AV
Size: a a a
2020 April 30
as
может ли быть где-то пустая строка, а где-то NULL?
MS
join kind=rightouter вроде должно помочь
MS
только квери какой-то кривой кмк ))
AV
только квери какой-то кривой кмк ))
яж мдмщик) как умею
GL
SigninLogs
| mv-expand DeviceDetail
| extend browser = DeviceDetail["browser"]
| extend deviceId = DeviceDetail["deviceId"]
| extend displayName = DeviceDetail["displayName"]
| extend isCompliant = DeviceDetail["isCompliant"]
| extend isManaged = DeviceDetail["isManaged"]
| extend operatingSystem = DeviceDetail["operatingSystem"]
| extend trustType = DeviceDetail["trustType"]
| project TimeGenerated, ConditionalAccessStatus,tostring(isCompliant) ,tostring(isManaged) ,tostring(operatingSystem) ,tostring(trustType), CorrelationId
| mv-expand DeviceDetail
| extend browser = DeviceDetail["browser"]
| extend deviceId = DeviceDetail["deviceId"]
| extend displayName = DeviceDetail["displayName"]
| extend isCompliant = DeviceDetail["isCompliant"]
| extend isManaged = DeviceDetail["isManaged"]
| extend operatingSystem = DeviceDetail["operatingSystem"]
| extend trustType = DeviceDetail["trustType"]
| project TimeGenerated, ConditionalAccessStatus,tostring(isCompliant) ,tostring(isManaged) ,tostring(operatingSystem) ,tostring(trustType), CorrelationId
DeviceDetail это dynamic у тебя?
AV
DeviceDetail это dynamic у тебя?
да
GL
а зачем экспандишь?
GL
чтобы просто собрать в одну строчку?
AV
потому что иначе мешанина идет, а мне бы их как переменные
MS
в сентинеле есть такой пример
MS
SigninLogs
|where AppDisplayName in ('*') or '*' in ('*')
|where UserDisplayName in ('*') or '*' in ('*')
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = Status.failureReason
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012")
| where '*' == '*' or '*' == ErrorCode
| top 200 by TimeGenerated desc
| extend TimeFromNow = now() - TimeGenerated
| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')
| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName
|where AppDisplayName in ('*') or '*' in ('*')
|where UserDisplayName in ('*') or '*' in ('*')
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = Status.failureReason
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012")
| where '*' == '*' or '*' == ErrorCode
| top 200 by TimeGenerated desc
| extend TimeFromNow = now() - TimeGenerated
| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')
| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName
GL
SigninLogs
| evaluate bag_unpack(DeviceDetail)
| extend DeviceDetailAsString = strcat(operatingSystem," ",deviceId," ",browser)
GL
потому что иначе мешанина идет, а мне бы их как переменные
можешь так попробовать)
GL
надеюсь досутпен бэг анпек в LA
AV
SigninLogs
|where AppDisplayName in ('*') or '*' in ('*')
|where UserDisplayName in ('*') or '*' in ('*')
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = Status.failureReason
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012")
| where '*' == '*' or '*' == ErrorCode
| top 200 by TimeGenerated desc
| extend TimeFromNow = now() - TimeGenerated
| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')
| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName
|where AppDisplayName in ('*') or '*' in ('*')
|where UserDisplayName in ('*') or '*' in ('*')
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = Status.failureReason
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012")
| where '*' == '*' or '*' == ErrorCode
| top 200 by TimeGenerated desc
| extend TimeFromNow = now() - TimeGenerated
| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')
| project User = UserDisplayName, IPAddress, ['❌ Error Code'] = ErrorCode, ['Sign-in Time'] = TimeAgo, App = AppDisplayName, ['Error code'] = ErrorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName
хм, сентинел тот же лог аналитикс. ща попробую
AV
SigninLogs
| evaluate bag_unpack(DeviceDetail)
| extend DeviceDetailAsString = strcat(operatingSystem," ",deviceId," ",browser)
и это
GL
mv-expand тебе не нужен тут