Forum Discussion
Cloud App Security data in Azure Sentinel logs
McasShadowItReporting
| where TimeGenerated > ago(30d)
| where StreamName has "Global view"
//| where AppTags has "sanctioned"
| project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "")
| summarize Count = toint(dcount(App_Name)) by App_Tag
I don'f have this Table but wouldn't you just let the summarize by use the App-Tag or App_name to get a count (are you sure you need dcount() rather than count() ?).
My test is this - where the count is all occurrences of the app name BY the app_tag.
Usage
| project App_Tag = column_ifexists("DataType", ""), App_Name = column_ifexists("Solution", "")
| summarize Count_ = toint(count(App_Name)) by App_Tag
| top 5 by Count_ desc
| App_Tag | Count_ |
|---|---|
| Operation | 46 |
| SecurityEvent | 37 |
| Syslog | 37 |
| StorageBlobLogs | 37 |
| InsightsMetrics | 37 |
Thanks for the help. I did end up using dcount() rather than count() to get the correct count. Since the AppTags is dynamic, the AppName can be in multiple AppTags. Example: Sanctioned and Microsoft or Sanctioned and Vendor, I would like to know the unique app that would be sanctioned.
Current Code:
McasShadowItReporting | where TimeGenerated > ago(30d) | where StreamName has "Global view" | project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "") | summarize Count = toint(dcount(App_Name)) by tostring(App_Tag) | top 6 by Count descResult:
App_Tag
Count
["Unknown Use"]
4,333
[]
2,596
["sanctioned","Vendor"]
107
["unsanctioned"]
102
["sanctioned"]
50
["sanctioned","Microsoft"]
49
Within the Cloud App Security GUI, I'm able to get the number of apps that have the App Tag of Sanctioned even if the App is tagged as something else.
