airlock_exechistories.kql

Syslog
| where Computer == "airlock_server"
|extend DeviceVendor = tostring(split(SyslogMessage,"|")[1])
    , DeviceProduct = tostring(split(SyslogMessage,"|")[2])
    , DeviceVersion = tostring(split(SyslogMessage,"|")[3])
    , DeviceEventClassID = tostring(split(SyslogMessage,"|")[4])
    , DeviceEventName = tostring(split(SyslogMessage,"|")[5])
    , DeviceSeverity = tostring(split(SyslogMessage,"|")[6])
    , CefEvent = tostring(split(SyslogMessage,"|")[7])
| where DeviceEventName == "FileActivityMessage"
// KQL is stupid and I had to rename the datetime field because parse-kv didn't like 
// having a data type name as a field name. So I have renamed it with the below statement
| extend CefEvent = replace_string(CefEvent, "datetime", "eventstarttime")
| parse-kv CefEvent as (event:string
    , eventstarttime:datetime
    , hostname:string
    , username:string
    , path:string
    , filename:string
    , md5:string
    , sha1:string
    , publisher:string
    , parentgroup:string
    , group:string
    , execution_type:string
    , parentprocess:string
    , commandline:string
) with  (pair_delimiter=' ', kv_delimiter='=', greedy=true)
| extend EventSchema = "ProcessEvent"
    , EventSchemaVersion = "0.1.4"
    , EventType = case(execution_type == "Untrusted Execution [Audit]", "ProcessCreated"
        , execution_type == "Untrusted Execution [OTP]", "ProcessCreated"
        , "Other"
    )
| project-rename DvcHostname = hostname
    , EventProduct = DeviceProduct
    , EventVendor = DeviceVendor
    , DvcVersion = DeviceVersion
    , TargetUserName = username
    , Operation = execution_type
    , EventStartTime = eventstarttime
    , TargetProcessName = filename
    , TargetProcessFolderPath = path
    , TargetProcessMD5 = md5
    , TargetProcessSHA1 = sha1
    , TargetProcessCommandLine = commandline
    , TargetProcessPulisher = publisher
    , VendorGroup = group
    , VendorParentGroup = parentgroup
    , ParentProcessName = parentprocess
| extend Dvc = DvcHostname
    , User = TargetUserName
    , Hash = TargetProcessSHA1
    , HashType = "SHA"
| project-away Device*
    , CefEvent
    , SyslogMessage
    , Facility
    , HostName
    , HostIP
    , SeverityLevel
    , Process*
    , Type
    , event
    , TenantId
    , SourceSystem
    , EventTime
    , EventProduct
| project-reorder EventStartTime
    , DvcHostname
    , Operation
    , Target*
    , ParentProcessName
    , VendorGroup
    , VendorParentGroup