XDRInternals.Format.ps1xml
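<?xml version="1.0" encoding="utf-8" ?>
<!--
  Table views for the XDRInternals custom object types. A view is applied to an
  object whose type name matches one of the view's <TypeName> entries.

  Review notes:
  * Every <ScriptBlock> below is PowerShell that runs in the caller's session each
    time a matching object is rendered. Treat this file as code: distribute it with
    the same signing / integrity checks as the module, and keep the script blocks
    free of side effects.
  * Columns with a fixed <Width> truncate longer values in table output. For paths,
    command lines and scheduled-task actions, read the full value with Format-List
    or Select-Object before drawing a conclusion from what the table shows.
  * NOTE(review): the LiveResponse row types look like they carry strings collected
    from the investigated device (paths, arguments, command lines). If so, they are
    untrusted text and may contain control characters; confirm whether the
    producing cmdlets sanitize them before display.
  * Fallback chains test "$null -ne" where a legitimate value can be 0 or $false,
    so a disabled item or a zero count is shown instead of an empty cell.
-->
<Configuration>
  <ViewDefinitions>

    <!-- Device inventory: one row per endpoint, columns sized automatically. -->
    <View>
      <Name>XdrEndpointDevice</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDevice</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>ComputerDnsName</Label></TableColumnHeader>
          <TableColumnHeader><Label>LastIpAddress</Label></TableColumnHeader>
          <TableColumnHeader><Label>RiskScore</Label></TableColumnHeader>
          <TableColumnHeader><Label>CriticalityLevel</Label></TableColumnHeader>
          <TableColumnHeader><Label>ExposureScore</Label></TableColumnHeader>
          <TableColumnHeader><Label>DeviceType</Label></TableColumnHeader>
          <TableColumnHeader><Label>Domain</Label></TableColumnHeader>
          <TableColumnHeader><Label>ManagedBy</Label></TableColumnHeader>
          <TableColumnHeader><Label>HealthStatus</Label></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>ComputerDnsName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>LastIpAddress</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RiskScore</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>CriticalityLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ExposureScore</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Domain</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ManagedBy</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>HealthStatus</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Identity record: several columns are read from the nested "ids" object. -->
    <View>
      <Name>XdrIdentityIdentity</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityIdentity</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Display name</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>SID</Label><Width>47</Width></TableColumnHeader>
          <TableColumnHeader><Label>Domain</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Object ID</Label><Width>36</Width></TableColumnHeader>
          <TableColumnHeader><Label>Identity providers</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>Identity environment</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>UPN</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Tags</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Created time</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Criticality level</Label><Width>17</Width></TableColumnHeader>
          <TableColumnHeader><Label>Account status</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Last updated</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Entra ID risk level</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Entra ID risk level update time</Label><Width>32</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>displayName</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.sid</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.accountDomain</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>type</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.aad</ScriptBlock></TableColumnItem>
              <!-- Shows the provider value 'AzureActiveDirectory' as 'EntraID'; other values pass through. -->
              <TableColumnItem><ScriptBlock>($_.identityProviders | ForEach-Object { if ($_ -eq 'AzureActiveDirectory') { 'EntraID' } else { $_ } }) -join ', '</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>source</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>userPrincipalName</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.tags -join ', '</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>created</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>criticalityLevel</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                  # Cast first so a non-string status cannot break the Substring calls.
                  $status = [string]$_.status
                  if ($status) {
                      # Capitalize: first character upper-case, remainder lower-case.
                      $status.Substring(0,1).ToUpper() + $status.Substring(1).ToLower()
                  }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>updateTime</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>riskLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>riskLastUpdateTime</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Result of a device action request. -->
    <View>
      <Name>XdrEndpointDeviceActionResult</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceActionResult</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Type</Label></TableColumnHeader>
          <TableColumnHeader><Label>DeviceId</Label></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label></TableColumnHeader>
          <TableColumnHeader><Label>Id</Label></TableColumnHeader>
          <TableColumnHeader><Label>RequestorComment</Label></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Type</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceId</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Status</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Id</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RequestorComment</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Compact user view; Status uses the same capitalization as XdrIdentityIdentity. -->
    <View>
      <Name>XdrIdentityUser</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityUser</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DisplayName</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>UPN</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>RiskLevel</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Source</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>AadId</Label><Width>36</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>displayName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>userPrincipalName</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                  # Cast first so a non-string status cannot break the Substring calls.
                  $status = [string]$_.status
                  if ($status) {
                      # Capitalize: first character upper-case, remainder lower-case.
                      $status.Substring(0,1).ToUpper() + $status.Substring(1).ToLower()
                  }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><PropertyName>riskLevel</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>source</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>type</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>$_.ids.aad</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response command history. The Command column is 24 characters wide, so
         longer raw_command_line values are cut off in the table. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseCommand</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseCommand</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Timestamp</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Command</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Duration</Label><Width>10</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Timestamp</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>raw_command_line</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StatusText</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>duration_seconds</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: process listing. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseProcessRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseProcessRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Name</Label><Width>32</Width></TableColumnHeader>
          <TableColumnHeader><Label>Pid</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>UserName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>14</Width></TableColumnHeader>
          <TableColumnHeader><Label>MemoryKB</Label><Width>12</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Pid</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>UserName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ProcessStatus</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>MemoryKB</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: service listing. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseServiceRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseServiceRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>DisplayName</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>ServiceName</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>StartType</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>StartName</Label><Width>26</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DisplayName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>CurrentState</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StartType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StartName</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: driver listing. Path is truncated at 46 characters. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseDriverRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseDriverRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>DriverName</Label><Width>26</Width></TableColumnHeader>
          <TableColumnHeader><Label>ServiceName</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>Loaded</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>46</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DriverName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ServiceState</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DriverLoaded</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: network connections. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseConnectionRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseConnectionRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Process</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>Pid</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>LocalEndpoint</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>RemoteEndpoint</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>State</Label><Width>12</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ProcessName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Pid</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>LocalEndpoint</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>RemoteEndpoint</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ConnectionState</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: scheduled tasks. Action joins ActionPath and Arguments into one
         44-character column, so the argument tail is the first thing truncated. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseScheduledTaskRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseScheduledTaskRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>TaskId</Label><Width>48</Width></TableColumnHeader>
          <TableColumnHeader><Label>Enabled</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Principal</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Action</Label><Width>44</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>TaskId</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>IsEnabled</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Principal</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.Arguments) { '{0} {1}' -f $_.ActionPath, $_.Arguments } else { $_.ActionPath }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: startup folder entries. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseStartupFolderRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseStartupFolderRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>FilePath</Label><Width>54</Width></TableColumnHeader>
          <TableColumnHeader><Label>ExecutablePath</Label><Width>54</Width></TableColumnHeader>
          <TableColumnHeader><Label>Category</Label><Width>18</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>FilePath</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ExecutablePath</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Category</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: directory listing. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseDirectoryRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseDirectoryRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>46</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Size</Label><Width>12</Width></TableColumnHeader>
          <TableColumnHeader><Label>Modified</Label><Width>22</Width></TableColumnHeader>
          <TableColumnHeader><Label>Hidden</Label><Width>8</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>ItemType</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Size</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Modified</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Hidden</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Live response: persistence entries. Target shows the first non-empty of
         Target, Value and CommandLine, truncated at 42 characters. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponsePersistenceRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponsePersistenceRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Category</Label><Width>16</Width></TableColumnHeader>
          <TableColumnHeader><Label>Name</Label><Width>38</Width></TableColumnHeader>
          <TableColumnHeader><Label>Path</Label><Width>42</Width></TableColumnHeader>
          <TableColumnHeader><Label>Target</Label><Width>42</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Category</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Name</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Path</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.Target) { $_.Target } elseif ($_.Value) { $_.Value } else { $_.CommandLine }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Identity timeline event. ActionType falls back to Type, then EventType. -->
    <View>
      <Name>XdrIdentityUserTimelineEvent</Name>
      <ViewSelectedBy>
        <TypeName>XdrIdentityUserTimelineEvent</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Timestamp</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>ActionType</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>Application</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>SourceTable</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>DeviceName</Label><Width>25</Width></TableColumnHeader>
          <TableColumnHeader><Label>Ip</Label><Width>15</Width></TableColumnHeader>
          <TableColumnHeader><Label>Location</Label><Width>15</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>Timestamp</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.ActionType) { $_.ActionType } elseif ($_.Type) { $_.Type } elseif ($_.EventType) { $_.EventType }</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>Application</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>SourceTable</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Ip</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Location</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Generic live response row. Summary prints at most three remaining non-empty
         properties as name=value pairs; it is a preview, not the full record. -->
    <View>
      <Name>XdrEndpointDeviceLiveResponseTableRow</Name>
      <ViewSelectedBy>
        <TypeName>XdrEndpointDeviceLiveResponseTableRow</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>DeviceName</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Command</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Summary</Label><Width>60</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>DeviceName</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>Command</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>StatusText</PropertyName></TableColumnItem>
              <TableColumnItem>
                <ScriptBlock>
                  # Properties already shown in other columns or used only for bookkeeping.
                  $excluded = @('Timestamp', 'DeviceName', 'DeviceId', 'ShortDeviceId', 'Command', 'Status', 'StatusText', 'DurationSeconds', 'SessionId', 'OutputIndex')
                  @($_.PSObject.Properties |
                      Where-Object { $_.Name -notin $excluded -and $null -ne $_.Value -and "$($_.Value)" -ne '' } |
                      Select-Object -First 3 |
                      ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
                </ScriptBlock>
              </TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Cloud Apps activity. Each column takes the first populated of several
         alternative property names. -->
    <View>
      <Name>XdrCloudAppsActivity</Name>
      <ViewSelectedBy>
        <TypeName>XdrCloudAppsActivity</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Time</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>User</Label><Width>30</Width></TableColumnHeader>
          <TableColumnHeader><Label>App</Label><Width>28</Width></TableColumnHeader>
          <TableColumnHeader><Label>Activity</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>IP</Label><Width>16</Width></TableColumnHeader>
          <TableColumnHeader><Label>Location</Label><Width>18</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem>
                <ScriptBlock>
                  if ($_.date) {
                      $_.date
                  } elseif ($_.timestamp) {
                      # Values of 1000000000000 and above are read as Unix milliseconds,
                      # smaller ones as Unix seconds; the result is a UTC DateTime.
                      $ts = [long]$_.timestamp
                      if ($ts -ge 1000000000000) {
                          [DateTimeOffset]::FromUnixTimeMilliseconds($ts).UtcDateTime
                      } else {
                          [DateTimeOffset]::FromUnixTimeSeconds($ts).UtcDateTime
                      }
                  }
                </ScriptBlock>
              </TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.userName) { $_.userName } elseif ($_.user) { $_.user } elseif ($_.account) { $_.account }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.appName) { $_.appName } elseif ($_.app) { $_.app } elseif ($_.service) { $_.service }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.activityType) { $_.activityType } elseif ($_.eventType) { $_.eventType } elseif ($_.action) { $_.action }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.ipAddress) { $_.ipAddress } elseif ($_.ip) { $_.ip }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.location) { $_.location } elseif ($_.country) { $_.country }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Cloud Discovery de-anonymization: masked name next to the resolved identity.
         Anything that captures console output (transcripts, logs, screenshots) will
         then hold the resolved identity, so handle that output as personal data. -->
    <View>
      <Name>XdrCloudAppsDiscoveryDeanonymizedUser</Name>
      <ViewSelectedBy>
        <TypeName>XdrCloudAppsDiscoveryDeanonymizedUser</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Masked</Label><Width>32</Width></TableColumnHeader>
          <TableColumnHeader><Label>Resolved</Label><Width>42</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><ScriptBlock>if ($_.username) { $_.username } elseif ($_.maskedUserName) { $_.maskedUserName } elseif ($_.anonymizedUserName) { $_.anonymizedUserName } elseif ($_.anonymizedUsername) { $_.anonymizedUsername }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.userPrincipalName) { $_.userPrincipalName } elseif ($_.resolvedUserName) { $_.resolvedUserName } elseif ($_.resolvedUsername) { $_.resolvedUsername } elseif ($_.displayName) { $_.displayName } elseif ($_.name) { $_.name }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Shared view for discovered, catalog and OAuth apps. Score, Users and Traffic
         test for $null so that a value of 0 is displayed. -->
    <View>
      <Name>XdrCloudAppsApp</Name>
      <ViewSelectedBy>
        <TypeName>XdrCloudAppsDiscoveredApp</TypeName>
        <TypeName>XdrCloudAppsAppCatalog</TypeName>
        <TypeName>XdrCloudAppsOAuthApp</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Name</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>Category</Label><Width>24</Width></TableColumnHeader>
          <TableColumnHeader><Label>Score</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Users</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Traffic</Label><Width>14</Width></TableColumnHeader>
          <TableColumnHeader><Label>Stream</Label><Width>24</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><ScriptBlock>if ($_.name) { $_.name } elseif ($_.appName) { $_.appName } elseif ($_.displayName) { $_.displayName }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.category) { $_.category } elseif ($_.appCategory) { $_.appCategory }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($null -ne $_.score) { $_.score } elseif ($null -ne $_.riskScore) { $_.riskScore }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($null -ne $_.users) { $_.users } elseif ($null -ne $_.usersCount) { $_.usersCount }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($null -ne $_.traffic) { $_.traffic } elseif ($null -ne $_.totalBytes) { $_.totalBytes }</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>SourceStreamName</PropertyName></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Shared view for the Cloud Apps policy types. -->
    <View>
      <Name>XdrCloudAppsPolicy</Name>
      <ViewSelectedBy>
        <TypeName>XdrCloudAppsPolicy</TypeName>
        <TypeName>XdrCloudAppsPolicyFile</TypeName>
        <TypeName>XdrCloudAppsPolicyOAuth</TypeName>
        <TypeName>XdrCloudAppsPolicyDiscovery</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Name</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>20</Width></TableColumnHeader>
          <TableColumnHeader><Label>Severity</Label><Width>10</Width></TableColumnHeader>
          <TableColumnHeader><Label>Enabled</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Alerts</Label><Width>8</Width></TableColumnHeader>
          <TableColumnHeader><Label>Id</Label><Width>30</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <TableColumnItem><PropertyName>name</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.policyType) { $_.policyType } elseif ($_.type) { $_.type }</ScriptBlock></TableColumnItem>
              <TableColumnItem><PropertyName>severity</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>enabled</PropertyName></TableColumnItem>
              <TableColumnItem><PropertyName>alertsEnabled</PropertyName></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_._id) { $_._id } elseif ($_.id) { $_.id }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

    <!-- Shared view for Cloud Apps configuration objects and the governance summary.
         Only name, status, type, id and update time are rendered here.
         NOTE(review): XdrCloudAppsConfigurationApiToken objects use this view; confirm
         the objects hold no secret value that Format-List or an export would reveal. -->
    <View>
      <Name>XdrCloudAppsConfiguration</Name>
      <ViewSelectedBy>
        <TypeName>XdrCloudAppsConfigurationDiscoveryStream</TypeName>
        <TypeName>XdrCloudAppsConfigurationApiToken</TypeName>
        <TypeName>XdrCloudAppsConfigurationConnector</TypeName>
        <TypeName>XdrCloudAppsConfigurationSubnet</TypeName>
        <TypeName>XdrCloudAppsConfigurationUserTag</TypeName>
        <TypeName>XdrCloudAppsGovernanceSummary</TypeName>
      </ViewSelectedBy>
      <TableControl>
        <TableHeaders>
          <TableColumnHeader><Label>Name</Label><Width>34</Width></TableColumnHeader>
          <TableColumnHeader><Label>Status</Label><Width>16</Width></TableColumnHeader>
          <TableColumnHeader><Label>Type</Label><Width>18</Width></TableColumnHeader>
          <TableColumnHeader><Label>Id</Label><Width>32</Width></TableColumnHeader>
          <TableColumnHeader><Label>Updated</Label><Width>24</Width></TableColumnHeader>
        </TableHeaders>
        <TableRowEntries>
          <TableRowEntry>
            <TableColumnItems>
              <!-- A governance summary has no name of its own; a present TotalApps (0 included) labels the row. -->
              <TableColumnItem><ScriptBlock>if ($_.displayName) { $_.displayName } elseif ($_.name) { $_.name } elseif ($null -ne $_.TotalApps) { "App Governance" }</ScriptBlock></TableColumnItem>
              <!-- isEnabled is tested for $null so that a disabled item prints False instead of a blank cell. -->
              <TableColumnItem><ScriptBlock>if ($_.status) { $_.status } elseif ($null -ne $_.isEnabled) { $_.isEnabled } elseif ($null -ne $_.IsOnboarded) { $_.IsOnboarded }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.type) { $_.type } elseif ($_.kind) { $_.kind } elseif ($_.policyType) { $_.policyType }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_._id) { $_._id } elseif ($_.id) { $_.id }</ScriptBlock></TableColumnItem>
              <TableColumnItem><ScriptBlock>if ($_.updateTime) { $_.updateTime } elseif ($_.lastModified) { $_.lastModified } elseif ($_.created) { $_.created }</ScriptBlock></TableColumnItem>
            </TableColumnItems>
          </TableRowEntry>
        </TableRowEntries>
      </TableControl>
    </View>

  </ViewDefinitions>
</Configuration>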