Forum Discussion
Solved
Comparing Arrays in KQL
Hello Community, I am trying to create Azure Sentinel rule in KQL, The rule is based on data OfficeActivity table : Rule logic: Whenever a user is using a new user agent, that wasn't previously us...
DavidSho ,
Without getting into the details of agent/client, you can compare the arrays using the set_intersect function, which returns distinct array values that appear in all given arrays.
To simplify, I use in the below example only a subset of the arrays you've published, and the output in this case is ["RavenPoint 7.0.0.45159"] :
print arr = set_intersect( dynamic(["Microsoft Office Excel/16.0.12527.20260 (Windows/10.0; Desktop x64; en-IE; Desktop app; HP/HP EliteBook Folio 1040 G3)","RavenPoint 7.0.0.45159","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36","MSWAC"]), dynamic(["RavenPoint 7.0.0.45159","Microsoft Office Excel/16.0.12624.20424 (Windows/10.0; Desktop x64; en-IE; Desktop app; HP/HP EliteBook Folio 1040 G3)"]))HTH,
Noa
Noa Kuperberg
Microsoft
MicrosoftDavidSho ,
Without getting into the details of agent/client, you can compare the arrays using the set_intersect function, which returns distinct array values that appear in all given arrays.
To simplify, I use in the below example only a subset of the arrays you've published, and the output in this case is ["RavenPoint 7.0.0.45159"] :
print arr = set_intersect(
dynamic(["Microsoft Office Excel/16.0.12527.20260 (Windows/10.0; Desktop x64; en-IE; Desktop app; HP/HP EliteBook Folio 1040 G3)","RavenPoint 7.0.0.45159","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36","MSWAC"]),
dynamic(["RavenPoint 7.0.0.45159","Microsoft Office Excel/16.0.12624.20424 (Windows/10.0; Desktop x64; en-IE; Desktop app; HP/HP EliteBook Folio 1040 G3)"]))
HTH,
Noa