cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Detection Rule based on Kusto Query

dmarquesgn
Iron Contributor

‎Oct 04 2022 12:08 AM

‎Oct 04 2022 12:08 AM

Detection Rule based on Kusto Query

Hi,

I'm new to KQL and trying now to write a query to find Windows Servers that are known to Defender and which are not Onboarded. I've got my query ready and working, which is like this:

DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| where Timestamp > ago(1d)
| summarize count() by DeviceName, OSDistribution, OnboardingStatus, DeviceId
| order by DeviceName

And this is fine as it returns 1 ocurrence of each server which is not onboarded. But if I go to "Create detection rule", I got the message that I miss the "Timestamp" and "ReportId".

The problem is if I had those to the query, then instead of having 1 ocurrence of each server I have a lot of them, because the table has a lot of those records on different times.

Is there a way to add the necessary "Timestamp" and "ReportId" and keep it displaying just 1 ocurrence of each server, for example, the last one?
Thanks

Labels:
2,385 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by dmarquesgn (Iron Contributor)
MichaelJMelone

‎Oct 04 2022 01:09 PM - edited ‎Oct 04 2022 01:56 PM

‎Oct 04 2022 01:09 PM - edited ‎Oct 04 2022 01:56 PM

Solution

Re: Detection Rule based on Kusto Query

Hello @dmarquesgn ,

The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.

 Try this:

 

 

DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId

 

 

1 Like
Reply
dmarquesgn

‎Oct 09 2022 08:33 AM

‎Oct 09 2022 08:33 AM

Re: Detection Rule based on Kusto Query

Thanks Michael, that was what I needed.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by dmarquesgn (Iron Contributor)
MichaelJMelone

‎Oct 04 2022 01:09 PM - edited ‎Oct 04 2022 01:56 PM

‎Oct 04 2022 01:09 PM - edited ‎Oct 04 2022 01:56 PM

Solution

Re: Detection Rule based on Kusto Query

Hello @dmarquesgn ,

The best way to accomplish this would be to use either the arg_max() or arg_min() operator. Both of these operators bring back a single row and as many columns as you want when the specified value is maximized. In your case you would want to minimize the Timestamp column to find the first time it was seen.

 Try this:

 

 

DeviceInfo
| where OnboardingStatus contains "Can be onboarded" and MachineGroup contains "Windows Server"
| summarize arg_min(Timestamp, DeviceName, OSDistribution, OnboardingStatus, ReportId) by DeviceId

 

 

View solution in original post

1 Like
Reply