#!/bin/bash

# Deployment settings. The subscription, resource group, location and
# workspace values are placeholders and must be edited before the script is run.
# Every `az rest` call below runs as whichever identity the Azure CLI is
# currently logged in as.

# Azure subscription that owns the workspace (placeholder).
SUBSCRIPTION_ID='your-subscription-id'
# Resource group that holds the workspace and will hold the DCR (placeholder).
RESOURCE_GROUP='your-resource-group'
# Azure region, e.g. eastus (placeholder).
LOCATION='location'

# Log Analytics workspace name (placeholder).
WORKSPACE_NAME='workspace-name'
# Name given to the data collection rule created at the end of the script.
DCR_NAME='dcr'
# Custom table that is migrated and then receives the logs.
TABLE_NAME='barracuda_CL'
# api-version used by the table-schema PUT only; the migrate and DCR requests
# carry their own literal api-version values in their URLs.
API_VERSION='2025-02-01'


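# Build the request body for the table PUT below: the schema of $TABLE_NAME
# plus its retention settings.
#
# - $LOCATION and $TABLE_NAME are spliced in with '"$VAR"' quoting. They are
#   not JSON-escaped, so keep them free of double quotes and backslashes.
# - The last entry of "columns" must not end in a comma: a trailing comma is
#   not valid JSON, and a strict parser rejects the whole body.
# - Every column except TimeGenerated is declared as string, including the
#   *_d ones (ports, byte counts, timings). Queries and detection rules that
#   compare those numerically need an explicit conversion such as tolong().
# - NOTE(review): going by their names, Cookie_s, SessionID_s, QueryString_s
#   and CustomHeader1..3_s presumably hold cookies, session identifiers and
#   request parameters taken from protected traffic. Treat the table as
#   sensitive and limit who can read it.
# - retentionInDays 45 / totalRetentionInDays 70: NOTE(review) confirm these
#   cover the investigation and compliance window you need.
JSON_PAYLOAD='{
  "location": "'"$LOCATION"'",
  "properties": {
    "schema": {
      "name": "'"$TABLE_NAME"'",
      "columns": [
        {"name": "Action_s", "type": "string"},
        {"name": "AdminName_s", "type": "string"},
        {"name": "AdminRole_s", "type": "string"},
        {"name": "AppId_s", "type": "string"},
        {"name": "AttackDetails_s", "type": "string"},
        {"name": "AttackGroup_s", "type": "string"},
        {"name": "AuthenticatedUser_s", "type": "string"},
        {"name": "BytesReceived_d", "type": "string"},
        {"name": "BytesSent_d", "type": "string"},
        {"name": "CacheHit_d", "type": "string"},
        {"name": "CertificateUser_s", "type": "string"},
        {"name": "ChangeType_s", "type": "string"},
        {"name": "ClientIP_s", "type": "string"},
        {"name": "ClientPort_d", "type": "string"},
        {"name": "ClientType_s", "type": "string"},
        {"name": "CommandName_s", "type": "string"},
        {"name": "Cookie_s", "type": "string"},
        {"name": "CustomHeader1_s", "type": "string"},
        {"name": "CustomHeader2_s", "type": "string"},
        {"name": "CustomHeader3_s", "type": "string"},
        {"name": "FilePath", "type": "string"},
        {"name": "FollowUpAction_s", "type": "string"},
        {"name": "host", "type": "string"},
        {"name": "host_s", "type": "string"},
        {"name": "HTTPStatus_s", "type": "string"},
        {"name": "LoginID_s", "type": "string"},
        {"name": "LoginIP_s", "type": "string"},
        {"name": "LoginPort_d", "type": "string"},
        {"name": "LogType_s", "type": "string"},
        {"name": "Method_s", "type": "string"},
        {"name": "NewValue_s", "type": "string"},
        {"name": "ObjectName_s", "type": "string"},
        {"name": "ObjectType_s", "type": "string"},
        {"name": "OldValue_s", "type": "string"},
        {"name": "ProfileMatched_s", "type": "string"},
        {"name": "Protected_s", "type": "string"},
        {"name": "Protocol_s", "type": "string"},
        {"name": "ProtocolVersion_s", "type": "string"},
        {"name": "ProxyIP_s", "type": "string"},
        {"name": "ProxyPort_d", "type": "string"},
        {"name": "QueryString_s", "type": "string"},
        {"name": "Referer_s", "type": "string"},
        {"name": "ResponseType_s", "type": "string"},
        {"name": "RuleID_s", "type": "string"},
        {"name": "RuleType_s", "type": "string"},
        {"name": "ServerIP_s", "type": "string"},
        {"name": "ServerPort_d", "type": "string"},
        {"name": "ServerTime_d", "type": "string"},
        {"name": "ServiceIP_s", "type": "string"},
        {"name": "ServicePort_d", "type": "string"},
        {"name": "SessionID_s", "type": "string"},
        {"name": "TimeGenerated", "type": "datetime"},
        {"name": "TimeTaken_d", "type": "string"},
        {"name": "TransactionID_d", "type": "string"},
        {"name": "UnitName_s", "type": "string"},
        {"name": "URL_s", "type": "string"},
        {"name": "UserAgent_s", "type": "string"},
        {"name": "Variable_s", "type": "string"},
        {"name": "WAF_Serial_s", "type": "string"},
        {"name": "WFMatched_s", "type": "string"},
        {"name": "DeviceReceiptTime_s", "type": "string"},
        {"name": "DeviceVendor_s", "type": "string"}
      ]
    },
    "retentionInDays": 45,
    "totalRetentionInDays": 70
  }
}'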

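# Step 1: POST to the table's "migrate" action (preview api-version
# 2021-12-01-preview) to move the classic, OMS-based custom table to an
# AMA/DCR-based one.
# Step 2: PUT the schema and retention body built above onto the same table.
#
# Each request's outcome is tracked so the summary line reflects what actually
# happened. A silent failure here would otherwise be reported as "completed"
# and leave a logging gap nobody is looking for. The script still continues to
# the DCR step after a failure, as it always did; only the reporting changes.
table_setup_ok=1

az rest --method POST --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP/providers/Microsoft.OperationalInsights/workspaces/$WORKSPACE_NAME/tables/$TABLE_NAME/migrate?api-version=2021-12-01-preview" || {
  echo "ERROR: migrate request for table $TABLE_NAME failed." >&2
  table_setup_ok=0
}

az rest --method PUT --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.OperationalInsights/workspaces/$WORKSPACE_NAME/tables/$TABLE_NAME?api-version=$API_VERSION" --body "$JSON_PAYLOAD" || {
  echo "ERROR: schema update for table $TABLE_NAME failed." >&2
  table_setup_ok=0
}

if (( table_setup_ok )); then
  echo "Table migration, schema update completed."
else
  echo "Table migration or schema update did not complete; see errors above." >&2
fi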


# Full ARM resource ID of the Log Analytics workspace, assembled from the
# subscription, resource group and workspace name set at the top of the script.
# It is used as the DCR's destination.
printf -v WORKSPACE_RESOURCE_ID \
  '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
  "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME"

# Build the request body for the data collection rule (DCR) PUT below.
# This reuses JSON_PAYLOAD, replacing the table-schema body built earlier.
#
# Contents, as written in the body:
#   - streamDeclarations: one custom stream, "Custom-Json-barracuda_CL".
#   - dataSources: performance counters sampled every 60 s, and a JSON log
#     file read from /mail/log/ama/ama_custom_waf_logs.json into that stream.
#   - destinations: the workspace $WORKSPACE_RESOURCE_ID, referred to inside
#     the rule by the name $WORKSPACE_NAME.
#   - dataFlows: Microsoft-Perf is passed through unchanged; the custom stream
#     is written to "Custom-barracuda_CL".
#
# Points to keep in mind when relying on the resulting logs:
#   - The custom data flow's transformKql sets TimeGenerated = now(), so the
#     stored TimeGenerated is the time the transformation ran, not the time
#     the request was handled. DeviceReceiptTime_s is carried as a string
#     column. NOTE(review): presumably that is the device-side time to use
#     when building an incident timeline; confirm.
#   - The stream and output names spell out barracuda_CL literally instead of
#     using $TABLE_NAME. If TABLE_NAME is changed, update them by hand.
#   - RawData and Computer are declared on the stream but are not in the
#     column list of the table-schema payload earlier in this script.
#     NOTE(review): confirm the migrated table has them if they are needed.
#   - The counter list mixes two naming styles ("\\Processor Information(...)"
#     and "Processor(*)\\..."). Presumably these are Windows and Linux counter
#     names respectively; verify against the agents this rule targets.
#   - $LOCATION, $WORKSPACE_RESOURCE_ID and $WORKSPACE_NAME are spliced in
#     with '"$VAR"' quoting and are not JSON-escaped.
JSON_PAYLOAD='{
  "location": "'"$LOCATION"'",
            "properties": {
                "streamDeclarations": {
                    "Custom-Json-barracuda_CL": {
                        "columns": [
                            {
                                "name": "TimeGenerated",
                                "type": "datetime"
                            },
                            {
                                "name": "RawData",
                                "type": "string"
                            },
                            {
                                "name": "Computer",
                                "type": "string"
                            },
                            {
                                "name": "FilePath",
                                "type": "string"
                            },
                            {
                                "name": "host",
                                "type": "string"
                            },
                            {
                                "name": "LogType_s",
                                "type": "string"
                            },
                            {
                                "name": "ServiceIP_s",
                                "type": "string"
                            },
                            {
                                "name": "AuthenticatedUser_s",
                                "type": "string"
                            },
                            {
                                "name": "BytesReceived_d",
                                "type": "string"
                            },
                            {
                                "name": "BytesSent_d",
                                "type": "string"
                            },
                            {
                                "name": "CertificateUser_s",
                                "type": "string"
                            },
                            {
                                "name": "ClientIP_s",
                                "type": "string"
                            },
                            {
                                "name": "ClientPort_d",
                                "type": "string"
                            },
                            {
                                "name": "host_s",
                                "type": "string"
                            },
                            {
                                "name": "HTTPStatus_s",
                                "type": "string"
                            },
                            {
                                "name": "LoginID_s",
                                "type": "string"
                            },
                            {
                                "name": "Method_s",
                                "type": "string"
                            },
                            {
                                "name": "Protocol_s",
                                "type": "string"
                            },
                            {
                                "name": "Referer_s",
                                "type": "string"
                            },
                            {
                                "name": "Cookie_s",
                                "type": "string"
                            },
                            {
                                "name": "ServerIP_s",
                                "type": "string"
                            },
                            {
                                "name": "ServerPort_d",
                                "type": "string"
                            },
                            {
                                "name": "URL_s",
                                "type": "string"
                            },
                            {
                                "name": "UserAgent_s",
                                "type": "string"
                            },
                            {
                                "name": "UnitName_s",
                                "type": "string"
                            },
                            {
                                "name": "ClientType_s",
                                "type": "string"
                            },
                            {
                                "name": "Protected_s",
                                "type": "string"
                            },
                            {
                                "name": "ProxyIP_s",
                                "type": "string"
                            },
                            {
                                "name": "ProfileMatched_s",
                                "type": "string"
                            },
                            {
                                "name": "WFMatched_s",
                                "type": "string"
                            },
                            {
                                "name": "ServicePort_d",
                                "type": "string"
                            },
                            {
                                "name": "CacheHit_d",
                                "type": "string"
                            },
                            {
                                "name": "ProxyPort_d",
                                "type": "string"
                            },
                            {
                                "name": "ServerTime_d",
                                "type": "string"
                            },
                            {
                                "name": "TimeTaken_d",
                                "type": "string"
                            },
                            {
                                "name": "ProtocolVersion_s",
                                "type": "string"
                            },
                            {
                                "name": "CustomHeader1_s",
                                "type": "string"
                            },
                            {
                                "name": "CustomHeader2_s",
                                "type": "string"
                            },
                            {
                                "name": "CustomHeader3_s",
                                "type": "string"
                            },
                            {
                                "name": "ResponseType_s",
                                "type": "string"
                            },
                            {
                                "name": "SessionID_s",
                                "type": "string"
                            },
                            {
                                "name": "AppId_s",
                                "type": "string"
                            },
                            {
                                "name": "Action_s",
                                "type": "string"
                            },
                            {
                                "name": "AttackDetails_s",
                                "type": "string"
                            },
                            {
                                "name": "RuleID_s",
                                "type": "string"
                            },
                            {
                                "name": "FollowUpAction_s",
                                "type": "string"
                            },
                            {
                                "name": "RuleType_s",
                                "type": "string"
                            },
                            {
                                "name": "AttackGroup_s",
                                "type": "string"
                            },
                            {
                                "name": "ObjectName_s",
                                "type": "string"
                            },
                            {
                                "name": "ObjectType_s",
                                "type": "string"
                            },
                            {
                                "name": "AdminName_s",
                                "type": "string"
                            },
                            {
                                "name": "CommandName_s",
                                "type": "string"
                            },
                            {
                                "name": "LoginIP_s",
                                "type": "string"
                            },
                            {
                                "name": "LoginPort_d",
                                "type": "string"
                            },
                            {
                                "name": "ChangeType_s",
                                "type": "string"
                            },
                            {
                                "name": "TransactionID_d",
                                "type": "string"
                            },
                            {
                                "name": "NewValue_s",
                                "type": "string"
                            },
                            {
                                "name": "OldValue_s",
                                "type": "string"
                            },
                            {
                                "name": "Variable_s",
                                "type": "string"
                            },
                            {
                                "name": "WAF_Serial_s",
                                "type": "string"
                            },
                            {
                                "name": "AdminRole_s",
                                "type": "string"
                            },
                            {
                                "name": "QueryString_s",
                                "type": "string"
                            },
                            {
                                "name": "DeviceReceiptTime_s",
                                "type": "string"
                            },
                            {
                                "name": "DeviceVendor_s",
                                "type": "string"
                            }

                        ]
                    }
                },
                "dataSources": {
                    "performanceCounters": [
                        {
                            "streams": [
                                "Microsoft-Perf"
                            ],
                            "samplingFrequencyInSeconds": 60,
                            "counterSpecifiers": [
                                "\\Processor Information(_Total)\\% Processor Time",
                                "\\Processor Information(_Total)\\% Privileged Time",
                                "\\Processor Information(_Total)\\% User Time",
                                "\\Processor Information(_Total)\\Processor Frequency",
                                "\\System\\Processes",
                                "\\Process(_Total)\\Thread Count",
                                "\\Process(_Total)\\Handle Count",
                                "\\System\\System Up Time",
                                "\\System\\Context Switches/sec",
                                "\\System\\Processor Queue Length",
                                "\\Memory\\% Committed Bytes In Use",
                                "\\Memory\\Available Bytes",
                                "\\Memory\\Committed Bytes",
                                "\\Memory\\Cache Bytes",
                                "\\Memory\\Pool Paged Bytes",
                                "\\Memory\\Pool Nonpaged Bytes",
                                "\\Memory\\Pages/sec",
                                "\\Memory\\Page Faults/sec",
                                "\\Process(_Total)\\Working Set",
                                "\\Process(_Total)\\Working Set - Private",
                                "\\LogicalDisk(_Total)\\% Disk Time",
                                "\\LogicalDisk(_Total)\\% Disk Read Time",
                                "\\LogicalDisk(_Total)\\% Disk Write Time",
                                "\\LogicalDisk(_Total)\\% Idle Time",
                                "\\LogicalDisk(_Total)\\Disk Bytes/sec",
                                "\\LogicalDisk(_Total)\\Disk Read Bytes/sec",
                                "\\LogicalDisk(_Total)\\Disk Write Bytes/sec",
                                "\\LogicalDisk(_Total)\\Disk Transfers/sec",
                                "\\LogicalDisk(_Total)\\Disk Reads/sec",
                                "\\LogicalDisk(_Total)\\Disk Writes/sec",
                                "\\LogicalDisk(_Total)\\Avg. Disk sec/Transfer",
                                "\\LogicalDisk(_Total)\\Avg. Disk sec/Read",
                                "\\LogicalDisk(_Total)\\Avg. Disk sec/Write",
                                "\\LogicalDisk(_Total)\\Avg. Disk Queue Length",
                                "\\LogicalDisk(_Total)\\Avg. Disk Read Queue Length",
                                "\\LogicalDisk(_Total)\\Avg. Disk Write Queue Length",
                                "\\LogicalDisk(_Total)\\% Free Space",
                                "\\LogicalDisk(_Total)\\Free Megabytes",
                                "\\Network Interface(*)\\Bytes Total/sec",
                                "\\Network Interface(*)\\Bytes Sent/sec",
                                "\\Network Interface(*)\\Bytes Received/sec",
                                "\\Network Interface(*)\\Packets/sec",
                                "\\Network Interface(*)\\Packets Sent/sec",
                                "\\Network Interface(*)\\Packets Received/sec",
                                "\\Network Interface(*)\\Packets Outbound Errors",
                                "\\Network Interface(*)\\Packets Received Errors",
                                "Processor(*)\\% Processor Time",
                                "Processor(*)\\% Idle Time",
                                "Processor(*)\\% User Time",
                                "Processor(*)\\% Nice Time",
                                "Processor(*)\\% Privileged Time",
                                "Processor(*)\\% IO Wait Time",
                                "Processor(*)\\% Interrupt Time",
                                "Memory(*)\\Available MBytes Memory",
                                "Memory(*)\\% Available Memory",
                                "Memory(*)\\Used Memory MBytes",
                                "Memory(*)\\% Used Memory",
                                "Memory(*)\\Pages/sec",
                                "Memory(*)\\Page Reads/sec",
                                "Memory(*)\\Page Writes/sec",
                                "Memory(*)\\Available MBytes Swap",
                                "Memory(*)\\% Available Swap Space",
                                "Memory(*)\\Used MBytes Swap Space",
                                "Memory(*)\\% Used Swap Space",
                                "Process(*)\\Pct User Time",
                                "Process(*)\\Pct Privileged Time",
                                "Process(*)\\Used Memory",
                                "Process(*)\\Virtual Shared Memory",
                                "Logical Disk(*)\\% Free Inodes",
                                "Logical Disk(*)\\% Used Inodes",
                                "Logical Disk(*)\\Free Megabytes",
                                "Logical Disk(*)\\% Free Space",
                                "Logical Disk(*)\\% Used Space",
                                "Logical Disk(*)\\Logical Disk Bytes/sec",
                                "Logical Disk(*)\\Disk Read Bytes/sec",
                                "Logical Disk(*)\\Disk Write Bytes/sec",
                                "Logical Disk(*)\\Disk Transfers/sec",
                                "Logical Disk(*)\\Disk Reads/sec",
                                "Logical Disk(*)\\Disk Writes/sec",
                                "Network(*)\\Total Bytes Transmitted",
                                "Network(*)\\Total Bytes Received",
                                "Network(*)\\Total Bytes",
                                "Network(*)\\Total Packets Transmitted",
                                "Network(*)\\Total Packets Received",
                                "Network(*)\\Total Rx Errors",
                                "Network(*)\\Total Tx Errors",
                                "Network(*)\\Total Collisions",
                                "System(*)\\Uptime",
                                "System(*)\\Load1",
                                "System(*)\\Load5",
                                "System(*)\\Load15",
                                "System(*)\\Users",
                                "System(*)\\Unique Users",
                                "System(*)\\CPUs"
                            ],
                            "name": "perfCounterDataSource60"
                        }
                    ],
                    "logFiles": [
                        {
                            "streams": [
                                "Custom-Json-barracuda_CL"
                            ],
                            "filePatterns": [
                                "/mail/log/ama/ama_custom_waf_logs.json"
                            ],
                            "format": "json",
                            "name": "Custom-Json-barracuda_CL"
                        }
                    ]
                },
                "destinations": {
                    "logAnalytics": [
                        {
          "workspaceResourceId": "'"$WORKSPACE_RESOURCE_ID"'",
          "name": "'"$WORKSPACE_NAME"'"
        }
                    ]
                },
                "dataFlows": [
                    {
                        "streams": [
                            "Microsoft-Perf"
                        ],
                        "destinations": [
                           "'"$WORKSPACE_NAME"'"
                        ],
                        "transformKql": "source",
                        "outputStream": "Microsoft-Perf"
                    },
                    {
                        "streams": [
                            "Custom-Json-barracuda_CL"
                        ],
                        "destinations": [
                           "'"$WORKSPACE_NAME"'"
                        ],
                        "transformKql": "source | extend TimeGenerated = now()",
                        "outputStream": "Custom-barracuda_CL"
                    }
                ]
            }
}'

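# PUT the data collection rule $DCR_NAME into the resource group, using the
# body built above.
#
# Success is announced only when the request actually succeeded; on failure the
# script exits non-zero so a wrapper or pipeline does not record the log
# pipeline as deployed when it is not.
#
# Note: this script only creates the rule. It contains no step that associates
# the rule with a machine, and nothing is collected until that association
# exists.
if az rest --method PUT --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Insights/dataCollectionRules/$DCR_NAME?api-version=2023-03-11" --body "$JSON_PAYLOAD"; then
  echo "DCR creation completed."
else
  echo "ERROR: DCR creation failed; no data collection rule was deployed." >&2
  exit 1
fi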