Forum Discussion

quinzy's avatar
quinzy
Copper Contributor
Dec 14, 2020
Solved

hyphen minus in string search

We have a query to find out what firefox extensions are installed on our clients,
somehow the filename cannot be search on hyphen minus , if we run the query he did not recognized it. I think it is about the string , but other does not work 😞 how to handle this in the query 

// Copyright 2020 Quinzy 🙂
//https://www.systemlookup.com/lists.php?list=13
//"product | info | source | category | browser | Approval","Filename",,
let KnownExtensions = datatable(ShareName:string, FileName:string)
[
"Google Container | Prevent Google from tracking you around the web. The Google Container extension helps you take control and isolate your web activity from Google. | https://www.systemlookup.com/FF_Extensions/8587-contain_google_xpi.html | Anonymizer | Firefox | TBD","@contain-google.xpi",
"SetupVPN Lifetime Free VPN | Unblock any blocked website in your country, school or company. | https://www.systemlookup.com/FF_Extensions/8485-setupvpncom_xpi.html | Anonymizer | Firefox | Block","@setupvpncom.xpi",
"Kee - Password Manager | Save time, sign in easily to websites and avoid the hassle of forgotten password resets. | https://www.systemlookup.com/FF_Extensions/8724-Tab_Session_Manager_sienori_xpi.html | Security | Firefox | Allow","Tab-Session-Manager@sienori.xpi",

];
DeviceFileEvents
| where ActionType == "FileCreated" and (FolderPath endswith ".xpi") and FolderPath notcontains "Temp"
| summarize count() by FileName, DeviceName
| join kind = leftouter (KnownExtensions | project FileName = tolower(FileName), ShareName) on FileName
| project ShareName,FileName, DeviceName
| extend CounterPathArea = split(ShareName, "|")
| extend BrowserExtensionName = CounterPathArea [0]
| extend Description = CounterPathArea [1]
| extend BrowserExtensionId = FileName
| extend Source = CounterPathArea [2]
| extend Category = CounterPathArea [3]
| extend Browser = CounterPathArea [4]
| extend Hostname = DeviceName
| extend Approval = CounterPathArea [5]
| project-away ShareName, CounterPathArea, FileName , DeviceName
| sort by BrowserExtensionId asc
 

 

 

  • shoando's avatar
    shoando
    Dec 15, 2020

    You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.

    https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer#left-outer-join-flavor

3 Replies

  • shoando's avatar
    shoando
    Brass Contributor
    Dec 15, 2020

    You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.

    https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer#left-outer-join-flavor

      • quinzy's avatar
        quinzy
        Copper Contributor
        Dec 16, 2020

        fullouter get it, but seems he takes now not the other double,

        is suggest to somehow to remove the hyphen minus and than search on it

        or is there a better alternative then full outer

Resources