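<#
.SYNOPSIS
    Creates (or replaces) the custom Log Analytics table BasicSecurityEvent_CL
    with a SecurityEvent-compatible column set via the Azure Resource Manager
    REST API.

.DESCRIPTION
    The column list below mirrors the SecurityEvent schema so that Windows
    security events routed to this custom table keep the same field names and
    types. The request is a PUT against the workspace's tables endpoint, so
    re-running the script overwrites the table definition with whatever schema
    is declared in $tableParams.

    Prerequisites:
      - Az.Accounts loaded and an active context (Connect-AzAccount).
      - Write permission on the target workspace's tables
        (Microsoft.OperationalInsights/workspaces/tables/write).
      - $workspacePath set to the workspace resource ID, of the form
        /subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>
#>

# Resource ID of the Log Analytics workspace that backs the Sentinel instance.
# Placeholder kept from the original script; replace before running.
$workspacePath = '(your sentinel path)'

# API version of the tables resource; pinned so the request shape does not drift.
$apiVersion = '2021-12-01-preview'

# Table definition. Single-quoted here-string: nothing inside is interpolated,
# so the JSON is sent exactly as written here.
$tableParams = @'
{
"properties": {
"schema": {
"name": "BasicSecurityEvent_CL",
"columns": [
{"name":"TimeGenerated","type":"datetime"},
{"name":"SourceSystem","type":"string"},
{"name":"Account","type":"string"},
{"name":"AccountType","type":"string"},
{"name":"Computer","type":"string"},
{"name":"EventSourceName","type":"string"},
{"name":"Channel","type":"string"},
{"name":"Task","type":"int"},
{"name":"Level","type":"string"},
{"name":"EventData","type":"string"},
{"name":"EventID","type":"int"},
{"name":"Activity","type":"string"},
{"name":"SourceComputerId","type":"guid"},
{"name":"EventOriginId","type":"string"},
{"name":"MG","type":"guid"},
{"name":"TimeCollected","type":"datetime"},
{"name":"ManagementGroupName","type":"string"},
{"name":"AccessList","type":"string"},
{"name":"AccessMask","type":"string"},
{"name":"AccessReason","type":"string"},
{"name":"AccountDomain","type":"string"},
{"name":"AccountExpires","type":"string"},
{"name":"AccountName","type":"string"},
{"name":"AccountSessionIdentifier","type":"string"},
{"name":"AdditionalInfo","type":"string"},
{"name":"AdditionalInfo2","type":"string"},
{"name":"AllowedToDelegateTo","type":"string"},
{"name":"Attributes","type":"string"},
{"name":"AuditPolicyChanges","type":"string"},
{"name":"AuditsDiscarded","type":"int"},
{"name":"AuthenticationLevel","type":"int"},
{"name":"AuthenticationPackageName","type":"string"},
{"name":"AuthenticationProvider","type":"string"},
{"name":"AuthenticationServer","type":"string"},
{"name":"AuthenticationService","type":"int"},
{"name":"AuthenticationType","type":"string"},
{"name":"CACertificateHash","type":"string"},
{"name":"CalledStationID","type":"string"},
{"name":"CallerProcessId","type":"string"},
{"name":"CallerProcessName","type":"string"},
{"name":"CallingStationID","type":"string"},
{"name":"CAPublicKeyHash","type":"string"},
{"name":"CategoryId","type":"string"},
{"name":"CertificateDatabaseHash","type":"string"},
{"name":"ClassId","type":"string"},
{"name":"ClassName","type":"string"},
{"name":"ClientAddress","type":"string"},
{"name":"ClientIPAddress","type":"string"},
{"name":"ClientName","type":"string"},
{"name":"CommandLine","type":"string"},
{"name":"CompatibleIds","type":"string"},
{"name":"DCDNSName","type":"string"},
{"name":"DeviceDescription","type":"string"},
{"name":"DeviceId","type":"string"},
{"name":"DisplayName","type":"string"},
{"name":"Disposition","type":"string"},
{"name":"DomainBehaviorVersion","type":"string"},
{"name":"DomainName","type":"string"},
{"name":"DomainPolicyChanged","type":"string"},
{"name":"DomainSid","type":"string"},
{"name":"EAPType","type":"string"},
{"name":"ElevatedToken","type":"string"},
{"name":"ErrorCode","type":"int"},
{"name":"ExtendedQuarantineState","type":"string"},
{"name":"FailureReason","type":"string"},
{"name":"FileHash","type":"string"},
{"name":"FilePath","type":"string"},
{"name":"FilePathNoUser","type":"string"},
{"name":"ForceLogoff","type":"string"},
{"name":"Fqbn","type":"string"},
{"name":"FullyQualifiedSubjectMachineName","type":"string"},
{"name":"FullyQualifiedSubjectUserName","type":"string"},
{"name":"GroupMembership","type":"string"},
{"name":"HandleId","type":"string"},
{"name":"HardwareIds","type":"string"},
{"name":"HomeDirectory","type":"string"},
{"name":"HomePath","type":"string"},
{"name":"ImpersonationLevel","type":"string"},
{"name":"InterfaceUuid","type":"guid"},
{"name":"IpAddress","type":"string"},
{"name":"IpPort","type":"string"},
{"name":"KeyLength","type":"int"},
{"name":"LmPackageName","type":"string"},
{"name":"LocationInformation","type":"string"},
{"name":"LockoutDuration","type":"string"},
{"name":"LockoutObservationWindow","type":"string"},
{"name":"LockoutThreshold","type":"string"},
{"name":"LoggingResult","type":"string"},
{"name":"LogonGuid","type":"guid"},
{"name":"LogonHours","type":"string"},
{"name":"LogonID","type":"string"},
{"name":"LogonProcessName","type":"string"},
{"name":"LogonType","type":"int"},
{"name":"LogonTypeName","type":"string"},
{"name":"MachineAccountQuota","type":"string"},
{"name":"MachineInventory","type":"string"},
{"name":"MachineLogon","type":"string"},
{"name":"MandatoryLabel","type":"string"},
{"name":"MaxPasswordAge","type":"string"},
{"name":"MemberName","type":"string"},
{"name":"MemberSid","type":"string"},
{"name":"MinPasswordAge","type":"string"},
{"name":"MinPasswordLength","type":"string"},
{"name":"MixedDomainMode","type":"string"},
{"name":"NASIdentifier","type":"string"},
{"name":"NASIPv4Address","type":"string"},
{"name":"NASIPv6Address","type":"string"},
{"name":"NASPort","type":"string"},
{"name":"NASPortType","type":"string"},
{"name":"NetworkPolicyName","type":"string"},
{"name":"NewDate","type":"string"},
{"name":"NewMaxUsers","type":"string"},
{"name":"NewProcessId","type":"string"},
{"name":"NewProcessName","type":"string"},
{"name":"NewRemark","type":"string"},
{"name":"NewShareFlags","type":"string"},
{"name":"NewTime","type":"string"},
{"name":"NewUacValue","type":"string"},
{"name":"NewValue","type":"string"},
{"name":"NewValueType","type":"string"},
{"name":"ObjectName","type":"string"},
{"name":"ObjectServer","type":"string"},
{"name":"ObjectType","type":"string"},
{"name":"ObjectValueName","type":"string"},
{"name":"OemInformation","type":"string"},
{"name":"OldMaxUsers","type":"string"},
{"name":"OldRemark","type":"string"},
{"name":"OldShareFlags","type":"string"},
{"name":"OldUacValue","type":"string"},
{"name":"OldValue","type":"string"},
{"name":"OldValueType","type":"string"},
{"name":"OperationType","type":"string"},
{"name":"PackageName","type":"string"},
{"name":"ParentProcessName","type":"string"},
{"name":"PasswordHistoryLength","type":"string"},
{"name":"PasswordLastSet","type":"string"},
{"name":"PasswordProperties","type":"string"},
{"name":"PreviousDate","type":"string"},
{"name":"PreviousTime","type":"string"},
{"name":"PrimaryGroupId","type":"string"},
{"name":"PrivateKeyUsageCount","type":"string"},
{"name":"PrivilegeList","type":"string"},
{"name":"Process","type":"string"},
{"name":"ProcessId","type":"string"},
{"name":"ProcessName","type":"string"},
{"name":"Properties","type":"string"},
{"name":"ProfilePath","type":"string"},
{"name":"ProtocolSequence","type":"string"},
{"name":"ProxyPolicyName","type":"string"},
{"name":"QuarantineHelpURL","type":"string"},
{"name":"QuarantineSessionID","type":"string"},
{"name":"QuarantineSessionIdentifier","type":"string"},
{"name":"QuarantineState","type":"string"},
{"name":"QuarantineSystemHealthResult","type":"string"},
{"name":"RelativeTargetName","type":"string"},
{"name":"RemoteIpAddress","type":"string"},
{"name":"RemotePort","type":"string"},
{"name":"Requester","type":"string"},
{"name":"RequestId","type":"string"},
{"name":"RestrictedAdminMode","type":"string"},
{"name":"RowsDeleted","type":"string"},
{"name":"SamAccountName","type":"string"},
{"name":"ScriptPath","type":"string"},
{"name":"SecurityDescriptor","type":"string"},
{"name":"ServiceAccount","type":"string"},
{"name":"ServiceFileName","type":"string"},
{"name":"ServiceName","type":"string"},
{"name":"ServiceStartType","type":"int"},
{"name":"ServiceType","type":"string"},
{"name":"SessionName","type":"string"},
{"name":"ShareLocalPath","type":"string"},
{"name":"ShareName","type":"string"},
{"name":"SidHistory","type":"string"},
{"name":"Status","type":"string"},
{"name":"SubjectAccount","type":"string"},
{"name":"SubcategoryGuid","type":"guid"},
{"name":"SubcategoryId","type":"string"},
{"name":"Subject","type":"string"},
{"name":"SubjectDomainName","type":"string"},
{"name":"SubjectKeyIdentifier","type":"string"},
{"name":"SubjectLogonId","type":"string"},
{"name":"SubjectMachineName","type":"string"},
{"name":"SubjectMachineSID","type":"string"},
{"name":"SubjectUserName","type":"string"},
{"name":"SubjectUserSid","type":"string"},
{"name":"SubStatus","type":"string"},
{"name":"TableId","type":"string"},
{"name":"TargetAccount","type":"string"},
{"name":"TargetDomainName","type":"string"},
{"name":"TargetInfo","type":"string"},
{"name":"TargetLinkedLogonId","type":"string"},
{"name":"TargetLogonGuid","type":"guid"},
{"name":"TargetLogonId","type":"string"},
{"name":"TargetOutboundDomainName","type":"string"},
{"name":"TargetOutboundUserName","type":"string"},
{"name":"TargetServerName","type":"string"},
{"name":"TargetSid","type":"string"},
{"name":"TargetUser","type":"string"},
{"name":"TargetUserName","type":"string"},
{"name":"TargetUserSid","type":"string"},
{"name":"TemplateContent","type":"string"},
{"name":"TemplateDSObjectFQDN","type":"string"},
{"name":"TemplateInternalName","type":"string"},
{"name":"TemplateOID","type":"string"},
{"name":"TemplateSchemaVersion","type":"string"},
{"name":"TemplateVersion","type":"string"},
{"name":"TokenElevationType","type":"string"},
{"name":"TransmittedServices","type":"string"},
{"name":"UserAccountControl","type":"string"},
{"name":"UserParameters","type":"string"},
{"name":"UserPrincipalName","type":"string"},
{"name":"UserWorkstations","type":"string"},
{"name":"VirtualAccount","type":"string"},
{"name":"VendorIds","type":"string"},
{"name":"Workstation","type":"string"},
{"name":"WorkstationName","type":"string"},
{"name":"PartitionKey","type":"string"},
{"name":"RowKey","type":"string"},
{"name":"StorageAccount","type":"string"},
{"name":"AzureDeploymentID","type":"string"},
{"name":"AzureTableName","type":"string"}
]
}
}
}
'@

# Fail fast when there is no signed-in Azure context; otherwise the REST call
# fails with a far less useful error.
if (-not (Get-AzContext)) {
    throw 'No Azure context found. Run Connect-AzAccount before executing this script.'
}

# Parse the payload locally so malformed JSON is caught before it leaves the
# machine, and derive the table name from the payload so the URL and the
# declared schema name cannot disagree (the original hard-coded both).
$schema    = $tableParams | ConvertFrom-Json
$tableName = $schema.properties.schema.name
if ([string]::IsNullOrWhiteSpace($tableName)) {
    throw 'Table schema payload does not declare properties.schema.name.'
}

# ${tableName} is braced because '?' is a legal variable-name character in
# PowerShell and would otherwise be swallowed into the variable reference.
$response = Invoke-AzRestMethod `
    -Path "$workspacePath/tables/${tableName}?api-version=$apiVersion" `
    -Method PUT `
    -Payload $tableParams

# Invoke-AzRestMethod does not throw on non-2xx responses; check the status
# code so a rejected schema (400) or a missing permission (403) is surfaced
# instead of silently leaving the table missing or unchanged.
if ($response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
    throw "PUT for table '$tableName' failed with HTTP $($response.StatusCode): $($response.Content)"
}

Write-Output "Table '$tableName' created/updated (HTTP $($response.StatusCode))."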