@jlaundry
Last active December 12, 2025 22:56
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.2.0.0",
"parameters": {
"dataCollectionRuleName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the Data Collection Rule to create."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the location in which to create the Data Collection Rule."
}
},
"workspaceResourceId": {
"type": "string",
"metadata": {
"description": "Specifies the Azure resource ID of the Log Analytics workspace that receives the four output tables declared in this rule (ASimDhcpEventLogs, ASimDnsActivityLogs, CommonSecurityLog, Syslog). The deploying identity needs permission to reference this workspace as a destination."
}
},
"endpointResourceId": {
"type": "string",
"metadata": {
"description": "Specifies the Azure resource ID of the Data Collection Endpoint that will accept the Custom-* streams declared in this rule. Only callers granted the Monitoring Metrics Publisher role on the rule should be able to send through this endpoint; confirm the endpoint is in a region the rule supports."
}
}
},
"resources": [
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"name": "[parameters('dataCollectionRuleName')]",
"location": "[parameters('location')]",
"properties": {
"dataCollectionEndpointId": "[parameters('endpointResourceId')]",
"streamDeclarations": {
"Custom-ASimDhcpEventLogs": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "DvcHostname",
"type": "string"
},
{
"name": "DvcInterface",
"type": "string"
},
{
"name": "DvcIpAddr",
"type": "string"
},
{
"name": "EventType",
"type": "string"
},
{
"name": "SrcHostname",
"type": "string"
},
{
"name": "SrcIpAddr",
"type": "string"
},
{
"name": "SrcMacAddr",
"type": "string"
}
]
},
"Custom-ASimDnsActivityLogs": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "EventStartTime",
"type": "datetime"
},
{
"name": "EventEndTime",
"type": "datetime"
},
{
"name": "DnsSessionId",
"type": "string"
},
{
"name": "DnsQuery",
"type": "string"
},
{
"name": "DnsQueryTypeName",
"type": "string"
},
{
"name": "DnsResponseName",
"type": "string"
},
{
"name": "SrcIpAddr",
"type": "string"
},
{
"name": "SrcPortNumber",
"type": "int"
}
]
},
"Custom-CommonSecurityLog": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "CommunicationDirection",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "DestinationIP",
"type": "string"
},
{
"name": "DestinationMACAddress",
"type": "string"
},
{
"name": "DestinationPort",
"type": "int"
},
{
"name": "DeviceAction",
"type": "string"
},
{
"name": "DeviceCustomString1",
"type": "string"
},
{
"name": "DeviceInboundInterface",
"type": "string"
},
{
"name": "DeviceOutboundInterface",
"type": "string"
},
{
"name": "ProcessName",
"type": "string"
},
{
"name": "Protocol",
"type": "string"
},
{
"name": "ReceiptTime",
"type": "string"
},
{
"name": "ReceivedBytes",
"type": "long"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourceMACAddress",
"type": "string"
},
{
"name": "SourcePort",
"type": "int"
},
{
"name": "Message",
"type": "string"
}
]
},
"Custom-Syslog": {
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "Facility",
"type": "string"
},
{
"name": "HostIP",
"type": "string"
},
{
"name": "HostName",
"type": "string"
},
{
"name": "ProcessID",
"type": "int"
},
{
"name": "ProcessName",
"type": "string"
},
{
"name": "SeverityLevel",
"type": "string"
},
{
"name": "SyslogMessage",
"type": "string"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[parameters('workspaceResourceId')]",
"name": "clv2ws1"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-ASimDhcpEventLogs"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source",
"outputStream": "Microsoft-ASimDhcpEventLogs"
},
{
"streams": [
"Custom-ASimDnsActivityLogs"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source",
"outputStream": "Microsoft-ASimDnsActivityLogs"
},
{
"streams": [
"Custom-CommonSecurityLog"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source",
"outputStream": "Microsoft-CommonSecurityLog"
},
{
"streams": [
"Custom-Syslog"
],
"destinations": [
"clv2ws1"
],
"transformKql": "source",
"outputStream": "Microsoft-Syslog"
}
]
}
}
],
"outputs": {
"dataCollectionRuleId": {
"type": "string",
"value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]"
}
}
}