label which was assigned to the new process.'}, + "MaxPasswordAge": {"data_type": "string", "description": 'The period of time (in days) that a password can be used before the system requires the user to change it.'}, + "MemberName": {"data_type": "string", "description": 'The user account that was involved in the event.'}, + "MemberSid": {"data_type": "string", "description": 'The security identifier (SID) associated with the user account that was involved in the event.'}, + "MinPasswordAge": {"data_type": "string", "description": 'The period of time (in days) that a password must be used before the system requires the user to change it.'}, + "MinPasswordLength": {"data_type": "string", "description": 'The least number of characters that can make up a password for a user account.'}, + "MixedDomainMode": {"data_type": "string", "description": 'The domain mode of a system or domain controller.'}, + "NASIdentifier": {"data_type": "string", "description": 'The identifier of the network access server (NAS) that was involved in the event.'}, + "NASIPv4Address": {"data_type": "string", "description": 'The IPv4Address of the network access server (NAS) that was involved in the event, if applicable.'}, + "NASIPv6Address": {"data_type": "string", "description": 'The IPv6Address of the network access server (NAS) that was involved in the event, if applicable.'}, + "NASPort": {"data_type": "string", "description": 'the port on the network access server that was used in the event.'}, + "NASPortType": {"data_type": "string", "description": 'the type of network access server (NAS) used in the event.'}, + "NetworkPolicyName": {"data_type": "string", "description": 'The name of the network policy associated with the event.'}, + "NewDate": {"data_type": "string", "description": 'New date in UTC time zone. The format is YYYY-MM-DD.'}, + "NewMaxUsers": {"data_type": "string", "description": 'The new maximum number of users allowed for a resource in the event.'}, + "NewProcessId": {"data_type": "string", "description": 'Hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process.'}, + "NewProcessName": {"data_type": "string", "description": 'Full path and the name of the executable for the new process.'}, + "NewRemark": {"data_type": "string", "description": "The new value of network share 'Comments:' field. Has 'N/A' value if it isn't set."}, + "NewShareFlags": {"data_type": "string", "description": 'The share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions.'}, + "NewTime": {"data_type": "string", "description": 'New time that was set in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ'}, + "NewUacValue": {"data_type": "string", "description": 'Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account.'}, + "NewValue": {"data_type": "string", "description": 'New value for changed registry key value.'}, + "NewValueType": {"data_type": "string", "description": 'New type of changed registry key value.'}, + "ObjectName": {"data_type": "string", "description": 'Name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.'}, + "ObjectServer": {"data_type": "string", "description": 'Contains the name of the Windows subsystem calling the routine.'}, + "ObjectType": {"data_type": "string", "description": 'The type of an object that was accessed during the operation.'}, + "ObjectValueName": {"data_type": "string", "description": 'The name of modified registry key value.'}, + "OemInformation": {"data_type": "string", "description": 'The original equipment manufacturer (OEM) associated with a device or system in the event.'}, + "OldMaxUsers": {"data_type": "string", "description": 'The previous maximum number of users allowed for a resource in the event.'}, + "OldRemark": {"data_type": "string", "description": "the old value of network share 'Comments:' field. Has 'N/A' value if it isn't set."}, + "OldShareFlags": {"data_type": "string", "description": 'The previous share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions.'}, + "OldUacValue": {"data_type": "string", "description": 'Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of userAccountControl attribute of user object.'}, + "OldValue": {"data_type": "string", "description": 'Old value for changed registry key value.'}, + "OldValueType": {"data_type": "string", "description": 'Old type of changed registry key value.'}, + "Opcode": {"data_type": "string", "description": 'The opcode element is defined by the SystemPropertiesType complex type.'}, + "OperationType": {"data_type": "string", "description": 'The type of operation which was performed on an object'}, + "PackageName": {"data_type": "string", "description": 'The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon.'}, + "ParentProcessName": {"data_type": "string", "description": 'The name of the parent process associated with the event.'}, + "PasswordHistoryLength": {"data_type": "string", "description": '\\Security Settings\\Account Policies\\Password Policy\\Enforce password history" group policy. Numeric value.'}, + "PasswordLastSet": {"data_type": "string", "description": "Last time the account's password was modified."}, + "PasswordProperties": {"data_type": "string", "description": 'The password policies or properties associated with the event, for example: password length, complexity and expiration date.'}, + "PreviousDate": {"data_type": "string", "description": 'The previous date associated with the event.'}, + "PreviousTime": {"data_type": "string", "description": 'Previous time in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ.'}, + "PrimaryGroupId": {"data_type": "string", "description": "Relative Identifier (RID) of user's object primary group."}, + "PrivateKeyUsageCount": {"data_type": "string", "description": 'The number of times a private key has been used.'}, + "PrivilegeList": {"data_type": "string", "description": 'The privileges, including user, group, or system privileges associated with the event.'}, + "Process": {"data_type": "string", "description": 'The name of the process that generates the event.'}, + "ProcessId": {"data_type": "string", "description": 'Identifies the process that generated the event.'}, + "ProcessName": {"data_type": "string", "description": 'Full path and the name of the executable for the process.'}, + "ProfilePath": {"data_type": "string", "description": "Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path."}, + "Properties": {"data_type": "string", "description": 'Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed.'}, + "ProtocolSequence": {"data_type": "string", "description": 'Information about the protocol used for an authentication attempt.'}, + "ProxyPolicyName": {"data_type": "string", "description": 'Name of the policy that was used to configure the proxy server for connecting to the network.'}, + "QuarantineHelpURL": {"data_type": "string", "description": 'URL that provides help with troubleshooting a network quarantine issue.'}, + "QuarantineSessionID": {"data_type": "string", "description": 'Identifier of the session where the file was assessed for quarantine.'}, + "QuarantineSessionIdentifier": {"data_type": "string", "description": 'Identifier of the session where the file was assessed for quarantine.'}, + "QuarantineState": {"data_type": "string", "description": 'It shows whether the file is quarantined.'}, + "QuarantineSystemHealthResult": {"data_type": "string", "description": 'Report that shows the status of the files that have been quarantined.'}, + "RelativeTargetName": {"data_type": "string", "description": 'Relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as "\\".'}, + "RemoteIpAddress": {"data_type": "string", "description": 'The IP address of the computer that initiated a remote connection.'}, + "RemotePort": {"data_type": "string", "description": 'The port number of the remote computer that initiated a connection.'}, + "Requester": {"data_type": "string", "description": 'The event requester identifier.'}, + "RequestId": {"data_type": "string", "description": "A unique identifier that's associated with particular requests, such as those made over HTTP."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RestrictedAdminMode": {"data_type": "string", "description": 'Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.'}, + "RowsDeleted": {"data_type": "string", "description": 'The number of rows that were deleted as a part of a particular operation.'}, + "SamAccountName": {"data_type": "string", "description": 'logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name).'}, + "ScriptPath": {"data_type": "string", "description": "Specifies the path of the account's logon script."}, + "SecurityDescriptor": {"data_type": "string", "description": 'Information about the security settings and permissions of a particular object or resource.'}, + "ServiceAccount": {"data_type": "string", "description": 'The security context that the service will run as when started.'}, + "ServiceFileName": {"data_type": "string", "description": 'Indicates the type of service that was registered with the Service Control Manager.'}, + "ServiceName": {"data_type": "string", "description": 'The name of installed service.'}, + "ServiceStartType": {"data_type": "int", "description": 'Contains information about how a particular service should be started, whether it should be started automatically or manually.'}, + "ServiceType": {"data_type": "string", "description": 'Indicates the type of service that was registered with the Service Control Manager.'}, + "SessionName": {"data_type": "string", "description": 'The name of the session to which the user was reconnected.'}, + "ShareLocalPath": {"data_type": "string", "description": 'The local path of accessed network share.'}, + "ShareName": {"data_type": "string", "description": 'The name of accessed network share. The format is: \\\\*\\SHARE_NAME.'}, + "SidHistory": {"data_type": "string", "description": 'Contains previous SIDs used for the object if the object was moved from another domain.'}, + "SourceComputerId": {"data_type": "string", "description": 'Unique identifier assigned to each computer in a Windows domain.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": "The reason why logon failed. For this event, it typically has '0xC0000234' value. The most common status codes are listed in Table 12. Windows logon status codes."}, + "StorageAccount": {"data_type": "string", "description": 'Sets the storage account access key.'}, + "SubcategoryGuid": {"data_type": "string", "description": 'The unique GUID of changed subcategory.'}, + "SubcategoryId": {"data_type": "string", "description": 'A unique identifier for a specific type of the event.'}, + "Subject": {"data_type": "string", "description": 'Information about the security principal (for instance: user account) that initiated the event.'}, + "SubjectAccount": {"data_type": "string", "description": 'Information about the account that is initiating the event.'}, + "SubjectDomainName": {"data_type": "string", "description": 'Information about the domain or workgroup to which the subject account belongs.'}, + "SubjectKeyIdentifier": {"data_type": "string", "description": 'A unique identifier for a particular certificate subject.'}, + "SubjectLogonId": {"data_type": "string", "description": 'A unique identifier for the logon session associated with the subject account.'}, + "SubjectMachineName": {"data_type": "string", "description": 'Information about the machine or system from which the event was created.'}, + "SubjectMachineSID": {"data_type": "string", "description": 'The security identifier (SID) for the machine that generated the event.'}, + "SubjectUserName": {"data_type": "string", "description": 'The name of the user account that generated the event.'}, + "SubjectUserSid": {"data_type": "string", "description": 'The security identifier (SID) for the user account that generated the event.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SubStatus": {"data_type": "string", "description": "Additional information about logon failure. The most common substatus codes listed in the 'Table 12. Windows logon status codes'."}, + "SystemProcessId": {"data_type": "int", "description": 'Identifies the process that generated the event.'}, + "SystemThreadId": {"data_type": "int", "description": 'Identifies the thread that generated the event.'}, + "SystemUserId": {"data_type": "string", "description": 'The ID of the user who is responsible for the event.'}, + "TableId": {"data_type": "string", "description": 'The specific data table identifier the event data is stored in.'}, + "TargetAccount": {"data_type": "string", "description": 'The account targeted by the event (user name, computer name, etc).'}, + "TargetDomainName": {"data_type": "string", "description": 'The name of the domain that the target account belongs to.'}, + "TargetInfo": {"data_type": "string", "description": 'Additional information about the event target (for example: the path to a file or folder, the name of a registry key, etc).'}, + "TargetLinkedLogonId": {"data_type": "string", "description": 'Information that helps to link related events together by their logon attempt IDs. It can be useful in keeping all relevant events organized, tracking activity across multiple sessions, and identifying the attack source.'}, + "TargetLogonGuid": {"data_type": "string", "description": 'A globally unique identifier (GUID) associated with the logon session related to the event.'}, + "TargetLogonId": {"data_type": "string", "description": 'A unique identifier associated with the logon session related to the event.'}, + "TargetOutboundDomainName": {"data_type": "string", "description": 'The domain that the account specified in the TargetAccount field was authenticated against during an outbound authentication attempt.'}, + "TargetOutboundUserName": {"data_type": "string", "description": 'The name of the user account that was authenticated during an outbound authentication attempt.'}, + "TargetServerName": {"data_type": "string", "description": 'The name of the server on which the new process was run. Has "localhost" value if the process was run locally.'}, + "TargetSid": {"data_type": "string", "description": 'The security identifier (SID) of the server on which the new process was run.'}, + "TargetUser": {"data_type": "string", "description": 'The user account identifier that generated the new process.'}, + "TargetUserName": {"data_type": "string", "description": 'The name of the user account that generated the new process.'}, + "TargetUserSid": {"data_type": "string", "description": 'The security identifier (SID) associated with the user or resource involved in the event.'}, + "Task": {"data_type": "int", "description": 'The task defined in the event.'}, + "TemplateContent": {"data_type": "string", "description": 'The content of the event message or notification in a structured form.'}, + "TemplateDSObjectFQDN": {"data_type": "string", "description": 'FQDN of the DS object that represents the GPO template.'}, + "TemplateInternalName": {"data_type": "string", "description": 'The internal name of the GPO template.'}, + "TemplateOID": {"data_type": "string", "description": 'the unique identifier for the template that was used to create the event.'}, + "TemplateSchemaVersion": {"data_type": "string", "description": 'Version of the template schema that defines the data to include with an event.'}, + "TemplateVersion": {"data_type": "string", "description": 'Version of the template that defines the data to include with an event.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time stamp when the event was generated on the computer.'}, + "TokenElevationType": {"data_type": "string", "description": 'Type of token that was assigned to a new process in accordance with User Account Control Policy.'}, + "TransmittedServices": {"data_type": "string", "description": 'The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAccountControl": {"data_type": "string", "description": 'Shows the list of changes in userAccountControl attribute. You will see a line of text for each change.'}, + "UserParameters": {"data_type": "string", "description": "If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user's account properties, then you will see in this field. For local accounts, this field is not applicable and always has \\ value."}, + "UserPrincipalName": {"data_type": "string", "description": "Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name."}, + "UserWorkstations": {"data_type": "string", "description": 'Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object.'}, + "VendorIds": {"data_type": "string", "description": "'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'."}, + "Version": {"data_type": "int", "description": "Contains the version number of the event's definition."}, + "VirtualAccount": {"data_type": "string", "description": "A 'Yes' or 'No' flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'."}, + "Workstation": {"data_type": "string", "description": 'The name of the machine that was used to perform the event.'}, + "WorkstationName": {"data_type": "string", "description": 'Machine name from which a logon attempt was performed.'}, + }, + "SecurityIncident": { + "AdditionalData": {"data_type": "dynamic", "description": 'Additional data on the incident'}, + "AlertIds": {"data_type": "dynamic", "description": 'The IDs of the alerts related to the incident'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BookmarkIds": {"data_type": "dynamic", "description": 'The IDs of the bookmarks related to the incident'}, + "Classification": {"data_type": "string", "description": 'The classification the incident was given when closed'}, + "ClassificationComment": {"data_type": "string", "description": 'Description of the reason the incident was closed'}, + "ClassificationReason": {"data_type": "string", "description": 'The classification reason the incident was given when closed'}, + "ClosedTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the incident was last closed'}, + "Comments": {"data_type": "dynamic", "description": 'The comments added to the incident'}, + "CreatedTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the incident was created'}, + "Description": {"data_type": "string", "description": 'The description of the incident'}, + "FirstActivityTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the first activity in the incident occured'}, + "FirstModifiedTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the incident was first modified'}, + "IncidentName": {"data_type": "string", "description": 'The resource name of the incident'}, + "IncidentNumber": {"data_type": "int", "description": 'The sequential number of the incident'}, + "IncidentUrl": {"data_type": "string", "description": 'The URI to open the incident in Azure Sentinel portal'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Labels": {"data_type": "dynamic", "description": 'The labels added to the incident'}, + "LastActivityTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the last activity in the incident occured'}, + "LastModifiedTime": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the incident was last modified'}, + "ModifiedBy": {"data_type": "string", "description": 'The source of the change in the incident'}, + "Owner": {"data_type": "dynamic", "description": 'The user the incident is assigned to'}, + "ProviderIncidentId": {"data_type": "string", "description": 'The incident ID assigned by the incident provider'}, + "ProviderName": {"data_type": "string", "description": 'The name of the source provider that generated the incident'}, + "RelatedAnalyticRuleIds": {"data_type": "dynamic", "description": 'The IDs of the Analytic rules associated with the incident'}, + "Severity": {"data_type": "string", "description": 'The severity of the incident'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The status of the incident'}, + "Tasks": {"data_type": "dynamic", "description": 'The tasks added to the incident'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) of when the incident was ingested'}, + "Title": {"data_type": "string", "description": 'The title of the incident'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecurityIoTRawEvent": { + "AgentVersion": {"data_type": "string", "description": 'The version of the agent.'}, + "AssociatedResourceId": {"data_type": "string", "description": 'The associated Azure resource ID.'}, + "AzureSubscriptionId": {"data_type": "string", "description": 'The Azure subscription ID.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceId": {"data_type": "string", "description": 'The device ID.'}, + "EventDetails": {"data_type": "string", "description": 'Additional raw event details.'}, + "IoTRawEventId": {"data_type": "string", "description": 'The internal raw event ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsEmpty": {"data_type": "bool", "description": 'Property identifying if the raw event contains data.'}, + "RawEventCategory": {"data_type": "string", "description": 'The category of the raw event - periodic or triggered.'}, + "RawEventName": {"data_type": "string", "description": 'The name of the raw event.'}, + "RawEventType": {"data_type": "string", "description": 'The type of the raw event - security, operational or diagnostic.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the raw event was generated.'}, + "TimeStamp": {"data_type": "datetime", "description": 'The date and time the raw event was first detected.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecurityNestedRecommendation": { + "AdditionalData": {"data_type": "dynamic", "description": 'Additional details of the sub-assessment'}, + "AssessedResourceId": {"data_type": "string", "description": 'Id of the assessed resource'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the sub-assessment'}, + "Cause": {"data_type": "string", "description": 'Cause of the assessment status'}, + "Description": {"data_type": "string", "description": 'Description of the assessment status'}, + "Id": {"data_type": "string", "description": 'Id of the assessed recommendation'}, + "Impact": {"data_type": "string", "description": 'Description of the impact of this sub-assessment'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSnapshot": {"data_type": "bool", "description": "Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'."}, + "NestedRecommendationId": {"data_type": "string", "description": 'Id of the nested-recommendation'}, + "ParentRecommendationId": {"data_type": "string", "description": 'Id of the parent recommendation'}, + "RecommendationLink": {"data_type": "string", "description": 'Recommendation link URL'}, + "RecommendationName": {"data_type": "string", "description": 'Display name of the sub-assessment'}, + "RecommendationSeverity": {"data_type": "string", "description": 'The sub-assessment severity level'}, + "RecommendationState": {"data_type": "string", "description": 'The sub-assessment state'}, + "RecommendationSubscriptionId": {"data_type": "string", "description": "Recommendation's subscription Id"}, + "RemediationDescription": {"data_type": "string", "description": 'Information on how to remediate this sub-assessment'}, + "RemidiationDescription": {"data_type": "string", "description": 'Information on how to remediate this sub-assessment'}, + "ResourceDetails": {"data_type": "dynamic", "description": 'Details of the resource that was assessed'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group name'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProviderType": {"data_type": "string", "description": 'Resource provider type of the assessed resource'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubAssessmentTimeGeneration": {"data_type": "datetime", "description": 'The date and time the sub-assessment was generated'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time the sub-assessment was exported'}, + "Type": {"data_type": "string", "description": 'Resource type'}, + "VulnerabilityId": {"data_type": "string", "description": 'Vulnerability Id'}, + }, + "SecurityRecommendation": { + "AssessedResourceId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": ''}, + "DeviceId": {"data_type": "string", "description": ''}, + "DiscoveredTimeUTC": {"data_type": "datetime", "description": ''}, + "Environment": {"data_type": "string", "description": ''}, + "FirstEvaluationDate": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSnapshot": {"data_type": "bool", "description": ''}, + "PolicyDefinitionId": {"data_type": "string", "description": ''}, + "Properties": {"data_type": "dynamic", "description": ''}, + "ProviderName": {"data_type": "string", "description": ''}, + "RecommendationAdditionalData": {"data_type": "dynamic", "description": ''}, + "RecommendationDisplayName": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationName": {"data_type": "string", "description": ''}, + "RecommendationSeverity": {"data_type": "string", "description": ''}, + "RecommendationState": {"data_type": "string", "description": ''}, + "ResolvedTimeUTC": {"data_type": "datetime", "description": ''}, + "ResourceRegion": {"data_type": "string", "description": ''}, + "StatusChangeDate": {"data_type": "datetime", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SecurityRegulatoryCompliance": { + "AssessedResourceId": {"data_type": "string", "description": 'The ID of the assessed resource'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ComplianceControl": {"data_type": "string", "description": 'The name of regulatory compliance control'}, + "ComplianceStandard": {"data_type": "string", "description": 'The name of compliance standard'}, + "FailedResources": {"data_type": "int", "description": 'The number of resources that failed this assessment'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSnapshot": {"data_type": "bool", "description": "Indicates whether the data was exported as part of a snapshot when 'true', or streamed in real-time when 'false'."}, + "PassedResources": {"data_type": "int", "description": 'The number of resources that passed this assessment'}, + "Properties": {"data_type": "dynamic", "description": 'The complete set of metadata.'}, + "RecommendationId": {"data_type": "string", "description": 'The ID of the assessed recommendation'}, + "RecommendationLink": {"data_type": "string", "description": 'A link for more details on the assessment result'}, + "RecommendationName": {"data_type": "string", "description": 'Recommendation display name'}, + "RegulatoryComplianceSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the assessed resource'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProviderType": {"data_type": "string", "description": 'Resource provider type of the assessed resource'}, + "SkippedResources": {"data_type": "int", "description": 'The number of resources that passed this assessment'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The assessment state'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The (UTC) date and time the assessment was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SentinelAudit": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A unique record identifier.'}, + "Description": {"data_type": "string", "description": 'The operation description.'}, + "ExtendedProperties": {"data_type": "dynamic", "description": 'Additional information based on the resource type.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "SentinelResourceId": {"data_type": "string", "description": 'The Sentinel resource ID.'}, + "SentinelResourceKind": {"data_type": "string", "description": 'The resource kind, for example: connector kind (such as Office365, AmazonWebServicesCloudTrail), alert rule kind (scheduld).'}, + "SentinelResourceName": {"data_type": "string", "description": 'The Sentinel resource name.'}, + "SentinelResourceType": {"data_type": "string", "description": 'The resource type, for example: DataConnector, AlertRule, etc.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'The workspace ID.'}, + }, + "SentinelHealth": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'The operation description.'}, + "ExtendedProperties": {"data_type": "dynamic", "description": 'Additional information based on the resource type.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "Reason": {"data_type": "string", "description": 'The operation reason.'}, + "RecordId": {"data_type": "string", "description": 'A unique record identifier.'}, + "SentinelResourceId": {"data_type": "string", "description": 'The Sentinel resource ID.'}, + "SentinelResourceKind": {"data_type": "string", "description": 'The resource kind, for example: connector kind (such as Office365, AmazonWebServicesCloudTrail), alert rule kind (scheduld).'}, + "SentinelResourceName": {"data_type": "string", "description": 'The Sentinel resource name.'}, + "SentinelResourceType": {"data_type": "string", "description": 'The resource type, for example: DataConnector, AlertRule, etc.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'The workspace ID.'}, + }, + "ServiceFabricOperationalEvent": { + "ApplicationName": {"data_type": "string", "description": ''}, + "ApplicationTypeName": {"data_type": "string", "description": ''}, + "ApplicationTypeVersion": {"data_type": "string", "description": ''}, + "AzureDeploymentID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelName": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "EventSourceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeywordName": {"data_type": "string", "description": ''}, + "Level": {"data_type": "string", "description": ''}, + "OpcodeName": {"data_type": "string", "description": ''}, + "PartitionId": {"data_type": "string", "description": ''}, + "Pid": {"data_type": "int", "description": ''}, + "ProviderGuid": {"data_type": "string", "description": ''}, + "Role": {"data_type": "string", "description": ''}, + "ServiceName": {"data_type": "string", "description": ''}, + "ServiceTypeName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TaskName": {"data_type": "string", "description": ''}, + "Tid": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDomains": {"data_type": "string", "description": ''}, + }, + "ServiceFabricReliableActorEvent": { + "ActorId": {"data_type": "string", "description": ''}, + "ActorIdKind": {"data_type": "int", "description": ''}, + "ActorType": {"data_type": "string", "description": ''}, + "ApplicationName": {"data_type": "string", "description": ''}, + "ApplicationTypeName": {"data_type": "string", "description": ''}, + "AzureDeploymentID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelName": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "CountOfWaitingMethodCalls": {"data_type": "long", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "EventSourceName": {"data_type": "string", "description": ''}, + "Exception": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsStateful": {"data_type": "bool", "description": ''}, + "KeywordName": {"data_type": "string", "description": ''}, + "Level": {"data_type": "string", "description": ''}, + "MethodExecutionTimeTicks": {"data_type": "long", "description": ''}, + "MethodName": {"data_type": "string", "description": ''}, + "MethodSignature": {"data_type": "string", "description": ''}, + "NodeId": {"data_type": "string", "description": ''}, + "NodeName": {"data_type": "string", "description": ''}, + "OpcodeName": {"data_type": "string", "description": ''}, + "PartitionId": {"data_type": "string", "description": ''}, + "Pid": {"data_type": "int", "description": ''}, + "ProviderGuid": {"data_type": "string", "description": ''}, + "ReplicaId": {"data_type": "long", "description": ''}, + "ReplicaOrInstanceId": {"data_type": "long", "description": ''}, + "Role": {"data_type": "string", "description": ''}, + "SaveStateExecutionTimeTicks": {"data_type": "long", "description": ''}, + "ServiceName": {"data_type": "string", "description": ''}, + "ServiceTypeName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TaskName": {"data_type": "string", "description": ''}, + "Tid": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ServiceFabricReliableServiceEvent": { + "ActualCancellationTimeMillis": {"data_type": "real", "description": ''}, + "ApplicationName": {"data_type": "string", "description": ''}, + "ApplicationTypeName": {"data_type": "string", "description": ''}, + "AzureDeploymentID": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ChannelName": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "EventId": {"data_type": "int", "description": ''}, + "EventMessage": {"data_type": "string", "description": ''}, + "EventSourceName": {"data_type": "string", "description": ''}, + "Exception": {"data_type": "string", "description": ''}, + "InstanceId": {"data_type": "long", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KeywordName": {"data_type": "string", "description": ''}, + "Level": {"data_type": "string", "description": ''}, + "OpcodeName": {"data_type": "string", "description": ''}, + "PartitionId": {"data_type": "string", "description": ''}, + "Pid": {"data_type": "int", "description": ''}, + "ProviderGuid": {"data_type": "string", "description": ''}, + "ReplicaId": {"data_type": "long", "description": ''}, + "Role": {"data_type": "string", "description": ''}, + "ServiceName": {"data_type": "string", "description": ''}, + "ServiceTypeName": {"data_type": "string", "description": ''}, + "SlowCancellationTimeMillis": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TaskName": {"data_type": "string", "description": ''}, + "Tid": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WasCanceled": {"data_type": "bool", "description": ''}, + }, + "SfBAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Domain": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "Forest": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LyncCentralMgmtStoreDatabase": {"data_type": "string", "description": ''}, + "LyncFEPool": {"data_type": "string", "description": ''}, + "LyncFrontEnd": {"data_type": "string", "description": ''}, + "LyncInternalDomain": {"data_type": "string", "description": ''}, + "LyncOrganization": {"data_type": "string", "description": ''}, + "LyncSimpleURLDomain": {"data_type": "string", "description": ''}, + "LyncSite": {"data_type": "string", "description": ''}, + "LyncUserStoreDatabase": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SfBOnlineAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Domain": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "O365TenantId": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TenantName": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SharePointOnlineAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "O365TenantId": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TenantName": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SignalRServiceDiagnosticLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP of the client or server connects to SignalR service.'}, + "Collection": {"data_type": "string", "description": "The collection of the log event. Can be 'Connection', 'Authorization', 'Throttling' or 'Message'. 'Connection' collection includes the logs about the lifetime of connections. 'Authorization' includes the logs about the authorization of connections. 'Throttling' includes the logs about the throttled connections. 'Message' includes the logs about the tracing messages."}, + "ConnectionId": {"data_type": "string", "description": 'The connection ID of the connection connected to SignalR service.'}, + "ConnectionType": {"data_type": "string", "description": "The connection type. Can be 'Server' and 'Client'. 'Server' means the connection connects to an app server. 'Client' means the connection connects to a SignalR client."}, + "GroupName": {"data_type": "string", "description": 'A group can have any number of clients, and a client can be a member of any number of groups.'}, + "HubName": {"data_type": "string", "description": 'The SignalR Hubs API enables you to call methods on connected clients from the server.'}, + "InvocationId": {"data_type": "string", "description": "The invocation ID of the message. It's only available in ASP.NET SignalR."}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'."}, + "Location": {"data_type": "string", "description": 'The location of Azure SignalR service.'}, + "Message": {"data_type": "string", "description": 'The message of the log event. It describes the log event in detail.'}, + "MessageTracingId": {"data_type": "long", "description": "The tracing ID of the message. It's used for tracing messages."}, + "MessageType": {"data_type": "string", "description": "The type of the messsage. Can be 'BroadcastDataMessage', 'MultiConnectionDataMessage', 'GroupBroadcastDataMessage', 'MultiGroupBroadcastDataMessage', 'UserDataMessage', 'MultiUserDataMessage', 'JoinGroupWithAckMessage' and 'LeaveGroupWithAckMessage'. For more details, see https://www.nuget.org/packages/Microsoft.Azure.SignalR.Protocols."}, + "OperationName": {"data_type": "string", "description": 'The operation name of the log event. it can be used to filter the log based on a specific operation name.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "TransportType": {"data_type": "string", "description": "The transport type of the connection. Can be 'WebSockets', 'ServerSentEvents', or 'LongPolling'. For more details, see dotnet/api/microsoft.aspnetcore.http.connections.httptransporttype."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'The user ID of the connection. It is defined by the client or app server.'}, + }, + "SigninLogs": { + "AADTenantId": {"data_type": "string", "description": ''}, + "AlternateSignInName": {"data_type": "string", "description": "The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers."}, + "AppDisplayName": {"data_type": "string", "description": 'The application name displayed in the Azure Portal.'}, + "AppId": {"data_type": "string", "description": 'The application identifier in Azure Active Directory.'}, + "AppliedConditionalAccessPolicies": {"data_type": "string", "description": ''}, + "AppliedEventListeners": {"data_type": "dynamic", "description": 'Detailed information about the listeners, such as Azure Logic Apps and Azure Functions, that were triggered by the corresponding events in the sign-in event.'}, + "AuthenticationContextClassReferences": {"data_type": "string", "description": 'Contains a collection of values that represent the conditional access authentication contexts applied to the sign-in.'}, + "AuthenticationDetails": {"data_type": "string", "description": 'The result of the authentication attempt and additional details on the authentication method.'}, + "AuthenticationMethodsUsed": {"data_type": "string", "description": 'The authentication methods used. Possible values: SMS, Authenticator App, App Verification code, Password, FIDO, PTA, or PHS.'}, + "AuthenticationProcessingDetails": {"data_type": "string", "description": 'Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.'}, + "AuthenticationProtocol": {"data_type": "string", "description": 'Lists the protocol type or grant type used in the authentication. The possible values are: none, oAuth2, ropc, wsFederation, saml20, deviceCode. For authentications that use protocols other than the possible values listed, the protocol type is listed as none.'}, + "AuthenticationRequirement": {"data_type": "string", "description": 'This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.'}, + "AuthenticationRequirementPolicies": {"data_type": "string", "description": 'Sources of authentication requirement, such as conditional access, per-user MFA, identity protection, and security defaults.'}, + "AutonomousSystemNumber": {"data_type": "string", "description": 'The Autonomous System Number (ASN) of the network used by the actor.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "ClientAppUsed": {"data_type": "string", "description": 'The legacy client used for sign-in activity. For example: Browser, Exchange ActiveSync, Modern clients, IMAP, MAPI, SMTP, or POP.'}, + "ConditionalAccessPolicies": {"data_type": "dynamic", "description": 'A list of conditional access policies that are triggered by the corresponding sign-in activity.'}, + "ConditionalAccessStatus": {"data_type": "string", "description": 'The status of the conditional access policy triggered. Possible values: success, failure, or notApplied.'}, + "CorrelationId": {"data_type": "string", "description": "The identifier that's sent from the client when sign-in is initiated. This is used for troubleshooting the corresponding sign-in activity when calling for support."}, + "CreatedDateTime": {"data_type": "datetime", "description": 'The date and time the sign-in was initiated. The Timestamp type is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.'}, + "CrossTenantAccessType": {"data_type": "string", "description": 'Describes the type of cross-tenant access used by the actor to access the resource.'}, + "DeviceDetail": {"data_type": "dynamic", "description": 'The device information from where the sign-in occurred. Includes information such as deviceId, OS, and browser.'}, + "DurationMs": {"data_type": "long", "description": ''}, + "FlaggedForReview": {"data_type": "bool", "description": 'During a failed sign in, a user may click a button in the Azure portal to mark the failed event for tenant admins. If a user clicked the button to flag the failed sign in, this value is true.'}, + "HomeTenantId": {"data_type": "string", "description": 'The tenant identifier of the user initiating the sign in. Not applicable in Managed Identity or service principal sign ins.'}, + "Id": {"data_type": "string", "description": 'The identifier representing the sign-in activity.'}, + "Identity": {"data_type": "string", "description": 'The display name of the actor identified in the signin.'}, + "IPAddress": {"data_type": "string", "description": 'The IP address of the client from where the sign-in occurred.'}, + "IPAddressFromResourceProvider": {"data_type": "string", "description": 'The IP address a user used to reach a resource provider, used to determine Conditional Access compliance for some policies. For example, when a user interacts with Exchange Online, the IP address Exchange receives from the user may be recorded here. This value is often null.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsInteractive": {"data_type": "bool", "description": "Indicates whether a user sign in is interactive. In interactive sign in, the user provides an authentication factor to Azure AD. These factors include passwords, responses to MFA challenges, biometric factors, or QR codes that a user provides to Azure AD or an associated app. In non-interactive sign in, the user doesn't provide an authentication factor. Instead, the client app uses a token or code to authenticate or access a resource on behalf of a user. Non-interactive sign ins are commonly used for a client to sign in on a user's behalf in a process transparent to the user."}, + "IsRisky": {"data_type": "bool", "description": ''}, + "Level": {"data_type": "string", "description": ''}, + "Location": {"data_type": "string", "description": 'The 2 letter country code from where the sign-in occurred. Depending on IP address provided, this value may not always resolve to a city or region level of detail.'}, + "LocationDetails": {"data_type": "dynamic", "description": 'Provides the city, state, country/region and latitude and longitude from where the sign-in happened.'}, + "MfaDetail": {"data_type": "dynamic", "description": 'This property is deprecated.'}, + "NetworkLocationDetails": {"data_type": "string", "description": 'The network location details including the type of network used and its names.'}, + "OperationName": {"data_type": "string", "description": ''}, + "OperationVersion": {"data_type": "string", "description": ''}, + "OriginalRequestId": {"data_type": "string", "description": 'The request identifier of the first request in the authentication sequence.'}, + "ProcessingTimeInMilliseconds": {"data_type": "string", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceDisplayName": {"data_type": "string", "description": 'The name of the resource that the user signed in to.'}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": 'The identifier of the resource that the user signed in to.'}, + "ResourceIdentity": {"data_type": "string", "description": 'The resource that the user signed in to.'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceServicePrincipalId": {"data_type": "string", "description": 'The identifier of the service principal representing the target resource in the sign-in event.'}, + "ResourceTenantId": {"data_type": "string", "description": 'The tenant identifier of the resource referenced in the sign in.'}, + "ResultDescription": {"data_type": "string", "description": 'Provides the error message or the reason for failure for the corresponding sign-in activity.'}, + "ResultSignature": {"data_type": "string", "description": ''}, + "ResultType": {"data_type": "string", "description": "Provides the 5-6 digit error code that's generated during a sign-in event. 0 indicates success; other values are failures. You can find more information using the Azure AD Error Codes documentation or https://login.microsoftonline.com/error."}, + "RiskDetail": {"data_type": "string", "description": 'The reason behind a specific state of a risky user, sign-in, or a risk event. Possible values: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, or adminConfirmedSigninCompromised. The value none means that no action has been performed on the user or sign-in so far. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden.'}, + "RiskEventTypes": {"data_type": "string", "description": 'This property is deprecated.'}, + "RiskEventTypes_V2": {"data_type": "string", "description": 'The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, or generic.'}, + "RiskLevel": {"data_type": "string", "description": ''}, + "RiskLevelAggregated": {"data_type": "string", "description": 'The aggregated risk level. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden.'}, + "RiskLevelDuringSignIn": {"data_type": "string", "description": 'The risk level during sign-in. Possible values: none, low, medium, high, or hidden. The value hidden means the user or sign-in was not enabled for Azure AD Identity Protection. Note: Details for this property are only available for Azure AD Premium P2 customers. All other customers are returned hidden.'}, + "RiskState": {"data_type": "string", "description": 'The risk state of a risky user, sign-in, or a risk event. Possible values: none, confirmedSafe, remediated, dismissed, atRisk, or confirmedCompromised.'}, + "ServicePrincipalId": {"data_type": "string", "description": 'The application identifier used for sign-in. This field is populated when you are signing in using an application.'}, + "ServicePrincipalName": {"data_type": "string", "description": 'The application name used for sign-in. This field is populated when you are signing in using an application.'}, + "SessionLifetimePolicies": {"data_type": "string", "description": 'Any conditional access session management policies that were applied during the sign-in event.'}, + "SignInIdentifier": {"data_type": "string", "description": "The identification that the user provided to sign in. It may be the userPrincipalName but it's also populated when a user signs in using other identifiers."}, + "SignInIdentifierType": {"data_type": "string", "description": 'The type of sign in identifier. Possible values are: userPrincipalName, phoneNumber, proxyAddress, qrCode, onPremisesUserPrincipalName.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "dynamic", "description": 'The sign-in status. Includes the error code and description of the error (in case of a sign-in failure).'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TokenIssuerName": {"data_type": "string", "description": 'The name of the identity provider. For example, sts.microsoft.com.'}, + "TokenIssuerType": {"data_type": "string", "description": 'The type of identity provider. The possible values are: AzureAD, or ADFederationServices, AzureADBackupAuth, ADFederationServicesMFAAdapter, NPSExtension.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UniqueTokenIdentifier": {"data_type": "string", "description": 'A unique base64 encoded request identifier used to track tokens issued by Azure AD as they are redeemed at resource providers.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent information related to sign-in.'}, + "UserDisplayName": {"data_type": "string", "description": 'The display name of the user.'}, + "UserId": {"data_type": "string", "description": 'The identifier of the user.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The UPN of the user.'}, + "UserType": {"data_type": "string", "description": 'Identifies whether the user is a member or guest in the tenant. Possible values are: member and guest.'}, + }, + "SPAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "DatabaseName": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Farm": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "Server": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WebApplication": {"data_type": "string", "description": ''}, + }, + "SQLAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectResult": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "DatabaseName": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlInstanceName": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SqlAtpStatus": { + "AgentId": {"data_type": "string", "description": 'ID of the source monitoring agent'}, + "AgentStartTime": {"data_type": "datetime", "description": 'The start time of the Microsoft Monitoring Agent process running SQL ATP solution. This can help find agents who restart frequently or not at all and can indicate a problem or machine with out-of-date configuration'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIP": {"data_type": "string", "description": 'Client IP address of the source computer'}, + "Computer": {"data_type": "string", "description": 'Name of the computer that hosts the SQL Server'}, + "HostResourceId": {"data_type": "string", "description": 'Resource ID of the machine hosting the SQL Instance, if exists'}, + "IntelligencePackVersion": {"data_type": "string", "description": 'The IP version of SQL Advanced Threat Protection running on the machine'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastError": {"data_type": "string", "description": 'The last error from SQL Advanced Threat Protection (if exists). The error refer to the time passed from the previous status entry and can help diagnose transient or persistent issues with SQL ATP protection'}, + "MachineUUID": {"data_type": "string", "description": 'The unique identifier of the machine running the Microsoft Monitoring Agent'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlInstanceName": {"data_type": "string", "description": 'SQL Server instance name'}, + "SqlInstanceStartTime": {"data_type": "datetime", "description": 'The start time of the SQL Server instance'}, + "SqlInstanceVersion": {"data_type": "string", "description": 'SQL Server instance version'}, + "Status": {"data_type": "string", "description": 'SQL Advanced Threat Protection status for the SQL instance'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SqlDataClassification": { + "AgentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ColumnName": {"data_type": "string", "description": ''}, + "ColumnsCount": {"data_type": "int", "description": ''}, + "ColumnType": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "DatabaseName": {"data_type": "string", "description": ''}, + "InformationType": {"data_type": "string", "description": ''}, + "InformationTypeId": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Label": {"data_type": "string", "description": ''}, + "LabelId": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "Rank": {"data_type": "string", "description": ''}, + "RecordType": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "ScanStartTime": {"data_type": "datetime", "description": ''}, + "SchemaName": {"data_type": "string", "description": ''}, + "ServerInstanceName": {"data_type": "string", "description": ''}, + "ServerInstanceType": {"data_type": "string", "description": ''}, + "ServerVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "TableName": {"data_type": "string", "description": ''}, + "TablesCount": {"data_type": "int", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SQLSecurityAuditEvents": { + "ActionId": {"data_type": "string", "description": 'ID of the audit action.'}, + "ActionName": {"data_type": "string", "description": 'The name of the audit action.'}, + "AdditionalInformation": {"data_type": "string", "description": 'Unique information that only applies to a single event is returned as XML.'}, + "AffectedRows": {"data_type": "long", "description": 'Number of rows affected by the executed statement.'}, + "ApplicationName": {"data_type": "string", "description": 'Name of client application which executed the statement that caused the audit event.'}, + "AuditSchemaVersion": {"data_type": "int", "description": 'The audit logs schema version.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "ClassType": {"data_type": "string", "description": 'The type of auditable entity that the audit occurs on.'}, + "ClassTypeDescription": {"data_type": "string", "description": 'The description of the class type.'}, + "ClientIp": {"data_type": "string", "description": 'Source IP of the client application'}, + "ClientTlsVersion": {"data_type": "int", "description": 'Client TLS version'}, + "ConnectionId": {"data_type": "string", "description": 'ID of the connection in the server.'}, + "DatabaseName": {"data_type": "string", "description": 'The database context in which the action occurred.'}, + "DatabasePrincipalId": {"data_type": "int", "description": 'ID of the database user context that the action is performed in.'}, + "DatabasePrincipalName": {"data_type": "string", "description": 'Current user.'}, + "DataSensitivityInformation": {"data_type": "string", "description": 'Information types and sensitivity labels returned by the audited query, based on the classified columns in the database.'}, + "DurationMs": {"data_type": "long", "description": 'Query execution duration in milliseconds.'}, + "EventId": {"data_type": "string", "description": 'unique Guid identifying each audit event.'}, + "EventTime": {"data_type": "datetime", "description": 'The time (UTC) the event was fired at.'}, + "HostName": {"data_type": "string", "description": 'The host name.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsColumnPermission": {"data_type": "bool", "description": 'Flag indicating if this is a column level permission.'}, + "IsServerLevelAudit": {"data_type": "bool", "description": 'Boolean indicating whether this was generated from a server level audit or database level audit.'}, + "LogicalServerName": {"data_type": "string", "description": 'Logical server name.'}, + "ObjectId": {"data_type": "int", "description": 'The ID of the entity on which the audit occurred.'}, + "ObjectName": {"data_type": "string", "description": 'The name of the entity on which the audit occurred.'}, + "PermissionBitmask": {"data_type": "string", "description": 'In some actions, this is the permissions that were grant, denied, or revoked.'}, + "ResourceGroup": {"data_type": "string", "description": 'Resource group of the SQL resoruce.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseRows": {"data_type": "long", "description": 'Number of rows returned in the result set.'}, + "SchemaName": {"data_type": "string", "description": 'The schema context in which the action occurred.'}, + "SecurableClassType": {"data_type": "string", "description": 'The type of auditable entity that the audit occurs on.'}, + "SequenceGroupId": {"data_type": "string", "description": 'Unique identifier.'}, + "SequenceNumber": {"data_type": "int", "description": 'Tracks the sequence of records within a single audit record that was too large to fit in the write buffer for audits.'}, + "ServerPrincipalId": {"data_type": "int", "description": 'ID of the login context that the action is performed in.'}, + "ServerPrincipalName": {"data_type": "string", "description": 'Current login. Is nullable.'}, + "ServerPrincipalSid": {"data_type": "string", "description": 'Current login SID.'}, + "SessionContext": {"data_type": "string", "description": 'The Session context key value content. provided as an XML.'}, + "SessionId": {"data_type": "int", "description": 'ID of the session on which the event occurred.'}, + "SessionServerPrincipalName": {"data_type": "string", "description": 'Server principal for session. Is nullable. Returns the identity of the original login which was connected to the instance of SQL Server in case there were explicit or implicit context switches.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Statement": {"data_type": "string", "description": 'TSQL statement if it exists.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Succeeded": {"data_type": "bool", "description": 'Indicates whether the action that triggered the event succeeded. Is not nullable. For all events other than login events, this only reports whether the permission check succeeded or failed, not the operation.'}, + "TargetDatabasePrincipalId": {"data_type": "int", "description": 'The database principal the GRANT/DENY/REVOKE operation is performed on.'}, + "TargetDatabasePrincipalName": {"data_type": "string", "description": 'Target user of action.'}, + "TargetServerPrincipalId": {"data_type": "int", "description": 'Server principal that the GRANT/DENY/REVOKE operation is performed on.'}, + "TargetServerPrincipalName": {"data_type": "string", "description": 'Target login of action.'}, + "TargetServerPrincipalSid": {"data_type": "string", "description": 'SID of target login.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TransactionId": {"data_type": "long", "description": 'Unique identifier to identify multiple audit events in one transaction.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserDefinedEventId": {"data_type": "int", "description": 'User defined event id passed as an argument to sp_audit_write.'}, + "UserDefinedInformation": {"data_type": "string", "description": 'Used to record any extra information the user wants to record in audit log by using the sp_audit_write stored procedure.'}, + }, + "SqlVulnerabilityAssessmentResult": { + "ActualResult": {"data_type": "string", "description": ''}, + "AgentId": {"data_type": "string", "description": ''}, + "BenchmarkReferences": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "CheckId": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "DatabaseName": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Impact": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "Query": {"data_type": "string", "description": ''}, + "Remediation": {"data_type": "string", "description": ''}, + "RemediationScripts": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "Risk": {"data_type": "string", "description": ''}, + "ScanId": {"data_type": "string", "description": ''}, + "ServerInstanceName": {"data_type": "string", "description": ''}, + "ServerInstanceType": {"data_type": "string", "description": ''}, + "ServerVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Title": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SqlVulnerabilityAssessmentScanStatus": { + "AgentId": {"data_type": "string", "description": 'ID of the source monitoring agent'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Name of the computer that hosts the assessed SQL Server'}, + "DatabaseName": {"data_type": "string", "description": 'Database name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScanId": {"data_type": "string", "description": 'Vulnerability Assessment scan ID'}, + "ServerInstanceName": {"data_type": "string", "description": 'SQL Server instance name'}, + "ServerVersion": {"data_type": "string", "description": 'SQL Server version'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Vulnerability assessment scan status i.e. Finding, NonFinding, InternalError'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageBlobLogs": { + "AccessTier": {"data_type": "string", "description": 'The access tier of the storage account.'}, + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request.'}, + "AuthorizationDetails": {"data_type": "dynamic", "description": 'Detailed policy information used to authorize the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester, including the port number.'}, + "Category": {"data_type": "string", "description": 'The category of requested operation.'}, + "ClientRequestId": {"data_type": "string", "description": 'The x-ms-client-request-id header value of the request.'}, + "ConditionsUsed": {"data_type": "string", "description": 'A semicolon-separated list of key-value pairs that represent a condition.'}, + "ContentLengthHeader": {"data_type": "long", "description": 'The value of the Content-Length header for the request sent to the storage service.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate logs across resources.'}, + "DestinationUri": {"data_type": "string", "description": 'Records the destination URI for operations.'}, + "DurationMs": {"data_type": "real", "description": 'The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.'}, + "Etag": {"data_type": "string", "description": 'The ETag identifier for the returned object, in quotes.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedTime": {"data_type": "datetime", "description": 'The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.'}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "MetricResponseType": {"data_type": "string", "description": 'Records the metric response for correlation between metrics and logs.'}, + "ObjectKey": {"data_type": "string", "description": 'The key of the requested object, in quotes.'}, + "OperationCount": {"data_type": "int", "description": 'The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed.'}, + "OperationVersion": {"data_type": "string", "description": 'The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.'}, + "Protocol": {"data_type": "string", "description": 'The protocol that is used in the operation.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "RehydratePriority": {"data_type": "string", "description": 'The priority used to rehydrate an archived blob.'}, + "RequestBodySize": {"data_type": "long", "description": 'The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterAudience": {"data_type": "string", "description": 'The OAuth audience of the request.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The OAuth object ID of the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The OAuth tenant ID of identity.'}, + "RequesterTokenIssuer": {"data_type": "string", "description": 'The OAuth token issuer.'}, + "RequesterUpn": {"data_type": "string", "description": 'The User Principal Names of requestor.'}, + "RequestHeaderSize": {"data_type": "long", "description": 'The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "RequestMd5": {"data_type": "string", "description": 'The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodySize": {"data_type": "long", "description": 'The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.'}, + "ResponseHeaderSize": {"data_type": "long", "description": 'The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "ResponseMd5": {"data_type": "string", "description": 'The value of the MD5 hash calculated by the storage service.'}, + "SasExpiryStatus": {"data_type": "string", "description": 'Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version of the log.'}, + "ServerLatencyMs": {"data_type": "real", "description": "The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."}, + "ServiceType": {"data_type": "string", "description": 'The service associated with this request.'}, + "SourceAccessTier": {"data_type": "string", "description": 'The source tier of the storage account.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SourceUri": {"data_type": "string", "description": 'Records the source URI for operations.'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "StatusText": {"data_type": "string", "description": 'The status of the requested operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The Universal Time Coordinated (UTC) time when the request was received by storage.'}, + "TlsVersion": {"data_type": "string", "description": 'The TLS version used in the connection of request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The User-Agent header value, in quotes.'}, + }, + "StorageCacheOperationEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, if available.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource associated with the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation name for which the log entry was created.'}, + "PrimingJobName": {"data_type": "string", "description": 'Name of the priming job associated with the operation, if available.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseCode": {"data_type": "int", "description": 'HTTP status of API request.'}, + "ResultDescription": {"data_type": "string", "description": 'Details about the result, if available.'}, + "ResultType": {"data_type": "string", "description": 'Result of the REST API request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StorageTargetName": {"data_type": "string", "description": 'Name of the storage target associated with the operation, if available.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageCacheUpgradeEvents": { + "AvailableFirmwareVersion": {"data_type": "string", "description": 'The firmware version for upgrade, if available.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, if available.'}, + "CurrentFirmwareVersion": {"data_type": "string", "description": 'The firmware version currently running.'}, + "Description": {"data_type": "string", "description": 'The description of the upgrade event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource associated with the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageCacheWarningEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'Unique identifier to be used to correlate logs, if available.'}, + "Description": {"data_type": "string", "description": 'The description of the warning event.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event: Informational, Warning, Error, or Critical.'}, + "Location": {"data_type": "string", "description": 'The region of the resource associated with the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The state of the warning: Active or Cleared.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (UTC) when the log was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageFileLogs": { + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request.'}, + "AuthorizationDetails": {"data_type": "dynamic", "description": 'Detailed policy information used to authorize the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester, including the port number.'}, + "Category": {"data_type": "string", "description": 'The category of requested operation.'}, + "ClientRequestId": {"data_type": "string", "description": 'The x-ms-client-request-id header value of the request.'}, + "ConditionsUsed": {"data_type": "string", "description": 'A semicolon-separated list of key-value pairs that represent a condition.'}, + "ContentLengthHeader": {"data_type": "long", "description": 'The value of the Content-Length header for the request sent to the storage service.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate logs across resources.'}, + "DurationMs": {"data_type": "real", "description": 'The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.'}, + "Etag": {"data_type": "string", "description": 'The ETag identifier for the returned object, in quotes.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedTime": {"data_type": "datetime", "description": 'The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.'}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "MetricResponseType": {"data_type": "string", "description": 'Records the metric response for correlation between metrics and logs.'}, + "ObjectKey": {"data_type": "string", "description": 'The key of the requested object, in quotes.'}, + "OperationCount": {"data_type": "int", "description": 'The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed.'}, + "OperationVersion": {"data_type": "string", "description": 'The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.'}, + "Protocol": {"data_type": "string", "description": 'The protocol that is used in the operation.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "RequestBodySize": {"data_type": "long", "description": 'The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterAudience": {"data_type": "string", "description": 'The OAuth audience of the request.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The OAuth object ID of the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The OAuth tenant ID of identity.'}, + "RequesterTokenIssuer": {"data_type": "string", "description": 'The OAuth token issuer.'}, + "RequesterUpn": {"data_type": "string", "description": 'The User Principal Names of requester.'}, + "RequesterUserName": {"data_type": "string", "description": 'The user name of requester for SMB.'}, + "RequestHeaderSize": {"data_type": "long", "description": 'The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "RequestMd5": {"data_type": "string", "description": 'The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodySize": {"data_type": "long", "description": 'The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.'}, + "ResponseHeaderSize": {"data_type": "long", "description": 'The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "ResponseMd5": {"data_type": "string", "description": 'The value of the MD5 hash calculated by the storage service.'}, + "SasExpiryStatus": {"data_type": "string", "description": 'Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version of the log.'}, + "ServerLatencyMs": {"data_type": "real", "description": "The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."}, + "ServiceType": {"data_type": "string", "description": 'The service associated with this request.'}, + "SmbCommandDetail": {"data_type": "string", "description": 'More information about this specific request rather than the general type of request.'}, + "SmbCommandMajor": {"data_type": "int", "description": 'Value in SMB2_HEADER.Command, and is currently a number between 0 and 18 inclusive.'}, + "SmbCommandMinor": {"data_type": "string", "description": 'The subclass of SmbCommandMajor, where appropriate.'}, + "SmbCreditsConsumed": {"data_type": "int", "description": 'The ingress or egress consumed by the request, in units of 64k.'}, + "SmbFileId": {"data_type": "string", "description": 'The FileId associated with file or directory. Roughly analogous to an NTFS FileId.'}, + "SmbMessageID": {"data_type": "string", "description": 'The connection relative MessageId.'}, + "SmbPersistentHandleID": {"data_type": "string", "description": 'Persistent HandleID from an SMB2 Create request that survives network reconnects. Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Persistent.'}, + "SmbPrimarySID": {"data_type": "string", "description": 'Security Identifier of Kerberos Authenticated request'}, + "SmbSessionID": {"data_type": "string", "description": 'The SMB2 SessionId established at SessionSetup time.'}, + "SmbStatusCode": {"data_type": "string", "description": 'Status code for SMB in a hex format.'}, + "SmbTreeConnectID": {"data_type": "string", "description": 'The SMB TreeConnectID established at TreeConnect time.'}, + "SmbVolatileHandleID": {"data_type": "string", "description": 'Volatile HandleID from an SMB2 Create request that is recycled on network reconnects. Referenced in [MS-SMB2] 2.2.14.1 as SMB2_FILEID.Volatile.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "StatusText": {"data_type": "string", "description": 'The status of the requested operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The Universal Time Coordinated (UTC) time when the request was received by storage.'}, + "TlsVersion": {"data_type": "string", "description": 'The TLS version used in the connection of request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The User-Agent header value, in quotes.'}, + }, + "StorageMalwareScanningResults": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BlobEtag": {"data_type": "string", "description": 'The Etag of the scanned blob.'}, + "BlobUri": {"data_type": "string", "description": 'The URI of the scanned blob.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID of a specific scan.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScanFinishedTimeUtc": {"data_type": "datetime", "description": 'Scan finished time in UTC.'}, + "ScanResultDetails": {"data_type": "dynamic", "description": 'Information regarding the scan results.'}, + "ScanResultType": {"data_type": "string", "description": 'Type of the scan result (Malicious, Error, No Threat Found, Not Scanned).'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StorageAccountLocation": {"data_type": "string", "description": 'The location of the storage account.'}, + "StorageAccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageMoverCopyLogsFailed": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Details": {"data_type": "string", "description": 'The error description and any additional details if available.'}, + "FileSize": {"data_type": "long", "description": 'The file size in bytes (if available). Only applicable when item type is File.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemPath": {"data_type": "string", "description": 'Relative path of the item from the migration source, and target root directories.'}, + "ItemType": {"data_type": "string", "description": "Type of the item, either 'F' for file, or 'D' for directory."}, + "JobRunName": {"data_type": "string", "description": 'Unique name of the job run which generated this log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The storage mover status code.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time in UTC when the log was generated on the Storage Mover agent.'}, + "TransferResult": {"data_type": "string", "description": 'The final transfer result of the item. One of: Excluded, Failed, Transferred, NoCopyNecessary, Unsupported.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageMoverCopyLogsTransferred": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Details": {"data_type": "string", "description": 'The error description and any additional details if available.'}, + "FileSize": {"data_type": "long", "description": 'The file size in bytes (if available). Only applicable when item type is File.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemPath": {"data_type": "string", "description": 'Relative path of the item from the migration source, and target root directories.'}, + "ItemType": {"data_type": "string", "description": "Type of the item, either 'F' for file, or 'D' for directory."}, + "JobRunName": {"data_type": "string", "description": 'Unique name of the job run which generated this log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The storage mover status code.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time in UTC when the log was generated on the Storage Mover agent.'}, + "TransferResult": {"data_type": "string", "description": 'The final transfer result of the item. One of: Excluded, Failed, Transferred, NoCopyNecessary, Unsupported.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageMoverJobRunLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "JobRunName": {"data_type": "string", "description": 'JobRunName'}, + "Level": {"data_type": "string", "description": 'The log level. Can be Informational, Warning or Error.'}, + "Message": {"data_type": "string", "description": 'Log message.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'Status code associated with the log message.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time in UTC when the log was generated on the Storage Mover agent.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "StorageQueueLogs": { + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request.'}, + "AuthorizationDetails": {"data_type": "dynamic", "description": 'Detailed policy information used to authorize the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester, including the port number.'}, + "Category": {"data_type": "string", "description": 'The category of requested operation.'}, + "ClientRequestId": {"data_type": "string", "description": 'The x-ms-client-request-id header value of the request.'}, + "ConditionsUsed": {"data_type": "string", "description": 'A semicolon-separated list of key-value pairs that represent a condition.'}, + "ContentLengthHeader": {"data_type": "long", "description": 'The value of the Content-Length header for the request sent to the storage service.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate logs across resources.'}, + "DurationMs": {"data_type": "real", "description": 'The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.'}, + "Etag": {"data_type": "string", "description": 'The ETag identifier for the returned object, in quotes.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedTime": {"data_type": "datetime", "description": 'The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.'}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "MetricResponseType": {"data_type": "string", "description": 'Records the metric response for correlation between metrics and logs.'}, + "ObjectKey": {"data_type": "string", "description": 'The key of the requested object, in quotes.'}, + "OperationCount": {"data_type": "int", "description": 'The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed.'}, + "OperationVersion": {"data_type": "string", "description": 'The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.'}, + "Protocol": {"data_type": "string", "description": 'The protocol that is used in the operation.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "RequestBodySize": {"data_type": "long", "description": 'The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterAudience": {"data_type": "string", "description": 'The OAuth audience of the request.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The OAuth object ID of the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The OAuth tenant ID of identity.'}, + "RequesterTokenIssuer": {"data_type": "string", "description": 'The OAuth token issuer.'}, + "RequesterUpn": {"data_type": "string", "description": 'The User Principal Names of requestor.'}, + "RequestHeaderSize": {"data_type": "long", "description": 'The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "RequestMd5": {"data_type": "string", "description": 'The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodySize": {"data_type": "long", "description": 'The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.'}, + "ResponseHeaderSize": {"data_type": "long", "description": 'The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "ResponseMd5": {"data_type": "string", "description": 'The value of the MD5 hash calculated by the storage service.'}, + "SasExpiryStatus": {"data_type": "string", "description": 'Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version of the log.'}, + "ServerLatencyMs": {"data_type": "real", "description": "The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."}, + "ServiceType": {"data_type": "string", "description": 'The service associated with this request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "StatusText": {"data_type": "string", "description": 'The status of the requested operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The Universal Time Coordinated (UTC) time when the request was received by storage.'}, + "TlsVersion": {"data_type": "string", "description": 'The TLS version used in the connection of request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The User-Agent header value, in quotes.'}, + }, + "StorageTableLogs": { + "AccountName": {"data_type": "string", "description": 'The name of the storage account.'}, + "AuthenticationHash": {"data_type": "string", "description": 'The hash of authentication token.'}, + "AuthenticationType": {"data_type": "string", "description": 'The type of authentication that was used to make the request.'}, + "AuthorizationDetails": {"data_type": "dynamic", "description": 'Detailed policy information used to authorize the request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP address of the requester, including the port number.'}, + "Category": {"data_type": "string", "description": 'The category of requested operation.'}, + "ClientRequestId": {"data_type": "string", "description": 'The x-ms-client-request-id header value of the request.'}, + "ConditionsUsed": {"data_type": "string", "description": 'A semicolon-separated list of key-value pairs that represent a condition.'}, + "ContentLengthHeader": {"data_type": "long", "description": 'The value of the Content-Length header for the request sent to the storage service.'}, + "CorrelationId": {"data_type": "string", "description": 'The ID that is used to correlate logs across resources.'}, + "DurationMs": {"data_type": "real", "description": 'The total time, expressed in milliseconds, to perform the requested operation. This includes the time to read the incoming request, and to send the response to the requester.'}, + "Etag": {"data_type": "string", "description": 'The ETag identifier for the returned object, in quotes.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastModifiedTime": {"data_type": "datetime", "description": 'The Last Modified Time (LMT) for the returned object. This field is empty for operations that can return multiple objects.'}, + "Location": {"data_type": "string", "description": 'The location of storage account.'}, + "MetricResponseType": {"data_type": "string", "description": 'Records the metric response for correlation between metrics and logs.'}, + "ObjectKey": {"data_type": "string", "description": 'The key of the requested object, in quotes.'}, + "OperationCount": {"data_type": "int", "description": 'The number of each logged operation that is involved in the request. This count starts with an index of 0. Some requests require more than one operation, such as a request to copy a blob. Most requests perform only one operation.'}, + "OperationName": {"data_type": "string", "description": 'The type of REST operation that was performed.'}, + "OperationVersion": {"data_type": "string", "description": 'The storage service version that was specified when the request was made. This is equivalent to the value of the x-ms-version header.'}, + "Protocol": {"data_type": "string", "description": 'The protocol that is used in the operation.'}, + "ReferrerHeader": {"data_type": "string", "description": 'The Referer header value.'}, + "RequestBodySize": {"data_type": "long", "description": 'The size of the request packets, expressed in bytes, that are read by the storage service. If a request is unsuccessful, this value might be empty.'}, + "RequesterAppId": {"data_type": "string", "description": 'The Open Authorization (OAuth) application ID that is used as the requester.'}, + "RequesterAudience": {"data_type": "string", "description": 'The OAuth audience of the request.'}, + "RequesterObjectId": {"data_type": "string", "description": 'The OAuth object ID of the requester.'}, + "RequesterTenantId": {"data_type": "string", "description": 'The OAuth tenant ID of identity.'}, + "RequesterTokenIssuer": {"data_type": "string", "description": 'The OAuth token issuer.'}, + "RequesterUpn": {"data_type": "string", "description": 'The User Principal Names of requestor.'}, + "RequestHeaderSize": {"data_type": "long", "description": 'The size of the request header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "RequestMd5": {"data_type": "string", "description": 'The value of either the Content-MD5 header or the x-ms-content-md5 header in the request. The MD5 hash value specified in this field represents the content in the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseBodySize": {"data_type": "long", "description": 'The size of the response packets written by the storage service, in bytes. If a request is unsuccessful, this value may be empty.'}, + "ResponseHeaderSize": {"data_type": "long", "description": 'The size of the response header expressed in bytes. If a request is unsuccessful, this value might be empty.'}, + "ResponseMd5": {"data_type": "string", "description": 'The value of the MD5 hash calculated by the storage service.'}, + "SasExpiryStatus": {"data_type": "string", "description": 'Records any violations in the request SAS token as per the SAS policy set in the storage account. Ex: longer SAS token duration specified than allowed per SAS policy'}, + "SchemaVersion": {"data_type": "string", "description": 'The schema version of the log.'}, + "ServerLatencyMs": {"data_type": "real", "description": "The total time expressed in milliseconds to perform the requested operation. This value doesn't include network latency (the time to read the incoming request and send the response to the requester)."}, + "ServiceType": {"data_type": "string", "description": 'The service associated with this request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The HTTP status code for the request. If the request is interrupted, this value might be set to Unknown.'}, + "StatusText": {"data_type": "string", "description": 'The status of the requested operation.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The Universal Time Coordinated (UTC) time when the request was received by storage.'}, + "TlsVersion": {"data_type": "string", "description": 'The TLS version used in the connection of request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Uri": {"data_type": "string", "description": 'Uniform resource identifier that is requested.'}, + "UserAgentHeader": {"data_type": "string", "description": 'The User-Agent header value, in quotes.'}, + }, + "SucceededIngestion": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'The name of the database holding the target table'}, + "IngestionSourceId": {"data_type": "string", "description": 'A unique identifier representing the ingested source'}, + "IngestionSourcePath": {"data_type": "string", "description": 'The path of the ingestion data sources or the Azure blob storage URI'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": "The ingestion's operation ID"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The final state of this data ingestion operation'}, + "RootActivityId": {"data_type": "string", "description": "The ingestion's activity ID"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SucceededOn": {"data_type": "datetime", "description": 'Time at which this ingest operation successfully ended'}, + "Table": {"data_type": "string", "description": 'The name of the target table into which the data is ingested'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseBigDataPoolApplicationsEnded": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseBuiltinSqlPoolRequestsEnded": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "DurationMs": {"data_type": "int", "description": 'The total elapsed time in milliseconds.'}, + "ErrorCode": {"data_type": "int", "description": 'The error/success code'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'The status of the request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseDXCommand": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the command'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": "The log category for these events will be 'Command'"}, + "CommandType": {"data_type": "string", "description": "Command type. like 'DatabasesShow'"}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database the command ran on'}, + "Duration": {"data_type": "string", "description": "Command duration as a string like '00:00:00.0156250'"}, + "FailureReason": {"data_type": "string", "description": 'The reason for the failure'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedOn": {"data_type": "datetime", "description": 'The last time this command was updated'}, + "Principal": {"data_type": "string", "description": "Principal that invoked the query like 'aaduser=USER_ID;TENANT'"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceUtilization": {"data_type": "dynamic", "description": 'Resurce consumption for the exuected command'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'The time (UTC) when this command started'}, + "State": {"data_type": "string", "description": "The state the command ended with, like 'Completed'"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'Text of the invoked command'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when this event was generated'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU runtime across cluster nodes'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'User that invoked the query'}, + "WorkloadGroup": {"data_type": "string", "description": 'Workload are a means of resource governance for incoming requests to the cluster'}, + }, + "SynapseDXFailedIngestion": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'The name of the database holding the target table'}, + "Details": {"data_type": "string", "description": 'Details of the failure'}, + "ErrorCode": {"data_type": "string", "description": "Failure's error code like 'BadRequest_EmptyBlob'"}, + "FailedOn": {"data_type": "datetime", "description": 'The time this ingest operation failed'}, + "FailureStatus": {"data_type": "string", "description": "Failure's status like 'Permanent'"}, + "IngestionSourceId": {"data_type": "string", "description": 'The ID of the ingestion source'}, + "IngestionSourcePath": {"data_type": "string", "description": 'Azure blob storage URI'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": "The ingestion's operation ID"}, + "OriginatesFromUpdatePolicy": {"data_type": "bool", "description": 'Indicates if the failure originates from an Update Policy'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": "Final state of this data ingestion operation like 'Failed'"}, + "RootActivityId": {"data_type": "string", "description": "The ingestion's activity ID Used for debugging issues"}, + "ShouldRetry": {"data_type": "bool", "description": 'Indicates if the failure is temporary and the operation should be retried'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Table": {"data_type": "string", "description": 'The name of the target table the data is ingested into'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseDXIngestionBatching": { + "BatchingType": {"data_type": "string", "description": 'Batching type: Whether the batch reached the limit of batching time, data size, or number of files set by the the batching policy'}, + "BatchSizeBytes": {"data_type": "long", "description": 'Total uncompressed size of data in this batch (bytes)'}, + "BatchTimeSeconds": {"data_type": "real", "description": 'Total batching time of this batch (seconds)'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'The name of the database holding the target table'}, + "DataSourcesInBatch": {"data_type": "int", "description": 'Number of data sources in this batch'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": "The operation's activity ID"}, + "SourceCreationTime": {"data_type": "datetime", "description": 'When the first blobs in this batch were created (UTC time)'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Table": {"data_type": "string", "description": 'The name of the target table the data is ingested into'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseDXQuery": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the query'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CacheDiskHits": {"data_type": "long", "description": 'Disk cache hits'}, + "CacheDiskMisses": {"data_type": "long", "description": 'Disk cache misses'}, + "CacheMemoryHits": {"data_type": "long", "description": 'Memory cache hits'}, + "CacheMemoryMisses": {"data_type": "long", "description": 'Memory cache misses'}, + "CacheShardsBypassBytes": {"data_type": "long", "description": 'Shards cache bypass bytes'}, + "CacheShardsColdHits": {"data_type": "long", "description": 'Shards cold cache hits'}, + "CacheShardsColdMisses": {"data_type": "long", "description": 'Shards cold cache misses'}, + "CacheShardsHotHits": {"data_type": "long", "description": 'Shards hot cache hits'}, + "CacheShardsHotMisses": {"data_type": "long", "description": 'Shards hot cache misses'}, + "Category": {"data_type": "string", "description": "The log category for these events will be 'Query'"}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the database the command ran on'}, + "Duration": {"data_type": "string", "description": "Query duration as a string like '00:00:00.0156250'"}, + "ExtentsMaxDataScannedTime": {"data_type": "datetime", "description": 'Maximum data scan time'}, + "ExtentsMinDataScannedTime": {"data_type": "datetime", "description": 'Minimum data scan time'}, + "FailureReason": {"data_type": "string", "description": 'The reason for the failure'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedOn": {"data_type": "datetime", "description": 'The time (UTC) this command ended'}, + "MemoryPeak": {"data_type": "long", "description": 'Memory peak'}, + "Principal": {"data_type": "string", "description": "The principal that invoked the query like 'aaduser=USER_ID;TENANT'"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "ScannedExtentsCount": {"data_type": "long", "description": 'Scanned extents count'}, + "ScannedRowsCount": {"data_type": "long", "description": 'Scanned rows count'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'The time (UTC) this command started'}, + "State": {"data_type": "string", "description": "The state the command ended with like 'Completed'"}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableCount": {"data_type": "int", "description": 'Table count'}, + "TablesStatistics": {"data_type": "dynamic", "description": 'Tables statistics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Text": {"data_type": "string", "description": 'Text of the invoked query'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) this event was generated'}, + "TotalCPU": {"data_type": "string", "description": 'Total CPU runtime across cluster nodes'}, + "TotalExtentsCount": {"data_type": "long", "description": 'Total extents count'}, + "TotalRowsCount": {"data_type": "long", "description": 'Total rows count'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'User that invoked the query'}, + "WorkloadGroup": {"data_type": "string", "description": 'Workload are a means of resource governance for incoming requests to the cluster'}, + }, + "SynapseDXSucceededIngestion": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Database": {"data_type": "string", "description": 'The name of the database holding the target table'}, + "IngestionSourceId": {"data_type": "string", "description": 'The ingestion source ID'}, + "IngestionSourcePath": {"data_type": "string", "description": 'Azure blob storage URI'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationId": {"data_type": "string", "description": "The ingestion's operation ID"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": "Final state of this data ingestion operation like 'Succeeded'"}, + "RootActivityId": {"data_type": "string", "description": "The ingestion's activity ID"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SucceededOn": {"data_type": "datetime", "description": 'The time this ingest operation ended successfully'}, + "Table": {"data_type": "string", "description": 'The name of the target table the data is ingested into'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) when this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseDXTableDetails": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CachingPolicy": {"data_type": "dynamic", "description": "Table's effective entity caching policy, serialized as JSON"}, + "CachingPolicyOrigin": {"data_type": "string", "description": 'Caching policy origin entity (Table/Database/Cluster)'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'Name of the database'}, + "HotExtentCount": {"data_type": "long", "description": 'Total number of extents in the table, stored in the hot cache'}, + "HotExtentSize": {"data_type": "real", "description": 'Total size of extents (compressed size + index size) in the table, stored in the hot cache (in bytes)'}, + "HotOriginalSize": {"data_type": "long", "description": 'Total original size of data in the table, stored in the hot cache (in bytes)'}, + "HotRowCount": {"data_type": "long", "description": 'Total number of rows in the table, stored in the hot cache'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxExtentsCreationTime": {"data_type": "datetime", "description": 'Maximum creation time of an extent in the table (or null, if there are no extents)'}, + "MinExtentsCreationTime": {"data_type": "datetime", "description": 'Minimum creation time of an extent in the table (or null, if there are no extents)'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RetentionPolicy": {"data_type": "dynamic", "description": "Table's effective entity retention policy, serialized as JSON"}, + "RetentionPolicyOrigin": {"data_type": "string", "description": 'Retention policy origin entity (Table/Database/Cluster)'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'Name of the table'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) this event was generated'}, + "TotalExtentCount": {"data_type": "long", "description": 'Total number of extents in the table'}, + "TotalExtentSize": {"data_type": "real", "description": 'Total size of extents (compressed size + index size) in the table (in bytes)'}, + "TotalOriginalSize": {"data_type": "real", "description": 'The total original data size in the table (in bytes)'}, + "TotalRowCount": {"data_type": "long", "description": 'Total number of rows in the table'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseDXTableUsageStatistics": { + "ApplicationName": {"data_type": "string", "description": 'The name of the application that invoked the command'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The client request ID'}, + "DatabaseName": {"data_type": "string", "description": 'Name of the database'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxCreatedOn": {"data_type": "datetime", "description": 'Lastest extent time of the table'}, + "MinCreatedOn": {"data_type": "datetime", "description": 'Earliest extent time of the table'}, + "Principal": {"data_type": "string", "description": "Principal that invoked the query like 'aaduser=USER_ID;TENANT'"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RootActivityId": {"data_type": "string", "description": 'The root activity ID'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartedOn": {"data_type": "datetime", "description": 'The time (UTC) the table usage statistics operation started'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TableName": {"data_type": "string", "description": 'Name of the table'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time (UTC) this event was generated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "User": {"data_type": "string", "description": 'User that invoked the query'}, + }, + "SynapseGatewayApiRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "ClientCorrelationId": {"data_type": "string", "description": 'The client correlation id of this query.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version of the operation.'}, + "RequestUri": {"data_type": "string", "description": 'The request URI for this query.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event'}, + "ResultType": {"data_type": "string", "description": 'Status of the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseGatewayEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API Version of the operation.'}, + "RequestUri": {"data_type": "string", "description": 'The request URI for this query.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event'}, + "ResultType": {"data_type": "string", "description": 'Status of the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseIntegrationActivityRuns": { + "ActivityName": {"data_type": "string", "description": 'The name of the activity run.'}, + "ActivityRunId": {"data_type": "string", "description": 'The run id of the activity run.'}, + "ActivityType": {"data_type": "string", "description": 'The type of the activity run.'}, + "Annotations": {"data_type": "dynamic", "description": 'The annotation details of the log record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlationId for the log record.'}, + "EffectiveIntegrationRuntime": {"data_type": "string", "description": 'The effective integration runtime the activity run job.'}, + "End": {"data_type": "datetime", "description": 'The end time (UTC) for the activity run.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The log type info level of the record.'}, + "Location": {"data_type": "string", "description": 'The location of the resource in the cloud where this log is originated.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PipelineName": {"data_type": "string", "description": 'The pipeline name of the activity flow.'}, + "PipelineRunId": {"data_type": "string", "description": 'The pipeline runId of the activity flow.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": 'The start time (UTC) of the activity run.'}, + "Status": {"data_type": "string", "description": 'The Status of the sql requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "dynamic", "description": 'The associated tags of the log record.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserProperties": {"data_type": "dynamic", "description": 'The user properties of the log record.'}, + }, + "SynapseIntegrationPipelineRuns": { + "Annotations": {"data_type": "dynamic", "description": 'The annotation details of the log record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlationId for the log record.'}, + "End": {"data_type": "datetime", "description": 'The end time (UTC) for the pipelien run.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The log type info level of the record.'}, + "Location": {"data_type": "string", "description": 'The location of the resource in the cloud where this log is originated.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Parameters": {"data_type": "dynamic", "description": 'The parameter details of the pipeline run.'}, + "PipelineName": {"data_type": "string", "description": 'The name of the pipeline flow.'}, + "PipelineTenantId": {"data_type": "string", "description": 'The tenantId details of the pipeline run.'}, + "Predecessors": {"data_type": "dynamic", "description": 'The predecessors information of the pipeline log.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RunId": {"data_type": "string", "description": 'The run id of the pipeline job.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": 'The start time (UTC) of the pipeline run.'}, + "Status": {"data_type": "string", "description": 'The Status of the SQL requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemParameters": {"data_type": "dynamic", "description": 'The system parameter details of the pipeline run.'}, + "Tags": {"data_type": "dynamic", "description": 'The associated tags of the log record.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The type of the pipeline run.'}, + "UserProperties": {"data_type": "dynamic", "description": 'The user properties of the log record.'}, + }, + "SynapseIntegrationTriggerRuns": { + "Annotations": {"data_type": "dynamic", "description": 'The annotation details of the log record.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlationId for the log record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The log type info level of the record.'}, + "Location": {"data_type": "string", "description": 'The location of the resource in the cloud where this log is originated.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Parameters": {"data_type": "dynamic", "description": 'The parameter details of the pipeline run.'}, + "PipelineTenantId": {"data_type": "string", "description": 'The tenantId details of the pipeline run.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Start": {"data_type": "datetime", "description": 'The start time (UTC) of the trigger run.'}, + "Status": {"data_type": "string", "description": 'The Status of the SQL requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemParameters": {"data_type": "dynamic", "description": 'The system parameter details of the pipeline run.'}, + "Tags": {"data_type": "dynamic", "description": 'The associated tags of the log record.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "TriggerEvent": {"data_type": "string", "description": 'The trigger id of the log record.'}, + "TriggerId": {"data_type": "string", "description": 'The trigger id of the log record.'}, + "TriggerName": {"data_type": "string", "description": 'The trigger name of the log record.'}, + "TriggerType": {"data_type": "string", "description": 'The trigger type of the log record.'}, + "Type": {"data_type": "string", "description": 'The type of the pipeline run.'}, + "UserProperties": {"data_type": "dynamic", "description": 'The user properties of the log record.'}, + }, + "SynapseLinkEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "int", "description": 'The log type info level of the record.'}, + "LinkConnectionName": {"data_type": "string", "description": 'The Synapse Link connection name.'}, + "Location": {"data_type": "string", "description": 'The location of the resource in the cloud where this log is originated.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'The properties associated with Synapse Link operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseRBACEvents": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "Properties": {"data_type": "dynamic", "description": 'extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event.'}, + "ResultType": {"data_type": "string", "description": 'Status of the event.'}, + "RoleAssignmentId": {"data_type": "string", "description": 'The Role Assignment Id for this event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseRbacOperations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The region of the resource emitting the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationVersion": {"data_type": "string", "description": 'The API version of the operation.'}, + "Properties": {"data_type": "dynamic", "description": 'extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": 'The static text description of this operation.'}, + "ResultSignature": {"data_type": "string", "description": 'The sub status of the event.'}, + "ResultType": {"data_type": "string", "description": 'Status of the event.'}, + "RoleAssignmentId": {"data_type": "string", "description": 'The Role Assignment Id for this event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseScopePoolScopeJobsEnded": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'Extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseScopePoolScopeJobsStateChange": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID used to group together a set of related events.'}, + "Identity": {"data_type": "dynamic", "description": 'A JSON blob that describes the identity of the user or application that performed the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Properties": {"data_type": "dynamic", "description": 'Extended properties related to this event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseSqlPoolDmsWorkers": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesProcessed": {"data_type": "int", "description": 'The bytes processed of the DMS workers.'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "CpuTime": {"data_type": "int", "description": 'The cpu time for the DMS workers.'}, + "DestinationInfo": {"data_type": "string", "description": 'The row count of the DMS workers.'}, + "DistributionId": {"data_type": "int", "description": 'The distribution id of the DMS workers.'}, + "DmsCpuId": {"data_type": "int", "description": 'The DMS cpu Id for the DMS workers.'}, + "DmsStepIndex": {"data_type": "int", "description": 'The DMS step index of the DMS workers.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) for the DMS workers.'}, + "ErrorId": {"data_type": "string", "description": 'The errorId of the DMS workers.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogicalServerName": {"data_type": "string", "description": 'The logical server name of the SQL DW.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PdwNodeId": {"data_type": "int", "description": 'The pdw node id of the DMS workers.'}, + "RequestId": {"data_type": "string", "description": 'The requestId of the DMS workers.'}, + "ResourceGroup": {"data_type": "string", "description": 'The azure resourceGroup of the SQL DW.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RowsProcessed": {"data_type": "int", "description": 'The rows processed of the DMS workers.'}, + "SourceInfo": {"data_type": "string", "description": 'The row count of the DMS workers.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SqlSpId": {"data_type": "int", "description": 'The SQL Sp Id for the DMS workers.'}, + "StartTime": {"data_type": "datetime", "description": 'The startTime (UTC) of the DMS workers.'}, + "Status": {"data_type": "string", "description": 'The status of the DMS workers.'}, + "StepIndex": {"data_type": "int", "description": 'The step index of the DMS workers.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The type of the DMS workers.'}, + }, + "SynapseSqlPoolExecRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "ClassifierName": {"data_type": "string", "description": 'The classifier name of the execution requests.'}, + "ClientCorrelationId": {"data_type": "string", "description": 'The correlation set by client/user.'}, + "Command": {"data_type": "string", "description": 'The SQL command of the execution requests.'}, + "DatabaseId": {"data_type": "string", "description": 'The databaseId of the execution requests.'}, + "EndCompileTime": {"data_type": "datetime", "description": 'The end compile time (UTC) of the execution requests.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) for the execution requests.'}, + "ErrorId": {"data_type": "string", "description": 'The errorId of the execution requests.'}, + "ExplainOutput": {"data_type": "string", "description": 'The output explain of the execution requests.'}, + "Importance": {"data_type": "string", "description": 'The importance of the execution requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Label": {"data_type": "string", "description": 'The label of the execution requests.'}, + "LogicalServerName": {"data_type": "string", "description": 'The logical server name of the SQL DW.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "RequestId": {"data_type": "string", "description": 'The requestId of the execution requests.'}, + "ResourceAllocationPercent": {"data_type": "string", "description": 'The resource allocation percent of the execution requests.'}, + "ResourceClass": {"data_type": "string", "description": 'The resource class of the execution requests.'}, + "ResourceGroup": {"data_type": "string", "description": 'The azure resourceGroup of the SQL DW.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultCacheHit": {"data_type": "string", "description": 'The result cache hit of the execution requests.'}, + "RootQueryId": {"data_type": "string", "description": 'The rootQueryId of the execution requests.'}, + "ScopeDepth": {"data_type": "int", "description": 'The scope depth of the execution requests.'}, + "SessionId": {"data_type": "string", "description": 'The Session ID of the SQL pool instance.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The startTime (UTC) of the execution requests.'}, + "StatementType": {"data_type": "string", "description": 'The statement type of the execution requests.'}, + "Status": {"data_type": "string", "description": 'The status of the execution requests.'}, + "SubmitTime": {"data_type": "datetime", "description": 'The submitTime (UTC) of the execution requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseSqlPoolRequestSteps": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Command": {"data_type": "string", "description": 'The SQL command of the execution requests.'}, + "DistributionType": {"data_type": "string", "description": 'The distribution type of the execution requests.'}, + "EndCompileTime": {"data_type": "datetime", "description": 'The end compile time (UTC) of the execution requests.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) for the execution requests.'}, + "ErrorId": {"data_type": "string", "description": 'The errorId of the execution requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LocationType": {"data_type": "string", "description": 'The location type of the execution requests.'}, + "LogicalServerName": {"data_type": "string", "description": 'The logical server name of the SQL DW.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "OperationType": {"data_type": "string", "description": 'The operation type of the execution requests.'}, + "RequestId": {"data_type": "string", "description": 'The requestId of the execution requests.'}, + "ResourceGroup": {"data_type": "string", "description": 'The azure resourceGroup of the SQL DW.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RowCount": {"data_type": "int", "description": 'The row count of the execution requests.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The startTime (UTC) of the execution requests.'}, + "Status": {"data_type": "string", "description": 'The status of the execution requests.'}, + "StepIndex": {"data_type": "int", "description": 'The step index of the execution requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseSqlPoolSqlRequests": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Command": {"data_type": "string", "description": 'The command of the SQL requests.'}, + "DistributionId": {"data_type": "int", "description": 'The distribution id of the SQL requests.'}, + "EndTime": {"data_type": "datetime", "description": 'The end time (UTC) for the SQL requests.'}, + "ErrorId": {"data_type": "string", "description": 'The error id of the SQL requests.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LogicalServerName": {"data_type": "string", "description": 'The logical server name of the SQL DW.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "PdwNodeId": {"data_type": "int", "description": 'The PdwNodeId of the SQL requests.'}, + "RequestId": {"data_type": "string", "description": 'The request Id of the SQL requests.'}, + "ResourceGroup": {"data_type": "string", "description": 'The azure resourceGroup of the SQL DW.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "RowCount": {"data_type": "int", "description": 'The row count of the SQL requests.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SpId": {"data_type": "int", "description": 'The sp id of the SQL requests.'}, + "StartTime": {"data_type": "datetime", "description": 'The startTime (UTC) of the SQL requests.'}, + "Status": {"data_type": "string", "description": 'The Status of the SQL requests.'}, + "StepIndex": {"data_type": "int", "description": 'The step index of the SQL requests.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "SynapseSqlPoolWaits": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LockType": {"data_type": "string", "description": 'The lock type of the SQL instance.'}, + "LogicalServerName": {"data_type": "string", "description": 'The logical server name of the SQL DW.'}, + "OperationName": {"data_type": "string", "description": 'The operation associated with log record.'}, + "Priority": {"data_type": "int", "description": 'The priority of the waits.'}, + "RequestId": {"data_type": "string", "description": 'The request ID of the waits.'}, + "ResourceGroup": {"data_type": "string", "description": 'The azure resourceGroup of the SQL DW.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionId": {"data_type": "string", "description": 'The session ID of the SQL request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The State of the waits.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Syslog": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CollectorHostName": {"data_type": "string", "description": 'Name of the remote device that generated the message.'}, + "Computer": {"data_type": "string", "description": 'Computer that the event was collected from.'}, + "EventTime": {"data_type": "datetime", "description": 'Date and time that the event was generated.'}, + "Facility": {"data_type": "string", "description": 'The part of the system that generated the message.'}, + "HostIP": {"data_type": "string", "description": 'IP address of the system sending the message.'}, + "HostName": {"data_type": "string", "description": 'Name of the system sending the message.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProcessID": {"data_type": "int", "description": 'ID of the process that generated the message.'}, + "ProcessName": {"data_type": "string", "description": 'Name of the process that generated the message.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SeverityLevel": {"data_type": "string", "description": 'Severity level of the event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SyslogMessage": {"data_type": "string", "description": 'Text of the message.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "ThreatIntelIndicators": { + "AdditionalFields": {"data_type": "dynamic", "description": 'The type specifc fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red.'}, + "AzureTenantId": {"data_type": "string", "description": 'The tenant that submitted the indicator.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Confidence": {"data_type": "int", "description": 'The confidence that the creator has in the correctness of their data. The value must be a number in the range of 0-100.'}, + "Created": {"data_type": "datetime", "description": 'The date when the indicator was created.'}, + "Data": {"data_type": "dynamic", "description": 'All object properties, formatted according to the STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf).'}, + "Id": {"data_type": "string", "description": 'A value that uniquely identifies the indicator STIX object. This value is usable with Sentinel APIs.'}, + "IsActive": {"data_type": "bool", "description": 'A value that specifies if an indicator is active and valid for detections.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDeleted": {"data_type": "bool", "description": 'A value that indicates whether the data was deleted from Sentinel or not.'}, + "LastUpdateMethod": {"data_type": "string", "description": 'The component that last updated the indicator.'}, + "Modified": {"data_type": "datetime", "description": 'The date when the indicator was modified.'}, + "ObservableKey": {"data_type": "string", "description": 'The entire left-hand side of an equality comparison from the pattern.'}, + "ObservableValue": {"data_type": "string", "description": 'The entire right-hand side of an equality comparison from the pattern.'}, + "Pattern": {"data_type": "string", "description": 'The detection pattern for this indicator MAY be expressed as a STIX pattern.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Revoked": {"data_type": "bool", "description": 'A value that specifies whether the indicator was revoked.'}, + "Source": {"data_type": "string", "description": 'The name of the source.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Tags": {"data_type": "string", "description": 'Sentinel defined tags for the indicator.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time of indicator ingestion.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "ValidFrom": {"data_type": "datetime", "description": 'The time from which this indicator is considered a valid indicator of the behaviors it is related or represents.'}, + "ValidUntil": {"data_type": "datetime", "description": 'The time at which this indicator should no longer be considered a valid indicator of the bahviors it is related to or represents.'}, + "WorkspaceId": {"data_type": "string", "description": 'The workspace that submitted the indicator.'}, + }, + "ThreatIntelligenceIndicator": { + "Action": {"data_type": "string", "description": 'Action to take on indicator match.'}, + "Active": {"data_type": "bool", "description": 'Indicates whether indicator is active.'}, + "ActivityGroupNames": {"data_type": "string", "description": 'Activity groups associated with indicator.'}, + "AdditionalInformation": {"data_type": "string", "description": 'Free text additional information for indicator.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfidenceScore": {"data_type": "real", "description": 'Confidence rating of the indicator, from 0 to 100.'}, + "Description": {"data_type": "string", "description": 'Description of the indicator.'}, + "DiamondModel": {"data_type": "string", "description": 'Diamond model value for the indicator, one of adversary, capability, infrastructure or victim.'}, + "DomainName": {"data_type": "string", "description": 'The domain name observable.'}, + "EmailEncoding": {"data_type": "string", "description": 'The email encoding observable.'}, + "EmailLanguage": {"data_type": "string", "description": 'The email language observable.'}, + "EmailRecipient": {"data_type": "string", "description": 'The email recipient observable.'}, + "EmailSenderAddress": {"data_type": "string", "description": 'The email sender address observable.'}, + "EmailSenderName": {"data_type": "string", "description": 'The email sender name observable.'}, + "EmailSourceDomain": {"data_type": "string", "description": 'The email source domain observable.'}, + "EmailSourceIpAddress": {"data_type": "string", "description": 'The email source IP address observable.'}, + "EmailSubject": {"data_type": "string", "description": 'The email subject observable.'}, + "EmailXMailer": {"data_type": "string", "description": 'The email X-Mailer observable.'}, + "ExpirationDateTime": {"data_type": "datetime", "description": 'Time of indicator expiration.'}, + "ExternalIndicatorId": {"data_type": "string", "description": 'Identifier for indicator from submitting system.'}, + "FileCompileDateTime": {"data_type": "datetime", "description": 'The file compilation time observable.'}, + "FileCreatedDateTime": {"data_type": "datetime", "description": 'The file creation time observable.'}, + "FileHashType": {"data_type": "string", "description": 'The file hash type observable.'}, + "FileHashValue": {"data_type": "string", "description": 'The file hash value observable.'}, + "FileMutexName": {"data_type": "string", "description": 'The file mutex name observable.'}, + "FileName": {"data_type": "string", "description": 'The file name observable.'}, + "FilePacker": {"data_type": "string", "description": 'The file packer observable.'}, + "FilePath": {"data_type": "string", "description": 'The file path observable.'}, + "FileSize": {"data_type": "int", "description": 'The file size observable.'}, + "FileType": {"data_type": "string", "description": 'The file type observable.'}, + "IndicatorId": {"data_type": "string", "description": 'Unique identifier for indicator, calculated by receiving system.'}, + "IndicatorProvider": {"data_type": "string", "description": 'The name of the entity that provided the indicator.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KillChainActions": {"data_type": "bool", "description": "Indicates whether kill chain value 'actions' is set."}, + "KillChainC2": {"data_type": "bool", "description": "Indicates whether kill chain value 'C2' is set."}, + "KillChainDelivery": {"data_type": "bool", "description": "Indicates whether kill chain value 'delivery' is set."}, + "KillChainExploitation": {"data_type": "bool", "description": "Indicates whether kill chain value 'exploitation' is set."}, + "KillChainReconnaissance": {"data_type": "bool", "description": "Indicates whether kill chain value 'reconniassance' is set."}, + "KillChainWeaponization": {"data_type": "bool", "description": "Indicates whether kill chain value 'weaponization' is set."}, + "KnownFalsePositives": {"data_type": "string", "description": 'Text describing situations where indicator may cause false positives.'}, + "MalwareNames": {"data_type": "string", "description": 'List of malware names associated with indicator'}, + "NetworkCidrBlock": {"data_type": "string", "description": 'The network CIDR block observable.'}, + "NetworkDestinationAsn": {"data_type": "int", "description": 'The network destination autonomous system number observable.'}, + "NetworkDestinationCidrBlock": {"data_type": "string", "description": 'The network destination CIDR block observable.'}, + "NetworkDestinationIP": {"data_type": "string", "description": 'The network destination IP address.'}, + "NetworkDestinationPort": {"data_type": "int", "description": 'The network destination port observable.'}, + "NetworkIP": {"data_type": "string", "description": 'The network IP address observable.'}, + "NetworkPort": {"data_type": "int", "description": 'The network port observable.'}, + "NetworkProtocol": {"data_type": "int", "description": 'The network protocol observable.'}, + "NetworkSourceAsn": {"data_type": "int", "description": 'The network source autonomous system number observable.'}, + "NetworkSourceCidrBlock": {"data_type": "string", "description": 'The network source CIDR block observable.'}, + "NetworkSourceIP": {"data_type": "string", "description": 'The network source IP address observable.'}, + "NetworkSourcePort": {"data_type": "int", "description": 'The network source port observable.'}, + "PassiveOnly": {"data_type": "bool", "description": 'Indicates whether the indicator should trigger an event that is visible to a user.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Tags": {"data_type": "string", "description": 'Free form tags.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatSeverity": {"data_type": "int", "description": 'Indicator severity rating from 0 to 5. Higher value indicates greater severity.'}, + "ThreatType": {"data_type": "string", "description": 'Threat type of indicator.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time of indicator ingestion.'}, + "TrafficLightProtocolLevel": {"data_type": "string", "description": 'Industry standard traffic light protocol level, one of white, green, amber or red.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'The url observable.'}, + "UserAgent": {"data_type": "string", "description": 'The user agent observable.'}, + }, + "ThreatIntelObjects": { + "AdditionalFields": {"data_type": "dynamic", "description": 'The type specifc fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red.'}, + "AzureTenantId": {"data_type": "string", "description": 'The tenant that submitted the STIX object.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Data": {"data_type": "dynamic", "description": 'All object properties, formatted according to STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf).'}, + "Id": {"data_type": "string", "description": 'A value that uniquely identifies the STIX object. This value is usable with Sentinel APIs.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDeleted": {"data_type": "bool", "description": 'A value that indicates whether the data was deleted from Sentinel or not.'}, + "LastUpdateMethod": {"data_type": "string", "description": 'The component that last updated the record.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Source": {"data_type": "string", "description": 'The name of the source.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StixType": {"data_type": "string", "description": 'The name of this STIX Object.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time of STIX object ingestion.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WorkspaceId": {"data_type": "string", "description": 'The workspace that submitted the STIX object.'}, + }, + "TSIIngress": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'Category of the log event.'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID of the request.'}, + "ErrorCode": {"data_type": "string", "description": 'The code associated with the error'}, + "EventSourceProperties": {"data_type": "dynamic", "description": 'A collection of properties specific to your event source. Contains details such as the consumer group and the access key name.'}, + "EventSourceType": {"data_type": "string", "description": 'The type of event source. It could either be Event hub or IoT hub.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": 'The severity level of the event.'}, + "Location": {"data_type": "string", "description": 'The location of the resource.'}, + "Message": {"data_type": "string", "description": 'The message associated with the error. Includes details on what went wrong and how to mitigate the error.'}, + "OperationName": {"data_type": "string", "description": 'Operation name of the event.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultDescription": {"data_type": "string", "description": "Description of the result of the operation, such as 'Received forbidden error'."}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time (UTC) at which this event is generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UAApp": { + "AppCategory": {"data_type": "string", "description": ''}, + "AppLanguage": {"data_type": "string", "description": ''}, + "AppName": {"data_type": "string", "description": ''}, + "AppOwner": {"data_type": "string", "description": ''}, + "AppType": {"data_type": "string", "description": ''}, + "AppVendor": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ComputersWithIssues": {"data_type": "int", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRollup": {"data_type": "bool", "description": ''}, + "Issue": {"data_type": "string", "description": ''}, + "MonthlyActiveComputers": {"data_type": "int", "description": ''}, + "PercentActiveComputers": {"data_type": "string", "description": ''}, + "ReadyForWindows": {"data_type": "string", "description": ''}, + "RollupLevel": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TestPlan": {"data_type": "string", "description": ''}, + "TestResult": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalInstalls": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeAssessment": {"data_type": "string", "description": ''}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "UAComputer": { + "AppIssues": {"data_type": "int", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeploymentError": {"data_type": "string", "description": ''}, + "DeploymentErrorDetails": {"data_type": "string", "description": ''}, + "DeploymentStatus": {"data_type": "string", "description": ''}, + "DriverIssues": {"data_type": "int", "description": ''}, + "HoursToUninstall": {"data_type": "int", "description": ''}, + "InventoryVersion": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemRank": {"data_type": "int", "description": ''}, + "LastScan": {"data_type": "datetime", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "OriginBuild": {"data_type": "string", "description": ''}, + "OriginOSVersion": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SysReqIssues": {"data_type": "int", "description": ''}, + "TargetBuild": {"data_type": "string", "description": ''}, + "TargetOSVersion": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalIssues": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UninstallComment": {"data_type": "string", "description": ''}, + "UninstallReason": {"data_type": "string", "description": ''}, + "UpgradeAssessment": {"data_type": "string", "description": ''}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + "UserAction": {"data_type": "string", "description": ''}, + }, + "UAComputerRank": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ComputerID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemRank": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UADriver": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DriverAvailability": {"data_type": "string", "description": ''}, + "DriverDate": {"data_type": "string", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverVendor": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "HardwareID": {"data_type": "string", "description": ''}, + "HardwareName": {"data_type": "string", "description": ''}, + "HardwareType": {"data_type": "string", "description": ''}, + "Importance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRollup": {"data_type": "bool", "description": ''}, + "Issue": {"data_type": "string", "description": ''}, + "RollupLevel": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalComputers": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeAssessment": {"data_type": "string", "description": ''}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "UADriverProblemCodes": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DriverAvailability": {"data_type": "string", "description": ''}, + "DriverDate": {"data_type": "string", "description": ''}, + "DriverName": {"data_type": "string", "description": ''}, + "DriverVendor": {"data_type": "string", "description": ''}, + "DriverVersion": {"data_type": "string", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "HardwareID": {"data_type": "string", "description": ''}, + "HardwareName": {"data_type": "string", "description": ''}, + "HardwareType": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProblemCode": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UAFeedback": { + "AppName": {"data_type": "string", "description": ''}, + "AppVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "Feedback": {"data_type": "string", "description": ''}, + "FeedbackSubmittedDate": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MicrosoftResponse": {"data_type": "string", "description": ''}, + "Sentiment": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Title": {"data_type": "string", "description": ''}, + "TotalUpvotes": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UAIESiteDiscovery": { + "ActiveXGuid": {"data_type": "string", "description": ''}, + "ActiveXName": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BrowserStateReason": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DocMode": {"data_type": "string", "description": ''}, + "DocModeReason": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsRollup": {"data_type": "bool", "description": ''}, + "NumberOfVisits": {"data_type": "int", "description": ''}, + "SiteName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URL": {"data_type": "string", "description": ''}, + "Zone": {"data_type": "string", "description": ''}, + }, + "UAOfficeAddIn": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OfficeAddInDescription": {"data_type": "string", "description": ''}, + "OfficeAddInID": {"data_type": "string", "description": ''}, + "OfficeAddInName": {"data_type": "string", "description": ''}, + "OfficeProduct": {"data_type": "string", "description": ''}, + "OfficeProductVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UAProposedActionPlan": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ComputersUnblocked": {"data_type": "int", "description": ''}, + "CumulativeUnblocked": {"data_type": "int", "description": ''}, + "CumulativeUnblockedPct": {"data_type": "real", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ItemHardwareID": {"data_type": "string", "description": ''}, + "ItemLanguage": {"data_type": "string", "description": ''}, + "ItemName": {"data_type": "string", "description": ''}, + "ItemRank": {"data_type": "int", "description": ''}, + "ItemType": {"data_type": "string", "description": ''}, + "ItemVendor": {"data_type": "string", "description": ''}, + "ItemVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeDecision": {"data_type": "string", "description": ''}, + }, + "UASysReqIssue": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "Guidance": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Issue": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SysReqType": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeAssessment": {"data_type": "string", "description": ''}, + }, + "UAUpgradedComputer": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ConfigMgrClientID": {"data_type": "string", "description": ''}, + "DeploymentError": {"data_type": "string", "description": ''}, + "DeploymentErrorDetails": {"data_type": "string", "description": ''}, + "DeploymentStatus": {"data_type": "string", "description": ''}, + "HoursToUninstall": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastScan": {"data_type": "datetime", "description": ''}, + "Manufacturer": {"data_type": "string", "description": ''}, + "Model": {"data_type": "string", "description": ''}, + "OriginBuild": {"data_type": "string", "description": ''}, + "OriginOSVersion": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetBuild": {"data_type": "string", "description": ''}, + "TargetOSVersion": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UninstallComment": {"data_type": "string", "description": ''}, + "UninstallReason": {"data_type": "string", "description": ''}, + "UserAction": {"data_type": "string", "description": ''}, + }, + "UCClient": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD Tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD Device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "City": {"data_type": "string", "description": 'The last-reported location of device (city), based on IP address.'}, + "Country": {"data_type": "string", "description": 'The last-reported location of device (country), based on IP address. Shown as country code.'}, + "DeviceFamily": {"data_type": "string", "description": 'The device family e.g. PC, Phone.'}, + "DeviceFormFactor": {"data_type": "string", "description": 'The device form factor e.g. Notebook, Desktop, Phone.'}, + "DeviceManufacturer": {"data_type": "string", "description": 'The device OEM Manufacturer e.g. Hewlett-Packard.'}, + "DeviceModel": {"data_type": "string", "description": "The device's OEM model e.g. HP7420 Workstation."}, + "DeviceName": {"data_type": "string", "description": 'The Device given name.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal Global Device Identifier.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsDeviceHotpatchEligible": {"data_type": "bool", "description": 'Specifies whether a device meets the necessary criteria to receive windows security updates without requiring a restart.'}, + "IsDeviceHotpatchEnrolled": {"data_type": "bool", "description": 'Indicates whether the device has been enrolled to receive windows security updates without requiring a restart.'}, + "IsDeviceVBSEnabled": {"data_type": "bool", "description": 'Whether Virtual Based Security (VBS) is enabled on the device. Enabling VBS is a prerequisite for devices to recieve windows security updates without a restart.'}, + "IsVirtual": {"data_type": "bool", "description": 'Whether device is a Virtual Device.'}, + "LastCensusScanTime": {"data_type": "datetime", "description": 'The last time this device performed a successful Census Scan, if any.'}, + "LastHotpatchEnrolledTime": {"data_type": "datetime", "description": 'The last time when device was enrolled to receive security updates without restart.'}, + "LastWUScanTime": {"data_type": "datetime", "description": 'The last time this device performed a successful WU Scan, if any.'}, + "OSArchitecture": {"data_type": "string", "description": 'The architecture of the Operating System e.g. x86.'}, + "OSBuild": {"data_type": "string", "description": "The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo."}, + "OSBuildNumber": {"data_type": "int", "description": 'An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device.'}, + "OSEdition": {"data_type": "string", "description": 'The Windows 10 Edition or SKU.'}, + "OSFeatureUpdateComplianceStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest Feature Update being Offered by WUfB DS, else NotApplicable.'}, + "OSFeatureUpdateEOSTime": {"data_type": "datetime", "description": 'The end of service date of the Feature Update currently installed on the device.'}, + "OSFeatureUpdateReleaseTime": {"data_type": "datetime", "description": 'The release date of the Feature Update currently installed on the device.'}, + "OSFeatureUpdateStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest available Feature Update.'}, + "OSQualityUpdateComplianceStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest Quality Update being Offered by WUfB DS, else NotApplicable.'}, + "OSQualityUpdateReleaseTime": {"data_type": "datetime", "description": 'The release date of the Quality Update currently installed on the device.'}, + "OSQualityUpdateStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest available Quality Update, for its Feature Update.'}, + "OSRevisionNumber": {"data_type": "int", "description": 'An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device.'}, + "OSSecurityUpdateComplianceStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest Security update (QU, Classification==Security) being offered by WUfB DS, else NotApplicable.'}, + "OSSecurityUpdateStatus": {"data_type": "string", "description": 'Whether or not the device is on the latest available Security Update, for its Feature Update.'}, + "OSServicingChannel": {"data_type": "string", "description": 'The elected Windows 10 Servicing Channel of the device.'}, + "OSVersion": {"data_type": "string", "description": 'The version of Windows 10 as is organized on aka.ms/win10releaseinfo.'}, + "PrimaryDiskFreeCapacityMb": {"data_type": "int", "description": 'Free disk capacity of the primary disk in Megabytes.'}, + "SCCMClientId": {"data_type": "string", "description": 'A GUID corresponding to the SCCM Client ID on the device.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time the snapshot generated this specific record.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateConnectivityLevel": {"data_type": "string", "description": 'Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally.'}, + "WUAutomaticUpdates": {"data_type": "int", "description": "CSP: AllowAutoUpdate &'AuOptions' Enables the IT admin to manage automatic update behavior to scan, download, and install updates."}, + "WUDeadlineNoAutoRestart": {"data_type": "int", "description": 'CSP:ConfigureDeadlineNoAutoReboot. Devices will not automatically restart outside of active hours until the deadline is reached, 1 - Enabled 0 (default) - Disabled'}, + "WUDODownloadMode": {"data_type": "string", "description": 'The WU DO DownloadMode configuration, brought over from Update Compliance.'}, + "WUFeatureDeadlineDays": {"data_type": "int", "description": 'CSP: ConfigureDeadlineForFeatureUpdatesThe WU Feature Update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the deadline in days.'}, + "WUFeatureDeferralDays": {"data_type": "int", "description": 'CSP: DeferFeatureUpdates. The WU Feature Update Deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting.'}, + "WUFeatureGracePeriodDays": {"data_type": "int", "description": 'The WU grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the Grace Period in days.'}, + "WUFeaturePauseEndTime": {"data_type": "datetime", "description": 'CSP:PauseFEatureUpdatesEndTime The time WU Feature Update Pause will end, if activated, else null.'}, + "WUFeaturePauseStartTime": {"data_type": "datetime", "description": 'CSP: PauseFeatureUpdatesStartTime. The time WU Feature Update Pause was activated, if activated, else null.eature Updates will be paused for 35 days from the specified start date.'}, + "WUFeaturePauseState": {"data_type": "string", "description": 'Indicates pause status of device for FU, possible values are Paused, NotPaused, NotConfigured.'}, + "WUNotificationLevel": {"data_type": "int", "description": 'CSP: UpdateNotificationLevel. This policy allows you to define what Windows Update notifications users see. 0 (default) Use the default Windows Update notifications. 1 Turn off all notifications, excluding restart warnings. 2 Turn off all notifications, including restart warnings'}, + "WUPauseUXDisabled": {"data_type": "int", "description": 'CSP: SetDisablePauseUXAccess. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user cannot access the Pause updates" feature. Supported values 0, 1.'}, + "WUQualityDeadlineDays": {"data_type": "int", "description": 'CSP: ConfigureDeadlineForQualityUpdates The WU Qualty Update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the deadline in days.'}, + "WUQualityDeferralDays": {"data_type": "int", "description": 'CSP: DeferQualityUpdatesThe WU Quality Update Deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting.'}, + "WUQualityGracePeriodDays": {"data_type": "int", "description": 'The WU grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the Grace Period in days.'}, + "WUQualityPauseEndTime": {"data_type": "datetime", "description": 'CSP:PauseQualityUpdatesEndTimeThe time WU Quality Update Pause will end, if activated, else null.'}, + "WUQualityPauseStartTime": {"data_type": "datetime", "description": 'CSP:PauseQualityUpdatesStartTime The time WU Quality Update Pause was activated; if activated; else null.'}, + "WUQualityPauseState": {"data_type": "string", "description": 'Indicates pause status of device for QU, possible values are Paused, NotPaused, NotConfigured.'}, + "WURestartNotification": {"data_type": "int", "description": 'CSP: AutoRestartRequiredNotificationDismissal. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.The following list shows the supported values: 1 (default) = Auto Dismissal. 2 User Dismissal.'}, + "WUServiceURLConfigured": {"data_type": "string", "description": 'CSP:UpdateServiceUrl. The following list shows the supported values: Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL.'}, + "WUUXDisabled": {"data_type": "int", "description": 'CSP:SetDisableUXWUAccess.This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features. Default is 0. Supported values 0, 1.'}, + }, + "UCClientReadinessStatus": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DeviceName": {"data_type": "string", "description": 'The Device given name.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal global device identifier.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSBuild": {"data_type": "string", "description": "The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo."}, + "OSName": {"data_type": "string", "description": 'The version of Windows 10 as is organized on aka.ms/win10releaseinfo.'}, + "OSVersion": {"data_type": "string", "description": 'The version of Windows 10 as is organized on aka.ms/win10releaseinfo.'}, + "ReadinessExpiryTime": {"data_type": "datetime", "description": 'The time the readiness report expires.'}, + "ReadinessReason": {"data_type": "string", "description": 'Reason why the device is not capable of taking target OS and version.'}, + "ReadinessScanTime": {"data_type": "datetime", "description": 'The time the readiness generated this specific record.'}, + "ReadinessStatus": {"data_type": "string", "description": 'Whether or not the device is capable of taking target OS and version.'}, + "SCCMClientId": {"data_type": "string", "description": 'A GUID corresponding to the SCCM client ID on the device.'}, + "SetupReadinessExpiryTime": {"data_type": "datetime", "description": 'The time the readiness report expires.'}, + "SetupReadinessReason": {"data_type": "string", "description": 'Reason why the device is not capable of taking target OS and version when setup ran.'}, + "SetupReadinessStatus": {"data_type": "string", "description": 'Whether or not the device is capable of taking target OS and version when setup ran.'}, + "SetupReadinessTime": {"data_type": "datetime", "description": 'The time the readiness generated this specific record when setup ran.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetOSBuild": {"data_type": "string", "description": "The currently-installed Windows 10 Build in the format 'Major'.'Revision'. 'Major' corresponds to which Feature Update the device is on, whereas 'Revision' corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available aka.ms/win10releaseinfo."}, + "TargetOSName": {"data_type": "string", "description": 'The version of Windows 10 as is organized on aka.ms/win10releaseinfo.'}, + "TargetOSVersion": {"data_type": "string", "description": 'The version of Windows 10 as is organized on aka.ms/win10releaseinfo.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event is generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UCClientUpdateStatus": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD Tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD Device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CatalogId": {"data_type": "string", "description": 'The update catalog ID.'}, + "ClientState": {"data_type": "string", "description": 'Higher-level bucketization of ClientSubstate.'}, + "ClientSubstate": {"data_type": "string", "description": "Last-known state of this update relative to the device, from the client (the device's WDD)."}, + "ClientSubstateRank": {"data_type": "int", "description": 'Ranking of Client Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together.'}, + "ClientSubstateTime": {"data_type": "datetime", "description": 'DateTime of last Client Substate transition.'}, + "DeploymentId": {"data_type": "string", "description": 'The identifier of the Deployment that is targeting this update to this device, else empty.'}, + "DeviceName": {"data_type": "string", "description": "Device's given name."}, + "EventData": {"data_type": "string", "description": 'Json to fill with arbitrary K/V pairs. Used to populate contextual data that would otherwise be sparsely populated if elevated to a field always present in the schema.'}, + "FurthestClientSubstate": {"data_type": "string", "description": 'Furthest clientSubstate.'}, + "FurthestClientSubstateRank": {"data_type": "int", "description": 'Ranking of furthest clientSubstate.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal Global Device Identifier'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsHotpatchUpdate": {"data_type": "bool", "description": 'Status of whether a device is taking a windows security update without requiring a restart or not'}, + "IsUpdateHealthy": {"data_type": "bool", "description": 'True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating.'}, + "OfferReceivedTime": {"data_type": "datetime", "description": 'DateTime when device last reported entering OfferReceived, else empty.'}, + "RestartRequiredTime": {"data_type": "datetime", "description": 'DateTime when device first reported entering RebootRequired (or RebootPending), else empty.'}, + "SCCMClientId": {"data_type": "string", "description": 'A GUID corresponding to the SCCM Client ID on the device.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetBuild": {"data_type": "string", "description": 'The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).'}, + "TargetBuildNumber": {"data_type": "int", "description": 'Integer of the Major portion of Build.'}, + "TargetKBNumber": {"data_type": "string", "description": 'KB Article.'}, + "TargetRevisionNumber": {"data_type": "int", "description": 'Integer or the Minor (or Revision) portion of Build.'}, + "TargetVersion": {"data_type": "string", "description": 'The target OS Version - eg, 1909.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time the snapshot generated this specific record.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateCategory": {"data_type": "string", "description": 'The type of content this DeviceUpdateEvent is tracking.'}, + "UpdateClassification": {"data_type": "string", "description": 'Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU).'}, + "UpdateConnectivityLevel": {"data_type": "string", "description": 'Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally.'}, + "UpdateDisplayName": {"data_type": "string", "description": 'The long-form display name for the given update. Varies on content type (FU/QU).'}, + "UpdateHealthGroupL1": {"data_type": "string", "description": 'Grouping design to describe the current update installation\'s "health", L1 (highest-level).'}, + "UpdateHealthGroupL2": {"data_type": "string", "description": 'Second grouping, subset of L1, more detailed.'}, + "UpdateHealthGroupL3": {"data_type": "string", "description": 'Third grouping, subset of L3, more detailed.'}, + "UpdateHealthGroupRankL1": {"data_type": "int", "description": 'Integer for ranking the L1 UpdateHealthGroup.'}, + "UpdateHealthGroupRankL2": {"data_type": "int", "description": 'Integer for ranking the L2 UpdateHealthGroup.'}, + "UpdateHealthGroupRankL3": {"data_type": "int", "description": 'Integer for ranking the L3 UpdateHealthGroup.'}, + "UpdateId": {"data_type": "string", "description": 'Update ID of the targeted update.'}, + "UpdateInstalledTime": {"data_type": "datetime", "description": 'DateTime when event transitioned to UpdateInstalled, else empty.'}, + "UpdateManufacturer": {"data_type": "string", "description": 'Manufacturer of update. Microsoft for WU FU/QU, for D&F name of driver manufacturer e.g. NVIDIA.'}, + "UpdateReleaseTime": {"data_type": "datetime", "description": 'The release date of the update.'}, + "UpdateSource": {"data_type": "string", "description": 'The source of the update - UUP, MUv6, Media.'}, + }, + "UCDeviceAlert": { + "AlertClassification": {"data_type": "string", "description": 'Whether this Alert is an Error, a Warning, or Informational.'}, + "AlertData": {"data_type": "string", "description": 'An optional string formatted as a json payload containing metadata for the alert.'}, + "AlertId": {"data_type": "string", "description": 'The unique identifier of this Alert.'}, + "AlertRank": {"data_type": "int", "description": 'Integer ranking of Alert for prioritization during troubleshooting.'}, + "AlertStatus": {"data_type": "string", "description": 'Whether this Alert is Active, Resolved, or Deleted.'}, + "AlertSubtype": {"data_type": "string", "description": 'The Subtype of Alert.'}, + "AlertType": {"data_type": "string", "description": 'The type of Alert this is, ClientUpdateAlert, ServiceUpdateAlert. Indicates which fields will be present.'}, + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD Tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD Device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Description": {"data_type": "string", "description": 'A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail.'}, + "DeviceName": {"data_type": "string", "description": "Device's given name."}, + "ErrorCode": {"data_type": "string", "description": 'The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with a underscore separator.'}, + "ErrorSymName": {"data_type": "string", "description": 'The symbolic name that maps to the Error Code, if any. Otherwise empty.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal Global Device Identifier.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": 'A localized string translated from RecommendedAction, Message, and other fields (depending on source of Alert) that provides a recommended action.'}, + "ResolvedTime": {"data_type": "datetime", "description": 'The time this alert was resolved, else empty.'}, + "SCCMClientId": {"data_type": "string", "description": 'A GUID corresponding to the SCCM Client ID on the device.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The time this alert was activated.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event is generated and logged.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "URL": {"data_type": "string", "description": 'An optional URL to get more in-depth information related to this alert.'}, + }, + "UCDOAggregatedStatus": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BWOptPercent28Days": {"data_type": "real", "description": 'Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 28-day basis.'}, + "BytesFromCache": {"data_type": "long", "description": 'Total number of bytes downloaded from cache.'}, + "BytesFromCDN": {"data_type": "long", "description": 'Total number of bytes downloaded from a CDN versus a peer. This counts against bandwidth optimization.'}, + "BytesFromGroupPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from group peers.'}, + "BytesFromIntPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from internet peers.'}, + "BytesFromPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from peers.'}, + "ContentType": {"data_type": "string", "description": 'The type of content being downloaded.'}, + "DeviceCount": {"data_type": "long", "description": 'Total count of devices.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UCDOStatus": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BWOptPercent28Days": {"data_type": "real", "description": 'Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 28-day basis.'}, + "BWOptPercent7Days": {"data_type": "real", "description": 'Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) as a result of using delivery optimization for this device, computed on a rolling 7-day basis.'}, + "BytesFromCache": {"data_type": "long", "description": 'Total number of bytes downloaded from cache.'}, + "BytesFromCDN": {"data_type": "long", "description": 'Total number of bytes downloaded from a CDN versus a peer. This counts against bandwidth optimization.'}, + "BytesFromGroupPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from group peers.'}, + "BytesFromIntPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from internet peers.'}, + "BytesFromPeers": {"data_type": "long", "description": 'Total number of bytes downloaded from peers.'}, + "City": {"data_type": "string", "description": 'Approximate city device was in while downloading content, based on IP address.'}, + "ContentDownloadMode": {"data_type": "int", "description": "Device's delivery optimization download mode that was used for this content."}, + "ContentType": {"data_type": "string", "description": 'The type of content being downloaded.'}, + "Country": {"data_type": "string", "description": 'Approximate country device was in while downloading content, based on IP address.'}, + "DeviceName": {"data_type": "string", "description": "User or organization-provided device name. If this appears as '#', then you may need to configure devices to send device name."}, + "DOStatusDescription": {"data_type": "string", "description": "A short description of DO's status, if any."}, + "DownloadMode": {"data_type": "string", "description": "Device's delivery optimization download mode as configured on the device."}, + "DownloadModeSrc": {"data_type": "string", "description": 'The source of the download mode configuration.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft global device identifier. This is a identifier used by Microsoft internally.'}, + "GroupID": {"data_type": "string", "description": 'The delivery optimization group ID.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ISP": {"data_type": "string", "description": 'The internet service provider estimation.'}, + "LastCensusSeenTime": {"data_type": "datetime", "description": 'A DateTime corresponding to the last time the device sent data to Microsoft. Indicates freshness of any fields of this record.'}, + "NoPeersCount": {"data_type": "long", "description": 'The count of peers this device interacted with.'}, + "OSVersion": {"data_type": "string", "description": "The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild."}, + "PeerEligibleTransfers": {"data_type": "long", "description": 'Total count of eligible transfers by peers.'}, + "PeeringStatus": {"data_type": "string", "description": 'The DO peering status.'}, + "PeersCannotConnectCount": {"data_type": "long", "description": 'The count of peers this device was unable to connect to.'}, + "PeersSuccessCount": {"data_type": "long", "description": 'The count of peers this device successfully connected to.'}, + "PeersUnknownCount": {"data_type": "long", "description": 'The count of peers for which there is an unknown relation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event was generated.'}, + "TotalTimeForDownload": {"data_type": "string", "description": 'The total time it took to download the content.'}, + "TotalTransfers": {"data_type": "long", "description": 'The total count of data transfers to download this content.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UCServiceUpdateStatus": { + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD Tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD Device ID"}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CatalogId": {"data_type": "string", "description": 'Catalog ID for update.'}, + "DeploymentApprovedTime": {"data_type": "datetime", "description": 'The datetime of when the update deployment was approved.'}, + "DeploymentId": {"data_type": "string", "description": 'The identifier of the Deployment that is targeting this update to this device, else empty.'}, + "DeploymentIsExpedited": {"data_type": "bool", "description": 'Whether this content is being expedited by WUfB DS.'}, + "DeploymentName": {"data_type": "string", "description": 'Friendly name of the created deployment.'}, + "DeploymentRevokeTime": {"data_type": "datetime", "description": 'The datetime of when the update deployment was Revoked.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal Global Device Identifier'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OfferReadyTime": {"data_type": "datetime", "description": 'DateTime of OfferReady transition. If empty, not yet been Offered.'}, + "PolicyCreatedTime": {"data_type": "datetime", "description": 'The datetime of when the policy was created.'}, + "PolicyId": {"data_type": "string", "description": 'The policy identifier targeting the update to this device.'}, + "PolicyName": {"data_type": "string", "description": 'Friendly name of the created update policy.'}, + "ProjectedOfferReadyTime": {"data_type": "datetime", "description": 'Projected time update will be Offered to device. If empty, unknown.'}, + "ServiceState": {"data_type": "string", "description": "High-level state of update's status relative to device, service-side."}, + "ServiceSubstate": {"data_type": "string", "description": "Last-known state of this update relative to the device, from the client (the device's WDD)."}, + "ServiceSubstateRank": {"data_type": "int", "description": 'Ranking of Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together.'}, + "ServiceSubstateTime": {"data_type": "datetime", "description": 'DateTime of last ServiceSubstate transition.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetBuild": {"data_type": "string", "description": 'The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).'}, + "TargetVersion": {"data_type": "string", "description": 'The target OS Version - eg, 1909.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event is generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UdpateIsSystemManifest": {"data_type": "bool", "description": 'Signifies if update is a system manifest.'}, + "UpdateCategory": {"data_type": "string", "description": 'The type of content this DeviceUpdateEvent is tracking.'}, + "UpdateClassification": {"data_type": "string", "description": 'Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU).'}, + "UpdateDisplayName": {"data_type": "string", "description": 'The long-form display name for the given update. Varies on content type (FU/QU).'}, + "UpdateId": {"data_type": "string", "description": 'Update ID of the targeted update.'}, + "UpdateManufacturer": {"data_type": "string", "description": 'Manufacturer of update. Microsoft for WU FU/QU, for D&F name of driver manufacturer e.g. NVIDIA.'}, + "UpdateProvider": {"data_type": "string", "description": 'Update provider of drivers and firmware, eg. Microsoft.'}, + "UpdateRecommendedTime": {"data_type": "datetime", "description": 'The datetime of when the update was recomemnded to the device.'}, + "UpdateReleaseTime": {"data_type": "datetime", "description": "DateTime of update's release date."}, + "UpdateVersion": {"data_type": "string", "description": 'Update version of drivers and firmware.'}, + "UpdateVersionTime": {"data_type": "datetime", "description": 'Update version time of drivers and firmware.'}, + }, + "UCUpdateAlert": { + "AlertClassification": {"data_type": "string", "description": 'Whether this Alert is an Error, a Warning, or Informational.'}, + "AlertData": {"data_type": "string", "description": 'An optional string formatted as a json payload containing metadata for the alert.'}, + "AlertId": {"data_type": "string", "description": 'The unique identifier of this Alert.'}, + "AlertRank": {"data_type": "int", "description": 'Integer ranking of Alert for prioritization during troubleshooting.'}, + "AlertStatus": {"data_type": "string", "description": 'Whether this Alert is Active, Resolved, or Deleted.'}, + "AlertSubtype": {"data_type": "string", "description": 'The Subtype of Alert.'}, + "AlertType": {"data_type": "string", "description": 'The type of Alert this is, ClientUpdateAlert, ServiceUpdateAlert. Indicates which fields will be present.'}, + "AzureADDeviceId": {"data_type": "string", "description": 'A GUID corresponding to the AAD Tenant to which the device belongs.'}, + "AzureADTenantId": {"data_type": "string", "description": "A GUID corresponding to this device's AAD Device ID."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CatalogId": {"data_type": "string", "description": 'The update catalog ID.'}, + "ClientSubstate": {"data_type": "string", "description": 'If the Alert is from the Client, the ClientSubstate at the time thie Alert was activated or updated, else Empty.'}, + "ClientSubstateRank": {"data_type": "int", "description": 'Rank of ClientSubstate.'}, + "DeploymentId": {"data_type": "string", "description": 'The identifier of the Deployment that is targeting this update to this device, else empty.'}, + "Description": {"data_type": "string", "description": 'A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail.'}, + "DeviceName": {"data_type": "string", "description": "Device's given name."}, + "ErrorCode": {"data_type": "string", "description": 'The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with a underscore separator.'}, + "ErrorSymName": {"data_type": "string", "description": 'The symbolic name that maps to the Error Code, if any. Otherwise empty.'}, + "GlobalDeviceId": {"data_type": "string", "description": 'Microsoft internal Global Device Identifier.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": 'A localized string translated from RecommendedAction, Message, and other fields (depending on source of Alert) that provides a recommended action.'}, + "ResolvedTime": {"data_type": "datetime", "description": 'The time this alert was resolved, else empty.'}, + "SCCMClientId": {"data_type": "string", "description": 'A GUID corresponding to the SCCM Client ID on the device.'}, + "ServiceSubstate": {"data_type": "string", "description": 'Ranking of Client Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together.'}, + "ServiceSubstateRank": {"data_type": "int", "description": 'Rank of ServiceSubstate'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The time this alert was activated.'}, + "TargetBuild": {"data_type": "string", "description": 'The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this would correspond to the full build (10.0.14393.385).'}, + "TargetVersion": {"data_type": "string", "description": 'The target OS Version - eg, 1909.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time at which this event is generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateCategory": {"data_type": "string", "description": 'The type of content this DeviceUpdateEvent is tracking.'}, + "UpdateClassification": {"data_type": "string", "description": 'Whether this content is an Upgrade (FU), Security (QU), NonSecurity (QU)'}, + "UpdateId": {"data_type": "string", "description": 'Update ID of the targeted update.'}, + "URL": {"data_type": "string", "description": 'An optional URL to get more in-depth information related to this alert.'}, + }, + "Update": { + "ApprovalSource": {"data_type": "string", "description": ''}, + "Approved": {"data_type": "bool", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BulletinID": {"data_type": "string", "description": ''}, + "BulletinUrl": {"data_type": "string", "description": ''}, + "Classification": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "CVENumbers": {"data_type": "string", "description": ''}, + "InstallTimeAvailable": {"data_type": "bool", "description": ''}, + "InstallTimeDeviationRangeSeconds": {"data_type": "real", "description": ''}, + "InstallTimePredictionSeconds": {"data_type": "real", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KBID": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "MSRCBulletinID": {"data_type": "string", "description": ''}, + "MSRCSeverity": {"data_type": "string", "description": ''}, + "Optional": {"data_type": "bool", "description": ''}, + "OSFullName": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "OSType": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "PackageRepository": {"data_type": "string", "description": ''}, + "PackageSeverity": {"data_type": "string", "description": ''}, + "Product": {"data_type": "string", "description": ''}, + "ProductArch": {"data_type": "string", "description": ''}, + "ProductVersion": {"data_type": "string", "description": ''}, + "PublishedDate": {"data_type": "datetime", "description": ''}, + "RebootBehavior": {"data_type": "string", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "RevisionNumber": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Title": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateID": {"data_type": "string", "description": ''}, + "UpdateState": {"data_type": "string", "description": ''}, + "VMUUID": {"data_type": "string", "description": ''}, + }, + "UpdateRunProgress": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "CorrelationId": {"data_type": "string", "description": ''}, + "EndTime": {"data_type": "datetime", "description": ''}, + "ErrorResult": {"data_type": "string", "description": ''}, + "InstallationStatus": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "KBID": {"data_type": "string", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "OSType": {"data_type": "string", "description": ''}, + "Product": {"data_type": "string", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": ''}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SucceededOnRetry": {"data_type": "bool", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Title": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateId": {"data_type": "string", "description": ''}, + "UpdateRunName": {"data_type": "string", "description": ''}, + "VMUUID": {"data_type": "string", "description": ''}, + }, + "UpdateSummary": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerEnvironment": {"data_type": "string", "description": ''}, + "CriticalUpdatesMissing": {"data_type": "int", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "NETRuntimeVersion": {"data_type": "string", "description": ''}, + "OldestMissingSecurityUpdateBucket": {"data_type": "string", "description": ''}, + "OldestMissingSecurityUpdateInDays": {"data_type": "int", "description": ''}, + "OsVersion": {"data_type": "string", "description": ''}, + "OtherUpdatesMissing": {"data_type": "int", "description": ''}, + "Resource": {"data_type": "string", "description": ''}, + "ResourceGroup": {"data_type": "string", "description": ''}, + "ResourceId": {"data_type": "string", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResourceProvider": {"data_type": "string", "description": ''}, + "ResourceType": {"data_type": "string", "description": ''}, + "RestartPending": {"data_type": "bool", "description": ''}, + "SecurityUpdatesMissing": {"data_type": "int", "description": ''}, + "SourceComputerId": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "SubscriptionId": {"data_type": "string", "description": ''}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalUpdatesMissing": {"data_type": "int", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VMUUID": {"data_type": "string", "description": ''}, + "WindowsUpdateAgentVersion": {"data_type": "string", "description": ''}, + "WindowsUpdateSetting": {"data_type": "string", "description": ''}, + "WSUSServer": {"data_type": "string", "description": ''}, + }, + "UrlClickEvents": { + "AccountUpn": {"data_type": "string", "description": 'User Principal Name of the account that clicked on the link.'}, + "ActionType": {"data_type": "string", "description": "Indicates whether the click was allowed or blocked by 'safe links' or blocked due to a tenant policy e.g., from tenant allow block list."}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "DetectionMethods": {"data_type": "string", "description": 'Detection technology which was used to identify the threat at the time of click.'}, + "IPAddress": {"data_type": "string", "description": 'Public IP address of the device from which the user clicked on the link.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsClickedThrough": {"data_type": "bool", "description": 'Indicates whether the user was able to click through to the original URL or was not allowed.'}, + "NetworkMessageId": {"data_type": "string", "description": 'The unique identifier for the email that contains the clicked link, generated by Microsoft 365.'}, + "ReportId": {"data_type": "string", "description": 'This is the unique identifier for a click event. Note that for clickthrough scenarios, report ID would have same value, and therefore it should be used to correlate a click event.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "ThreatTypes": {"data_type": "string", "description": 'Verdict at the time of click, which tells whether the URL led to malware, phish or other threats.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The date and time when the user clicked on the link. The value is identical to TimeGenerated and intended for Microsoft Defender for Endpoints queries compatibility.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'The full URL that was clicked on by the user.'}, + "UrlChain": {"data_type": "string", "description": 'For scenarios involving redirections, it includes URLs present in the redirection chain.'}, + "Workload": {"data_type": "string", "description": 'The application from which the user clicked on the link, with the values being Email, Office and Teams.'}, + }, + "Usage": { + "AvgLatencyInSeconds": {"data_type": "real", "description": 'Deprecated'}, + "BatchesCapped": {"data_type": "long", "description": 'Deprecated'}, + "BatchesOutsideSla": {"data_type": "long", "description": 'Deprecated'}, + "BatchesWithinSla": {"data_type": "long", "description": 'Deprecated'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Deprecated'}, + "DataType": {"data_type": "string", "description": 'Table that usage is being reported about.'}, + "EndTime": {"data_type": "datetime", "description": 'End time of the one hour aggregation window.'}, + "IsBillable": {"data_type": "bool", "description": 'Logical flag to indicate whether we bill for this data record.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LinkedMeterId": {"data_type": "string", "description": 'Deprecated'}, + "LinkedResourceUri": {"data_type": "string", "description": 'Deprecated'}, + "MeterId": {"data_type": "string", "description": 'GUID of the meter used for billing.'}, + "Quantity": {"data_type": "real", "description": 'Size of data in Mbytes.'}, + "QuantityUnit": {"data_type": "string", "description": 'Value is alwais Mbytes.'}, + "ResourceUri": {"data_type": "string", "description": 'The URI of the workspace. This will be same for all records in this table in workspace.'}, + "Solution": {"data_type": "string", "description": 'Solution about which usage is being reported.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'Start time of the 1 hour aggregation window (same as TimeGenerated).'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TotalBatches": {"data_type": "long", "description": 'Deprecated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UserAccessAnalytics": { + "AADTenantId": {"data_type": "string", "description": 'Unique identifier of the Azure Tenant'}, + "AccessEndReason": {"data_type": "string", "description": "Reason why the source entity's access to the target entity was revoked"}, + "AccessEndTime": {"data_type": "datetime", "description": "Timestamp when the source entity's access to the target entity was revoked"}, + "AccessId": {"data_type": "string", "description": 'Unique identifier for the access between source and target entity'}, + "AccessLevel": {"data_type": "string", "description": 'The level of access that the source entity has to the target entity'}, + "AccessStartTime": {"data_type": "datetime", "description": 'Timestamp when the source entity was provided access to the target entity'}, + "AccessType": {"data_type": "string", "description": 'The type of access that the source entity has to the target entity'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceEntityId": {"data_type": "string", "description": 'Unique identifier of entity which has access to the target entity'}, + "SourceEntityName": {"data_type": "string", "description": 'Display name of entity which has access to the target entity'}, + "SourceEntityType": {"data_type": "string", "description": 'Type of entity which has access to the target entity'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TargetEntityId": {"data_type": "string", "description": 'Unique identifier of the entity which the source entity can access'}, + "TargetEntityName": {"data_type": "string", "description": 'Display name of the entity which the source entity can access'}, + "TargetEntityType": {"data_type": "string", "description": 'Type of the entity which the source entity can access'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp when the access analytics is calculated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "UserPeerAnalytics": { + "AADTenantId": {"data_type": "string", "description": 'Unique identifier of the Azure Tenant'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "PeerUserId": {"data_type": "string", "description": 'Unique identifier of the peer of the primary user'}, + "PeerUserName": {"data_type": "string", "description": 'User name of the peer of the primary user'}, + "PeerUserPrincipalName": {"data_type": "string", "description": 'User principal name of the peer of the primary user'}, + "Rank": {"data_type": "int", "description": 'Rank of the peer with respect to the primary user'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp when the peer analytics is calculated'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'Unique identifier of the primary user'}, + "UserName": {"data_type": "string", "description": 'User name of the primary user'}, + "UserPrincipalName": {"data_type": "string", "description": 'User principal name of the primary user'}, + }, + "VCoreMongoRequests": { + "ActivityId": {"data_type": "string", "description": 'The unique identifier (GUID) for this Mongo (vCore) request.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientIp": {"data_type": "string", "description": 'The IP address of the client VM which issued the request.'}, + "ClusterName": {"data_type": "string", "description": 'Cluster name.'}, + "CollectionName": {"data_type": "string", "description": 'The name of the Cosmos DB container against which this request was issued.'}, + "DatabaseName": {"data_type": "string", "description": 'The name of the Cosmos DB database against which this request was issued.'}, + "DurationMs": {"data_type": "real", "description": 'The server-side execution time (in ms) for this request.'}, + "ErrorCode": {"data_type": "int", "description": 'The error code (if applicable) for this request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The Mongo (vCore) operation that was executed.'}, + "PiiCommandText": {"data_type": "string", "description": 'Full text query for this Mongo (vCore) request.'}, + "RegionName": {"data_type": "string", "description": 'The region against which this request was issued.'}, + "RequestLength": {"data_type": "real", "description": 'The payload size (in bytes) of the request.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResponseLength": {"data_type": "real", "description": 'The payload size (in bytes) of the server response.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Timestamp (in UTC) of the Mongo (vCore) data plane request.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserAgent": {"data_type": "string", "description": 'The user agent suffix associated with the client issuing the request.'}, + "UserId": {"data_type": "string", "description": 'The user id associated with the client issuing the request.'}, + }, + "VIAudit": { + "AccountId": {"data_type": "string", "description": 'The Video Indexer account ID.'}, + "AccountName": {"data_type": "string", "description": 'The Video Indexer account name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The caller IP address.'}, + "Claims": {"data_type": "dynamic", "description": 'Caller claims details.'}, + "CorrelationId": {"data_type": "string", "description": 'A unique record identifier.'}, + "Description": {"data_type": "string", "description": 'The operation description.'}, + "DurationMs": {"data_type": "int", "description": 'The operation duration in milliseconds.'}, + "ExternalUserId": {"data_type": "string", "description": 'Caller external user Id.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'The Video Indexer resource location.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "OperationVersion": {"data_type": "string", "description": 'The Video Indexer operations API version.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Signature": {"data_type": "int", "description": 'Http response signature of the operation, for example: 200, 401.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation, for example: Success, Failure, Warning, Informational, Partial Success.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Upn": {"data_type": "string", "description": 'Caller email.'}, + "VideoId": {"data_type": "string", "description": 'The Video Indexer video ID.'}, + "VideoIndexerResourceId": {"data_type": "string", "description": 'The Video Indexer resource ID.'}, + }, + "VIIndexing": { + "AccountId": {"data_type": "string", "description": 'Video Indexer account ID.'}, + "AccountName": {"data_type": "string", "description": 'Video Indexer account name.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'A unique record identifier.'}, + "DurationMs": {"data_type": "int", "description": 'The operation duration in milliseconds.'}, + "ErrorCode": {"data_type": "string", "description": 'The error code if the operation failed'}, + "ErrorDescription": {"data_type": "string", "description": 'The description of the error code .'}, + "ExternalUserId": {"data_type": "string", "description": 'Caller external user Id.'}, + "IndexingProperties": {"data_type": "dynamic", "description": 'Properties of the indexing operation request.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Location": {"data_type": "string", "description": 'Video Indexer resource location.'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation that triggered the event.'}, + "OperationVersion": {"data_type": "string", "description": 'Video Indexer operations API version.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'Status of the operation, for example: Success, Failure, Warning, Informational or PartialSuccess.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Upn": {"data_type": "string", "description": 'Caller email.'}, + "VideoId": {"data_type": "string", "description": 'Video Indexer video ID.'}, + "VideoIndexerResourceId": {"data_type": "string", "description": 'Video Indexer resource ID.'}, + }, + "VMBoundPort": { + "AgentId": {"data_type": "string", "description": 'Unique agent GUID for the agent reporting data on the server.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesReceived": {"data_type": "long", "description": 'Bytes received on the port'}, + "BytesSent": {"data_type": "long", "description": 'Bytes sent on the port'}, + "Computer": {"data_type": "string", "description": 'Name of the server'}, + "Ip": {"data_type": "string", "description": 'Port IP address. Can be wildcard IP 0.0.0.0.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsWildcardBind": {"data_type": "bool", "description": 'Specifies whether connection made as a wildcard bind request.'}, + "LinksEstablished": {"data_type": "long", "description": 'Count of links established on the port.'}, + "LinksLive": {"data_type": "long", "description": 'Count of live links at the end of the time period recorded.'}, + "LinksTerminated": {"data_type": "long", "description": 'Count of terminated links over the time periof recorded.'}, + "Machine": {"data_type": "string", "description": 'Unique identifier to the machine in the ServiceMapComputer_CL table.'}, + "Port": {"data_type": "int", "description": 'Port number.'}, + "PortId": {"data_type": "string", "description": 'Port ID.'}, + "Process": {"data_type": "string", "description": 'Identity of the process or group of processes that the port is associated with.'}, + "ProcessName": {"data_type": "string", "description": 'Unique identifier for the process in the ServiceMapProcess_CL table.'}, + "Protocol": {"data_type": "string", "description": 'The protocol. Example tcp or udp (only tcp is currently supported).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Responses": {"data_type": "long", "description": 'Count of responses in the time period recorded.'}, + "ResponseTimeMax": {"data_type": "long", "description": 'Measurement of the maximum time between first and last byte received.'}, + "ResponseTimeMin": {"data_type": "long", "description": 'Measurement of the minimum time between first and last byte received.'}, + "ResponseTimeSum": {"data_type": "long", "description": 'Measurement of the total time between first and last byte received'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "VMComputer": { + "AgentId": {"data_type": "string", "description": 'Unique ID for the microsoft monitoring agent installed on the server.'}, + "AzureCloudServiceDeployment": {"data_type": "string", "description": 'For cloud services the deployment id of the server.'}, + "AzureCloudServiceInstanceId": {"data_type": "string", "description": 'For cloud services the instance name of the server.'}, + "AzureCloudServiceName": {"data_type": "string", "description": 'For cloud services the service name of the server.'}, + "AzureCloudServiceRoleName": {"data_type": "string", "description": 'For cloud services the role name of the server.'}, + "AzureCloudServiceRoleType": {"data_type": "string", "description": 'For cloud services the role type of the server.'}, + "AzureFaultDomain": {"data_type": "string", "description": 'The fault domain for the server. Only available for Azure VMs and VMSS instances.'}, + "AzureImageOffering": {"data_type": "string", "description": 'The description of the image used on the server. Only available for Azure VMs and VMSS instances.'}, + "AzureImagePublisher": {"data_type": "string", "description": 'The publisher of the VM image used on the server. Only available for Azure VMs and VMSS instances.'}, + "AzureImageSku": {"data_type": "string", "description": 'The sku for the VM image used on the server. Only available for Azure VMs and VMSS instances.'}, + "AzureImageVersion": {"data_type": "string", "description": 'The image version used on the server. Only available for Azure VMs and VMSS instances.'}, + "AzureLocation": {"data_type": "string", "description": 'The location of the server. Only available for Azure VMs and VMSS instances.'}, + "AzureResourceGroup": {"data_type": "string", "description": 'The resource group for the server. Only available for Azure VMs and VMSS instances.'}, + "AzureResourceName": {"data_type": "string", "description": 'The Azure name for the resource.'}, + "AzureServiceFabricClusterId": {"data_type": "string", "description": 'For service fabric clusters the cluster id of the server.'}, + "AzureServiceFabricClusterName": {"data_type": "string", "description": 'For service fabric clusters the cluster name.'}, + "AzureSize": {"data_type": "string", "description": 'The size of the Azure VM. Only available for Azure VMs and VMSS instances.'}, + "AzureSubscriptionId": {"data_type": "string", "description": 'The subscription ID of the server. Only available for Azure VMs and VMSS instances.'}, + "AzureUpdateDomain": {"data_type": "string", "description": 'The update domain of the server. Only available for Azure VMs and VMSS instances.'}, + "AzureVmId": {"data_type": "string", "description": 'The Azure ID of the server. Only available for Azure VMs and VMSS instances.'}, + "AzureVmScaleSetDeployment": {"data_type": "string", "description": 'For scale sets the deployment id of the server.'}, + "AzureVmScaleSetInstanceId": {"data_type": "string", "description": 'For scale sets the instance id of the server.'}, + "AzureVmScaleSetName": {"data_type": "string", "description": 'For scale sets the name of the scale set.'}, + "AzureVmScaleSetResourceId": {"data_type": "string", "description": 'For scale sets the resource id of the scale set.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BootTime": {"data_type": "datetime", "description": 'The boot time in UTC'}, + "Computer": {"data_type": "string", "description": 'The name of the computer.'}, + "Cpus": {"data_type": "int", "description": 'The number of CPUs'}, + "CpuSpeed": {"data_type": "int", "description": 'The CPU speed in MHz'}, + "DependencyAgentVersion": {"data_type": "string", "description": 'The version number of the dependency agent on the server.'}, + "DisplayName": {"data_type": "string", "description": 'The display name of the server.'}, + "DnsNames": {"data_type": "dynamic", "description": 'An array of DNS names'}, + "FullDisplayName": {"data_type": "string", "description": 'The full display name of the server.'}, + "HostingProvider": {"data_type": "string", "description": 'The hosting provider for the server'}, + "HostName": {"data_type": "string", "description": 'The host name of the server without domain.'}, + "HypervisorId": {"data_type": "string", "description": 'The hypervisor id of the server.'}, + "HypervisorType": {"data_type": "string", "description": 'The hypervisor type of the server.'}, + "Ipv4Addresses": {"data_type": "dynamic", "description": "A list of the server's IPv4 addresses"}, + "Ipv4DefaultGateways": {"data_type": "dynamic", "description": "A list of the server's IPv4 default gateways."}, + "Ipv4SubnetMasks": {"data_type": "dynamic", "description": "A list of the server's IPv4 subnet masks."}, + "Ipv6Addresses": {"data_type": "dynamic", "description": "A list of the server's IPv6 addresses"}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MacAddresses": {"data_type": "dynamic", "description": "A list of the server's MAC addresses"}, + "Machine": {"data_type": "string", "description": 'AgentId with m- prepended.'}, + "OperatingSystemFamily": {"data_type": "string", "description": 'Value will be windows or linux'}, + "OperatingSystemFullName": {"data_type": "string", "description": 'The full name of the operating system'}, + "PhysicalMemoryMB": {"data_type": "long", "description": 'The physical memory in MB'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TimeZone": {"data_type": "string", "description": 'The UTC timezone offset of the server.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "VirtualizationState": {"data_type": "string", "description": 'Values will be Unknown Physical Virtual or Hypervisor'}, + "VirtualMachineHypervisorId": {"data_type": "string", "description": 'The hypervisor id of the server.'}, + "VirtualMachineNativeId": {"data_type": "string", "description": 'The native id of the server.'}, + "VirtualMachineNativeName": {"data_type": "string", "description": 'The name of the VM'}, + "VirtualMachineType": {"data_type": "string", "description": 'hyperv vmware xen and so on'}, + }, + "VMConnection": { + "AgentId": {"data_type": "string", "description": 'Unique agent GUID for the agent reporting data on the server.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BytesReceived": {"data_type": "long", "description": 'Total number of bytes that have been received during the reporting time window.'}, + "BytesSent": {"data_type": "long", "description": 'Total number of bytes that have been sent during the reporting time window.'}, + "Computer": {"data_type": "string", "description": 'Name of the server from the ServiceMapComputer_CL table.'}, + "Confidence": {"data_type": "string", "description": 'Values are 0 - 100.'}, + "ConnectionId": {"data_type": "string", "description": 'Unique Id for the connection record.'}, + "Description": {"data_type": "string", "description": 'Description of the observed threat.'}, + "DestinationIp": {"data_type": "string", "description": 'IP address of the destination.'}, + "DestinationPort": {"data_type": "int", "description": 'Port number of the destination.'}, + "Direction": {"data_type": "string", "description": 'Direction of the connection value is inbound or outbound'}, + "FirstReportedDateTime": {"data_type": "string", "description": 'The first time the provider reported the indicator.'}, + "IndicatorThreatType": {"data_type": "string", "description": 'Threat indicator detected. Possible values are Botnet C2 CryptoMining Darknet DDos MaliciousUrl Malware Phishing Proxy PUA Watchlist.'}, + "IsActive": {"data_type": "string", "description": 'The last time the indicator was seen by Interflow.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastReportedDateTime": {"data_type": "string", "description": 'Indicates indicators are deactivated with True or False value.'}, + "LinksEstablished": {"data_type": "long", "description": 'Number of physical network connections that have been established during the reporting time window.'}, + "LinksFailed": {"data_type": "long", "description": 'Number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections.'}, + "LinksLive": {"data_type": "long", "description": 'Number of physical network connections that were open at the end of the reporting time window.'}, + "LinksTerminated": {"data_type": "long", "description": 'Number of physical network connections that have been terminated during the reporting time window.'}, + "Machine": {"data_type": "string", "description": 'FQDN of the computer.'}, + "MaliciousIp": {"data_type": "string", "description": 'Remote IP address.'}, + "Process": {"data_type": "string", "description": 'Identity of process or groups of processes initiating or accepting the connection.'}, + "ProcessName": {"data_type": "string", "description": 'Unique identifier for the process in the ServiceMapProcess_CL table.'}, + "Protocol": {"data_type": "string", "description": 'Protocol used for the connection. Only possible value is tcp.'}, + "RemoteClassification": {"data_type": "string", "description": 'A classification of the remote endpoint based on its ip and dns names and the corresponding Azure service.'}, + "RemoteCountry": {"data_type": "string", "description": 'Name of the country or region hosting RemoteIp.'}, + "RemoteDnsCanonicalNames": {"data_type": "string", "description": 'A JSON array of canonical names that came back from the DNS server. For example when using traffic manager you issue a question to foo.trafficmanage.net and get a canonical name as something.myservice.com together with an ip address.'}, + "RemoteDnsQuestions": {"data_type": "string", "description": 'A JSON array of DNS questions (lookups) that were performed on the machine and resolved to the RemoteIp listed in the record.'}, + "RemoteIp": {"data_type": "string", "description": 'The IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections RemoteIp is the same as SourceIp while for outbound connections it is the same as DestinationIp.'}, + "RemoteLatitude": {"data_type": "real", "description": 'Geolocation latitude. An example would be 47.68.'}, + "RemoteLongitude": {"data_type": "real", "description": 'Geolocation longitude. An example would be -122.12.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Responses": {"data_type": "long", "description": 'Number of responses observed during the reporting time window.'}, + "ResponseTimeMax": {"data_type": "long", "description": 'Largest response time observed during the reporting time window in milliseconds. If no value the property is blank.'}, + "ResponseTimeMin": {"data_type": "long", "description": 'Smallest response time observed during the reporting time windowin milliseconds. If no value the property is blank.'}, + "ResponseTimeSum": {"data_type": "long", "description": 'Sum of all response times observed during the reporting time window in milliseconds. If no value the property is blank.'}, + "Severity": {"data_type": "int", "description": 'Possible values are 0 - 5 where 5 is the most severe and 0 is not severe at all. Default value is 3.'}, + "SourceIp": {"data_type": "string", "description": 'IP address of the source.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TLPLevel": {"data_type": "string", "description": 'Traffic Light Protocol (TLP) Level. Possible values are White Green Amber Red.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "VMProcess": { + "AgentId": {"data_type": "string", "description": 'Unique ID for the dependency agent installed on the server.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CommandLine": {"data_type": "string", "description": 'The command line'}, + "CompanyName": {"data_type": "string", "description": 'The name of the company'}, + "Computer": {"data_type": "string", "description": 'The name of the computer.'}, + "Description": {"data_type": "string", "description": 'The process description'}, + "DisplayName": {"data_type": "string", "description": 'The friendly display name of the process'}, + "ExecutableName": {"data_type": "string", "description": 'The name of the process executable'}, + "ExecutablePath": {"data_type": "string", "description": 'The path to the executable file'}, + "FileVersion": {"data_type": "string", "description": 'The file version'}, + "FirstPid": {"data_type": "int", "description": 'The first PID in the process pool'}, + "Group": {"data_type": "string", "description": 'The process group name for the process'}, + "InternalName": {"data_type": "string", "description": 'The internal name'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Machine": {"data_type": "string", "description": 'The machine name of the server.'}, + "Process": {"data_type": "string", "description": 'The name of the process.'}, + "ProductName": {"data_type": "string", "description": 'The name of the product'}, + "ProductVersion": {"data_type": "string", "description": 'The product version'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'The role of the process.'}, + "Services": {"data_type": "dynamic", "description": 'A list of services associated with the process.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StartTime": {"data_type": "datetime", "description": 'The process pool start time'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserDomain": {"data_type": "string", "description": 'The domain under which the process is executing'}, + "UserName": {"data_type": "string", "description": 'The account under which the process is executing'}, + "WorkingDirectory": {"data_type": "string", "description": 'The working directory'}, + }, + "W3CIISLog": { + "AzureDeploymentID": {"data_type": "string", "description": 'Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent when data is pulled from Azure storage.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "cIP": {"data_type": "string", "description": 'IP address of the client that accessed the web server.'}, + "Computer": {"data_type": "string", "description": 'Name of the computer that the event was collected from.'}, + "Confidence": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.'}, + "csBytes": {"data_type": "long", "description": 'Number of bytes that the server received.'}, + "csCookie": {"data_type": "string", "description": 'Content of the cookie sent or received if any.'}, + "csHost": {"data_type": "string", "description": 'Host header name if any.'}, + "csMethod": {"data_type": "string", "description": 'Method of the request such as GET or POST.'}, + "csReferer": {"data_type": "string", "description": 'Site that the user last visited. This site provided a link to the current site.'}, + "csUriQuery": {"data_type": "string", "description": 'The query if any that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages.'}, + "csUriStem": {"data_type": "string", "description": 'Target of the action such as a web page for example Default.htm.'}, + "csUserAgent": {"data_type": "string", "description": 'Browser type of the client.'}, + "csUserName": {"data_type": "string", "description": 'Name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen.'}, + "csVersion": {"data_type": "string", "description": 'Protocol version that the client used.'}, + "Description": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "FirstReportedDateTime": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "IndicatorThreatType": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "IsActive": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastReportedDateTime": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "MaliciousIP": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension).'}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of the management group for Operations Manager agents. For other agents this is AOI-\\.'}, + "RemoteIPCountry": {"data_type": "string", "description": 'Country/region of the IP address of the client.'}, + "RemoteIPLatitude": {"data_type": "real", "description": 'Latitude of the client IP address.'}, + "RemoteIPLongitude": {"data_type": "real", "description": 'Longitude of the client IP address.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Role": {"data_type": "string", "description": 'Role instance of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage.'}, + "RoleInstance": {"data_type": "string", "description": 'Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage.'}, + "scBytes": {"data_type": "long", "description": 'Number of bytes that the server sent.'}, + "scStatus": {"data_type": "string", "description": 'HTTP status code.'}, + "scSubStatus": {"data_type": "string", "description": 'Substatus error code.'}, + "scWin32Status": {"data_type": "string", "description": 'Windows status code.'}, + "Severity": {"data_type": "int", "description": 'Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.'}, + "sIP": {"data_type": "string", "description": 'IP address of the server on which the log file entry was generated.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "sPort": {"data_type": "int", "description": 'Server port number that is configured for the service.'}, + "sSiteName": {"data_type": "string", "description": 'Name of the IIS site.'}, + "StorageAccount": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time the record was created.'}, + "TimeTaken": {"data_type": "long", "description": 'Length of time to process the request in milliseconds.'}, + "TLPLevel": {"data_type": "string", "description": 'Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WaaSDeploymentStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DeferralDays": {"data_type": "int", "description": ''}, + "DeploymentError": {"data_type": "string", "description": ''}, + "DeploymentErrorCode": {"data_type": "string", "description": ''}, + "DeploymentStatus": {"data_type": "string", "description": ''}, + "DetailedStatus": {"data_type": "string", "description": ''}, + "ExpectedInstallDate": {"data_type": "datetime", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastScan": {"data_type": "datetime", "description": ''}, + "OriginBuild": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSServicingBranch": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "PauseState": {"data_type": "string", "description": ''}, + "RecommendedAction": {"data_type": "string", "description": ''}, + "ReleaseName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TargetBuild": {"data_type": "string", "description": ''}, + "TargetOSRevision": {"data_type": "int", "description": ''}, + "TargetOSVersion": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateCategory": {"data_type": "string", "description": ''}, + "UpdateClassification": {"data_type": "string", "description": ''}, + "UpdateReleasedDate": {"data_type": "datetime", "description": ''}, + }, + "WaaSInsiderStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastScan": {"data_type": "datetime", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSFamily": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WaaSUpdateStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DownloadMode": {"data_type": "string", "description": ''}, + "FeatureDeferralDays": {"data_type": "int", "description": ''}, + "FeaturePauseDays": {"data_type": "int", "description": ''}, + "FeaturePauseState": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastScan": {"data_type": "datetime", "description": ''}, + "NeedAttentionStatus": {"data_type": "string", "description": ''}, + "OSArchitecture": {"data_type": "string", "description": ''}, + "OSBuild": {"data_type": "string", "description": ''}, + "OSCurrentStatus": {"data_type": "string", "description": ''}, + "OSEdition": {"data_type": "string", "description": ''}, + "OSFamily": {"data_type": "string", "description": ''}, + "OSFeatureUpdateStatus": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "OSQualityUpdateStatus": {"data_type": "string", "description": ''}, + "OSRevisionNumber": {"data_type": "int", "description": ''}, + "OSSecurityUpdateStatus": {"data_type": "string", "description": ''}, + "OSServicingBranch": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "QualityDeferralDays": {"data_type": "int", "description": ''}, + "QualityPauseDays": {"data_type": "int", "description": ''}, + "QualityPauseState": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "Watchlist": { + "AzureTenantId": {"data_type": "string", "description": 'The AAD tenant ID to which this Watchlist table belongs.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The ID for correlated events.'}, + "CreatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who created the Watchlist or Watchlist item, including: Object ID, email and name.'}, + "CreatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when the Watchlist or Watchlist item was first created.'}, + "DefaultDuration": {"data_type": "string", "description": 'The JSON object describing the default duration to live that each item of a Watchlist should inherit on creation. The default duration has this format : P(n)Y(n)M(n)DT(n)H(n)M(n)S, where P, Y, M, DT, H, M and S are invariant. For example, P3Y6M4DT12H30M9S represents a duration of three years, six months, four days, twelve hours, thirty minutes, and nine seconds.'}, + "_DTItemId": {"data_type": "string", "description": "The Watchlist or Watchlist item unique ID. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item has unique ID and belongs to a Watchlist. The containing Watchlist can identified using the 'WatchlistId'."}, + "_DTItemStatus": {"data_type": "string", "description": "Was the Watchlist or Watchlist item created, updated or deleted by user. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. If a Watchlist is added, the the status would be 'Created'. If the name of the Watchlist is updated from 'RiskyUsers' to 'RiskyEmployees' the status would be 'Updated'."}, + "_DTItemType": {"data_type": "string", "description": "Distinguish between a Watchlist and a Watchlist item. As an example, a Watchlist 'RiskyUsers' can contain Watchlist item 'Name:John Doe; email:johndoe@contoso.com'. A Watchlist item type will belong to a Watchlist type and the containing Watchlist can identified using the 'WatchlistId'."}, + "_DTTimestamp": {"data_type": "datetime", "description": 'The time (UTC) when the event was generated.'}, + "EntityMapping": {"data_type": "dynamic", "description": 'The JSON object with Azure Sentinel entity mapping to input columns.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastUpdatedTimeUTC": {"data_type": "datetime", "description": 'The time (UTC) when Watchlist or Watchlist item was last updated.'}, + "Notes": {"data_type": "string", "description": 'The notes provided by user.'}, + "Provider": {"data_type": "string", "description": 'The input provider of the Watchlist.'}, + "SearchKey": {"data_type": "string", "description": 'The SearchKey is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address.'}, + "Source": {"data_type": "string", "description": 'The input source of the Watchlist.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Tags": {"data_type": "string", "description": 'The JSON array of tags provided by user.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of when the event was generated.'}, + "TimeToLive": {"data_type": "datetime", "description": "The time to live for a Watchlist record, expressed as a date and time of day (e.g. 2020-08-20T17:00:00.9618037Z). Its original value is inherited from Watchlist's default duration. If TimeToLive passes, the record is considered deleted. A record's duration can be extended at any time by updating the TimeToLive value."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdatedBy": {"data_type": "dynamic", "description": 'The JSON object with the user who last updated the Watchlist or Watchlist item, including: Object ID, email and name.'}, + "WatchlistAlias": {"data_type": "string", "description": 'The unique string referring to the Watchlist.'}, + "WatchlistCategory": {"data_type": "string", "description": 'The Watchlist category provided by user.'}, + "WatchlistId": {"data_type": "string", "description": 'The Resource Manager Watchlist resource name.'}, + "WatchlistItem": {"data_type": "dynamic", "description": 'The JSON object with key-value pairs from the input Watchlist source.'}, + "WatchlistItemId": {"data_type": "string", "description": 'The Watchlist item unique ID.'}, + "WatchlistName": {"data_type": "string", "description": 'The display name of Watchlist.'}, + }, + "WDAVStatus": { + "ApplicationVersion": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CloudBlockLevel": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "DefinitionVersion": {"data_type": "string", "description": ''}, + "DetailedStatus": {"data_type": "string", "description": ''}, + "EngineVersion": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastDefinitionUpdateTime": {"data_type": "datetime", "description": ''}, + "LastScan": {"data_type": "datetime", "description": ''}, + "MoreInformation": {"data_type": "string", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "ProtectionState": {"data_type": "string", "description": ''}, + "PuaMode": {"data_type": "string", "description": ''}, + "SampleSubmission": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateStatus": {"data_type": "string", "description": ''}, + }, + "WDAVThreat": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsCloudSignature": {"data_type": "bool", "description": ''}, + "LastScan": {"data_type": "datetime", "description": ''}, + "MoreInformation": {"data_type": "string", "description": ''}, + "RemediationAction": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "ThreatAction": {"data_type": "string", "description": ''}, + "ThreatAlertLevel": {"data_type": "string", "description": ''}, + "ThreatCategory": {"data_type": "string", "description": ''}, + "ThreatEncyclopediaLink": {"data_type": "string", "description": ''}, + "ThreatError": {"data_type": "string", "description": ''}, + "ThreatFamily": {"data_type": "string", "description": ''}, + "ThreatId": {"data_type": "int", "description": ''}, + "ThreatName": {"data_type": "string", "description": ''}, + "ThreatReportId": {"data_type": "string", "description": ''}, + "ThreatStatus": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WebPubSubConnectivity": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP of the client or server connects to Web PubSub service.'}, + "ConnectionId": {"data_type": "string", "description": 'The unique identifier of the connection connected to service.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'."}, + "Location": {"data_type": "string", "description": 'The location of Azure Web PubSub service.'}, + "Message": {"data_type": "string", "description": 'The message of the log event. It provides details about the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation of the log event. It can be used to filter the log based on a specific operation name.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'The unique identifier of the user. It is defined by the client or app server.'}, + }, + "WebPubSubHttpRequest": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP of the client or server connects to Web PubSub service.'}, + "DurationMs": {"data_type": "string", "description": 'The duration in millisecond unit between the request is received and processed.'}, + "Headers": {"data_type": "string", "description": 'The additional information passed by the client and the server with an HTTP request or response.'}, + "HttpMethod": {"data_type": "string", "description": 'The HTTP method.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'."}, + "Location": {"data_type": "string", "description": 'The location of Azure Web PubSub service.'}, + "Message": {"data_type": "string", "description": 'The message of the log event. It provides details about the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation of the log event. It can be used to filter the log based on a specific operation name.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "StatusCode": {"data_type": "string", "description": 'The Http response code.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "TraceId": {"data_type": "string", "description": "The unique identifier of the invocations. It's used for tracing invocations."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Url": {"data_type": "string", "description": 'The uniform resource locator of the request.'}, + }, + "WebPubSubMessaging": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CallerIpAddress": {"data_type": "string", "description": 'The IP of the client or server connects to Web PubSub service.'}, + "ConnectionId": {"data_type": "string", "description": 'The unique identifier of the connection connected to service.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Level": {"data_type": "string", "description": "The level of the log. Can be 'Informational', 'Warning', 'Error' or 'Critical'."}, + "Location": {"data_type": "string", "description": 'The location of Azure Web PubSub service.'}, + "Message": {"data_type": "string", "description": 'The message of the log event. It provides details about the event.'}, + "OperationName": {"data_type": "string", "description": 'The operation of the log event. It can be used to filter the log based on a specific operation name.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the log.'}, + "TraceId": {"data_type": "string", "description": "The unique identifier of the invocations. It's used for tracing invocations."}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'The unique identifier of the user. It is defined by the client or app server.'}, + }, + "Windows365AuditLogs": { + "ActivityId": {"data_type": "string", "description": 'The activity Id of the operation.'}, + "ApplicationId": {"data_type": "string", "description": 'The caller application id of the operation.'}, + "ApplicationName": {"data_type": "string", "description": 'The application name of the operation.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BuildVersion": {"data_type": "string", "description": 'The build version of the operation.'}, + "CallerExtendedProperties": {"data_type": "string", "description": 'The caller extended properties of the operation.'}, + "ComponentName": {"data_type": "string", "description": 'The component name of the operation.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OperationName": {"data_type": "string", "description": 'The name of the operation.'}, + "OtherAuditEventProperties": {"data_type": "string", "description": 'The audit event properties of the operation, include componentName, operationType, category, activityDateTime, auditEventId, correlationId, shoeboxCategory, and resources.'}, + "OtherIdentityProperties": {"data_type": "string", "description": 'The identity properties of the user, include Type, UserPermission, ApplicationDisplayName, ServicePrincipleName, UserScopeTags, RemoteTenantId, and RemoteUserId.'}, + "Pid": {"data_type": "string", "description": 'The pid of the operation.'}, + "RelatedActivityId": {"data_type": "string", "description": 'The related activity Id of the operation.'}, + "ResourceExtendedProperties": {"data_type": "string", "description": 'The resource extended properties of the operation.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Result": {"data_type": "string", "description": 'The result of the operation.'}, + "ScenarioId": {"data_type": "string", "description": 'The scenario Id of the operation.'}, + "ScenarioInstanceId": {"data_type": "string", "description": 'The scenario instance Id of the operation.'}, + "ServiceName": {"data_type": "string", "description": 'The service name of the operation.'}, + "SessionId": {"data_type": "string", "description": 'The session Id of the operation.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "Tid": {"data_type": "string", "description": 'The tid of the operation.'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the report was generated (UTC).'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserId": {"data_type": "string", "description": 'The user Id of the user.'}, + "UserPrincipalName": {"data_type": "string", "description": 'The user principal name of the user.'}, + }, + "WindowsClientAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Domain": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "Forest": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "Server": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WindowsEvent": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Channel": {"data_type": "string", "description": 'The channel to which the event was logged.'}, + "Computer": {"data_type": "string", "description": 'The name of the computer on which the event occurred.'}, + "Correlation": {"data_type": "string", "description": 'The activity identifiers that consumers can use to group related events together.'}, + "EventData": {"data_type": "dynamic", "description": 'Contains the event data parsed to dynamic type. If the parsing fails then this field will contain null and the RawEventData field will be populated.'}, + "EventID": {"data_type": "int", "description": 'The identifier that the provider used to identify the event.'}, + "EventLevel": {"data_type": "int", "description": 'Contains the severity level of the event.'}, + "EventLevelName": {"data_type": "string", "description": 'The rendered message string of the level specified in the event.'}, + "EventOriginId": {"data_type": "string", "description": 'VM ID obtained from the Azure Instance Metadata Service (IMDS).'}, + "EventRecordId": {"data_type": "string", "description": 'The record number assigned to the event when it was logged.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Keywords": {"data_type": "string", "description": 'A bitmask of the keywords defined in the event.'}, + "ManagementGroupName": {"data_type": "string", "description": 'Additional information based on the resource type.'}, + "Opcode": {"data_type": "string", "description": 'The opcode element is defined by the SystemPropertiesType complex type.'}, + "Provider": {"data_type": "string", "description": 'System Properties Type - Identifies the provider that logged the event.'}, + "RawEventData": {"data_type": "string", "description": "The raw event XML when parsing fails. It's null when parsing successful."}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SystemProcessId": {"data_type": "int", "description": 'Identifies the process that generated the event.'}, + "SystemThreadId": {"data_type": "int", "description": 'Identifies the thread that generated the event.'}, + "SystemUserId": {"data_type": "string", "description": 'The ID of the user who is responsible for the event.'}, + "Task": {"data_type": "int", "description": 'The task defined in the event.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The time stamp when the event was generated on the computer.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "Version": {"data_type": "int", "description": "Contains the version number of the event's definition."}, + }, + "WindowsFirewall": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CommunicationDirection": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "Confidence": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "DestinationIP": {"data_type": "string", "description": ''}, + "DestinationPort": {"data_type": "int", "description": ''}, + "FirewallAction": {"data_type": "string", "description": ''}, + "FirstReportedDateTime": {"data_type": "string", "description": ''}, + "FullDestinationAddress": {"data_type": "string", "description": ''}, + "IndicatorThreatType": {"data_type": "string", "description": ''}, + "Info": {"data_type": "string", "description": ''}, + "IsActive": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastReportedDateTime": {"data_type": "string", "description": ''}, + "MaliciousIP": {"data_type": "string", "description": ''}, + "MaliciousIPCountry": {"data_type": "string", "description": ''}, + "MaliciousIPLatitude": {"data_type": "real", "description": ''}, + "MaliciousIPLongitude": {"data_type": "real", "description": ''}, + "ManagementGroupName": {"data_type": "string", "description": ''}, + "Protocol": {"data_type": "string", "description": ''}, + "RemoteIP": {"data_type": "string", "description": ''}, + "RequestSizeInBytes": {"data_type": "long", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Severity": {"data_type": "int", "description": ''}, + "SourceIP": {"data_type": "string", "description": ''}, + "SourcePort": {"data_type": "int", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TLPLevel": {"data_type": "string", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WindowsServerAssessmentRecommendation": { + "ActionArea": {"data_type": "string", "description": ''}, + "ActionAreaId": {"data_type": "string", "description": ''}, + "AffectedObjectName": {"data_type": "string", "description": ''}, + "AffectedObjectType": {"data_type": "string", "description": ''}, + "AssessmentId": {"data_type": "string", "description": ''}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Cluster": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "CustomData": {"data_type": "string", "description": ''}, + "Description": {"data_type": "string", "description": ''}, + "Domain": {"data_type": "string", "description": ''}, + "FocusArea": {"data_type": "string", "description": ''}, + "FocusAreaId": {"data_type": "string", "description": ''}, + "HyperVMHost": {"data_type": "string", "description": ''}, + "IISApplication": {"data_type": "string", "description": ''}, + "IISApplicationPool": {"data_type": "string", "description": ''}, + "Ipv4Address": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "OSVersion": {"data_type": "string", "description": ''}, + "Recommendation": {"data_type": "string", "description": ''}, + "RecommendationId": {"data_type": "string", "description": ''}, + "RecommendationResult": {"data_type": "string", "description": ''}, + "RecommendationWeight": {"data_type": "real", "description": ''}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Server": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "Technology": {"data_type": "string", "description": ''}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "WebServer": {"data_type": "string", "description": ''}, + "WebSite": {"data_type": "string", "description": ''}, + }, + "WireData": { + "ApplicationProtocol": {"data_type": "string", "description": 'Type of network protocol used'}, + "ApplicationServiceName": {"data_type": "string", "description": 'Hold over field from old schema - attribute not collected'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": 'Computer name where data was collected'}, + "Confidence": {"data_type": "string", "description": 'Confidence level for Malicious IP identification. Values are 0 - 100.'}, + "Description": {"data_type": "string", "description": 'Description of the observed threat.'}, + "Direction": {"data_type": "string", "description": 'Inbound or outbound'}, + "FirstReportedDateTime": {"data_type": "string", "description": 'The first time the provider reported the threat.'}, + "IndicatorThreatType": {"data_type": "string", "description": 'Threat indicator detected is one of the following values Botnet C2 CryptoMining Darknet DDos MaliciousUrl Malware Phishing Proxy PUA Watchlist.'}, + "IPVersion": {"data_type": "string", "description": 'IP version'}, + "IsActive": {"data_type": "string", "description": 'Indicates indicators are deactivated with True or False value.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastReportedDateTime": {"data_type": "string", "description": 'The last time the indicator was seen by Interflow.'}, + "LatencyMilliseconds": {"data_type": "int", "description": 'Hold over field from old schema - attribute not collected'}, + "LatencySamplingFailureRate": {"data_type": "string", "description": 'Hold over field from old schema - attribute not collected'}, + "LatencySamplingTimeStamp": {"data_type": "datetime", "description": 'Hold over field from old schema - attribute not collected'}, + "LocalIP": {"data_type": "string", "description": 'IP address of the local computer'}, + "LocalMAC": {"data_type": "string", "description": 'Hold over field from old schema - attribute not collected'}, + "LocalPortNumber": {"data_type": "int", "description": 'Local port number'}, + "LocalSubnet": {"data_type": "string", "description": 'Subnet where data was collected'}, + "MaliciousIP": {"data_type": "string", "description": 'IP address of a known malicious source'}, + "ManagementGroupName": {"data_type": "string", "description": 'Name of the Operations Manager management group'}, + "ProcessID": {"data_type": "int", "description": 'Windows process ID'}, + "ProcessName": {"data_type": "string", "description": 'Path and file name of the process'}, + "ProtocolName": {"data_type": "string", "description": 'Name of the network protocol used'}, + "ReceivedBytes": {"data_type": "long", "description": 'Amount of bytes received'}, + "ReceivedPackets": {"data_type": "long", "description": 'Hold over field from old schema - attribute not collected'}, + "RemoteIP": {"data_type": "string", "description": 'Remote IP address used by the remote computer'}, + "RemoteIPCountry": {"data_type": "string", "description": 'Country/region of the remote IP address'}, + "RemoteIPLatitude": {"data_type": "real", "description": 'IP latitude value'}, + "RemoteIPLongitude": {"data_type": "real", "description": 'IP longitude value'}, + "RemoteMAC": {"data_type": "string", "description": 'Hold over field from old schema - attribute not collected'}, + "RemotePortNumber": {"data_type": "int", "description": 'Port number used by the remote IP address'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SentBytes": {"data_type": "long", "description": 'Number of bytes sent'}, + "SentPackets": {"data_type": "long", "description": 'Hold over field from old schema - attribute not collected'}, + "SequenceNumber": {"data_type": "long", "description": 'Hold over field from old schema - attribute not collected'}, + "SessionEndTime": {"data_type": "datetime", "description": 'End time of session'}, + "SessionID": {"data_type": "string", "description": 'A unique value that identifies communication session between two IP addresses'}, + "SessionStartTime": {"data_type": "datetime", "description": 'Start time of session'}, + "SessionState": {"data_type": "string", "description": 'Connected or disconnected'}, + "Severity": {"data_type": "int", "description": 'Suspected malware severity'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Time of the record'}, + "TLPLevel": {"data_type": "string", "description": 'Traffic Light Protocol (TLP) Level is one of the defined values White Green Amber Red.'}, + "TotalBytes": {"data_type": "long", "description": 'Total number of bytes sent during session'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WorkloadDiagnosticLogs": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Category": {"data_type": "string", "description": 'The category of the log.'}, + "Computer": {"data_type": "string", "description": 'Name of the Computer generating the log.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The message of the log entry.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The status of the record. Example: Error, Warning, etc.'}, + "Tags": {"data_type": "dynamic", "description": 'Dimensions or other metatata about the record. For example may contain the Monitoring profile ID the log entry is about.'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp of when the log was generated.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WorkloadMonitoringPerf": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Computer": {"data_type": "string", "description": ''}, + "CounterName": {"data_type": "string", "description": ''}, + "InstanceName": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSystemDisk": {"data_type": "string", "description": ''}, + "LogicalDisk": {"data_type": "string", "description": ''}, + "MemoryInstance": {"data_type": "string", "description": ''}, + "NetworkAdapter": {"data_type": "string", "description": ''}, + "ObjectName": {"data_type": "string", "description": ''}, + "PerfCounterValue": {"data_type": "real", "description": ''}, + "PhysicalDisk": {"data_type": "string", "description": ''}, + "ProcessorInformation": {"data_type": "string", "description": ''}, + "ProcessorInstance": {"data_type": "string", "description": ''}, + "SecureChannel": {"data_type": "string", "description": ''}, + "ServiceName": {"data_type": "string", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WUDOAggregatedStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BWOptPercent28Days": {"data_type": "real", "description": ''}, + "BytesFromCDN": {"data_type": "long", "description": ''}, + "BytesFromGroupPeers": {"data_type": "long", "description": ''}, + "BytesFromIntPeers": {"data_type": "long", "description": ''}, + "BytesFromPeers": {"data_type": "long", "description": ''}, + "ContentType": {"data_type": "string", "description": ''}, + "DeviceCount": {"data_type": "int", "description": ''}, + "DownloadMode": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WUDOStatus": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "BWOptPercent28Days": {"data_type": "real", "description": ''}, + "BWOptPercent7Days": {"data_type": "real", "description": ''}, + "BytesFromCDN": {"data_type": "long", "description": ''}, + "BytesFromGroupPeers": {"data_type": "long", "description": ''}, + "BytesFromIntPeers": {"data_type": "long", "description": ''}, + "BytesFromPeers": {"data_type": "long", "description": ''}, + "City": {"data_type": "string", "description": ''}, + "Computer": {"data_type": "string", "description": ''}, + "ComputerID": {"data_type": "string", "description": ''}, + "ContentDownloadMode": {"data_type": "int", "description": ''}, + "ContentType": {"data_type": "string", "description": ''}, + "Country": {"data_type": "string", "description": ''}, + "DOStatusDescription": {"data_type": "string", "description": ''}, + "DownloadMode": {"data_type": "string", "description": ''}, + "DownloadModeSrc": {"data_type": "string", "description": ''}, + "GroupID": {"data_type": "string", "description": ''}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ISP": {"data_type": "string", "description": ''}, + "LastScan": {"data_type": "datetime", "description": ''}, + "NoPeersCount": {"data_type": "long", "description": ''}, + "OSName": {"data_type": "string", "description": ''}, + "OSVersion": {"data_type": "string", "description": ''}, + "PeerEligibleTransfers": {"data_type": "long", "description": ''}, + "PeeringStatus": {"data_type": "string", "description": ''}, + "PeersCannotConnectCount": {"data_type": "long", "description": ''}, + "PeersSuccessCount": {"data_type": "long", "description": ''}, + "PeersUnknownCount": {"data_type": "long", "description": ''}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "TimeGenerated": {"data_type": "datetime", "description": ''}, + "TotalTimeForDownload": {"data_type": "string", "description": ''}, + "TotalTransfers": {"data_type": "long", "description": ''}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WVDAgentHealthStatus": { + "ActiveSessions": {"data_type": "string", "description": 'The number of active sessions on the VM'}, + "AgentVersion": {"data_type": "string", "description": 'The version of the WVD Agent running on the Virtual Machine'}, + "AllowNewSessions": {"data_type": "string", "description": 'State of the AllowNewSession settings of the host pool'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "InactiveSessions": {"data_type": "string", "description": 'The number of disconnected, or logged off sessions on the VM'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "LastHeartBeat": {"data_type": "datetime", "description": 'The time recorded when there was a change in the health status'}, + "LastUpgradeTimeStamp": {"data_type": "datetime", "description": 'The time recorded when there was a change in the upgrade status'}, + "OperationName": {"data_type": "string", "description": 'The name of the operation'}, + "OSVersion": {"data_type": "string", "description": 'The version of the operating system'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionHostHealthCheckResult": {"data_type": "dynamic", "description": 'The set of results on health checks'}, + "SessionHostName": {"data_type": "string", "description": 'Name of the Virtual Machine'}, + "SessionHostResourceId": {"data_type": "string", "description": 'The ARM path of the session host'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "Status": {"data_type": "string", "description": 'The current status of the VM, whether its healthy or not'}, + "StatusTimeStamp": {"data_type": "datetime", "description": 'The time recorded when there was a change in the health status'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "SxSStackVersion": {"data_type": "string", "description": 'The version of the reverse connect listener running on the VM'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'Date and time when the report was generated (UTC)'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpgradeErrorMsg": {"data_type": "string", "description": 'The version of the reverse connect listener running on the VM'}, + "UpgradeState": {"data_type": "string", "description": 'The last known state from a previous update'}, + }, + "WVDAutoscaleEvaluationPooled": { + "ActiveSessionHostCount": {"data_type": "int", "description": 'Number of session hosts accepting user connections.'}, + "ActiveSessionHostsPercent": {"data_type": "real", "description": 'Percent of session hosts in the host pool considered active by Autoscale.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ConfigCapacityThresholdPercent": {"data_type": "real", "description": 'Capacity threshold percent.'}, + "ConfigMinActiveSessionHostsPercent": {"data_type": "real", "description": 'Minimum percent of session hosts that should be active.'}, + "ConfigScheduleName": {"data_type": "string", "description": 'Name of schedule used in the evaluation.'}, + "ConfigSchedulePhase": {"data_type": "string", "description": 'Schedule phase at the time of evaluation.'}, + "CorrelationId": {"data_type": "string", "description": 'A GUID generated for this Autoscale evaluation.'}, + "ExcludedSessionHostCount": {"data_type": "int", "description": 'Number of session hosts excluded from being managed by Autoscale.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "MaxSessionLimitPerSessionHost": {"data_type": "int", "description": "The 'MaxSessionLimit' value defined on the host pool. The is the maximum number of user sessions allowed per session host."}, + "Properties": {"data_type": "dynamic", "description": 'Additional information. The fields included here may be changed in the future.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ResultType": {"data_type": "string", "description": 'Status of this evaluation event.'}, + "ScalingEvaluationStartTime": {"data_type": "datetime", "description": 'The timestamp (UTC) when the Autoscale evaluation started.'}, + "ScalingPlanResourceId": {"data_type": "string", "description": 'Resource ID of the Autoscale scaling plan.'}, + "ScalingReasonMessage": {"data_type": "string", "description": 'The actions Autoscale decided to perform and why it took those actions.'}, + "SessionCount": {"data_type": "int", "description": 'Number of user sessions, only the user sessions from session hosts which considered active by Autoscale are included.'}, + "SessionOccupancyPercent": {"data_type": "real", "description": 'Percent of session host capacity occupied by user sessions.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) this event was generated.'}, + "TotalSessionHostCount": {"data_type": "int", "description": 'Number of session hosts in the host pool.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UnhealthySessionHostCount": {"data_type": "int", "description": 'Number of session hosts in a faulty state.'}, + }, + "WVDCheckpoints": { + "ActivityType": {"data_type": "string", "description": 'The type of activity for which this checkpoint was reported.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation Id for the activity.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Name": {"data_type": "string", "description": 'The name of the checkpoint.'}, + "Parameters": {"data_type": "dynamic", "description": 'The parameters for the checkpoint.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Source": {"data_type": "string", "description": 'The component that emitted the checkpoint.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'The user name for the activity associated with the checkpoint.'}, + }, + "WVDConnectionGraphicsDataPreview": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientSkippedFramesPercentage": {"data_type": "int", "description": 'The percentage of frames dropped because of slow client decoding in the second with the highest dropped frames in the last evaluated connection time interval'}, + "CompressedFrameSizeInBytes": {"data_type": "int", "description": 'The compressed size (bytes) of the frame with highest E2E delay in the last evaluated connection time interval'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID for the activity'}, + "DecodingTimeOnClientInMs": {"data_type": "int", "description": 'The decoding time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time interval'}, + "EncodingDelayOnServerInMs": {"data_type": "int", "description": 'The encoding time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time interval'}, + "EndToEndDelayInMs": {"data_type": "int", "description": 'The highest end-to-end delay (milliseconds) of the frames sent in the last evaluated connection time interval. E2E delay is the delay from the time when a frame is captured on the server until the time frame is rendered on the client'}, + "EstAvailableBandwidthKBps": {"data_type": "int", "description": 'The average of estimated network bandwidth (kilobyte per second) in the last evaluated connection time interval'}, + "EstRoundTripTimeInMs": {"data_type": "int", "description": 'The average of estimated network round trip times (milliseconds) in the last evaluated connection time interval'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "NetworkSkippedFramesPercentage": {"data_type": "int", "description": 'The percentage of frames dropped because of insufficient network bandwidth in the second with the highest dropped frames in the last evaluated connection time interval'}, + "RenderingTimeOnClientInMs": {"data_type": "int", "description": 'The rendering time (milliseconds) of the frame with highest E2E delay in the last evaluated connection time interval'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServerSkippedFramesPercentage": {"data_type": "int", "description": 'The percentage of frames dropped because server is busy in the second with the highest dropped frames in the last evaluated connection time interval'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the QoE event was generated on the VM'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WVDConnectionNetworkData": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID for the activity'}, + "EstAvailableBandwidthKBps": {"data_type": "int", "description": 'The average of estimated network bandwidth (kilobyte per second) in the last evaluated connection time interval'}, + "EstRoundTripTimeInMs": {"data_type": "int", "description": 'The average of estimated network round trip times (milliseconds) in the last evaluated connection time interval'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) when the network event was generated on the VM'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WVDConnections": { + "AadTenantId": {"data_type": "string", "description": 'The AAD tenant Id of the user.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientOS": {"data_type": "string", "description": 'The OS of the client that is connecting (if available).'}, + "ClientSideIPAddress": {"data_type": "string", "description": 'The remote IP address from the client side.'}, + "ClientType": {"data_type": "string", "description": 'The type of the client that is connecting (if available).'}, + "ClientVersion": {"data_type": "string", "description": 'The version of the client that is connecting (if available).'}, + "ConnectionType": {"data_type": "string", "description": 'The type of connection - either RAIL (RemoteApp Integrated Locally) or Desktop.'}, + "CorrelationId": {"data_type": "string", "description": 'The activity Id.'}, + "GatewayRegion": {"data_type": "string", "description": 'The region of the WVD Gateway for the server side user connection.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsClientPrivateLink": {"data_type": "string", "description": 'True if the client side of this connection used a private link endpoint during orchestration.'}, + "IsSessionHostPrivateLink": {"data_type": "string", "description": 'True if the session host side of this connection used a private link endpoint during orchestration.'}, + "PredecessorConnectionId": {"data_type": "string", "description": 'The predecessor Correlation Id of the connection, if the current connection is an auto-reconnect.'}, + "ResourceAlias": {"data_type": "string", "description": 'The alias of the app that the user attempted to connect to.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionHostAgentVersion": {"data_type": "string", "description": 'The version of the WVD Agent running on the machine where the user connection was orchestrated.'}, + "SessionHostAzureVmId": {"data_type": "string", "description": 'The Azure VM Id of the machine where the user connection was orchestrated.'}, + "SessionHostIPAddress": {"data_type": "string", "description": 'The IP address of the machine where the user connection was orchestrated.'}, + "SessionHostJoinType": {"data_type": "string", "description": 'The type of the domain join for the Session Host - either DomainJoined, HybridAzureADJoined or AzureADJoined.'}, + "SessionHostName": {"data_type": "string", "description": 'The FQDN of the machine where the user connection was orchestrated.'}, + "SessionHostOSDescription": {"data_type": "string", "description": 'The OS SKU description of the machine where the user connection was orchestrated.'}, + "SessionHostOSVersion": {"data_type": "string", "description": 'The OS version of the machine where the user connection was orchestrated.'}, + "SessionHostPoolType": {"data_type": "string", "description": 'The type of session host pool - either SharedDesktop or PersonalDesktop.'}, + "SessionHostSessionId": {"data_type": "string", "description": 'The Session Id of WVD RDP Stack running on the machine where the user connection was orchestrated.'}, + "SessionHostSxSStackVersion": {"data_type": "string", "description": 'The version of the WVD RDP Stack running on the machine where the user connection was orchestrated.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "State": {"data_type": "string", "description": 'The state of the connection.'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UdpUse": {"data_type": "string", "description": 'Indicates whether WVD RDP Stack uses UDP protocol on current user connection.'}, + "UserName": {"data_type": "string", "description": 'The user who initiated the connection.'}, + }, + "WVDErrors": { + "ActivityType": {"data_type": "string", "description": 'The activity type for which the error happened.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "Code": {"data_type": "long", "description": 'The error code for the error.'}, + "CodeSymbolic": {"data_type": "string", "description": 'The error code symbolic representation (if available).'}, + "CorrelationId": {"data_type": "string", "description": 'The activity Id.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "Message": {"data_type": "string", "description": 'The error message.'}, + "Operation": {"data_type": "string", "description": 'The name of the operation that failed.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ServiceError": {"data_type": "bool", "description": 'Indicator whether this is a service or customer error.'}, + "Source": {"data_type": "string", "description": 'The source of the error.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'The user for which the error happened.'}, + }, + "WVDFeeds": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientOS": {"data_type": "string", "description": 'The OS of the client that is requesting the feed (if available).'}, + "ClientSideIPAddress": {"data_type": "string", "description": 'The remote IP address from the client side.'}, + "ClientType": {"data_type": "string", "description": 'The type of the client that is requesting the feed (if available).'}, + "ClientVersion": {"data_type": "string", "description": 'The version of the client that is requesting the feed (if available).'}, + "CorrelationId": {"data_type": "string", "description": 'The activity Id.'}, + "IconFail": {"data_type": "int", "description": 'The number of Icons (PNG, ICO) files that failed to be retrieved.'}, + "IconTotal": {"data_type": "int", "description": 'The total number of Icons (PNG, ICO) files that the client attempted to retrieve.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsClientPrivateLink": {"data_type": "string", "description": 'True if the client used a private link endpoint for the feed request.'}, + "RDPFail": {"data_type": "int", "description": 'The number of RDP files that failed to be retrieved.'}, + "RDPTotal": {"data_type": "int", "description": 'The total number of RDP files that the client attempted to retrieve.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'The user that initiated the feed request.'}, + }, + "WVDHostRegistrations": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "CorrelationId": {"data_type": "string", "description": 'The activity Id.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "IsSessionHostPrivateLink": {"data_type": "string", "description": 'True if the session host side of this connection used a private link endpoint during orchestration.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "SessionHostIPAddress": {"data_type": "string", "description": 'The IP address of the session host that was registered with the WVD service.'}, + "SessionHostName": {"data_type": "string", "description": 'The name of the session host that was registered with the WVD service.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + }, + "WVDManagement": { + "ArmObjectScope": {"data_type": "string", "description": 'The ARM object scope for the management request - used for session hosts, applications.'}, + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientSideIPAddress": {"data_type": "string", "description": 'The remote IP address from the client side.'}, + "CorrelationId": {"data_type": "string", "description": 'The activity Id.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ObjectsCreated": {"data_type": "int", "description": 'The number of objects that were created.'}, + "ObjectsDeleted": {"data_type": "int", "description": 'The number of objects that were deleted.'}, + "ObjectsFetched": {"data_type": "int", "description": 'The number of objects that were fetched.'}, + "ObjectsUpdated": {"data_type": "int", "description": 'The number of objects that were updated.'}, + "ProvisioningCorrelationId": {"data_type": "string", "description": 'The ID of the top-level provisioning operation. This maps to the field in WVDSessionHostManagement table called CorrelationId.'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "Route": {"data_type": "string", "description": 'The route for the management request.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UserName": {"data_type": "string", "description": 'The user that initiated the management request.'}, + }, + "WVDSessionHostManagement": { + "_BilledSize": {"data_type": "real", "description": 'The record size in bytes'}, + "ClientType": {"data_type": "string", "description": 'Information about the client that initiated the update (portal, Powershell etc.).'}, + "CorrelationId": {"data_type": "string", "description": 'The correlation ID for the activity.'}, + "FailedSessionHostCleanupPolicy": {"data_type": "string", "description": 'The policy for cleaning up session hosts that have failed provisioning.'}, + "FromInstanceCount": {"data_type": "int", "description": 'The instance count before the operation. For an update operation, FromInstanceCount and ToInstanceCount are the same value.'}, + "FromSessionHostConfigVer": {"data_type": "string", "description": 'The version of SHC before the operation (that session hosts are moving from; can be looked up with new SHC table). For a provisioning operation, it is the same as the ToSessionHostConfiguration.'}, + "_IsBillable": {"data_type": "string", "description": "Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account"}, + "ProvisioningCanaryPolicy": {"data_type": "string", "description": 'The policy for creating a test canary session host before creating the rest of the requested session hosts.'}, + "ProvisioningStatus": {"data_type": "string", "description": 'The status of the current update/provisioning operation.'}, + "ProvisioningType": {"data_type": "string", "description": 'The type of operation (provisioning, update).'}, + "_ResourceId": {"data_type": "string", "description": 'A unique identifier for the resource that the record is associated with'}, + "ScheduledDateTime": {"data_type": "string", "description": 'When the session host update is scheduled, the scheduled time.'}, + "ScheduledDateTimeZone": {"data_type": "string", "description": 'The time zone that updates and provisioning happen in.'}, + "SourceSystem": {"data_type": "string", "description": 'The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics'}, + "_SubscriptionId": {"data_type": "string", "description": 'A unique identifier for the subscription that the record is associated with'}, + "TenantId": {"data_type": "string", "description": 'The Log Analytics workspace ID'}, + "TimeGenerated": {"data_type": "datetime", "description": 'The timestamp (UTC) of the event.'}, + "ToInstanceCount": {"data_type": "int", "description": 'The instance count after the operation. For an update operation, FromInstanceCount and ToInstanceCount are the same value.'}, + "ToSessionHostConfigVer": {"data_type": "string", "description": 'The version of SHC after the operation (that session hosts are moving to; can be looked up with new SHC table). For a provisioning operation, is the same as the FromSessionHostConfiguration is.'}, + "Type": {"data_type": "string", "description": 'The name of the table'}, + "UpdateDeleteOriginalVm": {"data_type": "bool", "description": 'Property indicates whether the original VM should be deleted after the update.'}, + "UpdateMaxVmsRemoved": {"data_type": "int", "description": 'The maximum number of virtual machines that might become unavailable during the session host update operation.'}, + "UpdateMethod": {"data_type": "string", "description": 'The method that is used for the session host update operation (e.g.: VmRecreate).'}, + "UpdateStartWindowInMinutes": {"data_type": "int", "description": 'The window of allowable time for an update to start in minutes.'}, + }, +} diff --git a/sigma/pipelines/azuremonitor/transformations.py b/sigma/pipelines/azuremonitor/transformations.py new file mode 100644 index 0000000..e8fe299 --- /dev/null +++ b/sigma/pipelines/azuremonitor/transformations.py @@ -0,0 +1,19 @@ +from ..kusto_common.transformations import BaseHashesValuesTransformation + + +class SecurityEventHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the FileHash (originally Hashes) field in SecurityEvent table to get rid of the hash algorithm prefix in each value. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256"], field_prefix="FileHash", drop_algo_prefix=True) + + +class DefaultHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the Hashes field in XDR Tables to create fields for each hash algorithm. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256"], field_prefix="") diff --git a/sigma/pipelines/kusto_common/__init__.py b/sigma/pipelines/kusto_common/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/sigma/pipelines/kusto_common/errors.py b/sigma/pipelines/kusto_common/errors.py new file mode 100644 index 0000000..22679ef --- /dev/null +++ b/sigma/pipelines/kusto_common/errors.py @@ -0,0 +1,21 @@ +from sigma.processing.transformations import ( + DetectionItemFailureTransformation, + SigmaTransformationError, +) +from sigma.rule import SigmaDetectionItem + + +class InvalidFieldTransformation(DetectionItemFailureTransformation): + """ + Overrides the apply_detection_item() method from DetectionItemFailureTransformation to also include the field name + in the error message + """ + + def apply_detection_item(self, detection_item: SigmaDetectionItem) -> None: + field_name = detection_item.field + self.message = f"Invalid SigmaDetectionItem field name encountered: {field_name}. " + self.message + raise SigmaTransformationError(self.message) + + +class InvalidHashAlgorithmError(Exception): + pass diff --git a/sigma/pipelines/kusto_common/finalization.py b/sigma/pipelines/kusto_common/finalization.py new file mode 100644 index 0000000..c491f1a --- /dev/null +++ b/sigma/pipelines/kusto_common/finalization.py @@ -0,0 +1,31 @@ +from dataclasses import dataclass +from typing import List + +from sigma.processing.finalization import Finalizer + + +@dataclass +class QueryTableFinalizer(Finalizer): + """Finalizer for pipelines using the Kusto Query Language to add in the table name as a prefix to the query. + + The query_table is set by the SetQueryTableStateTransformation transformation that is applied to each rule at the very beginning of the pipeline; + the query table can be supplied as an argument to the pipeline, set in a previous ProcessingPipeline (which is combined into a single pipeline in sigma_cli), or is + set by the rules category or other criteria from other transformations. + + The standard finalizers append all queries together into a single query string. However, this finalizer + will keep individual queries separate and add the table name as a prefix to each query. + + A custom table name can be specified in the finalizer, otherwise the table name will be selected based on the processing pipeline's state 'query_table' key. + """ + + table_names: str = None + + def apply(self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", queries: List[str]) -> List[str]: # type: ignore # noqa: F821 + for i, query in enumerate(queries): + if self.table_names: + queries[i] = f"{self.table_names}\n| where {query}" + elif "query_table" in pipeline.state: + queries[i] = f"{pipeline.state['query_table']}\n| where {query}" + else: + queries[i] = f"search {query}" + return queries diff --git a/sigma/pipelines/kusto_common/schema.py b/sigma/pipelines/kusto_common/schema.py new file mode 100644 index 0000000..226de62 --- /dev/null +++ b/sigma/pipelines/kusto_common/schema.py @@ -0,0 +1,66 @@ +from dataclasses import dataclass, field +from typing import Dict, List, Optional, Union + + +@dataclass +class FieldInfo: + data_type: str + description: str + + +@dataclass +class TableSchema: + fields: Dict[str, FieldInfo] = field(default_factory=dict) + + def get_field_type(self, field_name: str) -> Optional[str]: + field = self.fields.get(field_name) + return field.data_type if field else None + + def get_field_description(self, field_name: str) -> Optional[str]: + field = self.fields.get(field_name) + return field.description if field else None + + def get_valid_fields(self) -> List[str]: + return list(self.fields.keys()) + + +@dataclass +class BaseSchema: + tables: Dict[str, TableSchema] = field(default_factory=dict) + + def get_field_type(self, table_name: str, field_name: str) -> Optional[str]: + table = self.tables.get(table_name) + return table.get_field_type(field_name) if table else None + + def get_field_description(self, table_name: str, field_name: str) -> Optional[str]: + table = self.tables.get(table_name) + return table.get_field_description(field_name) if table else None + + def get_valid_fields(self, table_name: str) -> List[str]: + table = self.tables.get(table_name) + return table.get_valid_fields() if table else [] + + +@dataclass +class FieldMappings: + table_mappings: Dict[str, Dict[str, Union[str, List[str]]]] = field(default_factory=dict) + generic_mappings: Dict[str, str] = field(default_factory=dict) + + def get_field_mapping(self, table_name: str, sigma_field: str) -> str: + table_mapping = self.table_mappings.get(table_name, {}) + mapping = table_mapping.get(sigma_field) + if mapping: + return mapping[0] if isinstance(mapping, list) else mapping + return self.generic_mappings.get(sigma_field, sigma_field) + + +def create_schema(schema_class, tables) -> BaseSchema: + schema = schema_class() + for table_name, fields in tables.items(): + table_schema = TableSchema() + for field_name, field_info in fields.items(): + table_schema.fields[field_name] = FieldInfo( + data_type=field_info["data_type"], description=field_info["description"] + ) + schema.tables[table_name] = table_schema + return schema diff --git a/sigma/pipelines/kusto_common/transformations.py b/sigma/pipelines/kusto_common/transformations.py new file mode 100644 index 0000000..ca86b7b --- /dev/null +++ b/sigma/pipelines/kusto_common/transformations.py @@ -0,0 +1,188 @@ +from collections import defaultdict +from dataclasses import dataclass, field +from typing import Any, Dict, Iterable, List, Optional, Union + +from sigma.conditions import ConditionOR +from sigma.processing.transformations import ( + DetectionItemTransformation, + FieldMappingTransformation, + Transformation, + ValueTransformation, +) +from sigma.rule import SigmaDetection, SigmaDetectionItem +from sigma.types import SigmaString, SigmaType + +from ..kusto_common.schema import FieldMappings +from .errors import InvalidHashAlgorithmError, SigmaTransformationError + + +class DynamicFieldMappingTransformation(FieldMappingTransformation): + """ + Dynamically sets the mapping dictionary based on the pipeline state or rule's category. + + :param field_mappings: A FieldMappings schema object that contains the table_mappings and generic_mappings. + :type field_mappings: FieldMappings schema object + """ + + def __init__(self, field_mappings: FieldMappings): + super().__init__(field_mappings.generic_mappings) + self.field_mappings = field_mappings + + def set_dynamic_mapping(self, pipeline): + """ + Set the mapping dynamically based on the pipeline state 'query_table' or the rule's logsource category. + """ + + # We should always have a query_table in the pipeline state, will implement mapping based on rule category later if not + if "query_table" in pipeline.state: + query_table = pipeline.state["query_table"] + self.mapping = self.field_mappings.table_mappings.get(query_table, {}) + else: + # TODO: Implement mapping based on rule category + pass + + def apply( + self, + pipeline: "sigma.processing.pipeline.ProcessingPipeline", # noqa: F821 # type: ignore + rule: Union["SigmaRule", "SigmaCorrelationRule"], # noqa: F821 # type: ignore + ) -> None: + """Apply dynamic mapping before the field name transformations.""" + self.set_dynamic_mapping(pipeline) # Dynamically update the mapping + super().apply(pipeline, rule) # Call parent method to continue the transformation process + + +class GenericFieldMappingTransformation(FieldMappingTransformation): + """ + Transformation for applying generic field mappings after table-specific mappings. + """ + + def __init__(self, field_mappings: FieldMappings): + super().__init__(field_mappings.generic_mappings) + + def apply_detection_item( + self, detection_item: SigmaDetectionItem + ) -> Optional[Union[SigmaDetectionItem, SigmaString]]: + if detection_item.field in self.mapping: + detection_item.field = self.mapping[detection_item.field] + return detection_item + + +class BaseHashesValuesTransformation(DetectionItemTransformation): + """ + Base class for transforming the Hashes field to get rid of the hash algorithm prefix in each value and create new detection items for each hash type. + """ + + def __init__(self, valid_hash_algos: List[str], field_prefix: str = None, drop_algo_prefix: bool = False): + """ + :param valid_hash_algos: A list of valid hash algorithms that are supported by the table. + :param field_prefix: The prefix to use for the new detection items. + :param drop_algo_prefix: Whether to drop the algorithm prefix in the new field name, e.g. "FileHashSHA256" -> "FileHash". + """ + self.valid_hash_algos = valid_hash_algos + self.field_prefix = field_prefix or "" + self.drop_algo_prefix = drop_algo_prefix + + def apply_detection_item( + self, detection_item: SigmaDetectionItem + ) -> Optional[Union[SigmaDetection, SigmaDetectionItem]]: + to_return = [] + no_valid_hash_algo = True + algo_dict = defaultdict(list) # map to keep track of algos and lists of values + if not isinstance(detection_item.value, list): + detection_item.value = [detection_item.value] + for d in detection_item.value: + hash_value = d.to_plain().split("|") # sometimes if ALGO|VALUE + if len(hash_value) == 1: # and sometimes its ALGO=VALUE + hash_value = hash_value[0].split("=") + if len(hash_value) == 2: + hash_algo = ( + hash_value[0].lstrip("*").upper() + if hash_value[0].lstrip("*").upper() in self.valid_hash_algos + else "" + ) + if hash_algo: + no_valid_hash_algo = False + hash_value = hash_value[1] + else: + hash_value = hash_value[0] + if len(hash_value) == 32: # MD5 + hash_algo = "MD5" + no_valid_hash_algo = False + elif len(hash_value) == 40: # SHA1 + hash_algo = "SHA1" + no_valid_hash_algo = False + elif len(hash_value) == 64: # SHA256 + hash_algo = "SHA256" + no_valid_hash_algo = False + elif len(hash_value) == 128: # SHA512 + hash_algo = "SHA512" + no_valid_hash_algo = False + else: # Invalid algo, no fieldname for keyword search + hash_algo = "" + + field_name = self.field_prefix + if not self.drop_algo_prefix: + field_name += hash_algo + algo_dict[field_name].append(hash_value) + if no_valid_hash_algo: + raise InvalidHashAlgorithmError( + "No valid hash algo found in Hashes field. Please use one of the following: " + + ", ".join(self.valid_hash_algos) + ) + for k, v in algo_dict.items(): + if k: # Filter out invalid hash algo types + to_return.append( + SigmaDetectionItem( + field=k if k != "keyword" else None, modifiers=[], value=[SigmaString(x) for x in v] + ) + ) + return SigmaDetection(detection_items=to_return, item_linking=ConditionOR) + + +@dataclass +class SetQueryTableStateTransformation(Transformation): + """Sets rule query table in pipeline state query_table key + + :param val: The table name to set in the pipeline state. If not provided, the table name will be determined from the rule's logsource category. + :param category_to_table_mappings: A dictionary mapping logsource categories to table names. If not provided, the default category_to_table_mappings will be used. + + """ + + val: Any = None + category_to_table_mappings: Dict[str, Any] = field(default_factory=dict) + + def apply(self, pipeline: "ProcessingPipeline", rule: "SigmaRule") -> None: # type: ignore # noqa: F821 + super().apply(pipeline, rule) + if self.val: + table_name = self.val + else: + category = rule.logsource.category + table_name = self.category_to_table_mappings.get(category) + + if table_name: + if isinstance(table_name, list): + table_name = table_name[0] # Use the first table if it's a list + pipeline.state["query_table"] = table_name + else: + raise SigmaTransformationError( + f"Unable to determine table name for category: {category}, category is not yet supported by the pipeline. Please provide the 'query_table' parameter to the pipeline instead." + ) + + +## Change field value AFTER field transformations from Sysmon values to values expected in the pipelines registry table action field +class RegistryActionTypeValueTransformation(ValueTransformation): + """Custom ValueTransformation transformation. The Microsoft DeviceRegistryEvents table expect the ActionType to + be a slightly different set of values than what Sysmon specified, so this will change them to the correct value.""" + + value_mappings = { # Sysmon EventType -> DeviceRegistryEvents ActionType + "CreateKey": "RegistryKeyCreated", + "DeleteKey": ["RegistryKeyDeleted", "RegistryValueDeleted"], + "SetValue": "RegistryValueSet", + "RenameKey": ["RegistryValueSet", "RegistryKeyCreated"], + } + + def apply_value(self, field: str, val: SigmaType) -> Optional[Union[SigmaType, Iterable[SigmaType]]]: + mapped_vals = self.value_mappings.get(val.to_plain(), val.to_plain()) + if isinstance(mapped_vals, list): + return [SigmaString(v) for v in mapped_vals] + return SigmaString(mapped_vals) diff --git a/sigma/pipelines/microsoft365defender/__init__.py b/sigma/pipelines/microsoft365defender/__init__.py index 7368848..f542b61 100644 --- a/sigma/pipelines/microsoft365defender/__init__.py +++ b/sigma/pipelines/microsoft365defender/__init__.py @@ -1,4 +1,5 @@ from .microsoft365defender import microsoft_365_defender_pipeline + pipelines = { - "microsoft_365_defender_pipeline": microsoft_365_defender_pipeline, # TODO: adapt identifier to something approproiate -} \ No newline at end of file + "microsoft_365_defender_pipeline": microsoft_365_defender_pipeline, # DEPRECATED: Use microsoft_xdr_pipeline instead. +} diff --git a/sigma/pipelines/microsoft365defender/finalization.py b/sigma/pipelines/microsoft365defender/finalization.py deleted file mode 100644 index 1fbae38..0000000 --- a/sigma/pipelines/microsoft365defender/finalization.py +++ /dev/null @@ -1,32 +0,0 @@ -from dataclasses import dataclass, field -from typing import Union, List - -from sigma.processing.finalization import Finalizer - - -@dataclass -class Microsoft365DefenderTableFinalizer(Finalizer): - """Finalizer for Microsoft 365 Defender Backend to add in the table name as a prefix to the query. - - The standard finalizers append all queries together into a single query string. However, this finalizer - will keep individual queries separate and add the table name as a prefix to each query, per ordering in the - pipeline's state 'query_table' key which is appended to for each rule by set for each rule by the - SetQueryTableStateTransformation transformation. - - A custom table name can be specified in the finalizer, otherwise the table name will be selected based on the category of the rule. - """ - - table_names: Union[str, List[str]] = field(default_factory=list) - - def apply(self, pipeline: "sigma.processing.pipeline.ProcessingPipeline", queries: List[str]) -> List[str]: - if isinstance(self.table_names, str): - self.table_names = [self.table_names] * len(queries) - - for i, query in enumerate(queries): - if self.table_names: - queries[i] = f"{self.table_names[i]}\n| where {query}" - elif 'query_table' in pipeline.state: - queries[i] = f"{pipeline.state['query_table'][i]}\n| where {query}" - else: - queries[i] = f"search {query}" - return queries diff --git a/sigma/pipelines/microsoft365defender/microsoft365defender.py b/sigma/pipelines/microsoft365defender/microsoft365defender.py index ed5e2eb..cfe034e 100644 --- a/sigma/pipelines/microsoft365defender/microsoft365defender.py +++ b/sigma/pipelines/microsoft365defender/microsoft365defender.py @@ -1,606 +1,12 @@ -from typing import Union, Optional, Iterable -from collections import defaultdict +from typing import Optional -from sigma.exceptions import SigmaTransformationError -from sigma.pipelines.common import (logsource_windows_process_creation, logsource_windows_image_load, - logsource_windows_file_event, logsource_windows_file_delete, - logsource_windows_file_change, logsource_windows_file_access, - logsource_windows_file_rename, logsource_windows_registry_set, - logsource_windows_registry_add, logsource_windows_registry_delete, - logsource_windows_registry_event, logsource_windows_network_connection) -from sigma.processing.transformations import (FieldMappingTransformation, RuleFailureTransformation, - ReplaceStringTransformation, SetStateTransformation, - DetectionItemTransformation, ValueTransformation, - DetectionItemFailureTransformation, DropDetectionItemTransformation) -from sigma.processing.conditions import (IncludeFieldCondition, ExcludeFieldCondition, - DetectionItemProcessingItemAppliedCondition, LogsourceCondition) -from sigma.conditions import ConditionOR -from sigma.types import SigmaString, SigmaType -from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline -from sigma.rule import SigmaDetectionItem, SigmaDetection -from .finalization import Microsoft365DefenderTableFinalizer -from .transformations import SetQueryTableStateTransformation +from sigma.processing.pipeline import ProcessingPipeline +from ..microsoftxdr import microsoft_xdr_pipeline -# CUSTOM TRANSFORMATIONS -## Custom DetectionItemTransformation to split domain and user, if applicable -class SplitDomainUserTransformation(DetectionItemTransformation): - """Custom DetectionItemTransformation transformation to split a User field into separate domain and user fields, - if applicable. This is to handle the case where the Sysmon `User` field may contain a domain AND username, and - Advanced Hunting queries separate out the domain and username into separate fields. - If a matching field_name_condition field uses the schema DOMAIN\\USER, a new SigmaDetectionItem - will be made for the Domain and put inside a SigmaDetection with the original User SigmaDetectionItem - (minus the domain) for the matching SigmaDetectionItem. - You should use this with a field_name_condition for `IncludeFieldName(['field', 'names', 'for', 'username']`)""" - - def apply_detection_item(self, detection_item: SigmaDetectionItem) -> Optional[ - Union[SigmaDetection, SigmaDetectionItem]]: - to_return = [] - if not isinstance(detection_item.value, list): # Ensure its a list, but it most likely will be - detection_item.value = list(detection_item.value) - for d in detection_item.value: - username = d.to_plain().split("\\") - username_field_mappings = { - 'AccountName': 'AccountDomain', - 'RequestAccountName': 'RequestAccountDomain', - 'InitiatingProcessAccountName': 'InitiatingProcessAccountDomain', - } - if len(username) == 2: - domain = username[0] - username = [SigmaString(username[1])] - - domain_field = username_field_mappings.get(detection_item.field, "InitiatingProcessAccountDomain") - domain_value = [SigmaString(domain)] - user_detection_item = SigmaDetectionItem(field=detection_item.field, - modifiers=[], - value=username, - ) - domain_detection_item = SigmaDetectionItem(field=domain_field, - modifiers=[], - value=domain_value) - to_return.append(SigmaDetection(detection_items=[user_detection_item, domain_detection_item])) - else: - - to_return.append(SigmaDetection([SigmaDetectionItem(field=detection_item.field, - modifiers=detection_item.modifiers, - value=username)])) - return SigmaDetection(to_return) - - -## Custom DetectionItemTransformation to regex hash algos/values in Hashes field, if applicable -class HashesValuesTransformation(DetectionItemTransformation): - """Custom DetectionItemTransformation to take a list of values in the 'Hashes' field, which are expected to be - 'algo:hash_value', and create new SigmaDetectionItems for each hash type, where the values is a list of - SigmaString hashes. If the hash type is not part of the value, it will be inferred based on length. - - Use with field_name_condition for Hashes field""" - - def apply_detection_item(self, detection_item: SigmaDetectionItem) -> Optional[ - Union[SigmaDetection, SigmaDetectionItem]]: - to_return = [] - no_valid_hash_algo = True - algo_dict = defaultdict(list) # map to keep track of algos and lists of values - if not isinstance(detection_item.value, list): - detection_item.value = [detection_item.value] - for d in detection_item.value: - hash_value = d.to_plain().split("|") # sometimes if ALGO|VALUE - if len(hash_value) == 1: # and sometimes its ALGO=VALUE - hash_value = hash_value[0].split("=") - if len(hash_value) == 2: - hash_algo = hash_value[0].lstrip("*").upper() if hash_value[0].lstrip("*").upper() in ['MD5', 'SHA1', 'SHA256'] else "" - if hash_algo: - no_valid_hash_algo = False - hash_value = hash_value[1] - else: - hash_value = hash_value[0] - if len(hash_value) == 32: # MD5 - hash_algo = 'MD5' - no_valid_hash_algo = False - elif len(hash_value) == 40: # SHA1 - hash_algo = 'SHA1' - no_valid_hash_algo = False - elif len(hash_value) == 64: # SHA256 - hash_algo = "SHA256" - no_valid_hash_algo = False - else: # Invalid algo, no fieldname for keyword search - hash_algo = '' - algo_dict[hash_algo].append(hash_value) - if no_valid_hash_algo: - raise InvalidHashAlgorithmError( - "No valid hash algo found in Hashes field. Advanced Hunting Queries do not support the " - "IMPHASH field. Ensure the detection item has at least one MD5, SHA1, or SHA265 hash field/value" - ) - for k, v in algo_dict.items(): - if k: # Filter out invalid hash algo types - to_return.append(SigmaDetectionItem(field=k if k != 'keyword' else None, - modifiers=[], - value=[SigmaString(x) for x in v])) - return SigmaDetection(detection_items=to_return, item_linking=ConditionOR) - - -## Change ActionType value AFTER field transformations from Sysmon values to DeviceRegistryEvents values -class RegistryActionTypeValueTransformation(ValueTransformation): - """Custom ValueTransformation transformation. The Microsoft DeviceRegistryEvents table expect the ActionType to - be a slightly different set of values than what Sysmon specified, so this will change them to the correct value.""" - value_mappings = { # Sysmon EventType -> DeviceRegistyEvents ActionType - 'CreateKey': 'RegistryKeyCreated', - 'DeleteKey': ['RegistryKeyDeleted', 'RegistryValueDeleted'], - 'SetValue': 'RegistryValueSet', - 'RenameKey': ['RegistryValueSet', 'RegistryKeyCreated'], - } - - def apply_value(self, field: str, val: SigmaType) -> Optional[Union[SigmaType, Iterable[SigmaType]]]: - mapped_vals = self.value_mappings.get(val.to_plain(), val.to_plain()) - if isinstance(mapped_vals, list): - return [SigmaString(v) for v in mapped_vals] - return SigmaString(mapped_vals) - - -# Extract parent process name from ParentImage after applying ParentImage field mapping -class ParentImageValueTransformation(ValueTransformation): - """Custom ValueTransformation transformation. Unfortunately, none of the table schemas have - InitiatingProcessParentFolderPath like they do InitiatingProcessFolderPath. Due to this, we cannot directly map the - Sysmon `ParentImage` field to a table field. However, InitiatingProcessParentFileName is an available field in - nearly all tables, so we will extract the process name and use that instead. - - Use this transformation BEFORE mapping ParentImage to InitiatingProcessFileName - """ - - def apply_value(self, field: str, val: SigmaType) -> Optional[Union[SigmaType, Iterable[SigmaType]]]: - parent_process_name = str(val.to_plain().split("\\")[-1].split("/")[-1]) - return SigmaString(parent_process_name) - - -class InvalidFieldTransformation(DetectionItemFailureTransformation): - """ - Overrides the apply_detection_item() method from DetectionItemFailureTransformation to also include the field name - in the error message - """ - - def apply_detection_item(self, detection_item: SigmaDetectionItem) -> None: - field_name = detection_item.field - self.message = f"Invalid SigmaDetectionItem field name encountered: {field_name}. " + self.message - raise SigmaTransformationError(self.message) - - -class InvalidHashAlgorithmError(Exception): - pass - - - -# FIELD MAPPINGS -## Field mappings from Sysmon (where applicable) fields to Advanced Hunting Query fields based on schema in tables -## See: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#learn-the-schema-tables -query_table_field_mappings = { - 'DeviceProcessEvents': { # process_creation, Sysmon EventID 1 -> DeviceProcessEvents table - # ProcessGuid: ?, - 'ProcessId': 'ProcessId', - 'Image': 'FolderPath', - 'FileVersion': 'ProcessVersionInfoProductVersion', - 'Description': 'ProcessVersionInfoFileDescription', - 'Product': 'ProcessVersionInfoProductName', - 'Company': 'ProcessVersionInfoCompanyName', - 'OriginalFileName': 'ProcessVersionInfoOriginalFileName', - 'CommandLine': 'ProcessCommandLine', - # CurrentDirectory: ? - 'User': 'AccountName', - # LogonGuid: ? - 'LogonId': 'LogonId', - # TerminalSessionId: ? - 'IntegrityLevel': 'ProcessIntegrityLevel', - 'sha1': 'SHA1', - 'sha256': 'SHA256', - 'md5': 'MD5', - # 'ParentProcessGuid': ?, - 'ParentProcessId': 'InitiatingProcessId', - 'ParentImage': 'InitiatingProcessFolderPath', - 'ParentCommandLine': 'InitiatingProcessCommandLine', - 'ParentUser': 'InitiatingProcessAccountName', - }, - 'DeviceImageLoadEvents': { - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', # File path of the process that loaded the image - 'ImageLoaded': 'FolderPath', - 'FileVersion': 'InitiatingProcessVersionInfoProductVersion', - 'Description': 'InitiatingProcessVersionInfoFileDescription', - 'Product': 'InitiatingProcessVersionInfoProductName', - 'Company': 'InitiatingProcessVersionInfoCompanyName', - 'OriginalFileName': 'InitiatingProcessVersionInfoOriginalFileName', - # 'Hashes': ?, - 'sha1': 'SHA1', - 'sha256': 'SHA256', - 'md5': 'MD5', - # 'Signed': ? - # 'Signature': ? - # 'SignatureStatus': ? - 'User': 'InitiatingProcessAccountName' - }, - 'DeviceFileEvents': { # file_*, Sysmon EventID 11 (create), 23 (delete) -> DeviceFileEvents table - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', - 'TargetFilename': 'FolderPath', - # 'CreationUtcTime': 'Timestamp', - 'User': 'RequestAccountName', - # 'Hashes': ?, - 'sha1': 'SHA1', - 'sha256': 'SHA256', - 'md5': 'MD5', - }, - 'DeviceNetworkEvents': { # network_connection, Sysmon EventID 3 -> DeviceNetworkEvents table - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', - 'User': 'InitiatingProcessAccountName', - 'Protocol': 'Protocol', - # 'Initiated': ?, - # 'SourceIsIpv6': ?, - 'SourceIp': 'LocalIP', - 'SourceHostname': 'DeviceName', - 'SourcePort': 'LocalPort', - # 'SourcePortName': ?, - # 'DestinationIsIpv6': ?, - 'DestinationIp': 'RemoteIP', - 'DestinationHostname': 'RemoteUrl', - 'DestinationPort': 'RemotePort', - # 'DestinationPortName': ?, - }, - "DeviceRegistryEvents": { - # registry_*, Sysmon EventID 12 (create/delete), 13 (value set), 14 (key/value rename) -> DeviceRegistryEvents table, - 'EventType': 'ActionType', - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', - 'TargetObject': 'RegistryKey', - # 'NewName': ? - 'Details': 'RegistryValueData', - 'User': 'InitiatingProcessAccountName' - } -} - -## Generic catch-all field mappings for sysmon -> microsoft 365 defender fields that appear in most tables and -## haven't been mapped already -generic_field_mappings = { - 'EventType': 'ActionType', - 'User': 'InitiatingProcessAccountName', - 'CommandLine': 'InitiatingProcessCommandLine', - 'Image': 'InitiatingProcessFolderPath', - 'SourceImage': 'InitiatingProcessFolderPath', - 'ProcessId': 'InitiatingProcessId', - 'md5': 'InitiatingProcessMD5', - 'sha1': 'InitiatingProcessSHA1', - 'sha256': 'InitiatingProcessSHA256', - 'ParentProcessId': 'InitiatingProcessParentId', - 'ParentCommandLine': 'InitiatingProcessParentCommandLine', - 'Company': 'InitiatingProcessVersionInfoCompanyName', - 'Description': 'InitiatingProcessVersionInfoFileDescription', - 'OriginalFileName': 'InitiatingProcessVersionInfoOriginalFileName', - 'Product': 'InitiatingProcessVersionInfoProductName' -} - -# VALID FIELDS PER QUERY TABLE -## Will Implement field checking later once issue with removing fields is figured out, for now it fails the pipeline -## dict of {'table_name': [list, of, valid_fields]} for each table -valid_fields_per_table = { - 'DeviceProcessEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'FileName', 'FolderPath', 'SHA1', - 'SHA256', 'MD5', 'FileSize', 'ProcessVersionInfoCompanyName', - 'ProcessVersionInfoProductName', 'ProcessVersionInfoProductVersion', - 'ProcessVersionInfoInternalFileName', 'ProcessVersionInfoOriginalFileName', - 'ProcessVersionInfoFileDescription', 'ProcessId', 'ProcessCommandLine', - 'ProcessIntegrityLevel', 'ProcessTokenElevation', 'ProcessCreationTime', 'AccountDomain', - 'AccountName', 'AccountSid', 'AccountUpn', 'AccountObjectId', 'LogonId', - 'InitiatingProcessAccountDomain', 'InitiatingProcessAccountName', - 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', - 'InitiatingProcessAccountObjectId', 'InitiatingProcessLogonId', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', - 'InitiatingProcessSHA1', 'InitiatingProcessSHA256', 'InitiatingProcessMD5', - 'InitiatingProcessFileName', 'InitiatingProcessFileSize', - 'InitiatingProcessVersionInfoCompanyName', 'InitiatingProcessVersionInfoProductName', - 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentId', - 'InitiatingProcessParentFileName', 'InitiatingProcessParentCreationTime', - 'InitiatingProcessSignerType', 'InitiatingProcessSignatureStatus', 'ReportId', - 'AppGuardContainerId', 'AdditionalFields'], - 'DeviceImageLoadEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'FileName', 'FolderPath', 'SHA1', - 'SHA256', 'MD5', 'FileSize', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', - 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', - 'InitiatingProcessSHA1', 'InitiatingProcessSHA256', 'InitiatingProcessMD5', - 'InitiatingProcessFileName', 'InitiatingProcessFileSize', - 'InitiatingProcessVersionInfoCompanyName', 'InitiatingProcessVersionInfoProductName', - 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentId', - 'InitiatingProcessParentFileName', 'InitiatingProcessParentCreationTime', 'ReportId', - 'AppGuardContainerId'], - 'DeviceFileEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'FileName', 'FolderPath', 'SHA1', - 'SHA256', 'MD5', 'FileOriginUrl', 'FileOriginReferrerUrl', 'FileOriginIP', - 'PreviousFolderPath', 'PreviousFileName', 'FileSize', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', - 'InitiatingProcessAccountObjectId', 'InitiatingProcessMD5', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessFolderPath', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', - 'InitiatingProcessParentId', 'InitiatingProcessParentFileName', - 'InitiatingProcessParentCreationTime', 'RequestProtocol', 'RequestSourceIP', - 'RequestSourcePort', 'RequestAccountName', 'RequestAccountDomain', 'RequestAccountSid', - 'ShareName', 'InitiatingProcessFileSize', 'SensitivityLabel', 'SensitivitySubLabel', - 'IsAzureInfoProtectionApplied', 'ReportId', 'AppGuardContainerId', 'AdditionalFields'], - 'DeviceRegistryEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'RegistryKey', 'RegistryValueType', - 'RegistryValueName', 'RegistryValueData', 'PreviousRegistryKey', - 'PreviousRegistryValueName', 'PreviousRegistryValueData', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', - 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessMD5', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentId', - 'InitiatingProcessParentFileName', 'InitiatingProcessParentCreationTime', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', 'ReportId', - 'AppGuardContainerId'], - 'DeviceNetworkEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'RemoteIP', 'RemotePort', 'RemoteUrl', - 'LocalIP', 'LocalPort', 'Protocol', 'LocalIPType', 'RemoteIPType', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessMD5', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentFileName', - 'InitiatingProcessParentId', 'InitiatingProcessParentCreationTime', - 'InitiatingProcessAccountDomain', 'InitiatingProcessAccountName', - 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', - 'InitiatingProcessAccountObjectId', 'InitiatingProcessIntegrityLevel', - 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields']} - -# Mapping from ParentImage to InitiatingProcessParentFileName. Must be used alongside of ParentImageValueTransformation -parent_image_field_mapping = {'ParentImage': 'InitiatingProcessParentFileName'} - -# OTHER MAPPINGS -## useful for creating ProcessingItems() with list comprehension - -## Query Table names -> rule categories -table_to_category_mappings = { - 'DeviceProcessEvents': ['process_creation'], - 'DeviceImageLoadEvents': ['image_load'], - 'DeviceFileEvents': ['file_access', 'file_change', 'file_delete', 'file_event', 'file_rename'], - 'DeviceRegistryEvents': ['registry_add', 'registry_delete', 'registry_event', 'registry_set'], - 'DeviceNetworkEvents': ['network_connection'] -} - -## rule categories -> RuleConditions -category_to_conditions_mappings = { - 'process_creation': logsource_windows_process_creation(), - 'image_load': logsource_windows_image_load(), - 'file_access': logsource_windows_file_access(), - 'file_change': logsource_windows_file_change(), - 'file_delete': logsource_windows_file_delete(), - 'file_event': logsource_windows_file_event(), - 'file_rename': logsource_windows_file_rename(), - 'registry_add': logsource_windows_registry_add(), - 'registry_delete': logsource_windows_registry_delete(), - 'registry_event': logsource_windows_registry_event(), - 'registry_set': logsource_windows_registry_set(), - 'network_connection': logsource_windows_network_connection() -} - -# PROCESSING_ITEMS() -## ProcessingItems to set state key 'query_table' to use in backend -## i.e. $QueryTable$ | $rest_of_query$ -query_table_proc_items = [ - ProcessingItem( - identifier=f"microsoft_365_defender_set_query_table_{table_name}", - transformation=SetQueryTableStateTransformation(table_name), - rule_conditions=[ - category_to_conditions_mappings[rule_category] for rule_category in rule_categories - ], - rule_condition_linking=any, - ) - for table_name, rule_categories in table_to_category_mappings.items() -] - -## Fieldmappings -fieldmappings_proc_items = [ - ProcessingItem( - identifier=f"microsoft_365_defender_fieldmappings_{table_name}", - transformation=FieldMappingTransformation(query_table_field_mappings[table_name]), - rule_conditions=[ - category_to_conditions_mappings[rule_category] for rule_category in rule_categories - ], - rule_condition_linking=any, - ) - for table_name, rule_categories in table_to_category_mappings.items() -] - -## Generic Fielp Mappings, keep this last -## Exclude any fields already mapped. For example, if process_creation events ProcessId has already -## been mapped to the same field name (ProcessId), we don't to remap it to InitiatingProcessId -generic_field_mappings_proc_item = [ProcessingItem( - identifier="microsoft_365_defender_fieldmappings_generic", - transformation=FieldMappingTransformation( - generic_field_mappings - ), - detection_item_conditions=[ - DetectionItemProcessingItemAppliedCondition(f"microsoft_365_defender_fieldmappings_{table_name}") - for table_name in table_to_category_mappings.keys() - ], - detection_item_condition_linking=any, - detection_item_condition_negation=True, -) -] - -## Field Value Replacements ProcessingItems -replacement_proc_items = [ - # Sysmon uses abbreviations in RegistryKey values, replace with full key names as the DeviceRegistryEvents schema - # expects them to be - # Note: Ensure this comes AFTER field mapping renames, as we're specifying DeviceRegistryEvent fields - # - # Do this one first, or else the HKLM only one will replace HKLM and mess up the regex - ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_currentcontrolset", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM\\SYSTEM\\CurrentControlSet)", - replacement=r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] - ), - ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hklm", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM)", - replacement=r"HKEY_LOCAL_MACHINE"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] - ), - ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hku", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKU)", - replacement=r"HKEY_USERS"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] - ), - ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hkcr", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKCR)", - replacement=r"HKEY_LOCAL_MACHINE\\CLASSES"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] - ), - ProcessingItem( - identifier="microsoft_365_defender_registry_actiontype_value", - transformation=RegistryActionTypeValueTransformation(), - field_name_conditions=[IncludeFieldCondition(['ActionType'])] - ), - # Extract Domain from Username fields - ProcessingItem( - identifier="microsoft_365_defender_domain_username_extract", - transformation=SplitDomainUserTransformation(), - field_name_conditions=[IncludeFieldCondition(["AccountName", "InitiatingProcessAccountName"])] - ), - ProcessingItem( - identifier="microsoft_365_defender_hashes_field_values", - transformation=HashesValuesTransformation(), - field_name_conditions=[IncludeFieldCondition(['Hashes'])] - ), - # Processing item to essentially ignore initiated field - ProcessingItem( - identifier="microsoft_365_defender_network_initiated_field", - transformation=DropDetectionItemTransformation(), - field_name_conditions=[IncludeFieldCondition(['Initiated'])], - rule_conditions=[LogsourceCondition(category='network_connection')], - ) -] - -# ParentImage -> InitiatingProcessParentFileName -parent_image_proc_items = [ - # First apply fieldmapping from ParentImage to InitiatingProcessParentFileName for non process-creation rules - ProcessingItem( - identifier="microsoft_365_defender_parent_image_fieldmapping", - transformation=FieldMappingTransformation(parent_image_field_mapping), - rule_conditions=[ - # Exclude process_creation events, there's direct field mapping in this schema table - LogsourceCondition(category='process_creation') - ], - rule_condition_negation=True - ), - # Second, extract the parent process name from the full path - ProcessingItem( - identifier="microsoft_365_defender_parent_image_name_value", - transformation=ParentImageValueTransformation(), - field_name_conditions=[ - IncludeFieldCondition(["InitiatingProcessParentFileName"]), - ], - rule_conditions=[ - # Exclude process_creation events, there's direct field mapping in this schema table - LogsourceCondition(category='process_creation') - ], - rule_condition_negation=True - ) - -] - -## Exceptions/Errors ProcessingItems -rule_error_proc_items = [ - # Category Not Supported - ProcessingItem( - identifier="microsoft_365_defender_unsupported_rule_category", - rule_condition_linking=any, - transformation=RuleFailureTransformation( - "Rule category not yet supported by the Microsoft 365 Defender Sigma backend." - ), - rule_condition_negation=True, - rule_conditions=[x for x in category_to_conditions_mappings.values()], - )] - -field_error_proc_items = [ - # Invalid fields per category - ProcessingItem( - identifier=f"microsoft_365_defender_unsupported_fields_{table_name}", - transformation=InvalidFieldTransformation( - f"Please use valid fields for the {table_name} table, or the following fields that have keymappings in this " - f"pipeline:\n" - # Combine field mappings for table and generic field mappings dicts, get the unique keys, add the Hashes field, sort it - f"{', '.join(sorted(set({**query_table_field_mappings[table_name], **generic_field_mappings}.keys()).union({'Hashes'})))}" - ), - field_name_conditions=[ - ExcludeFieldCondition(fields=table_fields + list(generic_field_mappings.keys()) + ['Hashes'])], - rule_conditions=[ - category_to_conditions_mappings[rule_category] - for rule_category in table_to_category_mappings[table_name] - ], - rule_condition_linking=any, - ) - for table_name, table_fields in valid_fields_per_table.items() -] - - -def microsoft_365_defender_pipeline(transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None) -> ProcessingPipeline: - """Pipeline for transformations for SigmaRules to use in the Microsoft 365 Defender Backend - Field mappings based on documentation found here: - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide - - :param query_table: If specified, the table name will be used in the finalizer, otherwise the table name will be selected based on the category of the rule. - :type query_table: Optional[str] - :param transform_parent_image: If True, the ParentImage field will be mapped to InitiatingProcessParentFileName, and - the parent process name in the ParentImage will be extracted and used. This is because the Microsoft 365 Defender - table schema does not contain a InitiatingProcessParentFolderPath field like it does for InitiatingProcessFolderPath. - i.e. ParentImage: C:\\Windows\\System32\\whoami.exe -> InitiatingProcessParentFileName: whoami.exe. - Defaults to True - :type transform_parent_image: Optional[bool] - - :return: ProcessingPipeline for Microsoft 365 Defender Backend - :rtype: ProcessingPipeline - """ - - pipeline_items = [ - *query_table_proc_items, - *fieldmappings_proc_items, - *generic_field_mappings_proc_item, - *replacement_proc_items, - *rule_error_proc_items, - *field_error_proc_items, - ] - - if transform_parent_image: - pipeline_items[4:4] = parent_image_proc_items - - return ProcessingPipeline( - name="Generic Log Sources to Windows 365 Defender Transformation", - priority=10, - items=pipeline_items, - allowed_backends=frozenset(["kusto"]), - finalizers=[Microsoft365DefenderTableFinalizer(table_names=query_table)] - ) +def microsoft_365_defender_pipeline( + transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None +) -> ProcessingPipeline: + """DEPRECATED: Use microsoft_xdr_pipeline instead.""" + return microsoft_xdr_pipeline(transform_parent_image, query_table) diff --git a/sigma/pipelines/microsoft365defender/transformations.py b/sigma/pipelines/microsoft365defender/transformations.py deleted file mode 100644 index 9b8f779..0000000 --- a/sigma/pipelines/microsoft365defender/transformations.py +++ /dev/null @@ -1,14 +0,0 @@ -from sigma.processing.transformations import Transformation -from dataclasses import dataclass -from typing import Any - - -@dataclass -class SetQueryTableStateTransformation(Transformation): - """Appends rule query table to pipeline state query_table key""" - - val: Any = None - - def apply(self, pipeline: "sigma.processing.pipeline.Proces", rule: "sigma.rule.SigmaRule") -> None: - super().apply(pipeline, rule) - pipeline.state['query_table'] = pipeline.state.get('query_table', []) + [self.val] diff --git a/sigma/pipelines/microsoftxdr/__init__.py b/sigma/pipelines/microsoftxdr/__init__.py new file mode 100644 index 0000000..5167ab3 --- /dev/null +++ b/sigma/pipelines/microsoftxdr/__init__.py @@ -0,0 +1,5 @@ +from .microsoftxdr import microsoft_xdr_pipeline + +pipelines = { + "microsoft_xdr_pipeline": microsoft_xdr_pipeline, +} diff --git a/sigma/pipelines/microsoftxdr/mappings.py b/sigma/pipelines/microsoftxdr/mappings.py new file mode 100644 index 0000000..ed1d6a3 --- /dev/null +++ b/sigma/pipelines/microsoftxdr/mappings.py @@ -0,0 +1,159 @@ +from sigma.pipelines.common import ( + logsource_windows_file_access, + logsource_windows_file_change, + logsource_windows_file_delete, + logsource_windows_file_event, + logsource_windows_file_rename, + logsource_windows_image_load, + logsource_windows_network_connection, + logsource_windows_process_creation, + logsource_windows_registry_add, + logsource_windows_registry_delete, + logsource_windows_registry_event, + logsource_windows_registry_set, +) +from sigma.pipelines.kusto_common.schema import FieldMappings + +## Rule Categories -> Query Table Names +CATEGORY_TO_TABLE_MAPPINGS = { + "process_creation": "DeviceProcessEvents", + "image_load": "DeviceImageLoadEvents", + "file_access": "DeviceFileEvents", + "file_change": "DeviceFileEvents", + "file_delete": "DeviceFileEvents", + "file_event": "DeviceFileEvents", + "file_rename": "DeviceFileEvents", + "registry_add": "DeviceRegistryEvents", + "registry_delete": "DeviceRegistryEvents", + "registry_event": "DeviceRegistryEvents", + "registry_set": "DeviceRegistryEvents", + "network_connection": "DeviceNetworkEvents", +} + +## Rule Categories -> RuleConditions +CATEGORY_TO_CONDITIONS_MAPPINGS = { + "process_creation": logsource_windows_process_creation(), + "image_load": logsource_windows_image_load(), + "file_access": logsource_windows_file_access(), + "file_change": logsource_windows_file_change(), + "file_delete": logsource_windows_file_delete(), + "file_event": logsource_windows_file_event(), + "file_rename": logsource_windows_file_rename(), + "registry_add": logsource_windows_registry_add(), + "registry_delete": logsource_windows_registry_delete(), + "registry_event": logsource_windows_registry_event(), + "registry_set": logsource_windows_registry_set(), + "network_connection": logsource_windows_network_connection(), +} + + +class MicrosoftXDRFieldMappings(FieldMappings): + pass + + +MICROSOFT_XDR_FIELD_MAPPINGS = MicrosoftXDRFieldMappings( + table_mappings={ + "DeviceProcessEvents": { # process_creation, Sysmon EventID 1 -> DeviceProcessEvents table + # ProcessGuid: ?, + "ProcessId": "ProcessId", + "Image": "FolderPath", + "FileVersion": "ProcessVersionInfoProductVersion", + "Description": "ProcessVersionInfoFileDescription", + "Product": "ProcessVersionInfoProductName", + "Company": "ProcessVersionInfoCompanyName", + "OriginalFileName": "ProcessVersionInfoOriginalFileName", + "CommandLine": "ProcessCommandLine", + # CurrentDirectory: ? + "User": "AccountName", + # LogonGuid: ? + "LogonId": "LogonId", + # TerminalSessionId: ? + "IntegrityLevel": "ProcessIntegrityLevel", + "sha1": "SHA1", + "sha256": "SHA256", + "md5": "MD5", + # 'ParentProcessGuid': ?, + "ParentProcessId": "InitiatingProcessId", + "ParentImage": "InitiatingProcessFolderPath", + "ParentCommandLine": "InitiatingProcessCommandLine", + "ParentUser": "InitiatingProcessAccountName", + }, + "DeviceImageLoadEvents": { + # 'ProcessGuid': ?, + "ProcessId": "InitiatingProcessId", + "Image": "InitiatingProcessFolderPath", # File path of the process that loaded the image + "ImageLoaded": "FolderPath", + "FileVersion": "InitiatingProcessVersionInfoProductVersion", + "Description": "InitiatingProcessVersionInfoFileDescription", + "Product": "InitiatingProcessVersionInfoProductName", + "Company": "InitiatingProcessVersionInfoCompanyName", + "OriginalFileName": "InitiatingProcessVersionInfoOriginalFileName", + # 'Hashes': ?, + "sha1": "SHA1", + "sha256": "SHA256", + "md5": "MD5", + # 'Signed': ? + # 'Signature': ? + # 'SignatureStatus': ? + "User": "InitiatingProcessAccountName", + }, + "DeviceFileEvents": { # file_*, Sysmon EventID 11 (create), 23 (delete) -> DeviceFileEvents table + # 'ProcessGuid': ?, + "ProcessId": "InitiatingProcessId", + "Image": "InitiatingProcessFolderPath", + "TargetFilename": "FolderPath", + # 'CreationUtcTime': 'Timestamp', + "User": "RequestAccountName", + # 'Hashes': ?, + "sha1": "SHA1", + "sha256": "SHA256", + "md5": "MD5", + }, + "DeviceNetworkEvents": { # network_connection, Sysmon EventID 3 -> DeviceNetworkEvents table + # 'ProcessGuid': ?, + "ProcessId": "InitiatingProcessId", + "Image": "InitiatingProcessFolderPath", + "User": "InitiatingProcessAccountName", + "Protocol": "Protocol", + # 'Initiated': ?, + # 'SourceIsIpv6': ?, + "SourceIp": "LocalIP", + "SourceHostname": "DeviceName", + "SourcePort": "LocalPort", + # 'SourcePortName': ?, + # 'DestinationIsIpv6': ?, + "DestinationIp": "RemoteIP", + "DestinationHostname": "RemoteUrl", + "DestinationPort": "RemotePort", + # 'DestinationPortName': ?, + }, + "DeviceRegistryEvents": { + # registry_*, Sysmon EventID 12 (create/delete), 13 (value set), 14 (key/value rename) -> DeviceRegistryEvents table, + "EventType": "ActionType", + # 'ProcessGuid': ?, + "ProcessId": "InitiatingProcessId", + "Image": "InitiatingProcessFolderPath", + "TargetObject": "RegistryKey", + # 'NewName': ? + "Details": "RegistryValueData", + "User": "InitiatingProcessAccountName", + }, + }, + generic_mappings={ + "EventType": "ActionType", + "User": "InitiatingProcessAccountName", + "CommandLine": "InitiatingProcessCommandLine", + "Image": "InitiatingProcessFolderPath", + "SourceImage": "InitiatingProcessFolderPath", + "ProcessId": "InitiatingProcessId", + "md5": "InitiatingProcessMD5", + "sha1": "InitiatingProcessSHA1", + "sha256": "InitiatingProcessSHA256", + "ParentProcessId": "InitiatingProcessParentId", + "ParentCommandLine": "InitiatingProcessParentCommandLine", + "Company": "InitiatingProcessVersionInfoCompanyName", + "Description": "InitiatingProcessVersionInfoFileDescription", + "OriginalFileName": "InitiatingProcessVersionInfoOriginalFileName", + "Product": "InitiatingProcessVersionInfoProductName", + }, +) diff --git a/sigma/pipelines/microsoftxdr/microsoftxdr.py b/sigma/pipelines/microsoftxdr/microsoftxdr.py new file mode 100644 index 0000000..d96665f --- /dev/null +++ b/sigma/pipelines/microsoftxdr/microsoftxdr.py @@ -0,0 +1,257 @@ +from typing import Optional + +from sigma.processing.conditions import ( + DetectionItemProcessingItemAppliedCondition, + ExcludeFieldCondition, + IncludeFieldCondition, + LogsourceCondition, + RuleProcessingItemAppliedCondition, + RuleProcessingStateCondition, +) +from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline +from sigma.processing.transformations import ( + DropDetectionItemTransformation, + FieldMappingTransformation, + ReplaceStringTransformation, + RuleFailureTransformation, +) + +from ..kusto_common.errors import InvalidFieldTransformation +from ..kusto_common.finalization import QueryTableFinalizer +from ..kusto_common.schema import create_schema +from ..kusto_common.transformations import ( + DynamicFieldMappingTransformation, + GenericFieldMappingTransformation, + RegistryActionTypeValueTransformation, + SetQueryTableStateTransformation, +) +from .mappings import ( + CATEGORY_TO_TABLE_MAPPINGS, + MICROSOFT_XDR_FIELD_MAPPINGS, +) +from .schema import MicrosoftXDRSchema +from .tables import MICROSOFT_XDR_TABLES +from .transformations import ( + ParentImageValueTransformation, + SplitDomainUserTransformation, + XDRHashesValuesTransformation, +) + +MICROSOFT_XDR_SCHEMA = create_schema(MicrosoftXDRSchema, MICROSOFT_XDR_TABLES) + +# Mapping from ParentImage to InitiatingProcessParentFileName. Must be used alongside of ParentImageValueTransformation +parent_image_field_mapping = {"ParentImage": "InitiatingProcessParentFileName"} + + +## Fieldmappings +fieldmappings_proc_item = ProcessingItem( + identifier="microsoft_xdr_table_fieldmappings", + transformation=DynamicFieldMappingTransformation(MICROSOFT_XDR_FIELD_MAPPINGS), +) + +## Generic Field Mappings, keep this last +## Exclude any fields already mapped, e.g. if a table mapping has been applied. +# This will fix the case where ProcessId is usually mapped to InitiatingProcessId, EXCEPT for the DeviceProcessEvent table where it stays as ProcessId. +# So we can map ProcessId to ProcessId in the DeviceProcessEvents table mapping, and prevent the generic mapping to InitiatingProcessId from being applied +# by adding a detection item condition that the table field mappings have been applied + +generic_field_mappings_proc_item = ProcessingItem( + identifier="microsoft_xdr_generic_fieldmappings", + transformation=GenericFieldMappingTransformation(MICROSOFT_XDR_FIELD_MAPPINGS), + detection_item_conditions=[DetectionItemProcessingItemAppliedCondition("microsoft_xdr_table_fieldmappings")], + detection_item_condition_linking=any, + detection_item_condition_negation=True, +) + + +## Field Value Replacements ProcessingItems +replacement_proc_items = [ + # Sysmon uses abbreviations in RegistryKey values, replace with full key names as the DeviceRegistryEvents schema + # expects them to be + # Note: Ensure this comes AFTER field mapping renames, as we're specifying DeviceRegistryEvent fields + # + # Do this one first, or else the HKLM only one will replace HKLM and mess up the regex + ProcessingItem( + identifier="microsoft_xdr_registry_key_replace_currentcontrolset", + transformation=ReplaceStringTransformation( + regex=r"(?i)(^HKLM\\SYSTEM\\CurrentControlSet)", + replacement=r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001", + ), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "PreviousRegistryKey"])], + ), + ProcessingItem( + identifier="microsoft_xdr_registry_key_replace_hklm", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM)", replacement=r"HKEY_LOCAL_MACHINE"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "PreviousRegistryKey"])], + ), + ProcessingItem( + identifier="microsoft_xdr_registry_key_replace_hku", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKU)", replacement=r"HKEY_USERS"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "PreviousRegistryKey"])], + ), + ProcessingItem( + identifier="microsoft_xdr_registry_key_replace_hkcr", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKCR)", replacement=r"HKEY_LOCAL_MACHINE\\CLASSES"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "PreviousRegistryKey"])], + ), + ProcessingItem( + identifier="microsoft_xdr_registry_actiontype_value", + transformation=RegistryActionTypeValueTransformation(), + field_name_conditions=[IncludeFieldCondition(["ActionType"])], + ), + # Extract Domain from Username fields + ProcessingItem( + identifier="microsoft_xdr_domain_username_extract", + transformation=SplitDomainUserTransformation(), + field_name_conditions=[IncludeFieldCondition(["AccountName", "InitiatingProcessAccountName"])], + ), + ProcessingItem( + identifier="microsoft_xdr_hashes_field_values", + transformation=XDRHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["Hashes"])], + ), + # Processing item to essentially ignore initiated field + ProcessingItem( + identifier="microsoft_xdr_network_initiated_field", + transformation=DropDetectionItemTransformation(), + field_name_conditions=[IncludeFieldCondition(["Initiated"])], + rule_conditions=[LogsourceCondition(category="network_connection")], + ), +] + +# ParentImage -> InitiatingProcessParentFileName +parent_image_proc_items = [ + # First apply fieldmapping from ParentImage to InitiatingProcessParentFileName for non process-creation rules + ProcessingItem( + identifier="microsoft_xdr_parent_image_fieldmapping", + transformation=FieldMappingTransformation(parent_image_field_mapping), + rule_conditions=[ + # Exclude process_creation events, there's direct field mapping in this schema table + LogsourceCondition(category="process_creation") + ], + rule_condition_negation=True, + ), + # Second, extract the parent process name from the full path + ProcessingItem( + identifier="microsoft_xdr_parent_image_name_value", + transformation=ParentImageValueTransformation(), + field_name_conditions=[ + IncludeFieldCondition(["InitiatingProcessParentFileName"]), + ], + rule_conditions=[ + # Exclude process_creation events, there's direct field mapping in this schema table + LogsourceCondition(category="process_creation") + ], + rule_condition_negation=True, + ), +] + +# Exceptions/Errors ProcessingItems +# Catch-all for when the query table is not set, meaning the rule could not be mapped to a table or the table name was not set +rule_error_proc_items = [ + # Category Not Supported or Query Table Not Set + ProcessingItem( + identifier="microsoft_xdr_unsupported_rule_category_or_missing_query_table", + transformation=RuleFailureTransformation( + "Rule category not yet supported by the Microsoft XDR pipeline or query_table is not set." + ), + rule_conditions=[ + RuleProcessingItemAppliedCondition("microsoft_xdr_set_query_table"), + RuleProcessingStateCondition("query_table", None), + ], + rule_condition_linking=all, + ) +] + + +def get_valid_fields(table_name): + return ( + list(MICROSOFT_XDR_SCHEMA.tables[table_name].fields.keys()) + + list(MICROSOFT_XDR_FIELD_MAPPINGS.table_mappings.get(table_name, {}).keys()) + + list(MICROSOFT_XDR_FIELD_MAPPINGS.generic_mappings.keys()) + + ["Hashes"] + ) + + +field_error_proc_items = [] + +for table_name in MICROSOFT_XDR_SCHEMA.tables.keys(): + valid_fields = get_valid_fields(table_name) + + field_error_proc_items.append( + ProcessingItem( + identifier=f"microsoft_xdr_unsupported_fields_{table_name}", + transformation=InvalidFieldTransformation( + f"Please use valid fields for the {table_name} table, or the following fields that have keymappings in this " + f"pipeline:\n{', '.join(sorted(set(valid_fields)))}" + ), + field_name_conditions=[ExcludeFieldCondition(fields=valid_fields)], + rule_conditions=[ + RuleProcessingItemAppliedCondition("microsoft_xdr_set_query_table"), + RuleProcessingStateCondition("query_table", table_name), + ], + rule_condition_linking=all, + ) + ) + +# Add a catch-all error for custom table names +field_error_proc_items.append( + ProcessingItem( + identifier="microsoft_xdr_unsupported_fields_custom", + transformation=InvalidFieldTransformation( + "Invalid field name for the custom table. Please ensure you're using valid fields for your custom table." + ), + field_name_conditions=[ + ExcludeFieldCondition(fields=list(MICROSOFT_XDR_FIELD_MAPPINGS.generic_mappings.keys()) + ["Hashes"]) + ], + rule_conditions=[ + RuleProcessingItemAppliedCondition("microsoft_xdr_set_query_table"), + RuleProcessingStateCondition("query_table", None), + ], + rule_condition_linking=all, + ) +) + + +def microsoft_xdr_pipeline( + transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None +) -> ProcessingPipeline: + """Pipeline for transformations for SigmaRules to use in the Kusto Query Language backend. + Field mappings based on documentation found here: + https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide + + :param query_table: If specified, the table name will be used in the finalizer, otherwise the table name will be selected based on the category of the rule. + :type query_table: Optional[str] + :param transform_parent_image: If True, the ParentImage field will be mapped to InitiatingProcessParentFileName, and + the parent process name in the ParentImage will be extracted and used. This is because the Microsoft 365 Defender + table schema does not contain a InitiatingProcessParentFolderPath field like it does for InitiatingProcessFolderPath. + i.e. ParentImage: C:\\Windows\\System32\\whoami.exe -> InitiatingProcessParentFileName: whoami.exe. + Defaults to True + :type transform_parent_image: Optional[bool] + + :return: ProcessingPipeline for Microsoft 365 Defender Backend + :rtype: ProcessingPipeline + """ + + pipeline_items = [ + ProcessingItem( + identifier="microsoft_xdr_set_query_table", + transformation=SetQueryTableStateTransformation(query_table, CATEGORY_TO_TABLE_MAPPINGS), + ), + fieldmappings_proc_item, + generic_field_mappings_proc_item, + *replacement_proc_items, + *rule_error_proc_items, + *field_error_proc_items, + ] + + if transform_parent_image: + pipeline_items[4:4] = parent_image_proc_items + + return ProcessingPipeline( + name="Generic Log Sources to Windows XDR tables and fields", + priority=10, + items=pipeline_items, + allowed_backends=frozenset(["kusto"]), + finalizers=[QueryTableFinalizer()], + ) diff --git a/sigma/pipelines/microsoftxdr/schema.py b/sigma/pipelines/microsoftxdr/schema.py new file mode 100644 index 0000000..7834b78 --- /dev/null +++ b/sigma/pipelines/microsoftxdr/schema.py @@ -0,0 +1,13 @@ +from dataclasses import dataclass + +from sigma.pipelines.kusto_common.schema import BaseSchema, FieldMappings + + +@dataclass +class MicrosoftXDRSchema(BaseSchema): + pass + + +@dataclass +class MicrosoftXDRFieldMappings(FieldMappings): + pass diff --git a/sigma/pipelines/microsoft365defender/tables.py b/sigma/pipelines/microsoftxdr/tables.py similarity index 99% rename from sigma/pipelines/microsoft365defender/tables.py rename to sigma/pipelines/microsoftxdr/tables.py index bf331ce..be4b362 100644 --- a/sigma/pipelines/microsoft365defender/tables.py +++ b/sigma/pipelines/microsoftxdr/tables.py @@ -1,7 +1,7 @@ # This file is auto-generated. Do not edit manually. # Last updated: 2024-09-12 19:59:53 UTC -MICROSOFT365DEFENDER_TABLES = { +MICROSOFT_XDR_TABLES = { "AADSignInEventsBeta": { "Timestamp": {"data_type": "datetime", "description": 'Date and time when the record was generated'}, "Application": {"data_type": "string", "description": 'Application that performed the recorded action'}, diff --git a/sigma/pipelines/microsoftxdr/transformations.py b/sigma/pipelines/microsoftxdr/transformations.py new file mode 100644 index 0000000..8a13ee5 --- /dev/null +++ b/sigma/pipelines/microsoftxdr/transformations.py @@ -0,0 +1,85 @@ +from typing import Iterable, Optional, Union + +from sigma.processing.transformations import ( + DetectionItemTransformation, + ValueTransformation, +) +from sigma.rule import SigmaDetection, SigmaDetectionItem, SigmaString +from sigma.types import SigmaType + +from ..kusto_common.transformations import BaseHashesValuesTransformation + + +## Custom DetectionItemTransformation to split domain and user, if applicable +class SplitDomainUserTransformation(DetectionItemTransformation): + """Custom DetectionItemTransformation transformation to split a User field into separate domain and user fields, + if applicable. This is to handle the case where the Sysmon `User` field may contain a domain AND username, and + Advanced Hunting queries separate out the domain and username into separate fields. + If a matching field_name_condition field uses the schema DOMAIN\\USER, a new SigmaDetectionItem + will be made for the Domain and put inside a SigmaDetection with the original User SigmaDetectionItem + (minus the domain) for the matching SigmaDetectionItem. + + You should use this with a field_name_condition for `IncludeFieldName(['field', 'names', 'for', 'username']`)""" + + def apply_detection_item( + self, detection_item: SigmaDetectionItem + ) -> Optional[Union[SigmaDetection, SigmaDetectionItem]]: + to_return = [] + if not isinstance(detection_item.value, list): # Ensure its a list, but it most likely will be + detection_item.value = list(detection_item.value) + for d in detection_item.value: + username = d.to_plain().split("\\") + username_field_mappings = { + "AccountName": "AccountDomain", + "RequestAccountName": "RequestAccountDomain", + "InitiatingProcessAccountName": "InitiatingProcessAccountDomain", + } + if len(username) == 2: + domain = username[0] + username = [SigmaString(username[1])] + + domain_field = username_field_mappings.get(detection_item.field, "InitiatingProcessAccountDomain") + domain_value = [SigmaString(domain)] + user_detection_item = SigmaDetectionItem( + field=detection_item.field, + modifiers=[], + value=username, + ) + domain_detection_item = SigmaDetectionItem(field=domain_field, modifiers=[], value=domain_value) + to_return.append(SigmaDetection(detection_items=[user_detection_item, domain_detection_item])) + else: + + to_return.append( + SigmaDetection( + [ + SigmaDetectionItem( + field=detection_item.field, modifiers=detection_item.modifiers, value=username + ) + ] + ) + ) + return SigmaDetection(to_return) + + +# Extract parent process name from ParentImage after applying ParentImage field mapping +class ParentImageValueTransformation(ValueTransformation): + """Custom ValueTransformation transformation. Unfortunately, none of the table schemas have + InitiatingProcessParentFolderPath like they do InitiatingProcessFolderPath. Due to this, we cannot directly map the + Sysmon `ParentImage` field to a table field. However, InitiatingProcessParentFileName is an available field in + nearly all tables, so we will extract the process name and use that instead. + + Use this transformation BEFORE mapping ParentImage to InitiatingProcessFileName + """ + + def apply_value(self, field: str, val: SigmaType) -> Optional[Union[SigmaType, Iterable[SigmaType]]]: + parent_process_name = str(val.to_plain().split("\\")[-1].split("/")[-1]) + return SigmaString(parent_process_name) + + +class XDRHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the Hashes field in XDR Tables to create fields for each hash algorithm. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256"], field_prefix="") diff --git a/sigma/pipelines/sentinelasim/mappings.py b/sigma/pipelines/sentinelasim/mappings.py new file mode 100644 index 0000000..983429a --- /dev/null +++ b/sigma/pipelines/sentinelasim/mappings.py @@ -0,0 +1,354 @@ +from sigma.pipelines.common import ( + logsource_windows_file_access, + logsource_windows_file_change, + logsource_windows_file_delete, + logsource_windows_file_event, + logsource_windows_file_rename, + logsource_windows_network_connection, + logsource_windows_process_creation, + logsource_windows_registry_add, + logsource_windows_registry_delete, + logsource_windows_registry_event, + logsource_windows_registry_set, +) +from sigma.pipelines.kusto_common.schema import FieldMappings + +# from .schema import MicrosoftXDRFieldMappings +from .tables import SENTINEL_ASIM_TABLES + +# Get table names from the tables.py file +table_names = list(SENTINEL_ASIM_TABLES.keys()) + + +# Rule Categories -> Query Table Names +# Use the table names from the tables.py file by looking for relevant terms in the table names +CATEGORY_TO_TABLE_MAPPINGS = { + "process_creation": next((table for table in table_names if "process" in table.lower()), "imProcessCreate"), + # "image_load": next((table for table in table_names if 'image' in table.lower()), None), + "file_access": next((table for table in table_names if "file" in table.lower()), "imFileEvent"), + "file_change": next((table for table in table_names if "file" in table.lower()), "imFileEvent"), + "file_delete": next((table for table in table_names if "file" in table.lower()), "imFileEvent"), + "file_event": next((table for table in table_names if "file" in table.lower()), "imFileEvent"), + "file_rename": next((table for table in table_names if "file" in table.lower()), "imFileEvent"), + "registry_add": next((table for table in table_names if "registry" in table.lower()), "imRegistry"), + "registry_delete": next((table for table in table_names if "registry" in table.lower()), "imRegistry"), + "registry_event": next((table for table in table_names if "registry" in table.lower()), "imRegistry"), + "registry_set": next((table for table in table_names if "registry" in table.lower()), "imRegistry"), + "network_connection": next((table for table in table_names if "network" in table.lower()), "imNetworkSession"), + "proxy": next((table for table in table_names if "web" in table.lower()), "imWebSession"), + "webserver": next((table for table in table_names if "web" in table.lower()), "imWebSession"), +} + +## Rule Categories -> RuleConditions +CATEGORY_TO_CONDITIONS_MAPPINGS = { + "process_creation": logsource_windows_process_creation(), + # "image_load": logsource_windows_image_load(), + "file_access": logsource_windows_file_access(), + "file_change": logsource_windows_file_change(), + "file_delete": logsource_windows_file_delete(), + "file_event": logsource_windows_file_event(), + "file_rename": logsource_windows_file_rename(), + "registry_add": logsource_windows_registry_add(), + "registry_delete": logsource_windows_registry_delete(), + "registry_event": logsource_windows_registry_event(), + "registry_set": logsource_windows_registry_set(), + "network_connection": logsource_windows_network_connection(), +} + + +class SentinelASIMFieldMappings(FieldMappings): + pass + + +SENTINEL_ASIM_FIELD_MAPPINGS = SentinelASIMFieldMappings( + table_mappings={ + "imAuditEvent": { + "CommandLine": "Operation", + "User": "ActorUsername", + "TargetFilename": "Object", + "Image": "ActingAppName", + "SourceIP": "SrcIpAddr", + "DestinationIP": "TargetIpAddr", + "DestinationHostname": "TargetHostname", + "EventType": "EventType", + "TargetObject": "Object", + "NewValue": "NewValue", + "OldValue": "OldValue", + "type": "ObjectType", + "SourceHostname": "SrcHostname", + "TargetUsername": "TargetUsername", + "ProcessName": "ActingAppName", + "ProcessId": "ActingAppId", + "LogonId": "ActorSessionId", + "TargetLogonId": "TargetSessionId", + "SubjectUserName": "ActorUsername", + "ObjectName": "Object", + "ObjectType": "ObjectType", + "NewProcessName": "ActingAppName", + "Status": "EventResultDetails", + "IpAddress": ["SrcIpAddr", "TargetIpAddr"], + "SourcePort": "SrcPortNumber", + "DestinationPort": "TargetPortNumber", + "Protocol": "LogonProtocol", + }, + "imAuthentication": { + "User": ["ActorUsername", "TargetUsername"], # Alias field, can map to either + "SourceHostname": "SrcHostname", + "DestinationHostname": "TargetHostname", + "SourceIP": "SrcIpAddr", + "DestinationIP": "TargetIpAddr", + "SourcePort": "SrcPortNumber", + "DestinationPort": "TargetPortNumber", + "Status": "EventResultDetails", + "IpAddress": ["SrcIpAddr", "TargetIpAddr"], # Can map to either source or target IP + "SubjectUserName": "ActorUsername", + "WorkstationName": "SrcHostname", # This is an approximation + "ComputerName": ["SrcHostname", "TargetHostname"], # Can map to either source or target hostname + "AuthenticationPackageName": "LogonProtocol", + "LogonProcessName": "LogonMethod", + "TargetUserSid": "TargetUserId", + "TargetDomainName": "TargetDomain", + "TargetOutboundDomainName": "TargetDomain", + "ElevatedToken": "EventType", # This could map to "Elevate" in EventType + "TargetUserPrincipalName": "TargetUsername", # This is an approximation + "SubjectDomainName": "ActorScope", + "SubjectUserSid": "ActorUserId", + "SubjectLogonId": "ActorSessionId", + "IpPort": ["SrcPortNumber", "TargetPortNumber"], # Can map to either source or target port + "LmPackageName": "LogonProtocol", # This is an approximation + "userAgent": "HttpUserAgent", + # Common fields with specific relevance to this table + "DvcHostname": ["SrcHostname", "TargetHostname"], # Can map to either source or target hostname + "DvcIpAddr": ["SrcIpAddr", "TargetIpAddr"], # Can map to either source or target IP + "DvcDomain": ["SrcDomain", "TargetDomain"], # Can map to either source or target domain + "DvcDomainType": ["SrcDomainType", "TargetDomainType"], # Can map to either source or target domain type + "DvcFQDN": ["SrcFQDN", "TargetFQDN"], # Can map to either source or target FQDN + "DvcId": ["SrcDvcId", "TargetDvcId"], # Can map to either source or target device ID + "DvcIdType": ["SrcDvcIdType", "TargetDvcIdType"], # Can map to either source or target device ID type + "DvcDescription": ["SrcDescription", "TargetDescription"], # Can map to either source or target description + "DvcOs": ["SrcDvcOs", "TargetDvcOs"], # Can map to either source or target OS + }, + "_Im_Dns": { + "SourceIP": "SrcIpAddr", + "DestinationIP": "DstIpAddr", + "SourceHostname": "SrcHostname", + "DestinationHostname": "DstHostname", + "SourcePort": "SrcPortNumber", + "DestinationPort": "DstPortNumber", + "IpAddress": ["SrcIpAddr", "DstIpAddr"], # Can map to either source or target IP + "ProcessName": "SrcProcessName", + "ProcessId": "SrcProcessId", + "User": "SrcUsername", + "ComputerName": ["SrcHostname", "DstHostname"], # Can map to either source or target hostname + "Image": "SrcProcessName", + "QueryName": "DnsQuery", + "QueryStatus": "EventResultDetails", + "QueryResults": "DnsResponseName", + "Protocol": "NetworkProtocol", + "c-useragent": "HttpUserAgent", + "userAgent": "HttpUserAgent", + "Category": "UrlCategory", + "Status": "EventResultDetails", + "Product": "EventProduct", + "Company": "EventVendor", + }, + "imFileEvent": { + "SourceIP": "SrcIpAddr", + "DestinationIP": "DstIpAddr", + "SourceHostname": "SrcHostname", + "DestinationHostname": "DstHostname", + "SourcePort": "SrcPortNumber", + "User": "ActorUsername", + "TargetFilename": "TargetFileName", + "Image": "TargetFilePath", + "ParentImage": "ActingProcessName", + "CommandLine": "ActingProcessCommandLine", + "ParentCommandLine": "ActingProcessCommandLine", + "ProcessName": "ActingProcessName", + "ProcessId": "ActingProcessId", + "ParentProcessName": "ActingProcessName", + "ParentProcessId": "ActingProcessId", + "LogonId": "ActorSessionId", + "TargetObject": "TargetFilePath", + "Details": "TargetFilePath", + "SubjectUserName": "ActorUsername", + "ObjectName": "TargetFilePath", + "OldFilePath": "SrcFilePath", + "NewFilePath": "TargetFilePath", + "OldFileName": "SrcFileName", + "NewFileName": "TargetFileName", + "c-uri": "TargetUrl", + "c-useragent": "HttpUserAgent", + "cs-method": "NetworkApplicationProtocol", + "userAgent": "HttpUserAgent", + "Category": "ThreatCategory", + "OperationName": "EventType", + "ProcessGuid": "ActingProcessGuid", + "CreationUtcTime": "TargetFileCreationTime", + }, + "imNetworkSession": { + "SourceIP": "SrcIpAddr", + "DestinationIP": "DstIpAddr", + "DestinationIp": "DstIpAddr", + "SourceHostname": "SrcHostname", + "DestinationHostname": "DstHostname", + "SourcePort": "SrcPortNumber", + "DestinationPort": "DstPortNumber", + "SourceMAC": "SrcMacAddr", + "DestinationMAC": "DstMacAddr", + "Protocol": "NetworkProtocol", + "NetworkProtocol": "NetworkApplicationProtocol", + "User": ["SrcUsername", "DstUsername"], + "Image": ["SrcProcessName", "DstProcessName"], + "ProcessName": ["SrcProcessName", "DstProcessName"], + "ProcessId": ["SrcProcessId", "DstProcessId"], + "ProcessGuid": ["SrcProcessGuid", "DstProcessGuid"], + "LogonId": ["SrcUserId", "DstUserId"], + "SourceUserName": "SrcUsername", + "DestinationUserName": "DstUsername", + "SourceImage": "SrcProcessName", + "DestinationImage": "DstProcessName", + "SourceProcessGUID": "SrcProcessGuid", + "DestinationProcessGUID": "DstProcessGuid", + "SourceProcessId": "SrcProcessId", + "DestinationProcessId": "DstProcessId", + "SourceThreadId": "SrcProcessId", + "DestinationThreadId": "DstProcessId", + "SourceIsIpv6": "NetworkProtocolVersion", + "DestinationIsIpv6": "NetworkProtocolVersion", + "Initiated": "NetworkDirection", + "SourcePortName": "SrcAppName", + "DestinationPortName": "DstAppName", + "State": "EventSubType", + "IpProtocol": "NetworkProtocol", + "BytesReceived": "DstBytes", + "BytesSent": "SrcBytes", + "PacketsReceived": "DstPackets", + "PacketsSent": "SrcPackets", + "c-uri": "TargetUrl", + "c-useragent": "HttpUserAgent", + "cs-method": "NetworkApplicationProtocol", + "cs-version": "NetworkProtocolVersion", + "cs-Cookie": "HttpUserAgent", + "cs-Referrer": "HttpUserAgent", + "sc-status": "EventResultDetails", + "userAgent": "HttpUserAgent", + "Category": "ThreatCategory", + "OperationName": "EventType", + "Action": "DvcAction", + "RuleName": "NetworkRuleName", + }, + "imProcessCreate": { # process_creation, Sysmon EventID 1 -> imProcessCreate table + "Image": "TargetProcessName", + "ParentImage": ["ParentProcessName", "ActingProcessName"], + "CommandLine": "TargetProcessCommandLine", + "ParentCommandLine": "ActingProcessCommandLine", + "User": "TargetUsername", + "LogonGuid": "TargetUserSessionGuid", + "LogonId": "TargetUserSessionId", + "SourceImage": "ActingProcessName", + "TargetImage": "TargetProcessName", + "SourceUser": "ActorUsername", + "TargetUser": "TargetUsername", + "SourceProcessId": "ActingProcessId", + "TargetProcessId": "TargetProcessId", + "SourceProcessGUID": "ActingProcessGuid", + "TargetProcessGUID": "TargetProcessGuid", + "ProcessId": "TargetProcessId", + "ProcessGuid": "TargetProcessGuid", + "ParentProcessId": ["ParentProcessId", "ActingProcessId"], + "ParentProcessGuid": ["ParentProcessGuid", "ActingProcessGuid"], + "ParentUser": "ActorUsername", + "IntegrityLevel": "TargetProcessIntegrityLevel", + "ParentProcessName": "ParentProcessName", + "CurrentDirectory": "TargetProcessCurrentDirectory", + "OriginalFileName": ["TargetProcessFileOriginalName", "TargetProcessFilename"], + "Description": "TargetProcessFileDescription", + "Product": "TargetProcessFileProduct", + "Company": "TargetProcessFileCompany", + "FileVersion": "TargetProcessFileVersion", + "GrantedAccess": "TargetProcessTokenElevation", + "CallTrace": "TargetProcessInjectedAddress", + "ParentIntegrityLevel": "ParentProcessIntegrityLevel", + "TerminalSessionId": "TargetUserSessionId", + "sha1": "TargetProcessSHA1", + "sha256": "TargetProcessSHA256", + "md5": "TargetProcessMD5", + "ProcessVersionInfoOriginalFileName": "TargetProcessFileVersion", + "ProcessVersionInfoFileDescription": "TargetProcessFileDescription", + "ProcessIntegrityLevel": "TargetProcessIntegrityLevel", + "InitiatingProcessFolderPath": "ActingProcessName", + "InitiatingProcessCommandLine": "ActingProcessCommandLine", + }, + "imRegistry": { + "Image": "ActingProcessName", + "ParentImage": "ParentProcessName", + "User": "ActorUsername", + "TargetObject": "RegistryKey", + "Details": "RegistryValueData", + "EventType": "EventType", + "ProcessId": "ActingProcessId", + "ProcessGuid": "ActingProcessGuid", + "ParentProcessId": "ParentProcessId", + "ParentProcessGuid": "ParentProcessGuid", + "ObjectName": "RegistryKey", + "ObjectValueName": "RegistryValue", + "ObjectType": "RegistryValueType", + "ObjectValue": "RegistryValueData", + "OldName": "RegistryPreviousKey", + "NewName": "RegistryKey", + "OldValueType": "RegistryPreviousValueType", + "NewValueType": "RegistryValueType", + "OldValue": "RegistryPreviousValueData", + "NewValue": "RegistryValueData", + "ProcessName": "ActingProcessName", + "SubjectUserName": "ActorUsername", + "SubjectUserSid": "ActorUserId", + "SubjectDomainName": "ActorScope", + "SubjectLogonId": "ActorSessionId", + }, + "imWebSession": { + "c-uri": "Url", + "c-uri-query": "Url", + "c-useragent": "HttpUserAgent", + "cs-method": "HttpRequestMethod", + "cs-version": "HttpVersion", + "cs-host": "HttpHost", + "cs-Referrer": "HttpReferrer", + "sc-status": "HttpStatusCode", + "cs-User-Agent": "HttpUserAgent", + "r-dns": "HttpHost", + "request": "Url", + "request_body": "Url", + "request_method": "HttpRequestMethod", + "request_url": "Url", + "request_url_query": "Url", + "response_status_code": "HttpStatusCode", + "url_category": "UrlCategory", + "url_original": "UrlOriginal", + "http_request_time": "HttpRequestTime", + "http_response_time": "HttpResponseTime", + "http_content_type": "HttpContentType", + "http_user_agent": "HttpUserAgent", + "http_referrer": "HttpReferrer", + "x_forwarded_for": "HttpRequestXff", + "file_name": "FileName", + "file_hash": ["FileMD5", "FileSHA1", "FileSHA256", "FileSHA512"], + "file_size": "FileSize", + "file_type": "FileContentType", + }, + }, + generic_mappings={ + "EventID": "EventOriginalType", + "EventType": "EventType", + "Product": "EventProduct", + "Vendor": "EventVendor", + "DeviceName": "DvcHostname", + "DeviceHostname": "DvcHostname", + "Computer": "DvcHostname", + "Hostname": "DvcHostname", + "IpAddress": "DvcIpAddr", + "SourceSystem": "EventProduct", + "TimeGenerated": "EventStartTime", + }, +) diff --git a/sigma/pipelines/sentinelasim/schema.py b/sigma/pipelines/sentinelasim/schema.py new file mode 100644 index 0000000..6b379dc --- /dev/null +++ b/sigma/pipelines/sentinelasim/schema.py @@ -0,0 +1,13 @@ +from dataclasses import dataclass + +from sigma.pipelines.kusto_common.schema import BaseSchema, FieldMappings + + +@dataclass +class SentinelASIMSchema(BaseSchema): + pass + + +@dataclass +class SentinelASIMFieldMappings(FieldMappings): + pass diff --git a/sigma/pipelines/sentinelasim/sentinelasim.py b/sigma/pipelines/sentinelasim/sentinelasim.py index 6b45545..c34421e 100644 --- a/sigma/pipelines/sentinelasim/sentinelasim.py +++ b/sigma/pipelines/sentinelasim/sentinelasim.py @@ -1,354 +1,64 @@ -from typing import Union, Optional, Iterable -from collections import defaultdict - -from sigma.exceptions import SigmaTransformationError -from sigma.pipelines.common import (logsource_windows_process_creation, logsource_windows_image_load, - logsource_windows_file_event, logsource_windows_file_delete, - logsource_windows_file_change, logsource_windows_file_access, - logsource_windows_file_rename, logsource_windows_registry_set, - logsource_windows_registry_add, logsource_windows_registry_delete, - logsource_windows_registry_event, logsource_windows_network_connection) -from sigma.processing.transformations import (FieldMappingTransformation, RuleFailureTransformation, - ReplaceStringTransformation, SetStateTransformation, - DetectionItemTransformation, ValueTransformation, - DetectionItemFailureTransformation, DropDetectionItemTransformation) -from sigma.processing.conditions import (IncludeFieldCondition, ExcludeFieldCondition, - DetectionItemProcessingItemAppliedCondition, LogsourceCondition) -from sigma.conditions import ConditionOR -from sigma.types import SigmaString, SigmaType +from typing import Optional + +from sigma.processing.conditions import ( + DetectionItemProcessingItemAppliedCondition, + ExcludeFieldCondition, + IncludeFieldCondition, + LogsourceCondition, + RuleProcessingItemAppliedCondition, + RuleProcessingStateCondition, +) from sigma.processing.pipeline import ProcessingItem, ProcessingPipeline -from sigma.rule import SigmaDetectionItem, SigmaDetection +from sigma.processing.transformations import ( + DropDetectionItemTransformation, + ReplaceStringTransformation, + RuleFailureTransformation, +) -from sigma.pipelines.microsoft365defender.microsoft365defender import ( - SplitDomainUserTransformation, - HashesValuesTransformation, +from ..kusto_common.errors import InvalidFieldTransformation +from ..kusto_common.finalization import QueryTableFinalizer +from ..kusto_common.schema import create_schema +from ..kusto_common.transformations import ( + DynamicFieldMappingTransformation, + GenericFieldMappingTransformation, RegistryActionTypeValueTransformation, - ParentImageValueTransformation, - InvalidFieldTransformation, + SetQueryTableStateTransformation, +) +from .mappings import ( + CATEGORY_TO_TABLE_MAPPINGS, + SENTINEL_ASIM_FIELD_MAPPINGS, +) +from .schema import SentinelASIMSchema +from .tables import SENTINEL_ASIM_TABLES +from .transformations import ( + FileEventHashesValuesTransformation, + ProcessCreateHashesValuesTransformation, + WebSessionHashesValuesTransformation, ) -from sigma.pipelines.microsoft365defender.finalization import Microsoft365DefenderTableFinalizer -from sigma.pipelines.microsoft365defender.transformations import SetQueryTableStateTransformation - - -process_events_table = 'imProcessCreate' -registry_events_table = 'imRegistry' -file_events_table = 'imFileEvent' - -# FIELD MAPPINGS -## Field mappings from Sysmon (where applicable) fields to Advanced Hunting Query fields based on schema in tables -## See: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#learn-the-schema-tables -query_table_field_mappings = { - process_events_table: { # process_creation, Sysmon EventID 1 -> DeviceProcessEvents table - 'ProcessGuid': 'TargetProcessGuid', - 'ProcessId': 'TargetProcessId', - 'Image': 'TargetProcessName', - 'FileVersion': 'TargetProcessFileVersion', - 'Description': 'TargetProcessFileDescription', - 'Product': 'TargetProcessFileProduct', - 'Company': 'TargetProcessFileCompany', - 'OriginalFileName': 'TargetProcessFilename', - 'CommandLine': 'TargetProcessCommandLine', - 'CurrentDirectory': 'TargetProcessCurrentDirectory', - 'User': 'TargetUsername', - 'LogonGuid': 'TargetUserSessionGuid', - 'LogonId': 'TargetUsername', - 'TerminalSessionId': 'TargetUserSessionId', - 'IntegrityLevel': 'TargetProcessIntegrityLevel', - 'sha1': 'TargetProcessSHA1', - 'sha256': 'TargetProcessSHA256', - 'md5': 'TargetProcessMD5', - 'ParentProcessGuid': 'ActingProcessGuid', - 'ParentProcessId': 'ActingProcessId', - 'ParentImage': 'ActingProcessName', - 'ParentCommandLine': 'ActingProcessCommandLine', - 'ParentUser': 'ActorUsername', - 'ProcessVersionInfoOriginalFileName':'TargetProcessFileVersion', - 'ProcessVersionInfoFileDescription':'TargetProcessFileDescription', - 'ProcessIntegrityLevel': 'TargetProcessIntegrityLevel', - 'InitiatingProcessFolderPath': 'ActingProcessName', - 'InitiatingProcessCommandLine': 'ActingProcessCommandLine', - }, - 'DeviceImageLoadEvents': { - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', # File path of the process that loaded the image - 'ImageLoaded': 'FolderPath', - 'FileVersion': 'InitiatingProcessVersionInfoProductVersion', - 'Description': 'InitiatingProcessVersionInfoFileDescription', - 'Product': 'InitiatingProcessVersionInfoProductName', - 'Company': 'InitiatingProcessVersionInfoCompanyName', - 'OriginalFileName': 'InitiatingProcessVersionInfoOriginalFileName', - # 'Hashes': ?, - 'sha1': 'SHA1', - 'sha256': 'SHA256', - 'md5': 'MD5', - # 'Signed': ? - # 'Signature': ? - # 'SignatureStatus': ? - 'User': 'InitiatingProcessAccountName' - }, - file_events_table: { # file_*, Sysmon EventID 11 (create), 23 (delete) -> DeviceFileEvents table - 'ProcessGuid': 'ActingProcessGuid', - 'ProcessId': 'ActingProcessId', - 'Image': 'ActingProcessName', - 'TargetFilename': 'TargetFileName', - 'CreationUtcTime': 'TargetFileCreationTime', - 'User': 'ActorUsername', - # 'Hashes': ?, - # 'sha1': 'SHA1', - # 'sha256': 'SHA256', - # 'md5': 'MD5', - }, - 'DeviceNetworkEvents': { # network_connection, Sysmon EventID 3 -> DeviceNetworkEvents table - # 'ProcessGuid': ?, - 'ProcessId': 'InitiatingProcessId', - 'Image': 'InitiatingProcessFolderPath', - 'User': 'InitiatingProcessAccountName', - 'Protocol': 'Protocol', - # 'Initiated': ?, - # 'SourceIsIpv6': ?, - 'SourceIp': 'LocalIP', - 'SourceHostname': 'DeviceName', - 'SourcePort': 'LocalPort', - # 'SourcePortName': ?, - # 'DestinationIsIpv6': ?, - 'DestinationIp': 'RemoteIP', - 'DestinationHostname': 'RemoteUrl', - 'DestinationPort': 'RemotePort', - # 'DestinationPortName': ?, - }, - registry_events_table: { - # registry_*, Sysmon EventID 12 (create/delete), 13 (value set), 14 (key/value rename) -> DeviceRegistryEvents table, - 'EventType': 'EventType', - 'ProcessGuid': 'ActingProcessGuid', - 'ProcessId': 'ActingProcessId', - 'Image': 'ActingProcessName', - 'TargetObject': 'RegistryKey', - # 'NewName': ? - 'Details': 'RegistryValueData', - 'User': 'ActorUsername' - } -} - -## Generic catch-all field mappings for sysmon -> microsoft 365 defender fields that appear in most tables and -## haven't been mapped already -generic_field_mappings = { - 'EventType': 'EventType', - 'User': 'TargetUsername', - 'CommandLine': 'TargetProcessCommandLine', - 'Image': 'TargetProcessName', - 'SourceImage': 'TargetProcessName', - 'ProcessId': 'TargetProcessId', - 'md5': 'TargetProcessMD5', - #'sha1': 'InitiatingProcessSHA1', - 'sha256': 'TargetProcessSHA256', - 'ParentProcessId': 'ActingProcessId', - 'ParentCommandLine': 'ActingProcessCommandLine', - 'Company': 'TargetProcessFileCompany', - 'Description': 'TargetProcessFileDescription', - 'OriginalFileName': 'TargetProcessName', - 'Product': 'TargetProcessFileProduct', - 'Timestamp': 'TimeGenerated', - 'FolderPath': 'TargetProcessName', - 'ProcessCommandLine': 'TargetProcessCommandLine', -} - -# VALID FIELDS PER QUERY TABLE -## Will Implement field checking later once issue with removing fields is figured out, for now it fails the pipeline -## dict of {'table_name': [list, of, valid_fields]} for each table -valid_fields_per_table = { - process_events_table: [ - "TimeGenerated", - "TargetProcessGuid", - "TargetProcessId", - "TargetProcessName", - "TargetProcessFileVersion", - "TargetProcessFileDescription", - "TargetProcessFileProduct", - "CommandLine", - "User", - "TargetUserSessionGuid", - "TargetProcessIntegrityLevel", - "ActingProcessGuid", - "ActingProcessId", - "ActingProcessName", - "ActingProcessCommandLine", - "ActorUsername", - "TargetProcessSHA256", - "TargetProcessIMPHASH", - "TargetProcessMD5", - "EventType", - "EventStartTime", - "EventEndTime", - "EventCount", - "EventVendor", - "EventSchemaVersion", - "EventSchema", - "EventProduct", - "EventResult", - "DvcOs", - "TargetUserSessionId", - "TargetUsernameType", - "TargetUsername", - "TargetProcessCommandLine", - "TargetProcessCurrentDirectory", - "ActorUsernameType", - "EventOriginalType", - "Process", - "Dvc", - "Hash", - "DvcHostname", - "EventSourceName", - "TargetProcessFileCompany", - "TargetProcessFilename", - "HashType", - "Channel", - "Task", - "SourceComputerId", - "EventOriginId", - "TimeCollected" - ], - 'DeviceImageLoadEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'FileName', 'FolderPath', 'SHA1', - 'SHA256', 'MD5', 'FileSize', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', - 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', - 'InitiatingProcessSHA1', 'InitiatingProcessSHA256', 'InitiatingProcessMD5', - 'InitiatingProcessFileName', 'InitiatingProcessFileSize', - 'InitiatingProcessVersionInfoCompanyName', 'InitiatingProcessVersionInfoProductName', - 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentId', - 'InitiatingProcessParentFileName', 'InitiatingProcessParentCreationTime', 'ReportId', - 'AppGuardContainerId'], - file_events_table: ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'FileName', 'FolderPath', 'SHA1', - 'SHA256', 'MD5', 'FileOriginUrl', 'FileOriginReferrerUrl', 'FileOriginIP', - 'PreviousFolderPath', 'PreviousFileName', 'FileSize', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', - 'InitiatingProcessAccountObjectId', 'InitiatingProcessMD5', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessFolderPath', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', - 'InitiatingProcessParentId', 'InitiatingProcessParentFileName', - 'InitiatingProcessParentCreationTime', 'RequestProtocol', 'RequestSourceIP', - 'RequestSourcePort', 'RequestAccountName', 'RequestAccountDomain', 'RequestAccountSid', - 'ShareName', 'InitiatingProcessFileSize', 'SensitivityLabel', 'SensitivitySubLabel', - 'IsAzureInfoProtectionApplied', 'ReportId', 'AppGuardContainerId', 'AdditionalFields'], - registry_events_table: ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'RegistryKey', 'RegistryValueType', - 'RegistryValueName', 'RegistryValueData', 'PreviousRegistryKey', - 'PreviousRegistryValueName', 'PreviousRegistryValueData', 'InitiatingProcessAccountDomain', - 'InitiatingProcessAccountName', 'InitiatingProcessAccountSid', - 'InitiatingProcessAccountUpn', 'InitiatingProcessAccountObjectId', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessMD5', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentId', - 'InitiatingProcessParentFileName', 'InitiatingProcessParentCreationTime', - 'InitiatingProcessIntegrityLevel', 'InitiatingProcessTokenElevation', 'ReportId', - 'AppGuardContainerId'], - 'DeviceNetworkEvents': ['Timestamp', 'DeviceId', 'DeviceName', 'ActionType', 'RemoteIP', 'RemotePort', 'RemoteUrl', - 'LocalIP', 'LocalPort', 'Protocol', 'LocalIPType', 'RemoteIPType', 'InitiatingProcessSHA1', - 'InitiatingProcessSHA256', 'InitiatingProcessMD5', 'InitiatingProcessFileName', - 'InitiatingProcessFileSize', 'InitiatingProcessVersionInfoCompanyName', - 'InitiatingProcessVersionInfoProductName', 'InitiatingProcessVersionInfoProductVersion', - 'InitiatingProcessVersionInfoInternalFileName', - 'InitiatingProcessVersionInfoOriginalFileName', - 'InitiatingProcessVersionInfoFileDescription', 'InitiatingProcessId', - 'InitiatingProcessCommandLine', 'InitiatingProcessCreationTime', - 'InitiatingProcessFolderPath', 'InitiatingProcessParentFileName', - 'InitiatingProcessParentId', 'InitiatingProcessParentCreationTime', - 'InitiatingProcessAccountDomain', 'InitiatingProcessAccountName', - 'InitiatingProcessAccountSid', 'InitiatingProcessAccountUpn', - 'InitiatingProcessAccountObjectId', 'InitiatingProcessIntegrityLevel', - 'InitiatingProcessTokenElevation', 'ReportId', 'AppGuardContainerId', 'AdditionalFields']} - -# Mapping from ParentImage to InitiatingProcessParentFileName. Must be used alongside of ParentImageValueTransformation -parent_image_field_mapping = {'ParentImage': 'InitiatingProcessParentFileName'} - -# OTHER MAPPINGS -## useful for creating ProcessingItems() with list comprehension - -## Query Table names -> rule categories -table_to_category_mappings = { - process_events_table: ['process_creation'], - 'DeviceImageLoadEvents': ['image_load'], - file_events_table: ['file_access', 'file_change', 'file_delete', 'file_event', 'file_rename'], - registry_events_table: ['registry_add', 'registry_delete', 'registry_event', 'registry_set'], - 'DeviceNetworkEvents': ['network_connection'] -} +SENTINEL_ASIM_SCHEMA = create_schema(SentinelASIMSchema, SENTINEL_ASIM_TABLES) -## rule categories -> RuleConditions -category_to_conditions_mappings = { - 'process_creation': logsource_windows_process_creation(), - 'image_load': logsource_windows_image_load(), - 'file_access': logsource_windows_file_access(), - 'file_change': logsource_windows_file_change(), - 'file_delete': logsource_windows_file_delete(), - 'file_event': logsource_windows_file_event(), - 'file_rename': logsource_windows_file_rename(), - 'registry_add': logsource_windows_registry_add(), - 'registry_delete': logsource_windows_registry_delete(), - 'registry_event': logsource_windows_registry_event(), - 'registry_set': logsource_windows_registry_set(), - 'network_connection': logsource_windows_network_connection() -} - -# PROCESSING_ITEMS() -## ProcessingItems to set state key 'query_table' to use in backend -## i.e. $QueryTable$ | $rest_of_query$ -query_table_proc_items = [ - ProcessingItem( - identifier=f"microsoft_365_defender_set_query_table_{table_name}", - transformation=SetQueryTableStateTransformation(table_name), - rule_conditions=[ - category_to_conditions_mappings[rule_category] for rule_category in rule_categories - ], - rule_condition_linking=any, - ) - for table_name, rule_categories in table_to_category_mappings.items() -] ## Fieldmappings -fieldmappings_proc_items = [ - ProcessingItem( - identifier=f"microsoft_365_defender_fieldmappings_{table_name}", - transformation=FieldMappingTransformation(query_table_field_mappings[table_name]), - rule_conditions=[ - category_to_conditions_mappings[rule_category] for rule_category in rule_categories - ], - rule_condition_linking=any, - ) - for table_name, rule_categories in table_to_category_mappings.items() -] +fieldmappings_proc_item = ProcessingItem( + identifier="sentinel_asim_table_fieldmappings", + transformation=DynamicFieldMappingTransformation(SENTINEL_ASIM_FIELD_MAPPINGS), +) -## Generic Fielp Mappings, keep this last -## Exclude any fields already mapped. For example, if process_creation events ProcessId has already -## been mapped to the same field name (ProcessId), we don't to remap it to InitiatingProcessId -generic_field_mappings_proc_item = [ProcessingItem( - identifier="microsoft_365_defender_fieldmappings_generic", - transformation=FieldMappingTransformation( - generic_field_mappings - ), - detection_item_conditions=[ - DetectionItemProcessingItemAppliedCondition(f"microsoft_365_defender_fieldmappings_{table_name}") - for table_name in table_to_category_mappings.keys() - ], +## Generic Field Mappings, keep this last +## Exclude any fields already mapped, e.g. if a table mapping has been applied. +# This will fix the case where ProcessId is usually mapped to InitiatingProcessId, EXCEPT for the DeviceProcessEvent table where it stays as ProcessId. +# So we can map ProcessId to ProcessId in the DeviceProcessEvents table mapping, and prevent the generic mapping to InitiatingProcessId from being applied +# by adding a detection item condition that the table field mappings have been applied + +generic_field_mappings_proc_item = ProcessingItem( + identifier="sentinel_asim_generic_fieldmappings", + transformation=GenericFieldMappingTransformation(SENTINEL_ASIM_FIELD_MAPPINGS), + detection_item_conditions=[DetectionItemProcessingItemAppliedCondition("sentinel_asim_table_fieldmappings")], detection_item_condition_linking=any, detection_item_condition_negation=True, ) -] + ## Field Value Replacements ProcessingItems replacement_proc_items = [ @@ -358,147 +68,156 @@ # # Do this one first, or else the HKLM only one will replace HKLM and mess up the regex ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_currentcontrolset", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM\\SYSTEM\\CurrentControlSet)", - replacement=r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] + identifier="sentinel_asim_registry_key_replace_currentcontrolset", + transformation=ReplaceStringTransformation( + regex=r"(?i)(^HKLM\\SYSTEM\\CurrentControlSet)", + replacement=r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001", + ), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "PreviousRegistryKey"])], ), ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hklm", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM)", - replacement=r"HKEY_LOCAL_MACHINE"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] + identifier="sentinel_asim_registry_key_replace_hklm", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKLM)", replacement=r"HKEY_LOCAL_MACHINE"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "RegistryPreviousKey"])], ), ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hku", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKU)", - replacement=r"HKEY_USERS"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] + identifier="sentinel_asim_registry_key_replace_hku", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKU)", replacement=r"HKEY_USERS"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "RegistryPreviousKey"])], ), ProcessingItem( - identifier="microsoft_365_defender_registry_key_replace_hkcr", - transformation=ReplaceStringTransformation(regex=r"(?i)(^HKCR)", - replacement=r"HKEY_LOCAL_MACHINE\\CLASSES"), - field_name_conditions=[IncludeFieldCondition(['RegistryKey', 'PreviousRegistryKey'])] + identifier="sentinel_asim_registry_key_replace_hkcr", + transformation=ReplaceStringTransformation(regex=r"(?i)(^HKCR)", replacement=r"HKEY_LOCAL_MACHINE\\CLASSES"), + field_name_conditions=[IncludeFieldCondition(["RegistryKey", "RegistryPreviousKey"])], ), ProcessingItem( - identifier="microsoft_365_defender_registry_actiontype_value", + identifier="sentinel_asim_registry_actiontype_value", transformation=RegistryActionTypeValueTransformation(), - field_name_conditions=[IncludeFieldCondition(['ActionType'])] + field_name_conditions=[IncludeFieldCondition(["EventType"])], + ), + # Processing item to transform the Hashes field in the SecurityEvent table to get rid of the hash algorithm prefix in each value + ProcessingItem( + identifier="sentinel_asim_processcreate_hashes_field_values", + transformation=ProcessCreateHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["Hashes"])], + rule_conditions=[RuleProcessingStateCondition("query_table", "imProcessCreate")], ), - # Extract Domain from Username fields ProcessingItem( - identifier="microsoft_365_defender_domain_username_extract", - transformation=SplitDomainUserTransformation(), - field_name_conditions=[IncludeFieldCondition(["AccountName", "InitiatingProcessAccountName"])] + identifier="sentinel_asim_fileevent_hashes_field_values", + transformation=FileEventHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["Hashes"])], + rule_conditions=[RuleProcessingStateCondition("query_table", "imFileEvent")], ), ProcessingItem( - identifier="microsoft_365_defender_hashes_field_values", - transformation=HashesValuesTransformation(), - field_name_conditions=[IncludeFieldCondition(['Hashes'])] + identifier="sentinel_asim_webrequest_hashes_field_values", + transformation=WebSessionHashesValuesTransformation(), + field_name_conditions=[IncludeFieldCondition(["Hashes"])], + rule_conditions=[RuleProcessingStateCondition("query_table", "imWebSession")], ), # Processing item to essentially ignore initiated field ProcessingItem( - identifier="microsoft_365_defender_network_initiated_field", + identifier="sentinel_asim_network_initiated_field", transformation=DropDetectionItemTransformation(), - field_name_conditions=[IncludeFieldCondition(['Initiated'])], - rule_conditions=[LogsourceCondition(category='network_connection')], - ) + field_name_conditions=[IncludeFieldCondition(["Initiated"])], + rule_conditions=[LogsourceCondition(category="network_connection")], + ), ] -# ParentImage -> InitiatingProcessParentFileName -parent_image_proc_items = [ - # First apply fieldmapping from ParentImage to InitiatingProcessParentFileName for non process-creation rules - ProcessingItem( - identifier="microsoft_365_defender_parent_image_fieldmapping", - transformation=FieldMappingTransformation(parent_image_field_mapping), - rule_conditions=[ - # Exclude process_creation events, there's direct field mapping in this schema table - LogsourceCondition(category='process_creation') - ], - rule_condition_negation=True - ), - # Second, extract the parent process name from the full path +# Exceptions/Errors ProcessingItems +# Catch-all for when the query table is not set, meaning the rule could not be mapped to a table or the table name was not set +rule_error_proc_items = [ + # Category Not Supported or Query Table Not Set ProcessingItem( - identifier="microsoft_365_defender_parent_image_name_value", - transformation=ParentImageValueTransformation(), - field_name_conditions=[ - IncludeFieldCondition(["InitiatingProcessParentFileName"]), - ], + identifier="sentinel_asim_unsupported_rule_category_or_missing_query_table", + transformation=RuleFailureTransformation( + "Rule category not yet supported by the Sentinel ASIM pipeline or query_table is not set." + ), rule_conditions=[ - # Exclude process_creation events, there's direct field mapping in this schema table - LogsourceCondition(category='process_creation') + RuleProcessingItemAppliedCondition("sentinel_asim_set_query_table"), + RuleProcessingStateCondition("query_table", None), ], - rule_condition_negation=True + rule_condition_linking=all, ) - ] -## Exceptions/Errors ProcessingItems -rule_error_proc_items = [ - # Category Not Supported - ProcessingItem( - identifier="microsoft_365_defender_unsupported_rule_category", - rule_condition_linking=any, - transformation=RuleFailureTransformation( - "Rule category not yet supported by the Microsoft 365 Defender Sigma backend." - ), - rule_condition_negation=True, - rule_conditions=[x for x in category_to_conditions_mappings.values()], - )] -field_error_proc_items = [ - # Invalid fields per category +def get_valid_fields(table_name): + return ( + list(SENTINEL_ASIM_SCHEMA.tables[table_name].fields.keys()) + + list(SENTINEL_ASIM_FIELD_MAPPINGS.table_mappings.get(table_name, {}).keys()) + + list(SENTINEL_ASIM_FIELD_MAPPINGS.generic_mappings.keys()) + + ["Hashes"] + ) + + +field_error_proc_items = [] + +for table_name in SENTINEL_ASIM_SCHEMA.tables.keys(): + valid_fields = get_valid_fields(table_name) + + field_error_proc_items.append( + ProcessingItem( + identifier=f"sentinel_asim_unsupported_fields_{table_name}", + transformation=InvalidFieldTransformation( + f"Please use valid fields for the {table_name} table, or the following fields that have fieldmappings in this " + f"pipeline:\n{', '.join(sorted(set(valid_fields)))}" + ), + field_name_conditions=[ExcludeFieldCondition(fields=valid_fields)], + rule_conditions=[ + RuleProcessingItemAppliedCondition("sentinel_asim_set_query_table"), + RuleProcessingStateCondition("query_table", table_name), + ], + rule_condition_linking=all, + ) + ) + +# Add a catch-all error for custom table names +field_error_proc_items.append( ProcessingItem( - identifier=f"microsoft_365_defender_unsupported_fields_{table_name}", + identifier="sentinel_asim_unsupported_fields_custom", transformation=InvalidFieldTransformation( - f"Please use valid fields for the {table_name} table, or the following fields that have keymappings in this " - f"pipeline:\n" - # Combine field mappings for table and generic field mappings dicts, get the unique keys, add the Hashes field, sort it - f"{', '.join(sorted(set({**query_table_field_mappings[table_name], **generic_field_mappings}.keys()).union({'Hashes'})))}" + "Invalid field name for the custom table. Please ensure you're using valid fields for your custom table." ), field_name_conditions=[ - ExcludeFieldCondition(fields=table_fields + list(generic_field_mappings.keys()) + ['Hashes'])], + ExcludeFieldCondition(fields=list(SENTINEL_ASIM_FIELD_MAPPINGS.generic_mappings.keys()) + ["Hashes"]) + ], rule_conditions=[ - category_to_conditions_mappings[rule_category] - for rule_category in table_to_category_mappings[table_name] + RuleProcessingItemAppliedCondition("sentinel_asim_set_query_table"), + RuleProcessingStateCondition("query_table", None), ], - rule_condition_linking=any, + rule_condition_linking=all, ) - for table_name, table_fields in valid_fields_per_table.items() -] +) -def sentinel_asim_pipeline(transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None) -> ProcessingPipeline: - """Pipeline for transformations for SigmaRules to use with the Sentinel ASIM Functions +def sentinel_asim_pipeline( + transform_parent_image: Optional[bool] = True, query_table: Optional[str] = None +) -> ProcessingPipeline: + """Pipeline for transformations for SigmaRules to use in the Kusto Query Language backend. - :param transform_parent_image: If True, the ParentImage field will be mapped to InitiatingProcessParentFileName, and - the parent process name in the ParentImage will be extracted and used. This is because the Microsoft 365 Defender - table schema does not contain a InitiatingProcessParentFolderPath field like it does for InitiatingProcessFolderPath. - i.e. ParentImage: C:\\Windows\\System32\\whoami.exe -> InitiatingProcessParentFileName: whoami.exe. - Defaults to True - :type transform_parent_image: Optional[bool] + :param query_table: If specified, the table name will be used in the finalizer, otherwise the table name will be selected based on the category of the rule. + :type query_table: Optional[str] - :return: ProcessingPipeline for Microsoft 365 Defender Backend + :return: ProcessingPipeline for Microsoft Sentinel ASIM :rtype: ProcessingPipeline """ pipeline_items = [ - *query_table_proc_items, - *fieldmappings_proc_items, - *generic_field_mappings_proc_item, + ProcessingItem( + identifier="sentinel_asim_set_query_table", + transformation=SetQueryTableStateTransformation(query_table, CATEGORY_TO_TABLE_MAPPINGS), + ), + fieldmappings_proc_item, + generic_field_mappings_proc_item, *replacement_proc_items, *rule_error_proc_items, *field_error_proc_items, ] - if transform_parent_image: - pipeline_items[4:4] = parent_image_proc_items - return ProcessingPipeline( - name="Generic Log Sources to Windows 365 ASIM Transformation", + name="Generic Log Sources to Sentinel ASIM tables and fields", priority=10, items=pipeline_items, allowed_backends=frozenset(["kusto"]), - finalizers=[Microsoft365DefenderTableFinalizer(table_names=query_table)] + finalizers=[QueryTableFinalizer()], ) diff --git a/sigma/pipelines/sentinelasim/tables.py b/sigma/pipelines/sentinelasim/tables.py new file mode 100644 index 0000000..ef6b3c8 --- /dev/null +++ b/sigma/pipelines/sentinelasim/tables.py @@ -0,0 +1,720 @@ +# This file is auto-generated. Do not edit manually. +# Last updated: 2024-09-23 19:27:00 UTC + +SENTINEL_ASIM_TABLES = { + "imAuditEvent": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation audited by the event using a normalized value. Use EventSubType to provide further details, which the normalized value does not convey, and Operation. to store the operation as reported by the reporting device. For Audit Event records, the allowed values are: - Set- Read- Create- Delete- Execute- Install- Clear- Enable- Disable- Other Audit events represent a large variety of operations, and the Other value enables mapping operations that have no corresponding EventType. However, the use of Other limits the usability of the event and should be avoided if possible.', "class": "Mandatory"}, + "EventSubType": {"data_type": "String", "description": 'Provides further details, which the normalized value in EventType does not convey.', "class": "Optional"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is AuditEvent.', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.1.', "class": "Mandatory"}, + "Operation": {"data_type": "String", "description": 'The operation audited as reported by the reporting device.', "class": "Mandatory"}, + "Object": {"data_type": "String", "description": 'The name of the object on which the operation identified by EventType is performed.', "class": "Mandatory"}, + "ObjectType": {"data_type": "Enumerated", "description": 'The type of Object. Allowed values are:- Cloud Resource- Configuration Atom- Policy Rule - Other', "class": "Mandatory"}, + "OldValue": {"data_type": "String", "description": 'The old value of Object prior to the operation, if applicable.', "class": "Optional"}, + "NewValue": {"data_type": "String", "description": 'The new value of Object after the operation was performed, if applicable.', "class": "Optional"}, + "Value": {"data_type": "", "description": 'Alias to NewValue', "class": "Alias"}, + "ValueType": {"data_type": "Enumerated", "description": 'The type of the old and new values. Allowed values are- Other', "class": "Conditional"}, + "ActorUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for other IDs, see The User entity. Example: S-1-12-1-4141952679-1282074057-627758481-2916039507', "class": "Optional"}, + "ActorScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra Domain Name, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "ActorScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "ActorUserIdType": {"data_type": "UserIdType", "description": 'The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.', "class": "Conditional"}, + "ActorUsername": {"data_type": "Username", "description": 'The Actor’s username, including domain information when available. For more information, see The User entity.Example: AlbertE', "class": "Recommended"}, + "User": {"data_type": "", "description": 'Alias to ActorUsername', "class": "Alias"}, + "ActorUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. Example: Windows', "class": "Conditional"}, + "ActorUserType": {"data_type": "UserType", "description": 'The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article.For example: Guest', "class": "Optional"}, + "ActorOriginalUserType": {"data_type": "UserType", "description": 'The user type as reported by the reporting device.', "class": "Optional"}, + "ActorSessionId": {"data_type": "String", "description": 'The unique ID of the sign-in session of the Actor. Example: 102pTUgC3p8RIqHvzxLCHnFlg', "class": "Optional"}, + "TargetAppId": {"data_type": "String", "description": 'The ID of the application to which the event applies, including a process, browser, or service. Example: 89162', "class": "Optional"}, + "TargetAppName": {"data_type": "String", "description": 'The name of the application to which event applies, including a service, a URL, or a SaaS application. Example: Exchange 365', "class": "Optional"}, + "Application": {"data_type": "", "description": 'Alias to TargetAppName', "class": "Alias"}, + "TargetAppType": {"data_type": "AppType", "description": 'The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article.', "class": "Optional"}, + "TargetUrl": {"data_type": "URL", "description": 'The URL associated with the target application. Example: https://console.aws.amazon.com/console/home?fromtb=true&hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_us-east-1_7596bc16c83d260b', "class": "Optional"}, + "Dst": {"data_type": "String", "description": 'A unique identifier of the authentication target. This field may alias the TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields. Example: 192.168.12.1', "class": "Alias"}, + "TargetHostname": {"data_type": "Hostname", "description": 'The target device hostname, excluding domain information.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "TargetDomain": {"data_type": "String", "description": 'The domain of the target device.Example: Contoso', "class": "Recommended"}, + "TargetDomainType": {"data_type": "Enumerated", "description": 'The type of TargetDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article.Required if TargetDomain is used.', "class": "Conditional"}, + "TargetFQDN": {"data_type": "String", "description": 'The target device hostname, including domain information when available. Example: Contoso\\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The TargetDomainType reflects the format used.', "class": "Optional"}, + "TargetDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "TargetDvcId": {"data_type": "String", "description": 'The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields TargetDvc. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "TargetDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "TargetDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "TargetDvcIdType": {"data_type": "Enumerated", "description": 'The type of TargetDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if TargetDeviceId is used.', "class": "Conditional"}, + "TargetDeviceType": {"data_type": "Enumerated", "description": 'The type of the target device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "TargetIpAddr": {"data_type": "IP Address", "description": 'The IP address of the target device. Example: 2.2.2.2', "class": "Optional"}, + "TargetDvcOs": {"data_type": "String", "description": 'The OS of the target device. Example: Windows 10', "class": "Optional"}, + "TargetPortNumber": {"data_type": "Integer", "description": 'The port of the target device.', "class": "Optional"}, + "ActingAppId": {"data_type": "String", "description": 'The ID of the application that initiated the activity reported, including a process, browser, or service. For example: 0x12ae8', "class": "Optional"}, + "ActiveAppName": {"data_type": "String", "description": 'The name of the application that initiated the activity reported, including a service, a URL, or a SaaS application. For example: C:\\Windows\\System32\\svchost.exe', "class": "Optional"}, + "ActingAppType": {"data_type": "AppType", "description": 'The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article.', "class": "Optional"}, + "HttpUserAgent": {"data_type": "String", "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication.For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "class": "Optional"}, + "Src": {"data_type": "String", "description": 'A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1', "class": "Alias"}, + "SrcIpAddr": {"data_type": "IP address", "description": 'The IP address from which the connection or session originated. Example: 77.138.103.108', "class": "Recommended"}, + "IpAddr": {"data_type": "", "description": 'Alias to SrcIpAddr, or to TargetIpAddr if SrcIpAddr is not provided.', "class": "Alias"}, + "SrcPortNumber": {"data_type": "Integer", "description": 'The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections.Example: 2335', "class": "Optional"}, + "SrcHostname": {"data_type": "Hostname", "description": 'The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "SrcDomain": {"data_type": "String", "description": 'The domain of the source device.Example: Contoso', "class": "Recommended"}, + "SrcDomainType": {"data_type": "DomainType", "description": 'The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article.Required if SrcDomain is used.', "class": "Conditional"}, + "SrcFQDN": {"data_type": "String", "description": 'The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\\DESKTOP-1282V4D', "class": "Optional"}, + "SrcDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "SrcDvcId": {"data_type": "String", "description": 'The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "SrcDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcIdType": {"data_type": "DvcIdType", "description": 'The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used.', "class": "Conditional"}, + "SrcDeviceType": {"data_type": "DeviceType", "description": 'The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "SrcSubscriptionId": {"data_type": "String", "description": 'The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcGeoCountry": {"data_type": "Country", "description": 'The country associated with the source IP address.Example: USA', "class": "Optional"}, + "SrcGeoRegion": {"data_type": "Region", "description": 'The region within a country associated with the source IP address.Example: Vermont', "class": "Optional"}, + "SrcGeoCity": {"data_type": "City", "description": 'The city associated with the source IP address.Example: Burlington', "class": "Optional"}, + "SrcGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the source IP address.Example: 44.475833', "class": "Optional"}, + "SrcGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the source IP address.Example: 73.211944', "class": "Optional"}, + "RuleName": {"data_type": "String", "description": 'The name or ID of the rule by associated with the inspection results.', "class": "Optional"}, + "RuleNumber": {"data_type": "Integer", "description": 'The number of the rule associated with the inspection results.', "class": "Optional"}, + "Rule": {"data_type": "String", "description": 'Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.', "class": "Alias"}, + "ThreatId": {"data_type": "String", "description": 'The ID of the threat or malware identified in the audit activity.', "class": "Optional"}, + "ThreatName": {"data_type": "String", "description": 'The name of the threat or malware identified in the audit activity.', "class": "Optional"}, + "ThreatCategory": {"data_type": "String", "description": 'The category of the threat or malware identified in audit file activity.', "class": "Optional"}, + "ThreatRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.', "class": "Optional"}, + "ThreatOriginalRiskLevel": {"data_type": "String", "description": 'The risk level as reported by the reporting device.', "class": "Optional"}, + "ThreatConfidence": {"data_type": "Integer", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalConfidence": {"data_type": "String", "description": 'The original confidence level of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatIsActive": {"data_type": "Boolean", "description": 'True if the threat identified is considered an active threat.', "class": "Optional"}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatIpAddr": {"data_type": "IP Address", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.', "class": "Optional"}, + "ThreatField": {"data_type": "Enumerated", "description": 'The field for which a threat was identified. The value is either SrcIpAddr or TargetIpAddr.', "class": "Optional"}, + }, + "imAuthentication": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. For Authentication records, supported values include: - Logon - Logoff- Elevate', "class": "Mandatory"}, + "EventResultDetails": {"data_type": "String", "description": 'The details associated with the event result. This field is typically populated when the result is a failure.Allowed values include: - No such user or password. This value should be used also when the original event reports that there is no such user, without reference to a password. - No such user - Incorrect password - Incorrect key-\tAccount expired-\tPassword expired-\tUser locked-\tUser disabled - Logon violates policy. This value should be used when the original event reports, for example: MFA required, logon outside of working hours, conditional access restrictions, or too frequent attempts.-\tSession expired-\tOtherThe value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalResultDetails', "class": "Recommended"}, + "EventSubType": {"data_type": "String", "description": 'The sign-in type. Allowed values include: - System - Interactive - RemoteInteractive - Service - RemoteService - Remote - Use when the type of remote sign-in is unknown. - AssumeRole - Typically used when the event type is Elevate. The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the field EventOriginalSubType.', "class": "Optional"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.1.3', "class": "Mandatory"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is Authentication.', "class": "Mandatory"}, + "Dvc fields": {"data_type": "-", "description": 'For authentication events, device fields refer to the system reporting the event.', "class": "-"}, + "LogonMethod": {"data_type": "String", "description": 'The method used to perform authentication. Examples: Username & Password, PKI', "class": "Optional"}, + "LogonProtocol": {"data_type": "String", "description": 'The protocol used to perform authentication. Example: NTLM', "class": "Optional"}, + "ActorUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the Actor. For more information, and for alternative fields for additional IDs, see The User entity. Example: S-1-12-1-4141952679-1282074057-627758481-2916039507', "class": "Optional"}, + "ActorScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "ActorScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "ActorUserIdType": {"data_type": "UserIdType", "description": 'The type of the ID stored in the ActorUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.', "class": "Conditional"}, + "ActorUsername": {"data_type": "Username", "description": 'The Actor’s username, including domain information when available. For more information, see The User entity.Example: AlbertE', "class": "Optional"}, + "ActorUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the user name stored in the ActorUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. Example: Windows', "class": "Conditional"}, + "ActorUserType": {"data_type": "UserType", "description": 'The type of the Actor. For more information, and list of allowed values, see UserType in the Schema Overview article.For example: Guest', "class": "Optional"}, + "ActorOriginalUserType": {"data_type": "UserType", "description": 'The user type as reported by the reporting device.', "class": "Optional"}, + "ActorSessionId": {"data_type": "String", "description": 'The unique ID of the sign-in session of the Actor. Example: 102pTUgC3p8RIqHvzxLCHnFlg', "class": "Optional"}, + "ActingAppId": {"data_type": "String", "description": 'The ID of the application authorizing on behalf of the actor, including a process, browser, or service. For example: 0x12ae8', "class": "Optional"}, + "ActingAppName": {"data_type": "String", "description": 'The name of the application authorizing on behalf of the actor, including a process, browser, or service. For example: C:\\Windows\\System32\\svchost.exe', "class": "Optional"}, + "ActingAppType": {"data_type": "AppType", "description": 'The type of acting application. For more information, and allowed list of values, see AppType in the Schema Overview article.', "class": "Optional"}, + "HttpUserAgent": {"data_type": "String", "description": "When authentication is performed over HTTP or HTTPS, this field's value is the user_agent HTTP header provided by the acting application when performing the authentication.For example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", "class": "Optional"}, + "TargetUserId": {"data_type": "UserId", "description": 'A machine-readable, alphanumeric, unique representation of the target user. For more information, and for alternative fields for additional IDs, see The User entity. Example: 00urjk4znu3BcncfY0h7', "class": "Optional"}, + "TargetUserScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which TargetUserId and TargetUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "TargetUserScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which TargetUserId and TargetUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "TargetUserIdType": {"data_type": "UserIdType", "description": 'The type of the user ID stored in the TargetUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article. Example: SID', "class": "Conditional"}, + "TargetUsername": {"data_type": "Username", "description": 'The target user username, including domain information when available. For more information, see The User entity. Example: MarieC', "class": "Optional"}, + "TargetUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the username stored in the TargetUsername field. For more information and list of allowed values, see UsernameType in the Schema Overview article.', "class": "Conditional"}, + "TargetUserType": {"data_type": "UserType", "description": 'The type of the Target user. For more information, and list of allowed values, see UserType in the Schema Overview article. For example: Member', "class": "Optional"}, + "TargetSessionId": {"data_type": "String", "description": 'The sign-in session identifier of the TargetUser on the source device.', "class": "Optional"}, + "TargetOriginalUserType": {"data_type": "UserType", "description": 'The user type as reported by the reporting device.', "class": "Optional"}, + "User": {"data_type": "Username", "description": 'Alias to the TargetUsername or to the TargetUserId if TargetUsername is not defined. Example: CONTOSO\\dadmin', "class": "Alias"}, + "Src": {"data_type": "String", "description": 'A unique identifier of the source device. This field may alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1', "class": "Recommended"}, + "SrcDvcId": {"data_type": "String", "description": 'The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "SrcDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcIdType": {"data_type": "DvcIdType", "description": 'The type of SrcDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used.', "class": "Conditional"}, + "SrcDeviceType": {"data_type": "DeviceType", "description": 'The type of the source device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "SrcHostname": {"data_type": "Hostname", "description": 'The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. Example: DESKTOP-1282V4D', "class": "Recommended"}, + "SrcDomain": {"data_type": "String", "description": 'The domain of the source device.Example: Contoso', "class": "Recommended"}, + "SrcDomainType": {"data_type": "DomainType", "description": 'The type of SrcDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article.Required if SrcDomain is used.', "class": "Conditional"}, + "SrcFQDN": {"data_type": "String", "description": 'The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\\DESKTOP-1282V4D', "class": "Optional"}, + "SrcDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "SrcIpAddr": {"data_type": "IP Address", "description": 'The IP address of the source device. Example: 2.2.2.2', "class": "Optional"}, + "SrcPortNumber": {"data_type": "Integer", "description": 'The IP port from which the connection originated.Example: 2335', "class": "Optional"}, + "SrcDvcOs": {"data_type": "String", "description": 'The OS of the source device. Example: Windows 10', "class": "Optional"}, + "IpAddr": {"data_type": "", "description": 'Alias to SrcIpAddr', "class": "Alias"}, + "SrcIsp": {"data_type": "String", "description": 'The Internet Service Provider (ISP) used by the source device to connect to the internet. Example: corpconnect', "class": "Optional"}, + "SrcGeoCountry": {"data_type": "Country", "description": 'Example: Canada For more information, see Logical types.', "class": "Optional"}, + "SrcGeoCity": {"data_type": "City", "description": 'Example: Montreal For more information, see Logical types.', "class": "Optional"}, + "SrcGeoRegion": {"data_type": "Region", "description": 'Example: Quebec For more information, see Logical types.', "class": "Optional"}, + "SrcGeoLongtitude": {"data_type": "Longitude", "description": 'Example: -73.614830 For more information, see Logical types.', "class": "Optional"}, + "SrcGeoLatitude": {"data_type": "Latitude", "description": 'Example: 45.505918 For more information, see Logical types.', "class": "Optional"}, + "SrcRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the source. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.Example: 90', "class": "Optional"}, + "SrcOriginalRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the source, as reported by the reporting device. Example: Suspicious', "class": "Optional"}, + "TargetAppId": {"data_type": "String", "description": 'The ID of the application to which the authorization is required, often assigned by the reporting device. Example: 89162', "class": "Optional"}, + "TargetAppName": {"data_type": "String", "description": 'The name of the application to which the authorization is required, including a service, a URL, or a SaaS application. Example: Saleforce', "class": "Optional"}, + "TargetAppType": {"data_type": "AppType", "description": 'The type of the application authorizing on behalf of the Actor. For more information, and allowed list of values, see AppType in the Schema Overview article.', "class": "Optional"}, + "TargetUrl": {"data_type": "URL", "description": 'The URL associated with the target application. Example: https://console.aws.amazon.com/console/home?fromtb=true&hashArgs=%23&isauthcode=true&nc2=h_ct&src=header-signin&state=hashArgsFromTB_us-east-1_7596bc16c83d260b', "class": "Optional"}, + "LogonTarget": {"data_type": "", "description": 'Alias to either TargetAppName, TargetUrl, or TargetHostname, whichever field best describes the authentication target.', "class": "Alias"}, + "Dst": {"data_type": "String", "description": 'A unique identifier of the authentication target. This field may alias the TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId, or TargetAppName fields. Example: 192.168.12.1', "class": "Alias"}, + "TargetHostname": {"data_type": "Hostname", "description": 'The target device hostname, excluding domain information.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "TargetDomain": {"data_type": "String", "description": 'The domain of the target device.Example: Contoso', "class": "Recommended"}, + "TargetDomainType": {"data_type": "Enumerated", "description": 'The type of TargetDomain. For a list of allowed values and further information refer to DomainType in the Schema Overview article.Required if TargetDomain is used.', "class": "Conditional"}, + "TargetFQDN": {"data_type": "String", "description": 'The target device hostname, including domain information when available. Example: Contoso\\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The TargetDomainType reflects the format used.', "class": "Optional"}, + "TargetDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "TargetDvcId": {"data_type": "String", "description": 'The ID of the target device. If multiple IDs are available, use the most important one, and store the others in the fields TargetDvc. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "TargetDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. TargetDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "TargerDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. TargetDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "TargetDvcIdType": {"data_type": "Enumerated", "description": 'The type of TargetDvcId. For a list of allowed values and further information refer to DvcIdType in the Schema Overview article. Required if TargetDeviceId is used.', "class": "Conditional"}, + "TargetDeviceType": {"data_type": "Enumerated", "description": 'The type of the target device. For a list of allowed values and further information refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "TargetIpAddr": {"data_type": "IP Address", "description": 'The IP address of the target device. Example: 2.2.2.2', "class": "Optional"}, + "TargetDvcOs": {"data_type": "String", "description": 'The OS of the target device. Example: Windows 10', "class": "Optional"}, + "TargetPortNumber": {"data_type": "Integer", "description": 'The port of the target device.', "class": "Optional"}, + "TargetGeoCountry": {"data_type": "Country", "description": 'The country associated with the target IP address.Example: USA', "class": "Optional"}, + "TargetGeoRegion": {"data_type": "Region", "description": 'The region associated with the target IP address.Example: Vermont', "class": "Optional"}, + "TargetGeoCity": {"data_type": "City", "description": 'The city associated with the target IP address.Example: Burlington', "class": "Optional"}, + "TargetGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the target IP address.Example: 44.475833', "class": "Optional"}, + "TargetGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the target IP address.Example: 73.211944', "class": "Optional"}, + "TargetRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the target. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.Example: 90', "class": "Optional"}, + "TargetOriginalRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the target, as reported by the reporting device. Example: Suspicious', "class": "Optional"}, + "RuleName": {"data_type": "String", "description": 'The name or ID of the rule by associated with the inspection results.', "class": "Optional"}, + "RuleNumber": {"data_type": "Integer", "description": 'The number of the rule associated with the inspection results.', "class": "Optional"}, + "Rule": {"data_type": "String", "description": 'Either the value of RuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.', "class": "Alias"}, + "ThreatId": {"data_type": "String", "description": 'The ID of the threat or malware identified in the audit activity.', "class": "Optional"}, + "ThreatName": {"data_type": "String", "description": 'The name of the threat or malware identified in the audit activity.', "class": "Optional"}, + "ThreatCategory": {"data_type": "String", "description": 'The category of the threat or malware identified in audit file activity.', "class": "Optional"}, + "ThreatRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.', "class": "Optional"}, + "ThreatOriginalRiskLevel": {"data_type": "String", "description": 'The risk level as reported by the reporting device.', "class": "Optional"}, + "ThreatConfidence": {"data_type": "Integer", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalConfidence": {"data_type": "String", "description": 'The original confidence level of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatIsActive": {"data_type": "Boolean", "description": 'True if the threat identified is considered an active threat.', "class": "Optional"}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatIpAddr": {"data_type": "IP Address", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.', "class": "Optional"}, + "ThreatField": {"data_type": "Enumerated", "description": 'The field for which a threat was identified. The value is either SrcIpAddr or TargetIpAddr.', "class": "Optional"}, + }, + "_Im_Dns": { + "EventType": {"data_type": "Enumerated", "description": 'Indicates the operation reported by the record. For DNS records, this value would be the DNS op code. Example: Query', "class": "Mandatory"}, + "EventSubType": {"data_type": "Enumerated", "description": 'Either request or response. For most sources, only the responses are logged, and therefore the value is often response.', "class": "Optional"}, + "EventResultDetails": {"data_type": "Enumerated", "description": "For DNS events, this field provides the DNS response code. Notes:- IANA doesn't define the case for the values, so analytics must normalize the case. - If the source provides only a numerical response code and not a response code name, the parser must include a lookup table to enrich with this value. - If this record represents a request and not a response, set to NA. Example: NXDOMAIN", "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema documented here is 0.1.7.', "class": "Mandatory"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is Dns.', "class": "Mandatory"}, + "Dvc fields": {"data_type": "-", "description": 'For DNS events, device fields refer to the system that reports the DNS event.', "class": "-"}, + "Src": {"data_type": "String", "description": 'A unique identifier of the source device. This field can alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1', "class": "Alias"}, + "SrcIpAddr": {"data_type": "IP Address", "description": 'The IP address of the client that sent the DNS request. For a recursive DNS request, this value would typically be the reporting device, and in most cases set to 127.0.0.1. Example: 192.168.12.1', "class": "Recommended"}, + "SrcPortNumber": {"data_type": "Integer", "description": 'Source port of the DNS query.Example: 54312', "class": "Optional"}, + "IpAddr": {"data_type": "", "description": 'Alias to SrcIpAddr', "class": "Alias"}, + "SrcGeoCountry": {"data_type": "Country", "description": 'The country associated with the source IP address.Example: USA', "class": "Optional"}, + "SrcGeoRegion": {"data_type": "Region", "description": 'The region associated with the source IP address.Example: Vermont', "class": "Optional"}, + "SrcGeoCity": {"data_type": "City", "description": 'The city associated with the source IP address.Example: Burlington', "class": "Optional"}, + "SrcGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the source IP address.Example: 44.475833', "class": "Optional"}, + "SrcGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the source IP address.Example: 73.211944', "class": "Optional"}, + "SrcRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the source. The value should be adjusted to a range of 0 to 100, with 0 for benign and 100 for a high risk.Example: 90', "class": "Optional"}, + "SrcOriginalRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the source, as reported by the reporting device. Example: Suspicious', "class": "Optional"}, + "SrcHostname": {"data_type": "String", "description": 'The source device hostname, excluding domain information.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "Hostname": {"data_type": "", "description": 'Alias to SrcHostname', "class": "Alias"}, + "SrcDomain": {"data_type": "String", "description": 'The domain of the source device.Example: Contoso', "class": "Recommended"}, + "SrcDomainType": {"data_type": "Enumerated", "description": 'The type of SrcDomain, if known. Possible values include:- Windows (such as: contoso)- FQDN (such as: microsoft.com)Required if SrcDomain is used.', "class": "Conditional"}, + "SrcFQDN": {"data_type": "String", "description": 'The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\\DESKTOP-1282V4D', "class": "Optional"}, + "SrcDvcId": {"data_type": "String", "description": 'The ID of the source device as reported in the record.For example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "SrcDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcIdType": {"data_type": "Enumerated", "description": 'The type of SrcDvcId, if known. Possible values include: - AzureResourceId- MDEidIf multiple IDs are available, use the first one from the list, and store the others in the SrcDvcAzureResourceId and SrcDvcMDEid, respectively.Note: This field is required if SrcDvcId is used.', "class": "Conditional"}, + "SrcDeviceType": {"data_type": "Enumerated", "description": 'The type of the source device. Possible values include:- Computer- Mobile Device- IOT Device- Other', "class": "Optional"}, + "SrcDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "SrcUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the source user. For more information, and for alternative fields for additional IDs, see The User entity. Example: S-1-12-1-4141952679-1282074057-627758481-2916039507', "class": "Optional"}, + "SrcUserScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "SrcUserScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "SrcUserIdType": {"data_type": "UserIdType", "description": 'The type of the ID stored in the SrcUserId field. For more information and list of allowed values, see UserIdType in the Schema Overview article.', "class": "Conditional"}, + "SrcUsername": {"data_type": "Username", "description": 'The source username, including domain information when available. For more information, see The User entity.Example: AlbertE', "class": "Optional"}, + "SrcUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the user name stored in the SrcUsername field. For more information, and list of allowed values, see UsernameType in the Schema Overview article. Example: Windows', "class": "Conditional"}, + "User": {"data_type": "", "description": 'Alias to SrcUsername', "class": "Alias"}, + "SrcUserType": {"data_type": "UserType", "description": 'The type of the source user. For more information, and list of allowed values, see UserType in the Schema Overview article.For example: Guest', "class": "Optional"}, + "SrcUserSessionId": {"data_type": "String", "description": 'The unique ID of the sign-in session of the Actor. Example: 102pTUgC3p8RIqHvzxLCHnFlg', "class": "Optional"}, + "SrcOriginalUserType": {"data_type": "String", "description": 'The original source user type, if provided by the source.', "class": "Optional"}, + "SrcProcessName": {"data_type": "String", "description": 'The file name of the process that initiated the DNS request. This name is typically considered to be the process name. Example: C:\\Windows\\explorer.exe', "class": "Optional"}, + "Process": {"data_type": "", "description": 'Alias to the SrcProcessName Example: C:\\Windows\\System32\\rundll32.exe', "class": "Alias"}, + "SrcProcessId": {"data_type": "String", "description": 'The process ID (PID) of the process that initiated the DNS request.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "SrcProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the process that initiated the DNS request. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "Dst": {"data_type": "String", "description": 'A unique identifier of the server that received the DNS request. This field may alias the DstDvcId, DstHostname, or DstIpAddr fields. Example: 192.168.12.1', "class": "Alias"}, + "DstIpAddr": {"data_type": "IP Address", "description": 'The IP address of the server that received the DNS request. For a regular DNS request, this value would typically be the reporting device, and in most cases set to 127.0.0.1.Example: 127.0.0.1', "class": "Optional"}, + "DstGeoCountry": {"data_type": "Country", "description": 'The country associated with the destination IP address. For more information, see Logical types.Example: USA', "class": "Optional"}, + "DstGeoRegion": {"data_type": "Region", "description": 'The region, or state, associated with the destination IP address. For more information, see Logical types.Example: Vermont', "class": "Optional"}, + "DstGeoCity": {"data_type": "City", "description": 'The city associated with the destination IP address. For more information, see Logical types.Example: Burlington', "class": "Optional"}, + "DstGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types.Example: 44.475833', "class": "Optional"}, + "DstGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types.Example: 73.211944', "class": "Optional"}, + "DstRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the destination. The value should be adjusted to a range of 0 to 100, which 0 being benign and 100 being a high risk.Example: 90', "class": "Optional"}, + "DstOriginalRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the destination, as reported by the reporting device. Example: Malicious', "class": "Optional"}, + "DstPortNumber": {"data_type": "Integer", "description": 'Destination Port number.Example: 53', "class": "Optional"}, + "DstHostname": {"data_type": "String", "description": 'The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.Example: DESKTOP-1282V4DNote: This value is mandatory if DstIpAddr is specified.', "class": "Optional"}, + "DstDomain": {"data_type": "String", "description": 'The domain of the destination device.Example: Contoso', "class": "Optional"}, + "DstDomainType": {"data_type": "Enumerated", "description": 'The type of DstDomain, if known. Possible values include:- Windows (contoso\\mypc)- FQDN (learn.microsoft.com)Required if DstDomain is used.', "class": "Conditional"}, + "DstFQDN": {"data_type": "String", "description": 'The destination device hostname, including domain information when available. Example: Contoso\\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The DstDomainType reflects the format used.', "class": "Optional"}, + "DstDvcId": {"data_type": "String", "description": 'The ID of the destination device as reported in the record.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "DstDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DstDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DstDvcIdType": {"data_type": "Enumerated", "description": 'The type of DstDvcId, if known. Possible values include: - AzureResourceId- MDEidIfIf multiple IDs are available, use the first one from the list above, and store the others in the DstDvcAzureResourceId or DstDvcMDEid fields, respectively.Required if DstDeviceId is used.', "class": "Conditional"}, + "DstDeviceType": {"data_type": "Enumerated", "description": 'The type of the destination device. Possible values include:- Computer- Mobile Device- IOT Device- Other', "class": "Optional"}, + "DstDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "DnsQuery": {"data_type": "String", "description": "The domain that the request tries to resolve. Notes: - Some sources send valid FQDN queries in a different format. For example, in the DNS protocol itself, the query includes a dot (.) at the end, which must be removed.- While the DNS protocol limits the type of value in this field to an FQDN, most DNS servers allow any value, and this field is therefore not limited to FQDN values only. Most notably, DNS tunneling attacks may use invalid FQDN values in the query field.- While the DNS protocol allows for multiple queries in a single request, this scenario is rare, if it's found at all. If the request has multiple queries, store the first one in this field, and then and optionally keep the rest in the AdditionalFields field.Example: www.malicious.com", "class": "Mandatory"}, + "Domain": {"data_type": "", "description": 'Alias to DnsQuery.', "class": "Alias"}, + "DnsQueryType": {"data_type": "Integer", "description": 'The DNS Resource Record Type codes. Example: 28', "class": "Optional"}, + "DnsQueryTypeName": {"data_type": "Enumerated", "description": "The DNS Resource Record Type names. Notes: - IANA doesn't define the case for the values, so analytics must normalize the case as needed.- The value ANY is supported for the response code 255. - The value TYPExxxx is supported for unmapped response codes, where xxxx is the numerical value of the response code, as reported by the BIND DNS server. -If the source provides only a numerical query type code and not a query type name, the parser must include a lookup table to enrich with this value.Example: AAAA", "class": "Recommended"}, + "DnsResponseName": {"data_type": "String", "description": "The content of the response, as included in the record. The DNS response data is inconsistent across reporting devices, is complex to parse, and has less value for source-agnostic analytics. Therefore the information model doesn't require parsing and normalization, and Microsoft Sentinel uses an auxiliary function to provide response information. For more information, see Handling DNS response.", "class": "Optional"}, + "DnsResponseCodeName": {"data_type": "", "description": 'Alias to EventResultDetails', "class": "Alias"}, + "DnsResponseCode": {"data_type": "Integer", "description": 'The DNS numerical response code. Example: 3', "class": "Optional"}, + "TransactionIdHex": {"data_type": "String", "description": 'The DNS query unique ID as assigned by the DNS client, in hexadecimal format. Note that this value is part of the DNS protocol and different from DnsSessionId, the network layer session ID, typically assigned by the reporting device.', "class": "Recommended"}, + "NetworkProtocol": {"data_type": "Enumerated", "description": 'The transport protocol used by the network resolution event. The value can be UDP or TCP, and is most commonly set to UDP for DNS. Example: UDP', "class": "Optional"}, + "NetworkProtocolVersion": {"data_type": "Enumerated", "description": 'The version of NetworkProtocol. When using it to distinguish between IP version, use the values IPv4 and IPv6.', "class": "Optional"}, + "DnsQueryClass": {"data_type": "Integer", "description": 'The DNS class ID. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.', "class": "Optional"}, + "DnsQueryClassName": {"data_type": "String", "description": 'The DNS class name. In practice, only the IN class (ID 1) is used, and therefore this field is less valuable.Example: IN', "class": "Optional"}, + "DnsFlags": {"data_type": "String", "description": 'The flags field, as provided by the reporting device. If flag information is provided in multiple fields, concatenate them with comma as a separator. Since DNS flags are complex to parse and are less often used by analytics, parsing, and normalization aren\'t required. Microsoft Sentinel can use an auxiliary function to provide flags information. For more information, see Handling DNS response. Example: ["DR"]', "class": "Optional"}, + "DnsNetworkDuration": {"data_type": "Integer", "description": 'The amount of time, in milliseconds, for the completion of DNS request.Example: 1500', "class": "Optional"}, + "Duration": {"data_type": "", "description": 'Alias to DnsNetworkDuration', "class": "Alias"}, + "DnsFlagsAuthenticated": {"data_type": "Boolean", "description": 'The DNS AD flag, which is related to DNSSEC, indicates in a response that all data included in the answer and authority sections of the response have been verified by the server according to the policies of that server. For more information, see RFC 3655 Section 6.1 for more information.', "class": "Optional"}, + "DnsFlagsAuthoritative": {"data_type": "Boolean", "description": 'The DNS AA flag indicates whether the response from the server was authoritative', "class": "Optional"}, + "DnsFlagsCheckingDisabled": {"data_type": "Boolean", "description": 'The DNS CD flag, which is related to DNSSEC, indicates in a query that non-verified data is acceptable to the system sending the query. For more information, see RFC 3655 Section 6.1 for more information.', "class": "Optional"}, + "DnsFlagsRecursionAvailable": {"data_type": "Boolean", "description": 'The DNS RA flag indicates in a response that that server supports recursive queries.', "class": "Optional"}, + "DnsFlagsRecursionDesired": {"data_type": "Boolean", "description": 'The DNS RD flag indicates in a request that that client would like the server to use recursive queries.', "class": "Optional"}, + "DnsFlagsTruncated": {"data_type": "Boolean", "description": 'The DNS TC flag indicates that a response was truncated as it exceeded the maximum response size.', "class": "Optional"}, + "DnsFlagsZ": {"data_type": "Boolean", "description": 'The DNS Z flag is a deprecated DNS flag, which might be reported by older DNS systems.', "class": "Optional"}, + "DnsSessionId": {"data_type": "string", "description": 'The DNS session identifier as reported by the reporting device. This value is different from TransactionIdHex, the DNS query unique ID as assigned by the DNS client.Example: EB4BFA28-2EAD-4EF7-BC8A-51DF4FDF5B55', "class": "Optional"}, + "SessionId": {"data_type": "", "description": 'Alias to DnsSessionId', "class": "Alias"}, + "DnsResponseIpCountry": {"data_type": "Country", "description": 'The country associated with one of the IP addresses in the DNS response. For more information, see Logical types.Example: USA', "class": "Optional"}, + "DnsResponseIpRegion": {"data_type": "Region", "description": 'The region, or state, associated with one of the IP addresses in the DNS response. For more information, see Logical types.Example: Vermont', "class": "Optional"}, + "DnsResponseIpCity": {"data_type": "City", "description": 'The city associated with one of the IP addresses in the DNS response. For more information, see Logical types.Example: Burlington', "class": "Optional"}, + "DnsResponseIpLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.Example: 44.475833', "class": "Optional"}, + "DnsResponseIpLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with one of the IP addresses in the DNS response. For more information, see Logical types.Example: 73.211944', "class": "Optional"}, + "UrlCategory": {"data_type": "String", "description": "A DNS event source may also look up the category of the requested Domains. The field is called UrlCategory to align with the Microsoft Sentinel network schema. DomainCategory is added as an alias that's fitting to DNS. Example: Educational \\\\ Phishing", "class": "Optional"}, + "DomainCategory": {"data_type": "", "description": 'Alias to UrlCategory.', "class": "Alias"}, + "NetworkRuleName": {"data_type": "String", "description": 'The name or ID of the rule which identified the threat. Example: AnyAnyDrop', "class": "Optional"}, + "NetworkRuleNumber": {"data_type": "Integer", "description": 'The number of the rule which identified the threat.Example: 23', "class": "Optional"}, + "Rule": {"data_type": "String", "description": 'Either the value of NetworkRuleName or the value of NetworkRuleNumber. If the value of NetworkRuleNumber is used, the type should be converted to string.', "class": "Alias"}, + "ThreatId": {"data_type": "String", "description": 'The ID of the threat or malware identified in the network session.Example: Tr.124', "class": "Optional"}, + "ThreatCategory": {"data_type": "String", "description": 'If a DNS event source also provides DNS security, it may also evaluate the DNS event. For example, it can search for the IP address or domain in a threat intelligence database, and assign the domain or IP address with a Threat Category.', "class": "Optional"}, + "ThreatIpAddr": {"data_type": "IP Address", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents. If a threat is identified in the Domain field, this field should be empty.', "class": "Optional"}, + "ThreatField": {"data_type": "Enumerated", "description": 'The field for which a threat was identified. The value is either SrcIpAddr, DstIpAddr, Domain, or DnsResponseName.', "class": "Conditional"}, + "ThreatName": {"data_type": "String", "description": 'The name of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatConfidence": {"data_type": "Integer", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalConfidence": {"data_type": "String", "description": 'The original confidence level of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalRiskLevel": {"data_type": "String", "description": 'The original risk level associated with the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatIsActive": {"data_type": "Boolean", "description": 'True if the threat identified is considered an active threat.', "class": "Optional"}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.', "class": "Optional"}, + }, + "imFileEvent": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. Supported values include: - FileAccessed- FileCreated- FileModified- FileDeleted- FileRenamed- FileCopied- FileMoved- FolderCreated- FolderDeleted- FolderMoved- FolderModified- FileCreatedOrModified', "class": "Mandatory"}, + "EventSubType": {"data_type": "Enumerated", "description": 'Describes details about the operation reported in EventType. Supported values per event type include:- FileCreated - Upload, Checkin- FileModified - Checkin- FileCreatedOrModified - Checkin - FileAccessed - Download, Preview, Checkout, Extended- FileDeleted - Recycled, Versions, Site', "class": "Optional"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is FileEvent.', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.2.1', "class": "Mandatory"}, + "Dvc fields": {"data_type": "-", "description": 'For File activity events, device fields refer to the system on which the file activity occurred.', "class": "-"}, + "TargetFileCreationTime": {"data_type": "Date/Time", "description": 'The time at which the target file was created.', "class": "Optional"}, + "TargetFileDirectory": {"data_type": "String", "description": 'The target file folder or location. This field should be similar to the TargetFilePath field, without the final element. Note: A parser can provide this value if the value available in the log source and does not need to be extracted from the full path.', "class": "Optional"}, + "TargetFileExtension": {"data_type": "String", "description": 'The target file extension.Note: A parser can provide this value if the value available in the log source and does not need to be extracted from the full path.', "class": "Optional"}, + "TargetFileMimeType": {"data_type": "Enumerated", "description": 'The Mime, or Media, type of the target file. Allowed values are listed in the IANA Media Types repository.', "class": "Optional"}, + "TargetFileName": {"data_type": "String", "description": 'The name of the target file, without a path or a location, but with an extension if relevant. This field should be similar to the final element in the TargetFilePath field.', "class": "Recommended"}, + "FileName": {"data_type": "", "description": 'Alias to the TargetFileName field.', "class": "Alias"}, + "TargetFilePath": {"data_type": "String", "description": 'The full, normalized path of the target file, including the folder or location, the file name, and the extension. For more information, see Path structure. Note: If the record does not include folder or location information, store the filename only here. Example: C:\\Windows\\System32\\notepad.exe', "class": "Mandatory"}, + "TargetFilePathType": {"data_type": "Enumerated", "description": 'The type of TargetFilePath. For more information, see Path structure.', "class": "Mandatory"}, + "FilePath": {"data_type": "", "description": 'Alias to the TargetFilePath field.', "class": "Alias"}, + "TargetFileMD5": {"data_type": "MD5", "description": 'The MD5 hash of the target file. Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "TargetFileSHA1": {"data_type": "SHA1", "description": 'The SHA-1 hash of the target file. Example: d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "TargetFileSHA256": {"data_type": "SHA256", "description": 'The SHA-256 hash of the target file. Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "TargetFileSHA512": {"data_type": "SHA512", "description": 'The SHA-512 hash of the source file.', "class": "Optional"}, + "Hash": {"data_type": "", "description": 'Alias to the best available Target File hash.', "class": "Alias"}, + "HashType": {"data_type": "String", "description": 'The type of hash stored in the HASH alias field, allowed values are MD5, SHA, SHA256, SHA512 and IMPHASH. Mandatory if Hash is populated.', "class": "Recommended"}, + "TargetFileSize": {"data_type": "Long", "description": 'The size of the target file in bytes.', "class": "Optional"}, + "SrcFileCreationTime": {"data_type": "Date/Time", "description": 'The time at which the source file was created.', "class": "Optional"}, + "SrcFileDirectory": {"data_type": "String", "description": 'The source file folder or location. This field should be similar to the SrcFilePath field, without the final element. Note: A parser can provide this value if the value is available in the log source, and does not need to be extracted from the full path.', "class": "Optional"}, + "SrcFileExtension": {"data_type": "String", "description": 'The source file extension. Note: A parser can provide this value the value is available in the log source, and does not need to be extracted from the full path.', "class": "Optional"}, + "SrcFileMimeType": {"data_type": "Enumerated", "description": 'The Mime or Media type of the source file. Supported values are listed in the IANA Media Types repository.', "class": "Optional"}, + "SrcFileName": {"data_type": "String", "description": 'The name of the source file, without a path or a location, but with an extension if relevant. This field should be similar to the last element in the SrcFilePath field.', "class": "Recommended"}, + "SrcFilePath": {"data_type": "String", "description": 'The full, normalized path of the source file, including the folder or location, the file name, and the extension. For more information, see Path structure.Example: /etc/init.d/networking', "class": "Recommended"}, + "SrcFilePathType": {"data_type": "Enumerated", "description": 'The type of SrcFilePath. For more information, see Path structure.', "class": "Recommended"}, + "SrcFileMD5": {"data_type": "MD5", "description": 'The MD5 hash of the source file. Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "SrcFileSHA1": {"data_type": "SHA1", "description": 'The SHA-1 hash of the source file.Example:d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "SrcFileSHA256": {"data_type": "SHA256", "description": 'The SHA-256 hash of the source file. Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "SrcFileSHA512": {"data_type": "SHA512", "description": 'The SHA-512 hash of the source file.', "class": "Optional"}, + "SrcFileSize": {"data_type": "Long", "description": 'The size of the source file in bytes.', "class": "Optional"}, + "ActorUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to the User entity. Example: S-1-12', "class": "Recommended"}, + "ActorScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "ActorScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "ActorUserIdType": {"data_type": "String", "description": 'The type of the ID stored in the ActorUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.', "class": "Conditional"}, + "ActorUsername": {"data_type": "String", "description": "The Actor username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available.Store the Username type in the ActorUsernameType field. If other username formats are available, store them in the fields ActorUsername.Example: AlbertE", "class": "Mandatory"}, + "User": {"data_type": "", "description": 'Alias to the ActorUsername field. Example: CONTOSO\\dadmin', "class": "Alias"}, + "ActorUsernameType": {"data_type": "Enumerated", "description": 'Specifies the type of the user name stored in the ActorUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article.Example: Windows', "class": "Conditional"}, + "ActorSessionId": {"data_type": "String", "description": 'The unique ID of the login session of the Actor. Example: 999Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "ActorUserType": {"data_type": "UserType", "description": 'The type of Actor. For a list of allowed values and further information, refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the ActorOriginalUserType field.', "class": "Optional"}, + "ActorOriginalUserType": {"data_type": "String", "description": 'The original destination user type, if provided by the reporting device.', "class": "Optional"}, + "ActingProcessCommandLine": {"data_type": "String", "description": 'The command line used to run the acting process. Example: "choco.exe" -v', "class": "Optional"}, + "ActingProcessName": {"data_type": "string", "description": "The name of the acting process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space.Example: C:\\Windows\\explorer.exe", "class": "Optional"}, + "Process": {"data_type": "", "description": 'Alias to ActingProcessName', "class": "Alias"}, + "ActingProcessId": {"data_type": "String", "description": 'The process ID (PID) of the acting process.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "ActingProcessGuid": {"data_type": "string", "description": 'A generated unique identifier (GUID) of the acting process. Enables identifying the process across systems. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "SrcIpAddr": {"data_type": "IP Address", "description": 'When the operation is initiated by a remote system, the IP address of this system.Example: 185.175.35.214', "class": "Recommended"}, + "IpAddr": {"data_type": "", "description": 'Alias to SrcIpAddr', "class": "Alias"}, + "Src": {"data_type": "", "description": 'Alias to SrcIpAddr', "class": "Alias"}, + "SrcPortNumber": {"data_type": "Integer", "description": 'When the operation is initiated by a remote system, the port number from which the connection was initiated.Example: 2335', "class": "Optional"}, + "SrcHostname": {"data_type": "Hostname", "description": 'The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "SrcDomain": {"data_type": "String", "description": 'The domain of the source device.Example: Contoso', "class": "Recommended"}, + "SrcDomainType": {"data_type": "DomainType", "description": 'The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article.Required if SrcDomain is used.', "class": "Conditional"}, + "SrcFQDN": {"data_type": "String", "description": 'The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\\DESKTOP-1282V4D', "class": "Optional"}, + "SrcDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "SrcDvcId": {"data_type": "String", "description": 'The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "SrcDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcIdType": {"data_type": "DvcIdType", "description": 'The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used.', "class": "Conditional"}, + "SrcDeviceType": {"data_type": "DeviceType", "description": 'The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "SrcSubscriptionId": {"data_type": "String", "description": 'The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcGeoCountry": {"data_type": "Country", "description": 'The country associated with the source IP address.Example: USA', "class": "Optional"}, + "SrcGeoRegion": {"data_type": "Region", "description": 'The region associated with the source IP address.Example: Vermont', "class": "Optional"}, + "SrcGeoCity": {"data_type": "City", "description": 'The city associated with the source IP address.Example: Burlington', "class": "Optional"}, + "SrcGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the source IP address.Example: 44.475833', "class": "Optional"}, + "SrcGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the source IP address.Example: 73.211944', "class": "Optional"}, + "HttpUserAgent": {"data_type": "String", "description": 'When the operation is initiated by a remote system using HTTP or HTTPS, the user agent used.For example:Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135Safari/537.36 Edge/12.246', "class": "Optional"}, + "NetworkApplicationProtocol": {"data_type": "String", "description": 'When the operation is initiated by a remote system, this value is the application layer protocol used in the OSI model. While this field is not enumerated, and any value is accepted, preferable values include: HTTP, HTTPS, SMB,FTP, and SSHExample: SMB', "class": "Optional"}, + "TargetAppName": {"data_type": "String", "description": 'The name of the destination application.Example: Facebook', "class": "Optional"}, + "Application": {"data_type": "", "description": 'Alias to TargetAppName.', "class": "Alias"}, + "TargetAppId": {"data_type": "String", "description": 'The ID of the destination application, as reported by the reporting device.', "class": "Optional"}, + "TargetAppType": {"data_type": "AppType", "description": 'The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article.This field is mandatory if TargetAppName or TargetAppId are used.', "class": "Optional"}, + "TargetUrl": {"data_type": "String", "description": 'When the operation is initiated using HTTP or HTTPS, the URL used. Example: https://onedrive.live.com/?authkey=...', "class": "Optional"}, + "Url": {"data_type": "", "description": 'Alias to TargetUrl', "class": "Alias"}, + "RuleName": {"data_type": "String", "description": 'The name or ID of the rule by associated with the inspection results.', "class": "Optional"}, + "RuleNumber": {"data_type": "Integer", "description": 'The number of the rule associated with the inspection results.', "class": "Optional"}, + "Rule": {"data_type": "String", "description": 'Either the value of kRuleName or the value of RuleNumber. If the value of RuleNumber is used, the type should be converted to string.', "class": "Conditional"}, + "ThreatId": {"data_type": "String", "description": 'The ID of the threat or malware identified in the file activity.', "class": "Optional"}, + "ThreatName": {"data_type": "String", "description": 'The name of the threat or malware identified in the file activity.Example: EICAR Test File', "class": "Optional"}, + "ThreatCategory": {"data_type": "String", "description": 'The category of the threat or malware identified in the file activity.Example: Trojan', "class": "Optional"}, + "ThreatRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the identified threat. The level should be a number between 0 and 100.Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.', "class": "Optional"}, + "ThreatOriginalRiskLevel": {"data_type": "String", "description": 'The risk level as reported by the reporting device.', "class": "Optional"}, + "ThreatFilePath": {"data_type": "String", "description": 'A file path for which a threat was identified. The field ThreatField contains the name of the field ThreatFilePath represents.', "class": "Optional"}, + "ThreatField": {"data_type": "Enumerated", "description": 'The field for which a threat was identified. The value is either SrcFilePath or DstFilePath.', "class": "Optional"}, + "ThreatConfidence": {"data_type": "Integer", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalConfidence": {"data_type": "String", "description": 'The original confidence level of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatIsActive": {"data_type": "Boolean", "description": 'True if the threat identified is considered an active threat.', "class": "Optional"}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.', "class": "Optional"}, + }, + "imNetworkSession": { + "EventCount": {"data_type": "Integer", "description": 'Netflow sources support aggregation, and the EventCount field should be set to the value of the Netflow FLOWS field. For other sources, the value is typically set to 1.', "class": "Mandatory"}, + "EventType": {"data_type": "Enumerated", "description": 'Describes the scenario reported by the record. For Network Session records, the allowed values are: - EndpointNetworkSession - NetworkSession - L2NetworkSession- IDS - FlowFor more information on event types, refer to the schema overview', "class": "Mandatory"}, + "EventSubType": {"data_type": "String", "description": 'Additional description of the event type, if applicable. For Network Session records, supported values include:- Start- EndThis is field is not relevant for Flow events.', "class": "Optional"}, + "EventResult": {"data_type": "Enumerated", "description": 'If the source device does not provide an event result, EventResult should be based on the value of DvcAction. If DvcAction is Deny, Drop, Drop ICMP, Reset, Reset Source, or Reset Destination, EventResult should be Failure. Otherwise, EventResult should be Success.', "class": "Mandatory"}, + "EventResultDetails": {"data_type": "Enumerated", "description": 'Reason or details for the result reported in the EventResult field. Supported values are: - Failover - Invalid TCP - Invalid Tunnel - Maximum Retry - Reset - Routing issue - Simulation - Terminated - Timeout - Transient error - Unknown - NA.The original, source specific, value is stored in the EventOriginalResultDetails field.', "class": "Recommended"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is NetworkSession.', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.2.6.', "class": "Mandatory"}, + "DvcAction": {"data_type": "Enumerated", "description": 'The action taken on the network session. Supported values are:- Allow- Deny- Drop- Drop ICMP- Reset- Reset Source- Reset Destination- Encrypt- Decrypt- VPNrouteNote: The value might be provided in the source record by using different terms, which should be normalized to these values. The original value should be stored in the DvcOriginalAction field.Example: drop', "class": "Recommended"}, + "EventSeverity": {"data_type": "Enumerated", "description": 'If the source device does not provide an event severity, EventSeverity should be based on the value of DvcAction. If DvcAction is Deny, Drop, Drop ICMP, Reset, Reset Source, or Reset Destination, EventSeverity should be Low. Otherwise, EventSeverity should be Informational.', "class": "Optional"}, + "DvcInterface": {"data_type": "", "description": 'The DvcInterface field should alias either the DvcInboundInterface or the DvcOutboundInterface fields.', "class": ""}, + "Dvc fields": {"data_type": "", "description": 'For Network Session events, device fields refer to the system reporting the Network Session event.', "class": ""}, + "NetworkApplicationProtocol": {"data_type": "String", "description": 'The application layer protocol used by the connection or session. The value should be in all uppercase.Example: FTP', "class": "Optional"}, + "NetworkProtocol": {"data_type": "Enumerated", "description": 'The IP protocol used by the connection or session as listed in IANA protocol assignment, which is typically TCP, UDP, or ICMP.Example: TCP', "class": "Optional"}, + "NetworkProtocolVersion": {"data_type": "Enumerated", "description": 'The version of NetworkProtocol. When using it to distinguish between IP version, use the values IPv4 and IPv6.', "class": "Optional"}, + "NetworkDirection": {"data_type": "Enumerated", "description": "The direction of the connection or session: - For the EventType NetworkSession, Flow or L2NetworkSession, NetworkDirection represents the direction relative to the organization or cloud environment boundary. Supported values are Inbound, Outbound, Local (to the organization), External (to the organization) or NA (Not Applicable). - For the EventType EndpointNetworkSession, NetworkDirection represents the direction relative to the endpoint. Supported values are Inbound, Outbound, Local (to the system), Listen or NA (Not Applicable). The Listen value indicates that a device has started accepting network connections but isn't actually, necessarily, connected.", "class": "Optional"}, + "NetworkDuration": {"data_type": "Integer", "description": 'The amount of time, in milliseconds, for the completion of the network session or connection.Example: 1500', "class": "Optional"}, + "Duration": {"data_type": "", "description": 'Alias to NetworkDuration.', "class": "Alias"}, + "NetworkIcmpType": {"data_type": "String", "description": 'For an ICMP message, ICMP type name associated with the numerical value, as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.Example: Destination Unreachable for NetworkIcmpCode 3', "class": "Optional"}, + "NetworkIcmpCode": {"data_type": "Integer", "description": 'For an ICMP message, the ICMP code number as described in RFC 2780 for IPv4 network connections, or in RFC 4443 for IPv6 network connections.', "class": "Optional"}, + "NetworkConnectionHistory": {"data_type": "String", "description": 'TCP flags and other potential IP header information.', "class": "Optional"}, + "DstBytes": {"data_type": "Long", "description": 'The number of bytes sent from the destination to the source for the connection or session. If the event is aggregated, DstBytes should be the sum over all aggregated sessions.Example: 32455', "class": "Recommended"}, + "SrcBytes": {"data_type": "Long", "description": 'The number of bytes sent from the source to the destination for the connection or session. If the event is aggregated, SrcBytes should be the sum over all aggregated sessions.Example: 46536', "class": "Recommended"}, + "NetworkBytes": {"data_type": "Long", "description": 'Number of bytes sent in both directions. If both BytesReceived and BytesSent exist, BytesTotal should equal their sum. If the event is aggregated, NetworkBytes should be the sum over all aggregated sessions.Example: 78991', "class": "Optional"}, + "DstPackets": {"data_type": "Long", "description": 'The number of packets sent from the destination to the source for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, DstPackets should be the sum over all aggregated sessions.Example: 446', "class": "Optional"}, + "SrcPackets": {"data_type": "Long", "description": 'The number of packets sent from the source to the destination for the connection or session. The meaning of a packet is defined by the reporting device. If the event is aggregated, SrcPackets should be the sum over all aggregated sessions.Example: 6478', "class": "Optional"}, + "NetworkPackets": {"data_type": "Long", "description": 'The number of packets sent in both directions. If both PacketsReceived and PacketsSent exist, BytesTotal should equal their sum. The meaning of a packet is defined by the reporting device. If the event is aggregated, NetworkPackets should be the sum over all aggregated sessions.Example: 6924', "class": "Optional"}, + "NetworkSessionId": {"data_type": "string", "description": 'The session identifier as reported by the reporting device. Example: 172\\_12\\_53\\_32\\_4322\\_\\_123\\_64\\_207\\_1\\_80', "class": "Optional"}, + "SessionId": {"data_type": "String", "description": 'Alias to NetworkSessionId.', "class": "Alias"}, + "TcpFlagsAck": {"data_type": "Boolean", "description": 'The TCP ACK Flag reported. The acknowledgment flag is used to acknowledge the successful receipt of a packet. As we can see from the diagram above, the receiver sends an ACK and a SYN in the second step of the three way handshake process to tell the sender that it received its initial packet.', "class": "Optional"}, + "TcpFlagsFin": {"data_type": "Boolean", "description": 'The TCP FIN Flag reported. The finished flag means there is no more data from the sender. Therefore, it is used in the last packet sent from the sender.', "class": "Optional"}, + "TcpFlagsSyn": {"data_type": "Boolean", "description": 'The TCP SYN Flag reported. The synchronization flag is used as a first step in establishing a three way handshake between two hosts. Only the first packet from both the sender and receiver should have this flag set.', "class": "Optional"}, + "TcpFlagsUrg": {"data_type": "Boolean", "description": 'The TCP URG Flag reported. The urgent flag is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received. See RFC 6093 for more details.', "class": "Optional"}, + "TcpFlagsPsh": {"data_type": "Boolean", "description": 'The TCP PSH Flag reported. The push flag is similar to the URG flag and tells the receiver to process these packets as they are received instead of buffering them.', "class": "Optional"}, + "TcpFlagsRst": {"data_type": "Boolean", "description": 'The TCP RST Flag reported. The reset flag gets sent from the receiver to the sender when a packet is sent to a particular host that was not expecting it.', "class": "Optional"}, + "TcpFlagsEce": {"data_type": "Boolean", "description": 'The TCP ECE Flag reported. This flag is responsible for indicating if the TCP peer is ECN capable. See RFC 3168 for more details.', "class": "Optional"}, + "TcpFlagsCwr": {"data_type": "Boolean", "description": 'The TCP CWR Flag reported. The congestion window reduced flag is used by the sending host to indicate it received a packet with the ECE flag set. See RFC 3168 for more details.', "class": "Optional"}, + "TcpFlagsNs": {"data_type": "Boolean", "description": 'The TCP NS Flag reported. The nonce sum flag is still an experimental flag used to help protect against accidental malicious concealment of packets from the sender. See RFC 3540 for more details', "class": "Optional"}, + "Dst": {"data_type": "Alias", "description": 'A unique identifier of the server receiving the DNS request. This field might alias the DstDvcId, DstHostname, or DstIpAddr fields. Example: 192.168.12.1', "class": "Recommended"}, + "DstIpAddr": {"data_type": "IP address", "description": 'The IP address of the connection or session destination. If the session uses network address translation, DstIpAddr is the publicly visible address, and not the original address of the source, which is stored in DstNatIpAddrExample: 2001:db8::ff00:42:8329Note: This value is mandatory if DstHostname is specified.', "class": "Recommended"}, + "DstPortNumber": {"data_type": "Integer", "description": 'The destination IP port.Example: 443', "class": "Optional"}, + "DstHostname": {"data_type": "Hostname", "description": 'The destination device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "DstDomain": {"data_type": "String", "description": 'The domain of the destination device.Example: Contoso', "class": "Recommended"}, + "DstDomainType": {"data_type": "Enumerated", "description": 'The type of DstDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article.Required if DstDomain is used.', "class": "Conditional"}, + "DstFQDN": {"data_type": "String", "description": 'The destination device hostname, including domain information when available. Example: Contoso\\DESKTOP-1282V4D Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The DstDomainType reflects the format used.', "class": "Optional"}, + "DstDvcId": {"data_type": "String", "description": 'The ID of the destination device. If multiple IDs are available, use the most important one, and store the others in the fields DstDvc. Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "DstDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. DstDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DstDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. DstDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DstDvcIdType": {"data_type": "Enumerated", "description": 'The type of DstDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Required if DstDeviceId is used.', "class": "Conditional"}, + "DstDeviceType": {"data_type": "Enumerated", "description": 'The type of the destination device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "DstZone": {"data_type": "String", "description": 'The network zone of the destination, as defined by the reporting device.Example: Dmz', "class": "Optional"}, + "DstInterfaceName": {"data_type": "String", "description": 'The network interface used for the connection or session by the destination device.Example: Microsoft Hyper-V Network Adapter', "class": "Optional"}, + "DstInterfaceGuid": {"data_type": "String", "description": 'The GUID of the network interface used on the destination device.Example:46ad544b-eaf0-47ef-827c-266030f545a6', "class": "Optional"}, + "DstMacAddr": {"data_type": "String", "description": 'The MAC address of the network interface used for the connection or session by the destination device.Example: 06:10:9f:eb:8f:14', "class": "Optional"}, + "DstVlanId": {"data_type": "String", "description": 'The VLAN ID related to the destination device.Example: 130', "class": "Optional"}, + "OuterVlanId": {"data_type": "Alias", "description": "Alias to DstVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that DstVlanId should be used when the VLAN is characterized as outer.", "class": "Optional"}, + "DstSubscriptionId": {"data_type": "String", "description": 'The cloud platform subscription ID the destination device belongs to. DstSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DstGeoCountry": {"data_type": "Country", "description": 'The country associated with the destination IP address. For more information, see Logical types.Example: USA', "class": "Optional"}, + "DstGeoRegion": {"data_type": "Region", "description": 'The region, or state, associated with the destination IP address. For more information, see Logical types.Example: Vermont', "class": "Optional"}, + "DstGeoCity": {"data_type": "City", "description": 'The city associated with the destination IP address. For more information, see Logical types.Example: Burlington', "class": "Optional"}, + "DstGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types.Example: 44.475833', "class": "Optional"}, + "DstGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the destination IP address. For more information, see Logical types.Example: 73.211944', "class": "Optional"}, + "DstUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the destination user. For the supported format for different ID types, refer to the User entity. Example: S-1-12', "class": "Optional"}, + "DstUserScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which DstUserId and DstUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "DstUserScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which DstUserId and DstUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "DstUserIdType": {"data_type": "UserIdType", "description": 'The type of the ID stored in the DstUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.', "class": "Conditional"}, + "DstUsername": {"data_type": "String", "description": "The destination username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available.Store the Username type in the DstUsernameType field. If other username formats are available, store them in the fields DstUsername.Example: AlbertE", "class": "Optional"}, + "User": {"data_type": "", "description": 'Alias to DstUsername.', "class": "Alias"}, + "DstUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the username stored in the DstUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article.Example: Windows', "class": "Conditional"}, + "DstUserType": {"data_type": "UserType", "description": 'The type of destination user. For a list of allowed values and further information, refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the DstOriginalUserType field.', "class": "Optional"}, + "DstOriginalUserType": {"data_type": "String", "description": 'The original destination user type, if provided by the source.', "class": "Optional"}, + "DstAppName": {"data_type": "String", "description": 'The name of the destination application.Example: Facebook', "class": "Optional"}, + "DstAppId": {"data_type": "String", "description": 'The ID of the destination application, as reported by the reporting device.If DstAppType is Process, DstAppId and DstProcessId should have the same value.Example: 124', "class": "Optional"}, + "DstAppType": {"data_type": "AppType", "description": 'The type of the destination application. For a list of allowed values and further information, refer to AppType in the Schema Overview article.This field is mandatory if DstAppName or DstAppId are used.', "class": "Optional"}, + "DstProcessName": {"data_type": "String", "description": 'The file name of the process that terminated the network session. This name is typically considered to be the process name. Example: C:\\Windows\\explorer.exe', "class": "Optional"}, + "Process": {"data_type": "", "description": 'Alias to the DstProcessName Example: C:\\Windows\\System32\\rundll32.exe', "class": "Alias"}, + "DstProcessId": {"data_type": "String", "description": 'The process ID (PID) of the process that terminated the network session.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "DstProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the process that terminated the network session. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "Src": {"data_type": "", "description": 'A unique identifier of the source device. This field might alias the SrcDvcId, SrcHostname, or SrcIpAddr fields. Example: 192.168.12.1', "class": "Alias"}, + "SrcIpAddr": {"data_type": "IP address", "description": 'The IP address from which the connection or session originated. This value is mandatory if SrcHostname is specified. If the session uses network address translation, SrcIpAddr is the publicly visible address, and not the original address of the source, which is stored in SrcNatIpAddrExample: 77.138.103.108', "class": "Recommended"}, + "SrcPortNumber": {"data_type": "Integer", "description": 'The IP port from which the connection originated. Might not be relevant for a session comprising multiple connections.Example: 2335', "class": "Optional"}, + "SrcHostname": {"data_type": "Hostname", "description": 'The source device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field.Example: DESKTOP-1282V4D', "class": "Recommended"}, + "SrcDomain": {"data_type": "String", "description": 'The domain of the source device.Example: Contoso', "class": "Recommended"}, + "SrcDomainType": {"data_type": "DomainType", "description": 'The type of SrcDomain. For a list of allowed values and further information, refer to DomainType in the Schema Overview article.Required if SrcDomain is used.', "class": "Conditional"}, + "SrcFQDN": {"data_type": "String", "description": 'The source device hostname, including domain information when available. Note: This field supports both traditional FQDN format and Windows domain\\hostname format. The SrcDomainType field reflects the format used. Example: Contoso\\DESKTOP-1282V4D', "class": "Optional"}, + "SrcDvcId": {"data_type": "String", "description": 'The ID of the source device. If multiple IDs are available, use the most important one, and store the others in the fields SrcDvc.Example: ac7e9755-8eae-4ffc-8a02-50ed7a2216c3', "class": "Optional"}, + "SrcDvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. SrcDvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. SrcDvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcDvcIdType": {"data_type": "DvcIdType", "description": 'The type of SrcDvcId. For a list of allowed values and further information, refer to DvcIdType in the Schema Overview article. Note: This field is required if SrcDvcId is used.', "class": "Conditional"}, + "SrcDeviceType": {"data_type": "DeviceType", "description": 'The type of the source device. For a list of allowed values and further information, refer to DeviceType in the Schema Overview article.', "class": "Optional"}, + "SrcZone": {"data_type": "String", "description": 'The network zone of the source, as defined by the reporting device.Example: Internet', "class": "Optional"}, + "SrcInterfaceName": {"data_type": "String", "description": 'The network interface used for the connection or session by the source device. Example: eth01', "class": "Optional"}, + "SrcInterfaceGuid": {"data_type": "String", "description": 'The GUID of the network interface used on the source device.Example:46ad544b-eaf0-47ef-827c-266030f545a6', "class": "Optional"}, + "SrcMacAddr": {"data_type": "String", "description": 'The MAC address of the network interface from which the connection or session originated.Example: 06:10:9f:eb:8f:14', "class": "Optional"}, + "SrcVlanId": {"data_type": "String", "description": 'The VLAN ID related to the source device.Example: 130', "class": "Optional"}, + "InnerVlanId": {"data_type": "Alias", "description": "Alias to SrcVlanId. In many cases, the VLAN can't be determined as a source or a destination but is characterized as inner or outer. This alias to signifies that SrcVlanId should be used when the VLAN is characterized as inner.", "class": "Optional"}, + "SrcSubscriptionId": {"data_type": "String", "description": 'The cloud platform subscription ID the source device belongs to. SrcSubscriptionId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "SrcGeoCountry": {"data_type": "Country", "description": 'The country associated with the source IP address.Example: USA', "class": "Optional"}, + "SrcGeoRegion": {"data_type": "Region", "description": 'The region associated with the source IP address.Example: Vermont', "class": "Optional"}, + "SrcGeoCity": {"data_type": "City", "description": 'The city associated with the source IP address.Example: Burlington', "class": "Optional"}, + "SrcGeoLatitude": {"data_type": "Latitude", "description": 'The latitude of the geographical coordinate associated with the source IP address.Example: 44.475833', "class": "Optional"}, + "SrcGeoLongitude": {"data_type": "Longitude", "description": 'The longitude of the geographical coordinate associated with the source IP address.Example: 73.211944', "class": "Optional"}, + "SrcUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the source user. For the supported format for different ID types, refer to the User entity. Example: S-1-12', "class": "Optional"}, + "SrcUserScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which SrcUserId and SrcUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "SrcUserScopeId": {"data_type": "String", "description": 'The scope ID, such as Microsoft Entra Directory ID, in which SrcUserId and SrcUsername are defined. for more information and list of allowed values, see UserScopeId in the Schema Overview article.', "class": "Optional"}, + "SrcUserIdType": {"data_type": "UserIdType", "description": 'The type of the ID stored in the SrcUserId field. For a list of allowed values and further information, refer to UserIdType in the Schema Overview article.', "class": "Conditional"}, + "SrcUsername": {"data_type": "String", "description": "The source username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available.Store the Username type in the SrcUsernameType field. If other username formats are available, store them in the fields SrcUsername.Example: AlbertE", "class": "Optional"}, + "SrcUsernameType": {"data_type": "UsernameType", "description": 'Specifies the type of the username stored in the SrcUsername field. For a list of allowed values and further information, refer to UsernameType in the Schema Overview article.Example: Windows', "class": "Conditional"}, + "SrcUserType": {"data_type": "UserType", "description": 'The type of source user. For a list of allowed values and further information, refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the SrcOriginalUserType field.', "class": "Optional"}, + "SrcOriginalUserType": {"data_type": "String", "description": 'The original destination user type, if provided by the reporting device.', "class": "Optional"}, + "SrcAppName": {"data_type": "String", "description": 'The name of the source application. Example: filezilla.exe', "class": "Optional"}, + "SrcAppId": {"data_type": "String", "description": 'The ID of the source application, as reported by the reporting device. If SrcAppType is Process, SrcAppId and SrcProcessId should have the same value.Example: 124', "class": "Optional"}, + "SrcAppType": {"data_type": "AppType", "description": 'The type of the source application. For a list of allowed values and further information, refer to AppType in the Schema Overview article.This field is mandatory if SrcAppName or SrcAppId are used.', "class": "Optional"}, + "SrcProcessName": {"data_type": "String", "description": 'The file name of the process that initiated the network session. This name is typically considered to be the process name. Example: C:\\Windows\\explorer.exe', "class": "Optional"}, + "SrcProcessId": {"data_type": "String", "description": 'The process ID (PID) of the process that initiated the network session.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "SrcProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the process that initiated the network session. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "Hostname": {"data_type": "", "description": '- If the event type is NetworkSession, Flow or L2NetworkSession, Hostname is an alias to DstHostname. - If the event type is EndpointNetworkSession, Hostname is an alias to RemoteHostname, which can alias either DstHostname or SrcHostName, depending on NetworkDirection', "class": "Alias"}, + "IpAddr": {"data_type": "", "description": '- If the event type is NetworkSession, Flow or L2NetworkSession, IpAddr is an alias to SrcIpAddr. - If the event type is EndpointNetworkSession, IpAddr is an alias to LocalIpAddr, which can alias either SrcIpAddr or DstIpAddr, depending on NetworkDirection.', "class": "Alias"}, + "DstNatIpAddr": {"data_type": "IP address", "description": 'The DstNatIpAddr represents either of: - The original address of the destination device if network address translation was used. - The IP address used by the intermediary device for communication with the source.Example: 2::1', "class": "Optional"}, + "DstNatPortNumber": {"data_type": "Integer", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the source.Example: 443', "class": "Optional"}, + "SrcNatIpAddr": {"data_type": "IP address", "description": 'The SrcNatIpAddr represents either of: - The original address of the source device if network address translation was used. - The IP address used by the intermediary device for communication with the destination.Example: 4.3.2.1', "class": "Optional"}, + "SrcNatPortNumber": {"data_type": "Integer", "description": 'If reported by an intermediary NAT device, the port used by the NAT device for communication with the destination.Example: 345', "class": "Optional"}, + "DvcInboundInterface": {"data_type": "String", "description": 'If reported by an intermediary device, the network interface used by the NAT device for the connection to the source device.Example: eth0', "class": "Optional"}, + "DvcOutboundInterface": {"data_type": "String", "description": 'If reported by an intermediary device, the network interface used by the NAT device for the connection to the destination device.Example: Ethernet adapter Ethernet 4e', "class": "Optional"}, + "NetworkRuleName": {"data_type": "String", "description": 'The name or ID of the rule by which DvcAction was decided upon. Example: AnyAnyDrop', "class": "Optional"}, + "NetworkRuleNumber": {"data_type": "Integer", "description": 'The number of the rule by which DvcAction was decided upon.Example: 23', "class": "Optional"}, + "Rule": {"data_type": "String", "description": 'Either the value of NetworkRuleName or the value of NetworkRuleNumber. If the value of NetworkRuleNumber is used, the type should be converted to string.', "class": "Alias"}, + "ThreatId": {"data_type": "String", "description": 'The ID of the threat or malware identified in the network session.Example: Tr.124', "class": "Optional"}, + "ThreatName": {"data_type": "String", "description": 'The name of the threat or malware identified in the network session.Example: EICAR Test File', "class": "Optional"}, + "ThreatCategory": {"data_type": "String", "description": 'The category of the threat or malware identified in the network session.Example: Trojan', "class": "Optional"}, + "ThreatRiskLevel": {"data_type": "Integer", "description": 'The risk level associated with the session. The level should be a number between 0 and 100.Note: The value might be provided in the source record by using a different scale, which should be normalized to this scale. The original value should be stored in ThreatRiskLevelOriginal.', "class": "Optional"}, + "ThreatOriginalRiskLevel": {"data_type": "String", "description": 'The risk level as reported by the reporting device.', "class": "Optional"}, + "ThreatIpAddr": {"data_type": "IP Address", "description": 'An IP address for which a threat was identified. The field ThreatField contains the name of the field ThreatIpAddr represents.', "class": "Optional"}, + "ThreatField": {"data_type": "Enumerated", "description": 'The field for which a threat was identified. The value is either SrcIpAddr or DstIpAddr.', "class": "Conditional"}, + "ThreatConfidence": {"data_type": "Integer", "description": 'The confidence level of the threat identified, normalized to a value between 0 and a 100.', "class": "Optional"}, + "ThreatOriginalConfidence": {"data_type": "String", "description": 'The original confidence level of the threat identified, as reported by the reporting device.', "class": "Optional"}, + "ThreatIsActive": {"data_type": "Boolean", "description": 'True if the threat identified is considered an active threat.', "class": "Optional"}, + "ThreatFirstReportedTime": {"data_type": "datetime", "description": 'The first time the IP address or domain were identified as a threat.', "class": "Optional"}, + "ThreatLastReportedTime": {"data_type": "datetime", "description": 'The last time the IP address or domain were identified as a threat.', "class": "Optional"}, + }, + "imProcessCreate": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. For Process records, supported values include: - ProcessCreated - ProcessTerminated', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.1.4', "class": "Mandatory"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is ProcessEvent.', "class": "Optional"}, + "Dvc fields": {"data_type": "", "description": 'For process activity events, device fields refer to the system on which the process was executed.', "class": ""}, + "User": {"data_type": "", "description": 'Alias to the TargetUsername. Example: CONTOSO\\dadmin', "class": "Alias"}, + "Process": {"data_type": "", "description": 'Alias to the TargetProcessName Example: C:\\Windows\\System32\\rundll32.exe', "class": "Alias"}, + "CommandLine": {"data_type": "", "description": 'Alias to TargetProcessCommandLine', "class": "Alias"}, + "Hash": {"data_type": "", "description": 'Alias to the best available hash for the target process.', "class": "Alias"}, + "ActorUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the Actor. For the supported format for different ID types, refer to the User entity. Example: S-1-12', "class": "Recommended"}, + "ActorUserIdType": {"data_type": "String", "description": 'The type of the ID stored in the ActorUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article.', "class": "Conditional"}, + "ActorScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "ActorUsername": {"data_type": "String", "description": "The Actor username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available.Store the Username type in the ActorUsernameType field. If other username formats are available, store them in the fields ActorUsername.Example: AlbertE", "class": "Mandatory"}, + "ActorUsernameType": {"data_type": "Enumerated", "description": 'Specifies the type of the user name stored in the ActorUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article.Example: Windows', "class": "Conditional"}, + "ActorSessionId": {"data_type": "String", "description": 'The unique ID of the login session of the Actor. Example: 999Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Optional"}, + "ActorUserType": {"data_type": "UserType", "description": 'The type of Actor. For a list of allowed values and further information refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the ActorOriginalUserType field.', "class": "Optional"}, + "ActorOriginalUserType": {"data_type": "String", "description": 'The original destination user type, if provided by the reporting device.', "class": "Optional"}, + "ActingProcessCommandLine": {"data_type": "String", "description": 'The command line used to run the acting process. Example: "choco.exe" -v', "class": "Optional"}, + "ActingProcessName": {"data_type": "string", "description": "The name of the acting process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space.Example: C:\\Windows\\explorer.exe", "class": "Optional"}, + "ActingProcessFileCompany": {"data_type": "String", "description": 'The company that created the acting process image file. Example: Microsoft', "class": "Optional"}, + "ActingProcessFileDescription": {"data_type": "String", "description": 'The description embedded in the version information of the acting process image file. Example: Notepad++ : a free (GPL) source code editor', "class": "Optional"}, + "ActingProcessFileProduct": {"data_type": "String", "description": 'The product name from the version information in the acting process image file. Example: Notepad++', "class": "Optional"}, + "ActingProcessFileVersion": {"data_type": "String", "description": 'The product version from the version information of the acting process image file. Example: 7.9.5.0', "class": "Optional"}, + "ActingProcessFileInternalName": {"data_type": "String", "description": 'The product internal file name from the version information of the acting process image file.', "class": "Optional"}, + "ActingProcessFileOriginalName": {"data_type": "String", "description": 'The product original file name from the version information of the acting process image file. Example: Notepad++.exe', "class": "Optional"}, + "ActingProcessIsHidden": {"data_type": "Boolean", "description": 'An indication of whether the acting process is in hidden mode.', "class": "Optional"}, + "ActingProcessInjectedAddress": {"data_type": "String", "description": 'The memory address in which the responsible acting process is stored.', "class": "Optional"}, + "ActingProcessId": {"data_type": "String", "description": 'The process ID (PID) of the acting process.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Mandatory"}, + "ActingProcessGuid": {"data_type": "string", "description": 'A generated unique identifier (GUID) of the acting process. Enables identifying the process across systems. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "ActingProcessIntegrityLevel": {"data_type": "String", "description": 'Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.', "class": "Optional"}, + "ActingProcessMD5": {"data_type": "String", "description": 'The MD5 hash of the acting process image file. Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "ActingProcessSHA1": {"data_type": "SHA1", "description": 'The SHA-1 hash of the acting process image file. Example: d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "ActingProcessSHA256": {"data_type": "SHA256", "description": 'The SHA-256 hash of the acting process image file. Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "ActingProcessSHA512": {"data_type": "SHA521", "description": 'The SHA-512 hash of the acting process image file.', "class": "Optional"}, + "ActingProcessIMPHASH": {"data_type": "String", "description": 'The Import Hash of all the library DLLs that are used by the acting process.', "class": "Optional"}, + "ActingProcessCreationTime": {"data_type": "DateTime", "description": 'The date and time when the acting process was started.', "class": "Optional"}, + "ActingProcessTokenElevation": {"data_type": "String", "description": 'A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the acting process. Example: None', "class": "Optional"}, + "ActingProcessFileSize": {"data_type": "Long", "description": 'The size of the file that ran the acting process.', "class": "Optional"}, + "ParentProcessName": {"data_type": "string", "description": "The name of the parent process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space.Example: C:\\Windows\\explorer.exe", "class": "Optional"}, + "ParentProcessFileCompany": {"data_type": "String", "description": 'The name of the company that created the parent process image file. Example: Microsoft', "class": "Optional"}, + "ParentProcessFileDescription": {"data_type": "String", "description": 'The description from the version information in the parent process image file. Example: Notepad++ : a free (GPL) source code editor', "class": "Optional"}, + "ParentProcessFileProduct": {"data_type": "String", "description": 'The product name from the version information in parent process image file. Example: Notepad++', "class": "Optional"}, + "ParentProcessFileVersion": {"data_type": "String", "description": 'The product version from the version information in parent process image file. Example: 7.9.5.0', "class": "Optional"}, + "ParentProcessIsHidden": {"data_type": "Boolean", "description": 'An indication of whether the parent process is in hidden mode.', "class": "Optional"}, + "ParentProcessInjectedAddress": {"data_type": "String", "description": 'The memory address in which the responsible parent process is stored.', "class": "Optional"}, + "ParentProcessId": {"data_type": "String", "description": 'The process ID (PID) of the parent process. Example: 48610176', "class": "Recommended"}, + "ParentProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the parent process. Enables identifying the process across systems. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "ParentProcessIntegrityLevel": {"data_type": "String", "description": 'Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.', "class": "Optional"}, + "ParentProcessMD5": {"data_type": "MD5", "description": 'The MD5 hash of the parent process image file. Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "ParentProcessSHA1": {"data_type": "SHA1", "description": 'The SHA-1 hash of the parent process image file. Example: d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "ParentProcessSHA256": {"data_type": "SHA256", "description": 'The SHA-256 hash of the parent process image file. Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "ParentProcessSHA512": {"data_type": "SHA512", "description": 'The SHA-512 hash of the parent process image file.', "class": "Optional"}, + "ParentProcessIMPHASH": {"data_type": "String", "description": 'The Import Hash of all the library DLLs that are used by the parent process.', "class": "Optional"}, + "ParentProcessTokenElevation": {"data_type": "String", "description": 'A token indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the parent process. Example: None', "class": "Optional"}, + "ParentProcessCreationTime": {"data_type": "DateTime", "description": 'The date and time when the parent process was started.', "class": "Optional"}, + "TargetUsername": {"data_type": "String", "description": "The target username, including domain information when available. For the supported format for different ID types, refer to the User entity. Use the simple form only if domain information isn't available.Store the Username type in the TargetUsernameType field. If other username formats are available, store them in the fields TargetUsername.Example: AlbertE", "class": "Mandatory for process create events."}, + "TargetUsernameType": {"data_type": "Enumerated", "description": 'Specifies the type of the user name stored in the TargetUsername field. For a list of allowed values and further information refer to UsernameType in the Schema Overview article.Example: Windows', "class": "Conditional"}, + "TargetUserId": {"data_type": "String", "description": 'A machine-readable, alphanumeric, unique representation of the target user. For the supported format for different ID types, refer to the User entity. Example: S-1-12', "class": "Recommended"}, + "TargetUserIdType": {"data_type": "String", "description": 'The type of the ID stored in the TargetUserId field. For a list of allowed values and further information refer to UserIdType in the Schema Overview article.', "class": "Conditional"}, + "TargetUserSessionId": {"data_type": "String", "description": "The unique ID of the target user's login session. Example: 999 Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.", "class": "Optional"}, + "TargetUserType": {"data_type": "UserType", "description": 'The type of Actor. For a list of allowed values and further information refer to UserType in the Schema Overview article. Note: The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the TargetOriginalUserType field.', "class": "Optional"}, + "TargetOriginalUserType": {"data_type": "String", "description": 'The original destination user type, if provided by the reporting device.', "class": "Optional"}, + "TargetProcessName": {"data_type": "string", "description": "The name of the target process. This name is commonly derived from the image or executable file that's used to define the initial code and data that's mapped into the process' virtual address space. Example: C:\\Windows\\explorer.exe", "class": "Mandatory"}, + "TargetProcessFileCompany": {"data_type": "String", "description": 'The name of the company that created the target process image file. Example: Microsoft', "class": "Optional"}, + "TargetProcessFileDescription": {"data_type": "String", "description": 'The description from the version information in the target process image file. Example: Notepad++ : a free (GPL) source code editor', "class": "Optional"}, + "TargetProcessFileProduct": {"data_type": "String", "description": 'The product name from the version information in target process image file. Example: Notepad++', "class": "Optional"}, + "TargetProcessFileSize": {"data_type": "String", "description": 'Size of the file that ran the process responsible for the event.', "class": "Optional"}, + "TargetProcessFileVersion": {"data_type": "String", "description": 'The product version from the version information in the target process image file. Example: 7.9.5.0', "class": "Optional"}, + "TargetProcessFileInternalName": {"data_type": "String", "description": 'The product internal file name from the version information of the image file of the target process.', "class": "Optional"}, + "TargetProcessFileOriginalName": {"data_type": "String", "description": 'The product original file name from the version information of the image file of the target process.', "class": "Optional"}, + "TargetProcessIsHidden": {"data_type": "Boolean", "description": 'An indication of whether the target process is in hidden mode.', "class": "Optional"}, + "TargetProcessInjectedAddress": {"data_type": "String", "description": 'The memory address in which the responsible target process is stored.', "class": "Optional"}, + "TargetProcessMD5": {"data_type": "MD5", "description": 'The MD5 hash of the target process image file. Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "TargetProcessSHA1": {"data_type": "SHA1", "description": 'The SHA-1 hash of the target process image file. Example: d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "TargetProcessSHA256": {"data_type": "SHA256", "description": 'The SHA-256 hash of the target process image file. Example: e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "TargetProcessSHA512": {"data_type": "SHA512", "description": 'The SHA-512 hash of the target process image file.', "class": "Optional"}, + "TargetProcessIMPHASH": {"data_type": "String", "description": 'The Import Hash of all the library DLLs that are used by the target process.', "class": "Optional"}, + "HashType": {"data_type": "String", "description": 'The type of hash stored in the HASH alias field, allowed values are MD5, SHA, SHA256, SHA512 and IMPHASH.', "class": "Recommended"}, + "TargetProcessCommandLine": {"data_type": "String", "description": 'The command line used to run the target process. Example: "choco.exe" -v', "class": "Mandatory"}, + "TargetProcessCurrentDirectory": {"data_type": "String", "description": 'The current directory in which the target process is executed. Example: c:\\windows\\system32', "class": "Optional"}, + "TargetProcessCreationTime": {"data_type": "DateTime", "description": 'The product version from the version information of the target process image file.', "class": "Recommended"}, + "TargetProcessId": {"data_type": "String", "description": 'The process ID (PID) of the target process. Example: 48610176Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Mandatory"}, + "TargetProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the target process. Enables identifying the process across systems. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "TargetProcessIntegrityLevel": {"data_type": "String", "description": 'Every process has an integrity level that is represented in its token. Integrity levels determine the process level of protection or access. Windows defines the following integrity levels: low, medium, high, and system. Standard users receive a medium integrity level and elevated users receive a high integrity level. For more information, see Mandatory Integrity Control - Win32 apps.', "class": "Optional"}, + "TargetProcessTokenElevation": {"data_type": "String", "description": 'Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that was created or terminated. Example: None', "class": "Optional"}, + "TargetProcessStatusCode": {"data_type": "String", "description": 'The exit code returned by the target process when terminated. This field is valid only for process termination events. For consistency, the field type is string, even if value provided by the operating system is numeric.', "class": "Optional"}, + }, + "imRegistry": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. For Registry records, supported values include: - RegistryKeyCreated - RegistryKeyDeleted- RegistryKeyRenamed - RegistryValueDeleted - RegistryValueSet', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.1.2', "class": "Mandatory"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is RegistryEvent.', "class": "Optional"}, + "Dvc fields": {"data_type": "", "description": 'For registry activity events, device fields refer to the system on which the registry activity occurred.', "class": ""}, + "RegistryKey": {"data_type": "String", "description": 'The registry key associated with the operation, normalized to standard root key naming conventions. For more information, see Root Keys.Registry keys are similar to folders in file systems. For example: HKEY_LOCAL_MACHINE\\SOFTWARE\\MTG', "class": "Mandatory"}, + "RegistryValue": {"data_type": "String", "description": 'The registry value associated with the operation. Registry values are similar to files in file systems. For example: Path', "class": "Recommended"}, + "RegistryValueType": {"data_type": "String", "description": 'The type of registry value, normalized to standard form. For more information, see Value Types.For example: Reg_Expand_Sz', "class": "Recommended"}, + "RegistryValueData": {"data_type": "String", "description": 'The data stored in the registry value. Example: C:\\Windows\\system32;C:\\Windows;', "class": "Recommended"}, + "RegistryPreviousKey": {"data_type": "String", "description": 'For operations that modify the registry, the original registry key, normalized to standard root key naming. For more information, see Root Keys. Note: If the operation changed other fields, such as the value, but the key remains the same, the RegistryPreviousKey will have the same value as RegistryKey.Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\MTG', "class": "Recommended"}, + "RegistryPreviousValue": {"data_type": "String", "description": 'For operations that modify the registry, the original value type, normalized to the standard form. For more information, see Value Types. If the type was not changed, this field has the same value as the RegistryValueType field. Example: Path', "class": "Recommended"}, + "RegistryPreviousValueType": {"data_type": "String", "description": 'For operations that modify the registry, the original value type. If the type was not changed, this field will have the same value as the RegistryValueType field, normalized to the standard form. For more information, see Value types.Example: Reg_Expand_Sz', "class": "Recommended"}, + "RegistryPreviousValueData": {"data_type": "String", "description": 'The original registry data, for operations that modify the registry. Example: C:\\Windows\\system32;C:\\Windows;', "class": "Recommended"}, + "User": {"data_type": "", "description": 'Alias to the ActorUsername field. Example: CONTOSO\\ dadmin', "class": "Alias"}, + "Process": {"data_type": "", "description": 'Alias to the ActingProcessName field.Example: C:\\Windows\\System32\\rundll32.exe', "class": "Alias"}, + "ActorUsername": {"data_type": "String", "description": 'The user name of the user who initiated the event. Example: CONTOSO\\WIN-GG82ULGC9GO$', "class": "Mandatory"}, + "ActorUsernameType": {"data_type": "Enumerated", "description": 'Specifies the type of the user name stored in the ActorUsername field. For more information, see The User entity. Example: Windows', "class": "Conditional"}, + "ActorUserId": {"data_type": "String", "description": 'A unique ID of the Actor. The specific ID depends on the system generating the event. For more information, see The User entity. Example: S-1-5-18', "class": "Recommended"}, + "ActorScope": {"data_type": "String", "description": 'The scope, such as Microsoft Entra tenant, in which ActorUserId and ActorUsername are defined. or more information and list of allowed values, see UserScope in the Schema Overview article.', "class": "Optional"}, + "ActorUserIdType": {"data_type": "String", "description": 'The type of the ID stored in the ActorUserId field. For more information, see The User entity. Example: SID', "class": "Recommended"}, + "ActorSessionId": {"data_type": "String", "description": 'The unique ID of the login session of the Actor. Example: 999Note: The type is defined as string to support varying systems, but on Windows this value must be numeric. If you are using a Windows machine and the source sends a different type, make sure to convert the value. For example, if source sends a hexadecimal value, convert it to a decimal value.', "class": "Conditional"}, + "ActingProcessName": {"data_type": "String", "description": 'The file name of the acting process image file. This name is typically considered to be the process name. Example: C:\\Windows\\explorer.exe', "class": "Optional"}, + "ActingProcessId": {"data_type": "String", "description": 'The process ID (PID) of the acting process.Example: 48610176 Note: The type is defined as string to support varying systems, but on Windows and Linux this value must be numeric. If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value.', "class": "Mandatory"}, + "ActingProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the acting process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + "ParentProcessName": {"data_type": "String", "description": 'The file name of the parent process image file. This value is typically considered to be the process name. Example: C:\\Windows\\explorer.exe', "class": "Optional"}, + "ParentProcessId": {"data_type": "String", "description": 'The process ID (PID) of the parent process. Example: 48610176', "class": "Mandatory"}, + "ParentProcessGuid": {"data_type": "String", "description": 'A generated unique identifier (GUID) of the parent process. Example: EF3BD0BD-2B74-60C5-AF5C-010000001E00', "class": "Optional"}, + }, + "imWebSession": { + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. Allowed values are: - HTTPsession: Denotes a network session used for HTTP or HTTPS, typically reported by an intermediary device, such as a proxy or a Web security gateway. - WebServerSession: Denotes an HTTP request reported by a web server. Such an event typically has less network related information. The URL reported should not include a schema and a server name, but only the path and parameters part of the URL. - ApiRequest: Denotes an HTTP request reported associated with an API call, typically reported by an application server. Such an event typically has less network related information. When reported by the application server, the URL reported should not include a schema and a server name, but only the path and parameters part of the URL.', "class": "Mandatory"}, + "EventResult": {"data_type": "Enumerated", "description": 'Describes the event result, normalized to one of the following values: - Success - Partial - Failure - NA (not applicable) For an HTTP session, Success is defined as a status code lower than 400, and Failure is defined as a status code higher than 400. For a list of HTTP status codes, refer to W3 Org.The source may provide only a value for the EventResultDetails field, which must be analyzed to get the EventResult value.', "class": "Mandatory"}, + "EventResultDetails": {"data_type": "String", "description": 'The HTTP status code.Note: The value may be provided in the source record using different terms, which should be normalized to these values. The original value should be stored in the EventOriginalResultDetails field.', "class": "Recommended"}, + "EventSchema": {"data_type": "String", "description": 'The name of the schema documented here is WebSession.', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. The version of the schema documented here is 0.2.6', "class": "Mandatory"}, + "Dvc fields": {"data_type": "", "description": 'For Web Session events, device fields refer to the system reporting the Web Session event. This is typically an intermediary device for HTTPSession events, and the destination web or application server for WebServerSession and ApiRequest events.', "class": ""}, + "Url": {"data_type": "String", "description": 'The HTTP request URL, including parameters. For HTTPSession events, the URL may include the schema and should include the server name. For WebServerSession and for ApiRequest the URL would typically not include the schema and server, which can be found in the NetworkApplicationProtocol and DstFQDN fields respectively. Example: https://contoso.com/fo/?k=v&q=u#f', "class": "Mandatory"}, + "UrlCategory": {"data_type": "String", "description": 'The defined grouping of a URL or the domain part of the URL. The category is commonly provided by web security gateways and is based on the content of the site the URL points to.Example: search engines, adult, news, advertising, and parked domains.', "class": "Optional"}, + "UrlOriginal": {"data_type": "String", "description": 'The original value of the URL, when the URL was modified by the reporting device and both values are provided.', "class": "Optional"}, + "HttpVersion": {"data_type": "String", "description": 'The HTTP Request Version.Example: 2.0', "class": "Optional"}, + "HttpRequestMethod": {"data_type": "Enumerated", "description": 'The HTTP Method. The values are as defined in RFC 7231 and RFC 5789, and include GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH.Example: GET', "class": "Recommended"}, + "HttpStatusCode": {"data_type": "", "description": 'The HTTP Status Code. Alias to EventResultDetails.', "class": "Alias"}, + "HttpContentType": {"data_type": "String", "description": 'The HTTP Response content type header. Note: The HttpContentType field may include both the content format and extra parameters, such as the encoding used to get the actual format. Example: text/html; charset=ISO-8859-4', "class": "Optional"}, + "HttpContentFormat": {"data_type": "String", "description": 'The content format part of the HttpContentType Example: text/html', "class": "Optional"}, + "HttpReferrer": {"data_type": "String", "description": 'The HTTP referrer header.Note: ASIM, in sync with OSSEM, uses the correct spelling for referrer, and not the original HTTP header spelling.Example: https://developer.mozilla.org/docs', "class": "Optional"}, + "HttpUserAgent": {"data_type": "String", "description": 'The HTTP user agent header.Example: Mozilla/5.0 (Windows NT 10.0; WOW64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/83.0.4103.97 Safari/537.36', "class": "Optional"}, + "UserAgent": {"data_type": "", "description": 'Alias to HttpUserAgent', "class": "Alias"}, + "HttpRequestXff": {"data_type": "IP Address", "description": 'The HTTP X-Forwarded-For header.Example: 120.12.41.1', "class": "Optional"}, + "HttpRequestTime": {"data_type": "Integer", "description": 'The amount of time, in milliseconds, it took to send the request to the server, if applicable.Example: 700', "class": "Optional"}, + "HttpResponseTime": {"data_type": "Integer", "description": 'The amount of time, in milliseconds, it took to receive a response in the server, if applicable.Example: 800', "class": "Optional"}, + "HttpHost": {"data_type": "String", "description": 'The virtual web server the HTTP request has targeted. This value is typically based on the HTTP Host header.', "class": "Optional"}, + "FileName": {"data_type": "String", "description": 'For HTTP uploads, the name of the uploaded file.', "class": "Optional"}, + "FileMD5": {"data_type": "MD5", "description": 'For HTTP uploads, the MD5 hash of the uploaded file.Example: 75a599802f1fa166cdadb360960b1dd0', "class": "Optional"}, + "FileSHA1": {"data_type": "SHA1", "description": 'For HTTP uploads, the SHA1 hash of the uploaded file.Example:d55c5a4df19b46db8c54c801c4665d3338acdab0', "class": "Optional"}, + "FileSHA256": {"data_type": "SHA256", "description": 'For HTTP uploads, the SHA256 hash of the uploaded file.Example:e81bb824c4a09a811af17deae22f22dd2e1ec8cbb00b22629d2899f7c68da274', "class": "Optional"}, + "FileSHA512": {"data_type": "SHA512", "description": 'For HTTP uploads, the SHA512 hash of the uploaded file.', "class": "Optional"}, + "Hash": {"data_type": "", "description": 'Alias to the available Hash field.', "class": "Alias"}, + "FileHashType": {"data_type": "Enumerated", "description": 'The type of the hash in the Hash field. Possible values include: MD5, SHA1, SHA256, and SHA512.', "class": "Optional"}, + "FileSize": {"data_type": "Long", "description": 'For HTTP uploads, the size in bytes of the uploaded file.', "class": "Optional"}, + "FileContentType": {"data_type": "String", "description": 'For HTTP uploads, the content type of the uploaded file.', "class": "Optional"}, + }, +} +SENTINEL_ASIM_COMMON_FIELDS = { + "COMMON": { + "EventMessage": {"data_type": "String", "description": 'A general message or description, either included in or generated from the record.', "class": "Optional"}, + "EventCount": {"data_type": "Integer", "description": 'The number of events described by the record. This value is used when the source supports aggregation, and a single record might represent multiple events. For other sources, set to 1.', "class": "Mandatory"}, + "EventStartTime": {"data_type": "Date/time", "description": 'The time in which the event started. If the source supports aggregation and the record represents multiple events, the time that the first event was generated. If not provided by the source record, this field aliases the TimeGenerated field.', "class": "Mandatory"}, + "EventEndTime": {"data_type": "Date/time", "description": 'The time in which the event ended. If the source supports aggregation and the record represents multiple events, the time that the last event was generated. If not provided by the source record, this field aliases the TimeGenerated field.', "class": "Mandatory"}, + "EventType": {"data_type": "Enumerated", "description": 'Describes the operation reported by the record. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalType field.', "class": "Mandatory"}, + "EventSubType": {"data_type": "Enumerated", "description": 'Describes a subdivision of the operation reported in the EventType field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalSubType field.', "class": "Optional"}, + "EventResult": {"data_type": "Enumerated", "description": 'One of the following values: Success, Partial, Failure, NA (Not Applicable). The value might be provided in the source record by using different terms, which should be normalized to these values. Alternatively, the source might provide only the EventResultDetails field, which should be analyzed to derive the EventResult value.Example: Success', "class": "Mandatory"}, + "EventResultDetails": {"data_type": "Enumerated", "description": 'Reason or details for the result reported in the EventResult field. Each schema documents the list of values valid for this field. The original, source specific, value is stored in the EventOriginalResultDetails field.Example: NXDOMAIN', "class": "Recommended"}, + "EventUid": {"data_type": "String", "description": 'The unique ID of the record, as assigned by Microsoft Sentinel. This field is typically mapped to the _ItemId Log Analytics field.', "class": "Recommended"}, + "EventOriginalUid": {"data_type": "String", "description": 'A unique ID of the original record, if provided by the source.Example: 69f37748-ddcd-4331-bf0f-b137f1ea83b', "class": "Optional"}, + "EventOriginalType": {"data_type": "String", "description": 'The original event type or ID, if provided by the source. For example, this field is used to store the original Windows event ID. This value is used to derive EventType, which should have only one of the values documented for each schema.Example: 4624', "class": "Optional"}, + "EventOriginalSubType": {"data_type": "String", "description": 'The original event subtype or ID, if provided by the source. For example, this field is used to store the original Windows logon type. This value is used to derive EventSubType, which should have only one of the values documented for each schema.Example: 2', "class": "Optional"}, + "EventOriginalResultDetails": {"data_type": "String", "description": 'The original result details provided by the source. This value is used to derive EventResultDetails, which should have only one of the values documented for each schema.', "class": "Optional"}, + "EventSeverity": {"data_type": "Enumerated", "description": 'The severity of the event. Valid values are: Informational, Low, Medium, or High.', "class": "Recommended"}, + "EventOriginalSeverity": {"data_type": "String", "description": 'The original severity as provided by the reporting device. This value is used to derive EventSeverity.', "class": "Optional"}, + "EventProduct": {"data_type": "String", "description": 'The product generating the event. The value should be one of the values listed in Vendors and Products.Example: Sysmon', "class": "Mandatory"}, + "EventProductVersion": {"data_type": "String", "description": 'The version of the product generating the event. Example: 12.1', "class": "Optional"}, + "EventVendor": {"data_type": "String", "description": 'The vendor of the product generating the event. The value should be one of the values listed in Vendors and Products.Example: Microsoft', "class": "Mandatory"}, + "EventSchema": {"data_type": "String", "description": 'The schema the event is normalized to. Each schema documents its schema name.', "class": "Mandatory"}, + "EventSchemaVersion": {"data_type": "String", "description": 'The version of the schema. Each schema documents its current version.', "class": "Mandatory"}, + "EventReportUrl": {"data_type": "String", "description": 'A URL provided in the event for a resource that provides more information about the event.', "class": "Optional"}, + "EventOwner": {"data_type": "String", "description": 'The owner of the event, which is usually the department or subsidiary in which it was generated.', "class": "Optional"}, + "Dvc": {"data_type": "String", "description": 'A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. This field might alias the DvcFQDN, DvcId, DvcHostname, or DvcIpAddr fields. For cloud sources, for which there is no apparent device, use the same value as the Event Product field.', "class": "Alias"}, + "DvcIpAddr": {"data_type": "IP address", "description": 'The IP address of the device on which the event occurred or which reported the event, depending on the schema. Example: 45.21.42.12', "class": "Recommended"}, + "DvcHostname": {"data_type": "Hostname", "description": 'The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: ContosoDc', "class": "Recommended"}, + "DvcDomain": {"data_type": "String", "description": 'The domain of the device on which the event occurred or which reported the event, depending on the schema.Example: Contoso', "class": "Recommended"}, + "DvcDomainType": {"data_type": "Enumerated", "description": 'The type of DvcDomain. For a list of allowed values and further information, refer to DomainType.Note: This field is required if the DvcDomain field is used.', "class": "Conditional"}, + "DvcFQDN": {"data_type": "String", "description": 'The hostname of the device on which the event occurred or which reported the event, depending on the schema. Example: Contoso\\DESKTOP-1282V4DNote: This field supports both traditional FQDN format and Windows domain\\hostname format. The DvcDomainType field reflects the format used.', "class": "Optional"}, + "DvcDescription": {"data_type": "String", "description": 'A descriptive text associated with the device. For example: Primary Domain Controller.', "class": "Optional"}, + "DvcId": {"data_type": "String", "description": 'The unique ID of the device on which the event occurred or which reported the event, depending on the schema. Example: 41502da5-21b7-48ec-81c9-baeea8d7d669', "class": "Optional"}, + "DvcIdType": {"data_type": "Enumerated", "description": 'The type of DvcId. For a list of allowed values and further information, refer to DvcIdType.- MDEidIf multiple IDs are available, use the first one from the list, and store the others by using the field names DvcAzureResourceId and DvcMDEid, respectively.Note: This field is required if the DvcId field is used.', "class": "Conditional"}, + "DvcMacAddr": {"data_type": "MAC", "description": 'The MAC address of the device on which the event occurred or which reported the event. Example: 00:1B:44:11:3A:B7', "class": "Optional"}, + "DvcZone": {"data_type": "String", "description": 'The network on which the event occurred or which reported the event, depending on the schema. The zone is defined by the reporting device.Example: Dmz', "class": "Optional"}, + "DvcOs": {"data_type": "String", "description": 'The operating system running on the device on which the event occurred or which reported the event. Example: Windows', "class": "Optional"}, + "DvcOsVersion": {"data_type": "String", "description": 'The version of the operating system on the device on which the event occurred or which reported the event. Example: 10', "class": "Optional"}, + "DvcAction": {"data_type": "String", "description": 'For reporting security systems, the action taken by the system, if applicable. Example: Blocked', "class": "Recommended"}, + "DvcOriginalAction": {"data_type": "String", "description": 'The original DvcAction as provided by the reporting device.', "class": "Optional"}, + "DvcInterface": {"data_type": "String", "description": 'The network interface on which data was captured. This field is typically relevant to network related activity, which is captured by an intermediate or tap device.', "class": "Optional"}, + "DvcScopeId": {"data_type": "String", "description": 'The cloud platform scope ID the device belongs to. DvcScopeId map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "DvcScope": {"data_type": "String", "description": 'The cloud platform scope the device belongs to. DvcScope map to a subscription ID on Azure and to an account ID on AWS.', "class": "Optional"}, + "AdditionalFields": {"data_type": "Dynamic", "description": 'If your source provides additional information worth preserving, either keep it with the original field names or create the dynamic AdditionalFields field, and add to it the extra information as key/value pairs.', "class": "Optional"}, + "ASimMatchingIpAddr": {"data_type": "String", "description": 'When a parser uses the ipaddr_has_any_prefix filtering parameters, this field is set with the one of the values SrcIpAddr, DstIpAddr, or Both to reflect the matching fields or fields.', "class": "Recommended"}, + "ASimMatchingHostname": {"data_type": "String", "description": 'When a parser uses the hostname_has_any filtering parameters, this field is set with the one of the values SrcHostname, DstHostname, or Both to reflect the matching fields or fields.', "class": "Recommended"}, + }, +} diff --git a/sigma/pipelines/sentinelasim/transformations.py b/sigma/pipelines/sentinelasim/transformations.py new file mode 100644 index 0000000..e8fb726 --- /dev/null +++ b/sigma/pipelines/sentinelasim/transformations.py @@ -0,0 +1,28 @@ +from ..kusto_common.transformations import BaseHashesValuesTransformation + + +class ProcessCreateHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the Hashes field in imProcessCreate table to get rid of the hash algorithm prefix in each value. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256", "SHA512", "IMPHASH"], field_prefix="TargetProcess") + + +class FileEventHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the Hashes field in imFileEvent table to get rid of the hash algorithm prefix in each value. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256", "SHA512"], field_prefix="TargetFile") + + +class WebSessionHashesValuesTransformation(BaseHashesValuesTransformation): + """ + Transforms the Hashes field in imWebSession table to get rid of the hash algorithm prefix in each value. + """ + + def __init__(self): + super().__init__(valid_hash_algos=["MD5", "SHA1", "SHA256", "SHA512"], field_prefix="File") diff --git a/tests/test_backend_kusto.py b/tests/test_backend_kusto.py index 0811a0f..8d6928f 100644 --- a/tests/test_backend_kusto.py +++ b/tests/test_backend_kusto.py @@ -10,7 +10,7 @@ def microsoft365defender_backend(): return KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()) -def test_microsoft365defender_and_expression(microsoft365defender_backend: KustoBackend): +def test_kusto_and_expression(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -27,7 +27,7 @@ def test_microsoft365defender_and_expression(microsoft365defender_backend: Kusto ) == ['DeviceProcessEvents\n| where ProcessCommandLine =~ "valueA" and AccountName =~ "valueB"'] -def test_microsoft365defender_or_expression(microsoft365defender_backend: KustoBackend): +def test_kusto_or_expression(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -45,7 +45,7 @@ def test_microsoft365defender_or_expression(microsoft365defender_backend: KustoB ) == ['DeviceProcessEvents\n| where ProcessCommandLine =~ "valueA" or AccountName =~ "valueB"'] -def test_microsoft365defender_and_or_expression(microsoft365defender_backend: KustoBackend): +def test_kusto_and_or_expression(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -67,7 +67,7 @@ def test_microsoft365defender_and_or_expression(microsoft365defender_backend: Ku '(ProcessId in~ ("valueB1", "valueB2"))'] -def test_microsoft365defender_or_and_expression(microsoft365defender_backend: KustoBackend): +def test_kusto_or_and_expression(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -88,7 +88,7 @@ def test_microsoft365defender_or_and_expression(microsoft365defender_backend: Ku '(ProcessCommandLine =~ "valueA2" and ProcessId =~ "valueB2")'] -def test_microsoft365defender_in_expression(microsoft365defender_backend: KustoBackend): +def test_kusto_in_expression(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -108,7 +108,7 @@ def test_microsoft365defender_in_expression(microsoft365defender_backend: KustoB 'ProcessCommandLine startswith "valueC"'] -def test_microsoft365defender_regex_query(microsoft365defender_backend: KustoBackend): +def test_kusto_regex_query(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -125,7 +125,7 @@ def test_microsoft365defender_regex_query(microsoft365defender_backend: KustoBac ) == ['DeviceProcessEvents\n| where ProcessCommandLine matches regex "foo.*bar" and ProcessId =~ "foo"'] -def test_microsoft365defender_cidr_query(microsoft365defender_backend: KustoBackend): +def test_kusto_cidr_query(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(""" title: Test @@ -141,7 +141,7 @@ def test_microsoft365defender_cidr_query(microsoft365defender_backend: KustoBack ) == ['DeviceNetworkEvents\n| where ipv4_is_in_range(LocalIP, "192.168.0.0/16")'] -def test_microsoft365defender_negation_basic(microsoft365defender_backend: KustoBackend): +def test_kusto_negation_basic(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(r""" title: Test @@ -165,7 +165,7 @@ def test_microsoft365defender_negation_basic(microsoft365defender_backend: Kusto '(not(ProcessCommandLine =~ "notthis"))'] -def test_microsoft365defender_negation_contains(microsoft365defender_backend: KustoBackend): +def test_kusto_negation_contains(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(r""" title: Test @@ -189,7 +189,7 @@ def test_microsoft365defender_negation_contains(microsoft365defender_backend: Ku '(not(ProcessCommandLine contains "notthis"))'] -def test_microsoft365defender_grouping(microsoft365defender_backend: KustoBackend): +def test_kusto_grouping(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(r""" title: Net connection logic test @@ -212,7 +212,7 @@ def test_microsoft365defender_grouping(microsoft365defender_backend: KustoBacken '"pastebin.com" or RemoteUrl contains "anothersite.com")'] -def test_microsoft365defender_escape_cmdline_slash(microsoft365defender_backend: KustoBackend): +def test_kusto_escape_cmdline_slash(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml(r""" title: Delete All Scheduled Tasks @@ -247,7 +247,7 @@ def test_microsoft365defender_escape_cmdline_slash(microsoft365defender_backend: 'ProcessCommandLine contains " /f")'] -def test_microsoft365defender_cmdline_filters(microsoft365defender_backend: KustoBackend): +def test_kusto_cmdline_filters(microsoft365defender_backend: KustoBackend): assert microsoft365defender_backend.convert( SigmaCollection.from_yaml( r""" @@ -295,3 +295,4 @@ def test_microsoft365defender_cmdline_filters(microsoft365defender_backend: Kust 'action=allow \\"program=" and ProcessCommandLine contains ":\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\\" ' 'enable=yes profile=Any"))))' ] + \ No newline at end of file diff --git a/tests/test_pipelines_azuremonitor.py b/tests/test_pipelines_azuremonitor.py new file mode 100644 index 0000000..31264e5 --- /dev/null +++ b/tests/test_pipelines_azuremonitor.py @@ -0,0 +1,238 @@ +import pytest + +from sigma.backends.kusto import KustoBackend +from sigma.collection import SigmaCollection +from sigma.exceptions import SigmaTransformationError +from sigma.pipelines.azuremonitor import azure_monitor_pipeline + + +def test_azure_monitor_process_creation_field_mapping(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Process Creation + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Image: C:\\Windows\\System32\\cmd.exe + CommandLine: whoami + User: SYSTEM + ProcessId: 1234 + condition: sel + """ + ) + ) + == [ + 'SecurityEvent\n| where NewProcessName =~ "C:\\\\Windows\\\\System32\\\\cmd.exe" and CommandLine =~ "whoami" and SubjectUserName =~ "SYSTEM" and NewProcessId == 1234' + ] + ) + + +def test_azure_monitor_network_connection_field_mapping(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Network Connection + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + DestinationIp: 8.8.8.8 + DestinationPort: 53 + SourcePort: 12345 + condition: sel + """ + ) + ) + == ['SecurityEvent\n| where DestinationIp =~ "8.8.8.8" and DestinationPort == 53 and SourcePort == 12345'] + ) + + +def test_azure_monitor_registry_event_field_mapping(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Registry Event + status: test + logsource: + category: registry_event + product: windows + detection: + sel: + EventID: 13 + TargetObject: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run + condition: sel + """ + ) + ) + == [ + 'SecurityEvent\n| where EventID == 13 and ObjectName =~ "HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"' + ] + ) + + +def test_azure_monitor_file_event_field_mapping(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test File Event + status: test + logsource: + category: file_event + product: windows + detection: + sel: + TargetFilename: C:\\suspicious\\file.exe + Image: C:\\Windows\\System32\\cmd.exe + condition: sel + """ + ) + ) + == [ + 'SecurityEvent\n| where ObjectName =~ "C:\\\\suspicious\\\\file.exe" and NewProcessName =~ "C:\\\\Windows\\\\System32\\\\cmd.exe"' + ] + ) + + +def test_azure_monitor_hashes_transformation(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Hashes + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Hashes: + - md5=1234567890abcdef1234567890abcdef + - sha1=1234567890abcdef1234567890abcdef12345678 + - sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + condition: sel + """ + ) + ) + == [ + 'SecurityEvent\n| where FileHash in~ ("1234567890abcdef1234567890abcdef", "1234567890abcdef1234567890abcdef12345678", "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef")' + ] + ) + + +def test_azure_monitor_registry_key_replacement(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Registry Key Replacement + status: test + logsource: + category: registry_event + product: windows + detection: + sel: + TargetObject: + - HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run + - HKU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run + - HKCR\\Software\\Microsoft\\Windows\\CurrentVersion\\Run + condition: sel + """ + ) + ) + == [ + 'SecurityEvent\n| where ObjectName in~ ("HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run", "HKEY_USERS\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run", "HKEY_LOCAL_MACHINE\\\\CLASSES\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run")' + ] + ) + + +def test_azure_monitor_unsupported_category(): + with pytest.raises(SigmaTransformationError, match="Unable to determine table name for category"): + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Unsupported Category + status: test + logsource: + category: unsupported_category + product: windows + detection: + sel: + Field: value + condition: sel + """ + ) + ) + + +def test_azure_monitor_invalid_field(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*SecurityEvent" + ): + KustoBackend(processing_pipeline=azure_monitor_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Invalid Field + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + InvalidField: value + condition: sel + """ + ) + ) + + +def test_azure_monitor_custom_query_table(): + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline(query_table="CustomTable")).convert( + SigmaCollection.from_yaml( + """ + title: Test Custom Query Table + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + CommandLine: whoami + condition: sel + """ + ) + ) + == ['CustomTable\n| where CommandLine =~ "whoami"'] + ) + + +def test_azure_monitor_pipeline_custom_table_invalid_category(): + """Tests to ensure custom table names override category table name mappings and field name mappings""" + assert ( + KustoBackend(processing_pipeline=azure_monitor_pipeline(query_table="SecurityEvent")).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + product: windows + category: blah + detection: + sel: + Image: actuallyafileevent.exe + condition: sel + """ + ) + ) + == ["SecurityEvent\n| " 'where NewProcessName =~ "actuallyafileevent.exe"'] + ) diff --git a/tests/test_pipelines_microsoft365defender.py b/tests/test_pipelines_microsoft365defender.py deleted file mode 100644 index 5a79b04..0000000 --- a/tests/test_pipelines_microsoft365defender.py +++ /dev/null @@ -1,716 +0,0 @@ -import pytest -from sigma.exceptions import SigmaTransformationError -from sigma.pipelines.microsoft365defender.microsoft365defender import InvalidHashAlgorithmError - -from sigma.backends.kusto import KustoBackend -from sigma.collection import SigmaCollection -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline - - -def test_microsoft_365_defender_username_transformation(): - """Tests splitting username up into different fields if it includes a domain""" - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: process_creation - product: windows - detection: - sel1: - CommandLine: command1 - AccountName: username1 - sel2: - CommandLine: command2 - AccountName: domain2\\username2 - sel3: - CommandLine: command3 - InitiatingProcessAccountName: - - username3 - - domain4\\username4 - sel4: - AccountName: username5 - condition: any of sel* - """) - ) == ['DeviceProcessEvents\n| ' - 'where (ProcessCommandLine =~ "command1" and AccountName =~ "username1") or ' - '(ProcessCommandLine =~ "command2" and (AccountName =~ "username2" and AccountDomain =~ "domain2")) or ' - '(ProcessCommandLine =~ "command3" and (InitiatingProcessAccountName =~ "username3" or ' - '(InitiatingProcessAccountName =~ "username4" and InitiatingProcessAccountDomain =~ "domain4"))) or ' - 'AccountName =~ "username5"'] - - -def test_microsoft_365_defender_hashes_values_transformation(): - """Test for getting hash algo/value from Hashes field and creating new detection items from them""" - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: process_creation - product: windows - detection: - sel1: - Hashes: - - md5|e708864855f3bb69c4d9a213b9108b9f - - sha1|00ea1da4192a2030f9ae023de3b3143ed647bbab - - sha256|6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf - sel2: - Hashes: - - 0b49939d6415354c950b142a0b1e696a - - 4b2b79b6f371ca18f1216461cffeaddf6848a50e - - 8f16f88cfa1cf0d17c75403aa9614d806ebc00419763e0ecac3860decbcd9988 - - invalidhashvalue - condition: any of sel* - """) - ) == ['DeviceProcessEvents\n' - '| where (MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" or SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" ' - 'or SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf") or ' - '(MD5 =~ "0b49939d6415354c950b142a0b1e696a" or SHA1 =~ "4b2b79b6f371ca18f1216461cffeaddf6848a50e" or ' - 'SHA256 =~ "8f16f88cfa1cf0d17c75403aa9614d806ebc00419763e0ecac3860decbcd9988")'] - - -def test_microsoft_365_defender_process_creation_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: process_creation - product: windows - detection: - sel: - CommandLine: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceProcessEvents\n| where ProcessCommandLine =~ "val1" and FolderPath =~ "val2"'] - - -def test_microsoft_365_defender_image_load_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: image_load - product: windows - detection: - sel: - ImageLoaded: val1 - sha1: val2 - condition: sel - """) - ) == ['DeviceImageLoadEvents\n| where FolderPath =~ "val1" and SHA1 =~ "val2"'] - - -def test_microsoft_365_defender_file_access_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_access - product: windows - detection: - sel: - TargetFilename: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] - - -def test_microsoft_365_defender_file_change_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_change - product: windows - detection: - sel: - TargetFilename: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] - - -def test_microsoft_365_defender_file_delete_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_delete - product: windows - detection: - sel: - TargetFilename: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] - - -def test_microsoft_365_defender_file_event_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_change - product: windows - detection: - sel: - TargetFilename: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] - - -def test_microsoft_365_defender_file_rename_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_rename - product: windows - detection: - sel: - TargetFilename: val1 - Image: val2 - condition: sel - """) - ) == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] - - -def test_microsoft_365_defender_registry_add_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_add - product: windows - detection: - sel: - Image: val1 - TargetObject: val2 - condition: sel - """) - ) == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] - - -def test_microsoft_365_defender_registry_delete_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_delete - product: windows - detection: - sel: - Image: val1 - TargetObject: val2 - condition: sel - """) - ) == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] - - -def test_microsoft_365_defender_registry_event_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_event - product: windows - detection: - sel: - Image: val1 - TargetObject: val2 - condition: sel - """) - ) == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] - - -def test_microsoft_365_defender_registry_set_simple(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_set - product: windows - detection: - sel: - Image: val1 - TargetObject: val2 - condition: sel - """) - ) == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] - - -def test_microsoft_365_defender_process_creation_field_mapping(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: process_creation - product: windows - detection: - sel: - Image: C:\\Path\\to\\notmalware.exe - FileVersion: 1 - Description: A Description - Product: pySigma - Company: AttackIQ - OriginalFileName: malware.exe - ProcessId: 2 - CommandLine: definitely not malware - User: heyitsmeyourbrother - IntegrityLevel: 1 - sha1: a123123123 - sha256: a123123123 - md5: a123123123 - ParentProcessId: 1 - ParentImage: C:\\Windows\\Temp\\freemoney.pdf - ParentCommandLine: freemoney.pdf test exe please ignore - ParentUser: heyitsmeyourparent - - condition: sel - """) - ) == ['DeviceProcessEvents\n| ' - 'where FolderPath =~ "C:\\\\Path\\\\to\\\\notmalware.exe" and ' - 'ProcessVersionInfoProductVersion == 1 and ' - 'ProcessVersionInfoFileDescription =~ "A Description" and ' - 'ProcessVersionInfoProductName =~ "pySigma" and ' - 'ProcessVersionInfoCompanyName =~ "AttackIQ" and ' - 'ProcessVersionInfoOriginalFileName =~ "malware.exe" and ' - 'ProcessId == 2 and ' - 'ProcessCommandLine =~ "definitely not malware" and ' - 'AccountName =~ "heyitsmeyourbrother" and ' - 'ProcessIntegrityLevel == 1 and ' - 'SHA1 =~ "a123123123" and ' - 'SHA256 =~ "a123123123" and ' - 'MD5 =~ "a123123123" and ' - 'InitiatingProcessId == 1 and ' - 'InitiatingProcessFolderPath =~ "C:\\\\Windows\\\\Temp\\\\freemoney.pdf" and ' - 'InitiatingProcessCommandLine =~ "freemoney.pdf test exe please ignore" and ' - 'InitiatingProcessAccountName =~ "heyitsmeyourparent"'] - - -def test_microsoft_365_defender_image_load_field_mapping(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: image_load - product: windows - detection: - sel: - ProcessId: 1 - Image: C:\\Temp\\notmalware.exe - ImageLoaded: C:\\Temp\\definitelynotmalware.exe - FileVersion: 1 - Description: A Description - Product: A Product - Company: AttackIQ - OriginalFileName: freemoney.pdf.exe - md5: e708864855f3bb69c4d9a213b9108b9f - sha1: 00ea1da4192a2030f9ae023de3b3143ed647bbab - sha256: 6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf - User: username - - condition: sel - """) - ) == ['DeviceImageLoadEvents\n| ' - 'where InitiatingProcessId == 1 and InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\notmalware.exe" and ' - 'FolderPath =~ "C:\\\\Temp\\\\definitelynotmalware.exe" and InitiatingProcessVersionInfoProductVersion == 1 ' - 'and InitiatingProcessVersionInfoFileDescription =~ "A Description" and ' - 'InitiatingProcessVersionInfoProductName =~ "A Product" and ' - 'InitiatingProcessVersionInfoCompanyName =~ "AttackIQ" and ' - 'InitiatingProcessVersionInfoOriginalFileName =~ "freemoney.pdf.exe" and ' - 'MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" and SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" and ' - 'SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf" and ' - 'InitiatingProcessAccountName =~ "username"'] - - -def test_microsoft_365_defender_file_event_field_mapping(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_event - product: windows - detection: - sel: - ProcessId: 1 - Image: C:\\Path\\To\\process.exe - TargetFilename: C:\\Temp\\passwords.txt - User: username - md5: e708864855f3bb69c4d9a213b9108b9f - sha1: 00ea1da4192a2030f9ae023de3b3143ed647bbab - sha256: 6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf - - condition: sel - """) - ) == ['DeviceFileEvents\n| ' - 'where InitiatingProcessId == 1 and InitiatingProcessFolderPath =~ "C:\\\\Path\\\\To\\\\process.exe" and ' - 'FolderPath =~ "C:\\\\Temp\\\\passwords.txt" and RequestAccountName =~ "username" and ' - 'MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" and SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" and ' - 'SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf"'] - - -def test_microsoft_365_defender_registry_event_field_mapping(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_set - product: windows - detection: - sel: - EventType: CreateKey - ProcessId: 1 - Image: C:\\Temp\\reg.exe - TargetObject: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TrustedInstaller - Details: attackiq - User: username - condition: sel - """) - ) == ['DeviceRegistryEvents\n| ' - 'where ActionType =~ "RegistryKeyCreated" and InitiatingProcessId == 1 and ' - 'InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\reg.exe" and ' - 'RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\TrustedInstaller" and ' - 'RegistryValueData =~ "attackiq" and InitiatingProcessAccountName =~ "username"'] - - -def test_microsoft_365_defender_network_connection_field_mapping(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: network_connection - product: windows - detection: - sel: - ProcessId: 1 - Image: C:\\Temp\\notcobaltstrike.exe - User: admin - Protocol: TCP - SourceIp: 127.0.0.1 - SourcePort: 12345 - DestinationIp: 1.2.3.4 - DestinationPort: 50050 - DestinationHostname: notanatp.net - condition: sel - """) - ) == ['DeviceNetworkEvents\n| ' - 'where InitiatingProcessId == 1 and ' - 'InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\notcobaltstrike.exe" and ' - 'InitiatingProcessAccountName =~ "admin" and Protocol =~ "TCP" and LocalIP =~ "127.0.0.1" and ' - 'LocalPort == 12345 and RemoteIP =~ "1.2.3.4" and RemotePort == 50050 and ' - 'RemoteUrl =~ "notanatp.net"'] - - -def test_microsoft_365_defender_network_connection_cidr(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: network_connection - product: windows - detection: - sel: - SourceIp|cidr: '10.10.0.0/24' - DestinationIp|cidr: '10.11.0.0/24' - condition: sel - """) - ) == ['DeviceNetworkEvents\n| ' - 'where ipv4_is_in_range(LocalIP, "10.10.0.0/24") and ipv4_is_in_range(RemoteIP, "10.11.0.0/24")'] - - -def test_microsoft_365_defender_pipeline_registrykey_replacements(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_event - product: windows - detection: - sel1: - RegistryKey: HKLM\\TestKey1 - PreviousRegistryKey: HKLM\\TestKey1 - sel2: - RegistryKey: HKU\\TestKey2 - PreviousRegistryKey: HKU\\TestKey2 - sel3: - RegistryKey: HKLM\\System\\CurrentControlSet\\TestKey3 - PreviousRegistryKey: HKLM\\System\\CurrentControlSet\\TestKey3 - sel4: - RegistryKey: hkcr\\TestKey4 - PreviousRegistryKey: hkcr\\TestKey4 - condition: any of sel* - """) - ) == [ - 'DeviceRegistryEvents\n| where (RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\TestKey1" and ' - 'PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\TestKey1") or ' - '(RegistryKey =~ "HKEY_USERS\\\\TestKey2" and PreviousRegistryKey =~ "HKEY_USERS\\\\TestKey2") or ' - '(RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet001\\\\TestKey3" and PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet001\\\\TestKey3") or ' - '(RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\CLASSES\\\\TestKey4" and PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\CLASSES\\\\TestKey4")'] - - -def test_microsoft_365_defender_pipeline_registry_actiontype_replacements(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: registry_event - product: windows - detection: - sel1: - ActionType: CreateKey - sel2: - ActionType: DeleteKey - sel3: - ActionType: SetValue - sel4: - ActionType: RenameKey - condition: any of sel* - """) - ) == [ - 'DeviceRegistryEvents\n| ' - 'where ActionType =~ "RegistryKeyCreated" or ' - '(ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) or ' - 'ActionType =~ "RegistryValueSet" or ' - '(ActionType in~ ("RegistryValueSet", "RegistryKeyCreated"))'] - - -def test_microsoft_365_defender_pipeline_valid_hash_in_list(): - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: process_creation - product: windows - detection: - sel: - Hashes: - - MD5=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c - condition: sel - """) - ) == [ 'DeviceProcessEvents\n| ' - 'where MD5 =~ "6444f8a34e99b8f7d9647de66aabe516"'] - - - -def test_microsoft_365_defender_pipeline_generic_field(): - """Tests""" - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_event - product: windows - detection: - sel1: - CommandLine: whoami - ProcessId: 1 - condition: any of sel* - """) - ) == [ - 'DeviceFileEvents\n| ' - 'where InitiatingProcessCommandLine =~ "whoami" and InitiatingProcessId == 1'] - - -def test_microsoft_365_defender_pipeline_parent_image(): - """Tests ParentImage for non-process-creation rules""" - assert KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_event - product: windows - detection: - sel1: - Image: C:\\Windows\\System32\\whoami.exe - ParentImage: C:\\Windows\\System32\\cmd.exe - condition: any of sel* - """) - ) == [ - 'DeviceFileEvents\n| ' - 'where InitiatingProcessFolderPath =~ "C:\\\\Windows\\\\System32\\\\whoami.exe" and ' - 'InitiatingProcessParentFileName =~ "cmd.exe"'] - - -def test_microsoft_365_defender_pipeline_parent_image_false(): - """Tests passing transfer_parent_image=False to the pipeline""" - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceFileEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline(transform_parent_image=False)).convert( - SigmaCollection.from_yaml(""" - title: Test - status: test - logsource: - category: file_event - product: windows - detection: - sel1: - Image: C:\\Windows\\System32\\whoami.exe - ParentImage: C:\\Windows\\System32\\cmd.exe - condition: any of sel* - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_rule_type(): - with pytest.raises(SigmaTransformationError, - match="Rule category not yet supported by the Microsoft 365 Defender Sigma backend."): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: invalid_category - product: invalid_product - detection: - sel: - field: whatever - condition: sel - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_field_process_creation(): - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceProcessEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: process_creation - product: windows - detection: - sel: - CommandLine: whatever - InvalidField: forever - condition: sel - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_field_file_event(): - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceFileEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: file_access - product: windows - detection: - sel: - FileName: whatever - InvalidField: forever - condition: sel - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_field_image_load(): - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceImageLoadEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: image_load - product: windows - detection: - sel: - CommandLine: whatever - InvalidField: forever - condition: sel - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_field_registry_event(): - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceRegistryEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: registry_add - product: windows - detection: - sel: - CommandLine: whatever - InvalidField: forever - condition: sel - """) - ) - - -def test_microsoft_365_defender_pipeline_unsupported_field_network_connection(): - with pytest.raises(SigmaTransformationError, - match="Invalid SigmaDetectionItem field name encountered.*DeviceNetworkEvents"): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: network_connection - product: windows - detection: - sel: - CommandLine: whatever - InvalidField: forever - condition: sel - """) - ) - -def test_microsoft_365_defender_pipeline_no_valid_hashes(): - with pytest.raises(InvalidHashAlgorithmError): - KustoBackend(processing_pipeline=microsoft_365_defender_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: test - status: test - logsource: - category: network_connection - product: windows - detection: - sel: - Hashes: - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c - condition: sel - """) - ) - diff --git a/tests/test_pipelines_microsoftxdr.py b/tests/test_pipelines_microsoftxdr.py new file mode 100644 index 0000000..8e6a6c3 --- /dev/null +++ b/tests/test_pipelines_microsoftxdr.py @@ -0,0 +1,940 @@ +import pytest + +from sigma.backends.kusto import KustoBackend +from sigma.collection import SigmaCollection +from sigma.exceptions import SigmaTransformationError +from sigma.pipelines.kusto_common.errors import InvalidHashAlgorithmError +from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline +from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline + + +def test_microsoft_xdr_pipeline_alias(): + assert microsoft_xdr_pipeline() == microsoft_365_defender_pipeline() + + +def test_microsoft_xdr_username_transformation(): + """Tests splitting username up into different fields if it includes a domain""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel1: + CommandLine: command1 + AccountName: username1 + sel2: + CommandLine: command2 + AccountName: domain2\\username2 + sel3: + CommandLine: command3 + InitiatingProcessAccountName: + - username3 + - domain4\\username4 + sel4: + AccountName: username5 + condition: any of sel* + """ + ) + ) + == [ + "DeviceProcessEvents\n| " + 'where (ProcessCommandLine =~ "command1" and AccountName =~ "username1") or ' + '(ProcessCommandLine =~ "command2" and (AccountName =~ "username2" and AccountDomain =~ "domain2")) or ' + '(ProcessCommandLine =~ "command3" and (InitiatingProcessAccountName =~ "username3" or ' + '(InitiatingProcessAccountName =~ "username4" and InitiatingProcessAccountDomain =~ "domain4"))) or ' + 'AccountName =~ "username5"' + ] + ) + + +def test_microsoft_xdr_hashes_values_transformation(): + """Test for getting hash algo/value from Hashes field and creating new detection items from them""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel1: + Hashes: + - md5|e708864855f3bb69c4d9a213b9108b9f + - sha1|00ea1da4192a2030f9ae023de3b3143ed647bbab + - sha256|6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf + sel2: + Hashes: + - 0b49939d6415354c950b142a0b1e696a + - 4b2b79b6f371ca18f1216461cffeaddf6848a50e + - 8f16f88cfa1cf0d17c75403aa9614d806ebc00419763e0ecac3860decbcd9988 + - invalidhashvalue + condition: any of sel* + """ + ) + ) + == [ + "DeviceProcessEvents\n" + '| where (MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" or SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" ' + 'or SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf") or ' + '(MD5 =~ "0b49939d6415354c950b142a0b1e696a" or SHA1 =~ "4b2b79b6f371ca18f1216461cffeaddf6848a50e" or ' + 'SHA256 =~ "8f16f88cfa1cf0d17c75403aa9614d806ebc00419763e0ecac3860decbcd9988")' + ] + ) + + +def test_microsoft_xdr_process_creation_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + CommandLine: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceProcessEvents\n| where ProcessCommandLine =~ "val1" and FolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_image_load_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: image_load + product: windows + detection: + sel: + ImageLoaded: val1 + sha1: val2 + condition: sel + """ + ) + ) + == ['DeviceImageLoadEvents\n| where FolderPath =~ "val1" and SHA1 =~ "val2"'] + ) + + +def test_microsoft_xdr_file_access_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_access + product: windows + detection: + sel: + TargetFilename: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_file_change_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_change + product: windows + detection: + sel: + TargetFilename: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_file_delete_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_delete + product: windows + detection: + sel: + TargetFilename: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_file_event_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_change + product: windows + detection: + sel: + TargetFilename: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_file_rename_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_rename + product: windows + detection: + sel: + TargetFilename: val1 + Image: val2 + condition: sel + """ + ) + ) + == ['DeviceFileEvents\n| where FolderPath =~ "val1" and InitiatingProcessFolderPath =~ "val2"'] + ) + + +def test_microsoft_xdr_registry_add_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_add + product: windows + detection: + sel: + Image: val1 + TargetObject: val2 + condition: sel + """ + ) + ) + == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] + ) + + +def test_microsoft_xdr_registry_delete_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_delete + product: windows + detection: + sel: + Image: val1 + TargetObject: val2 + condition: sel + """ + ) + ) + == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] + ) + + +def test_microsoft_xdr_registry_event_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_event + product: windows + detection: + sel: + Image: val1 + TargetObject: val2 + condition: sel + """ + ) + ) + == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] + ) + + +def test_microsoft_xdr_registry_set_simple(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_set + product: windows + detection: + sel: + Image: val1 + TargetObject: val2 + condition: sel + """ + ) + ) + == ['DeviceRegistryEvents\n| where InitiatingProcessFolderPath =~ "val1" and RegistryKey =~ "val2"'] + ) + + +def test_microsoft_xdr_process_creation_field_mapping(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Image: C:\\Path\\to\\notmalware.exe + FileVersion: 1 + Description: A Description + Product: pySigma + Company: AttackIQ + OriginalFileName: malware.exe + ProcessId: 2 + CommandLine: definitely not malware + User: heyitsmeyourbrother + IntegrityLevel: 1 + sha1: a123123123 + sha256: a123123123 + md5: a123123123 + ParentProcessId: 1 + ParentImage: C:\\Windows\\Temp\\freemoney.pdf + ParentCommandLine: freemoney.pdf test exe please ignore + ParentUser: heyitsmeyourparent + + condition: sel + """ + ) + ) + == [ + "DeviceProcessEvents\n| " + 'where FolderPath =~ "C:\\\\Path\\\\to\\\\notmalware.exe" and ' + "ProcessVersionInfoProductVersion == 1 and " + 'ProcessVersionInfoFileDescription =~ "A Description" and ' + 'ProcessVersionInfoProductName =~ "pySigma" and ' + 'ProcessVersionInfoCompanyName =~ "AttackIQ" and ' + 'ProcessVersionInfoOriginalFileName =~ "malware.exe" and ' + "ProcessId == 2 and " + 'ProcessCommandLine =~ "definitely not malware" and ' + 'AccountName =~ "heyitsmeyourbrother" and ' + "ProcessIntegrityLevel == 1 and " + 'SHA1 =~ "a123123123" and ' + 'SHA256 =~ "a123123123" and ' + 'MD5 =~ "a123123123" and ' + "InitiatingProcessId == 1 and " + 'InitiatingProcessFolderPath =~ "C:\\\\Windows\\\\Temp\\\\freemoney.pdf" and ' + 'InitiatingProcessCommandLine =~ "freemoney.pdf test exe please ignore" and ' + 'InitiatingProcessAccountName =~ "heyitsmeyourparent"' + ] + ) + + +def test_microsoft_xdr_image_load_field_mapping(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: image_load + product: windows + detection: + sel: + ProcessId: 1 + Image: C:\\Temp\\notmalware.exe + ImageLoaded: C:\\Temp\\definitelynotmalware.exe + FileVersion: 1 + Description: A Description + Product: A Product + Company: AttackIQ + OriginalFileName: freemoney.pdf.exe + md5: e708864855f3bb69c4d9a213b9108b9f + sha1: 00ea1da4192a2030f9ae023de3b3143ed647bbab + sha256: 6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf + User: username + + condition: sel + """ + ) + ) + == [ + "DeviceImageLoadEvents\n| " + 'where InitiatingProcessId == 1 and InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\notmalware.exe" and ' + 'FolderPath =~ "C:\\\\Temp\\\\definitelynotmalware.exe" and InitiatingProcessVersionInfoProductVersion == 1 ' + 'and InitiatingProcessVersionInfoFileDescription =~ "A Description" and ' + 'InitiatingProcessVersionInfoProductName =~ "A Product" and ' + 'InitiatingProcessVersionInfoCompanyName =~ "AttackIQ" and ' + 'InitiatingProcessVersionInfoOriginalFileName =~ "freemoney.pdf.exe" and ' + 'MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" and SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" and ' + 'SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf" and ' + 'InitiatingProcessAccountName =~ "username"' + ] + ) + + +def test_microsoft_xdr_file_event_field_mapping(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_event + product: windows + detection: + sel: + ProcessId: 1 + Image: C:\\Path\\To\\process.exe + TargetFilename: C:\\Temp\\passwords.txt + User: username + md5: e708864855f3bb69c4d9a213b9108b9f + sha1: 00ea1da4192a2030f9ae023de3b3143ed647bbab + sha256: 6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf + + condition: sel + """ + ) + ) + == [ + "DeviceFileEvents\n| " + 'where InitiatingProcessId == 1 and InitiatingProcessFolderPath =~ "C:\\\\Path\\\\To\\\\process.exe" and ' + 'FolderPath =~ "C:\\\\Temp\\\\passwords.txt" and RequestAccountName =~ "username" and ' + 'MD5 =~ "e708864855f3bb69c4d9a213b9108b9f" and SHA1 =~ "00ea1da4192a2030f9ae023de3b3143ed647bbab" and ' + 'SHA256 =~ "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf"' + ] + ) + + +def test_microsoft_xdr_registry_event_field_mapping(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_set + product: windows + detection: + sel: + EventType: CreateKey + ProcessId: 1 + Image: C:\\Temp\\reg.exe + TargetObject: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TrustedInstaller + Details: attackiq + User: username + condition: sel + """ + ) + ) + == [ + "DeviceRegistryEvents\n| " + 'where ActionType =~ "RegistryKeyCreated" and InitiatingProcessId == 1 and ' + 'InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\reg.exe" and ' + 'RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\TrustedInstaller" and ' + 'RegistryValueData =~ "attackiq" and InitiatingProcessAccountName =~ "username"' + ] + ) + + +def test_microsoft_xdr_network_connection_field_mapping(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + ProcessId: 1 + Image: C:\\Temp\\notcobaltstrike.exe + User: admin + Protocol: TCP + SourceIp: 127.0.0.1 + SourcePort: 12345 + DestinationIp: 1.2.3.4 + DestinationPort: 50050 + DestinationHostname: notanatp.net + condition: sel + """ + ) + ) + == [ + "DeviceNetworkEvents\n| " + "where InitiatingProcessId == 1 and " + 'InitiatingProcessFolderPath =~ "C:\\\\Temp\\\\notcobaltstrike.exe" and ' + 'InitiatingProcessAccountName =~ "admin" and Protocol =~ "TCP" and LocalIP =~ "127.0.0.1" and ' + 'LocalPort == 12345 and RemoteIP =~ "1.2.3.4" and RemotePort == 50050 and ' + 'RemoteUrl =~ "notanatp.net"' + ] + ) + + +def test_microsoft_xdr_network_connection_cidr(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + SourceIp|cidr: '10.10.0.0/24' + DestinationIp|cidr: '10.11.0.0/24' + condition: sel + """ + ) + ) + == [ + "DeviceNetworkEvents\n| " + 'where ipv4_is_in_range(LocalIP, "10.10.0.0/24") and ipv4_is_in_range(RemoteIP, "10.11.0.0/24")' + ] + ) + + +def test_microsoft_xdr_pipeline_registrykey_replacements(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_event + product: windows + detection: + sel1: + RegistryKey: HKLM\\TestKey1 + PreviousRegistryKey: HKLM\\TestKey1 + sel2: + RegistryKey: HKU\\TestKey2 + PreviousRegistryKey: HKU\\TestKey2 + sel3: + RegistryKey: HKLM\\System\\CurrentControlSet\\TestKey3 + PreviousRegistryKey: HKLM\\System\\CurrentControlSet\\TestKey3 + sel4: + RegistryKey: hkcr\\TestKey4 + PreviousRegistryKey: hkcr\\TestKey4 + condition: any of sel* + """ + ) + ) + == [ + 'DeviceRegistryEvents\n| where (RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\TestKey1" and ' + 'PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\TestKey1") or ' + '(RegistryKey =~ "HKEY_USERS\\\\TestKey2" and PreviousRegistryKey =~ "HKEY_USERS\\\\TestKey2") or ' + '(RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet001\\\\TestKey3" and PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet001\\\\TestKey3") or ' + '(RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\CLASSES\\\\TestKey4" and PreviousRegistryKey =~ "HKEY_LOCAL_MACHINE\\\\CLASSES\\\\TestKey4")' + ] + ) + + +def test_microsoft_xdr_pipeline_registry_actiontype_replacements(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: registry_event + product: windows + detection: + sel1: + ActionType: CreateKey + sel2: + ActionType: DeleteKey + sel3: + ActionType: SetValue + sel4: + ActionType: RenameKey + condition: any of sel* + """ + ) + ) + == [ + "DeviceRegistryEvents\n| " + 'where ActionType =~ "RegistryKeyCreated" or ' + '(ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) or ' + 'ActionType =~ "RegistryValueSet" or ' + '(ActionType in~ ("RegistryValueSet", "RegistryKeyCreated"))' + ] + ) + + +def test_microsoft_xdr_pipeline_valid_hash_in_list(): + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Hashes: + - MD5=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + condition: sel + """ + ) + ) + == ["DeviceProcessEvents\n| " 'where MD5 =~ "6444f8a34e99b8f7d9647de66aabe516"'] + ) + + +def test_microsoft_xdr_pipeline_generic_field(): + """Tests""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_event + product: windows + detection: + sel1: + CommandLine: whoami + ProcessId: 1 + condition: any of sel* + """ + ) + ) + == ["DeviceFileEvents\n| " 'where InitiatingProcessCommandLine =~ "whoami" and InitiatingProcessId == 1'] + ) + + +def test_microsoft_xdr_pipeline_parent_image(): + """Tests ParentImage for non-process-creation rules""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_event + product: windows + detection: + sel1: + Image: C:\\Windows\\System32\\whoami.exe + ParentImage: C:\\Windows\\System32\\cmd.exe + condition: any of sel* + """ + ) + ) + == [ + "DeviceFileEvents\n| " + 'where InitiatingProcessFolderPath =~ "C:\\\\Windows\\\\System32\\\\whoami.exe" and ' + 'InitiatingProcessParentFileName =~ "cmd.exe"' + ] + ) + + +def test_microsoft_xdr_pipeline_parent_image_false(): + """Tests passing transfer_parent_image=False to the pipeline""" + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceFileEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline(transform_parent_image=False)).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: file_event + product: windows + detection: + sel1: + Image: C:\\Windows\\System32\\whoami.exe + ParentImage: C:\\Windows\\System32\\cmd.exe + condition: any of sel* + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_rule_type(): + with pytest.raises(SigmaTransformationError, match="Unable to determine table name for category"): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: invalid_category + product: invalid_product + detection: + sel: + field: whatever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_field_process_creation(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceProcessEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + CommandLine: whatever + InvalidField: forever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_field_file_event(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceFileEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: file_access + product: windows + detection: + sel: + FileName: whatever + InvalidField: forever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_field_image_load(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceImageLoadEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: image_load + product: windows + detection: + sel: + CommandLine: whatever + InvalidField: forever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_field_registry_event(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceRegistryEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: registry_add + product: windows + detection: + sel: + CommandLine: whatever + InvalidField: forever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_unsupported_field_network_connection(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered.*DeviceNetworkEvents" + ): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + CommandLine: whatever + InvalidField: forever + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_no_valid_hashes(): + with pytest.raises(InvalidHashAlgorithmError): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: test + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + Hashes: + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + condition: sel + """ + ) + ) + + +def test_microsoft_xdr_pipeline_custom_table(): + """Tests to ensure custom table names override category table name mappings and field name mappings""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline(query_table="DeviceFileEvents")).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Image: actuallyafileevent.exe + condition: sel + """ + ) + ) + == ["DeviceFileEvents\n| " 'where InitiatingProcessFolderPath =~ "actuallyafileevent.exe"'] + ) + + +def test_microsoft_xdr_pipeline_custom_table_invalid_category(): + """Tests to ensure custom table names override category table name mappings and field name mappings""" + assert ( + KustoBackend(processing_pipeline=microsoft_xdr_pipeline(query_table="DeviceFileEvents")).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + product: windows + detection: + sel: + Image: actuallyafileevent.exe + condition: sel + """ + ) + ) + == ["DeviceFileEvents\n| " 'where InitiatingProcessFolderPath =~ "actuallyafileevent.exe"'] + ) + + +def test_microsoft_xdr_pipeline_custom_table_invalid_category_no_table(): + """Tests to ensure custom table names override category table name mappings and field name mappings""" + with pytest.raises(SigmaTransformationError, match="Unable to determine table name for category"): + KustoBackend(processing_pipeline=microsoft_xdr_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test + status: test + logsource: + product: windows + detection: + sel: + Image: actuallyafileevent.exe + condition: sel + """ + ) + ) + \ No newline at end of file diff --git a/tests/test_pipelines_sentinelasim.py b/tests/test_pipelines_sentinelasim.py index 03dbfa4..6be3997 100644 --- a/tests/test_pipelines_sentinelasim.py +++ b/tests/test_pipelines_sentinelasim.py @@ -1,26 +1,237 @@ import pytest -from sigma.exceptions import SigmaTransformationError -from sigma.pipelines.microsoft365defender.microsoft365defender import InvalidHashAlgorithmError from sigma.backends.kusto import KustoBackend from sigma.collection import SigmaCollection +from sigma.exceptions import SigmaTransformationError from sigma.pipelines.sentinelasim import sentinel_asim_pipeline -def test_sentinel_asim_basic_conversion(): - """Tests splitting username up into different fields if it includes a domain""" - assert KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( - SigmaCollection.from_yaml(""" - title: Test +def test_sentinel_asim_process_creation_field_mapping(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Process Creation status: test logsource: category: process_creation product: windows detection: - sel1: - CommandLine: command1 - condition: any of sel* - """) - ) == ['imProcessCreate\n| ' - 'where TargetProcessCommandLine =~ "command1"'] - \ No newline at end of file + sel: + Image: C:\\Windows\\System32\\cmd.exe + CommandLine: whoami + User: SYSTEM + ProcessId: 1234 + condition: sel + """ + ) + ) + == [ + 'imProcessCreate\n| where TargetProcessName =~ "C:\\\\Windows\\\\System32\\\\cmd.exe" and TargetProcessCommandLine =~ "whoami" and TargetUsername =~ "SYSTEM" and TargetProcessId == 1234' + ] + ) + + +def test_sentinel_asim_network_connection_field_mapping(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Network Connection + status: test + logsource: + category: network_connection + product: windows + detection: + sel: + DestinationIp: 8.8.8.8 + DestinationPort: 53 + Protocol: udp + condition: sel + """ + ) + ) + == ['imNetworkSession\n| where DstIpAddr =~ "8.8.8.8" and DstPortNumber == 53 and NetworkProtocol =~ "udp"'] + ) + + +def test_sentinel_asim_registry_event_field_mapping(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Registry Event + status: test + logsource: + category: registry_event + product: windows + detection: + sel: + TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run + EventType: SetValue + condition: sel + """ + ) + ) + == [ + 'imRegistry\n| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" and EventType =~ "RegistryValueSet"' + ] + ) + + +def test_sentinel_asim_custom_table(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline(query_table="imFileEvent")).convert( + SigmaCollection.from_yaml( + """ + title: Test Custom Table + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Image: malware.exe + condition: sel + """ + ) + ) + == ['imFileEvent\n| where TargetFilePath =~ "malware.exe"'] + ) + + +def test_sentinel_asim_unsupported_field(): + with pytest.raises( + SigmaTransformationError, match="Invalid SigmaDetectionItem field name encountered: UnsupportedField" + ): + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test Unsupported Field + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + UnsupportedField: value + condition: sel + """ + ) + ) + + +def test_sentinel_asim_file_event(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test File Event + status: test + logsource: + category: file_event + product: windows + detection: + sel: + Image: C:\\Windows\\explorer.exe + condition: sel + """ + ) + ) + == ['imFileEvent\n| where TargetFilePath =~ "C:\\\\Windows\\\\explorer.exe"'] + ) + + +def test_sentinel_asim_pipeline_custom_table_invalid_category(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline(query_table="imFileEvent")).convert( + SigmaCollection.from_yaml( + """ + title: Test Custom Table + status: test + logsource: + category: blah + product: windows + detection: + sel: + Image: malware.exe + condition: sel + """ + ) + ) + == ['imFileEvent\n| where TargetFilePath =~ "malware.exe"'] + ) + + +def test_sentinel_asim_processcreate_hashes_field_values(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test ProcessCreate Hashes Field Values + status: test + logsource: + category: process_creation + product: windows + detection: + sel: + Hashes: + - md5=1234567890abcdef1234567890abcdef + - sha1=1234567890abcdef1234567890abcdef12345678 + - sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + - imphash=1234567890abcdef1234567890abcdef + - sha512=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + condition: sel + """ + ) + ) + == [ + 'imProcessCreate\n| where TargetProcessMD5 =~ "1234567890abcdef1234567890abcdef" or TargetProcessSHA1 =~ "1234567890abcdef1234567890abcdef12345678" or TargetProcessSHA256 =~ "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef" or TargetProcessIMPHASH =~ "1234567890abcdef1234567890abcdef" or TargetProcessSHA512 =~ "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"' + ] + ) + +def test_sentinel_asim_fileevent_hashes_field_values(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test FileEvent Hashes Field Values + status: test + logsource: + category: file_event + product: windows + detection: + sel: + Hashes: + - md5=1234567890abcdef1234567890abcdef + - sha1=1234567890abcdef1234567890abcdef12345678 + - sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + condition: sel + """ + ) + ) + == ['imFileEvent\n| where TargetFileMD5 =~ "1234567890abcdef1234567890abcdef" or TargetFileSHA1 =~ "1234567890abcdef1234567890abcdef12345678" or TargetFileSHA256 =~ "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"'] + ) + +def test_sentinel_asim_webrequest_hashes_field_values(): + assert ( + KustoBackend(processing_pipeline=sentinel_asim_pipeline()).convert( + SigmaCollection.from_yaml( + """ + title: Test WebRequest Hashes Field Values + status: test + logsource: + category: proxy + product: windows + detection: + sel: + Hashes: + - md5=1234567890abcdef1234567890abcdef + - sha1=1234567890abcdef1234567890abcdef12345678 + - sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef + condition: sel + """ + ) + ) + == ['imWebSession\n| where FileMD5 =~ "1234567890abcdef1234567890abcdef" or FileSHA1 =~ "1234567890abcdef1234567890abcdef12345678" or FileSHA256 =~ "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"'] + ) diff --git a/utils/get_azure_monitor_schema_tables.py b/utils/get_azure_monitor_schema_tables.py new file mode 100644 index 0000000..c08c08c --- /dev/null +++ b/utils/get_azure_monitor_schema_tables.py @@ -0,0 +1,127 @@ +import base64 +import os +import re +from datetime import datetime, timezone +from typing import Dict, List + +import requests +from dotenv import load_dotenv + +load_dotenv() + +# GitHub API configuration +GITHUB_API_KEY = os.getenv("GITHUB_API_KEY") +BASE_URL = "https://api.github.com/repos/MicrosoftDocs/azure-reference-other/contents/azure-monitor-ref/tables" +HEADERS = {"Accept": "application/vnd.github.v3+json"} +if GITHUB_API_KEY: + HEADERS["Authorization"] = f"token {GITHUB_API_KEY}" + +OUTPUT_FILE = "sigma/pipelines/azuremonitor/tables.py" + + +def fetch_content(file_name: str = None) -> str: + """Fetch the file content from GitHub and decode it.""" + url = BASE_URL + if file_name: + url = f"{BASE_URL}/{file_name}" + response = requests.get(url, headers=HEADERS) + if response.ok: + try: + json_content = response.json() + if isinstance(json_content, dict) and "content" in json_content: + return base64.b64decode(json_content["content"]).decode("utf-8") + else: + return response.json() + except ValueError: + return response.text + print(f"Failed to retrieve content for {file_name}: {response.reason}") + return None + + +def extract_table_urls(json_content: dict) -> List[str]: + """Extract table URLs from the json content.""" + return [entry["name"] for entry in json_content] + + +def extract_table_schema(content: str, table_name: str = None) -> dict: + """Extract table schema from markdown content.""" + match = re.search( + r"\|\s*Column\s*\|\s*Type\s*\|\s*Description\s*\|\n\|[-\s|]*\n((?:\|.*\|$\n?)+)", content, re.MULTILINE + ) + if not match: + match = re.search( + r"\|Column\|Type\|Description\|[\r\n]+\|---\|---\|---\|[\n\r]+(.*?)(?=\n##|\Z)", content, re.DOTALL + ) + if not match: + print(f"Field table not found in {table_name}") + return {} + + schema_data = {} + for row in match.group(1).strip().split("\n"): + columns = [col.strip() for col in row.strip().strip("|").split("|")] + if len(columns) >= 2: + schema_data[columns[0]] = {"data_type": columns[1], "description": columns[2] if len(columns) > 2 else ""} + if not schema_data: + print(f"Table schema could not be parsed from {table_name}") + return schema_data + + +def process_table(file_path: str) -> dict: + """Process a table file and extract the schema.""" + print(f"Processing table: {file_path}") + content = fetch_content(file_path) + if not content: + return {} + # Try to get table name from header after --- + table_name = re.search(r"^title:.*-\s*(.+)$", content, re.MULTILINE) + if not table_name: + # Try to get table name from top text between --- + table_name = re.search(r"^ms\.custom\:\s+(.+)", content, re.MULTILINE) + table_name = table_name.group(1).strip() if table_name else None + if not table_name: + print(f"Table name not found in {file_path}") + return {} + return {table_name: extract_table_schema(content, table_name)} + + +def write_schema(output_file: str, schema_tables: Dict[str, dict]): + """Write the schema tables to a Python file.""" + with open(output_file, "w") as f: + f.write("# This file is auto-generated. Do not edit manually.\n") + f.write(f"# Last updated: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n") + f.write("AZURE_MONITOR_TABLES = {\n") + for table, fields in schema_tables.items(): + f.write(f' "{table}": {{\n') + for field, info in fields.items(): + f.write( + f' "{field.strip("`")}": {{"data_type": "{info["data_type"].strip("`")}", "description": {repr(info["description"])}}},\n' + ) + f.write(" },\n") + f.write("}\n") + + +def get_all_includes_tables() -> dict: + tables_list = fetch_content("includes") + if not tables_list: + return {} + table_urls = ["includes/" + url for url in extract_table_urls(tables_list) if url.endswith(".md")] + return {table: schema for url in table_urls for table, schema in process_table(url).items() if schema} + + +def get_all_tables() -> dict: + """Retrieve all tables from the TOC and process them.""" + tables_list = fetch_content() + if not tables_list: + return {} + table_urls = [x for x in extract_table_urls(tables_list) if x.endswith(".md")] + return {table: schema for url in table_urls for table, schema in process_table(url).items() if schema} + + +if __name__ == "__main__": + if not GITHUB_API_KEY: + print("Warning: GITHUB_API_KEY not set. You may encounter rate limiting.") + tables = get_all_tables() + tables_includes = get_all_includes_tables() + tables.update(tables_includes) + write_schema(OUTPUT_FILE, tables) + print(f"Schema written to {OUTPUT_FILE}") diff --git a/utils/get_microsoft_xdr_schema_tables.py b/utils/get_microsoft_xdr_schema_tables.py index de30e6c..ef3b611 100644 --- a/utils/get_microsoft_xdr_schema_tables.py +++ b/utils/get_microsoft_xdr_schema_tables.py @@ -1,10 +1,11 @@ +import base64 +import os +import re from datetime import datetime, timezone +from typing import Dict, List + import requests -import base64 import yaml -from typing import List, Dict -import re -import os from dotenv import load_dotenv load_dotenv() @@ -16,7 +17,7 @@ if GITHUB_API_KEY: HEADERS["Authorization"] = f"token {GITHUB_API_KEY}" -OUTPUT_FILE = "sigma/pipelines/microsoft365defender/tables.py" +OUTPUT_FILE = "sigma/pipelines/microsoftxdr/tables.py" def fetch_content(file_name: str) -> str: @@ -74,7 +75,7 @@ def write_schema(output_file: str, schema_tables: Dict[str, dict]): with open(output_file, "w") as f: f.write("# This file is auto-generated. Do not edit manually.\n") f.write(f"# Last updated: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n") - f.write("MICROSOFT365DEFENDER_TABLES = {\n") + f.write("MICROSOFT_XDR_TABLES = {\n") for table, fields in schema_tables.items(): f.write(f' "{table}": {{\n') for field, info in fields.items(): diff --git a/utils/get_sentinel_asim_schema_tables.py b/utils/get_sentinel_asim_schema_tables.py new file mode 100644 index 0000000..2581dab --- /dev/null +++ b/utils/get_sentinel_asim_schema_tables.py @@ -0,0 +1,190 @@ +import re +from datetime import datetime, timezone +from typing import Dict, List, Optional, Tuple + +import requests +from bs4 import BeautifulSoup + +BASE_URL = "https://learn.microsoft.com/en-us/azure/sentinel" +OUTPUT_FILE = "sigma/pipelines/sentinelasim/tables.py" + +# TODO: Fix common field schema not writing to file + + +def get_request(url: str) -> requests.Response: + """ + Sends a GET request to the specified URL and returns the response. + + :param url: The URL to send the GET request to. + :return: The response from the GET request. + """ + response = requests.get(url) + response.raise_for_status() + + return response + + +def extract_asim_schema_hrefs(items: List[dict]) -> List[str]: + """Extracts hrefs for ASIM schemas from the JSON data.""" + for item in items: + if item.get("toc_title") == "Reference": + return extract_asim_schemas(item.get("children", [])) + return [] + + +def extract_asim_schemas(items: List[dict]) -> List[str]: + """Finds the ASIM schemas section and returns the relevant hrefs.""" + for item in items: + if item.get("toc_title").lower() == "advanced security information model (asim)": + return find_schema_hrefs(item.get("children", [])) + return [] + + +def find_schema_hrefs(items: List[dict]) -> List[str]: + """Extracts the schema hrefs, excluding legacy schemas.""" + hrefs = [] + for item in items: + if item.get("toc_title").lower() == "asim schemas": + for schema in item.get("children", []): + if schema.get("toc_title") != "Legacy network normalization schema": + hrefs.append(schema.get("href")) + return hrefs + + +def get_sentinel_asim_schema_tables() -> List[str]: + """Fetches the ASIM schema table hrefs from Azure Sentinel documentation.""" + url = f"{BASE_URL}/toc.json" + response = requests.get(url) + response.raise_for_status() # Ensures proper error handling + data = response.json() + return extract_asim_schema_hrefs(data.get("items", [])) + + +def extract_table_name_and_fields(url: str) -> Dict[str, List[Dict[str, str]]]: + """ + Extracts the table name and field schema from a Sentinel ASIM schema page. + + :param url: Full URL of the schema page. + :return: A dictionary with the table name and a list of field schemas. + """ + response = get_request(url) + soup = BeautifulSoup(response.content, "html.parser") + + table_name = extract_table_name(soup) + if table_name is None: + print(f"No ASIM table found for {url}. Skipping...") + return None + + field_data = extract_field_data(soup) + + return {table_name: field_data} + + +def extract_table_name(soup: BeautifulSoup) -> Optional[str]: + """ + Extracts the table name from the BeautifulSoup object. + + :param soup: BeautifulSoup object of the schema page. + :return: The extracted table name or None if not found. + """ + def extract_from_code(): + code_element = soup.find("code", class_="lang-kql") + if not code_element: + return None + table_name = code_element.text.strip().split()[0] + return extract_table_name_from_string(table_name) + + def extract_from_text(): + whole_text = soup.get_text() + match = re.search(r"(?i)im(\w+)??", whole_text) + return f"im{match.group(1)}" if match else None + + def extract_table_name_from_string(text): + match = re.search(r"(?i)(im|_im_)(\w+)", text) + return f"{match.group(1)}{match.group(2)}" if match else None + + return extract_from_code() or extract_from_text() + + +def extract_field_data(soup: BeautifulSoup) -> List[Dict[str, str]]: + """ + Extracts field data from a Sentinel ASIM schema page. + + :param soup: BeautifulSoup object of the schema page. + :return: A list of dictionaries with the field name and type. + """ + #schema_details_section = soup.find(id="schema-details") + field_data = {} + + # Loop through all tables in the section and its subsections + tables = soup.find_all("table") + for table in tables: + # Each table has columns: Field, Class, Type, Description + headers = [th.text.strip() for th in table.find_all("th")] + if "Field" in headers and "Class" in headers: + # Parse each row of the table + for row in table.find_all("tr")[1:]: # Skip header row + cols = [td.text.strip() for td in row.find_all("td")] + if len(cols) == 4: # Ensure we have all four columns + field_data[cols[0]] = {"class": cols[1], "data_type": cols[2], "description": cols[3]} + return field_data + + +def get_common_field_data() -> List[Dict[str, str]]: + """ + Extracts common field data from a Sentinel ASIM schema page. + + :return: A list of dictionaries with the field name and type. + """ + full_url = f"{BASE_URL}/normalization-common-fields" + response = get_request(full_url) + soup = BeautifulSoup(response.content, "html.parser") + common_field_info = extract_field_data(soup) + + return common_field_info + + +def write_schema(output_file: str, schema_tables: Dict[str, dict], common_field_data: Dict[str, dict]): + """Write the schema tables to a Python file.""" + with open(output_file, "w") as f: + f.write("# This file is auto-generated. Do not edit manually.\n") + f.write(f"# Last updated: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')} UTC\n\n") + f.write("SENTINEL_ASIM_TABLES = {\n") + for table, fields in schema_tables.items(): + f.write(f' "{table}": {{\n') + for field, info in fields.items(): + f.write( + f' "{field.strip("`")}": {{"data_type": "{info["data_type"].strip("`")}", "description": {repr(info["description"])}, "class": "{info["class"].strip("`")}"}},\n' + ) + f.write(" },\n") + f.write("}\n") + f.write("SENTINEL_ASIM_COMMON_FIELDS = {\n") + f.write(f' "COMMON": {{\n') + for field, info in common_field_data.items(): + f.write( + f' "{field.strip("`")}": {{"data_type": "{info["data_type"].strip("`")}", "description": {repr(info["description"])}, "class": "{info["class"].strip("`")}"}},\n' + ) + f.write(" },\n") + f.write("}\n") + + +def process_asim_schemas() -> Tuple[Dict[str, dict], Dict[str, dict]]: + """Processes all ASIM schemas and extracts table names and field schemas.""" + tables = get_sentinel_asim_schema_tables() + schema_data = {} + common_field_data = get_common_field_data() + + for href in tables: + full_url = f"{BASE_URL}/{href}" + print(f"Processing {full_url}...") + if schema_info := extract_table_name_and_fields(full_url): + schema_data.update(schema_info) + + return schema_data, common_field_data + + +if __name__ == "__main__": + schema_data, common_field_data = process_asim_schemas() + write_schema(OUTPUT_FILE, schema_data, common_field_data) + print(f"Schema written to {OUTPUT_FILE}") + \ No newline at end of file