Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

hyphen minus in string search

Copper Contributor
We have a query to find out what firefox extensions are installed on our clients,
somehow the filename cannot be search on hyphen minus , if we run the query he did not recognized it. I think it is about the string , but other does not work :( how to handle this in the query 

// Copyright 2020 Quinzy :)
//"product | info | source | category | browser | Approval","Filename",,
let KnownExtensions = datatable(ShareName:string, FileName:string)
[
"Google Container | Prevent Google from tracking you around the web. The Google Container extension helps you take control and isolate your web activity from Google. | https://www.systemlookup.com/FF_Extensions/8587-contain_google_xpi.html | Anonymizer | Firefox | TBD","@contain-google.xpi",
"SetupVPN Lifetime Free VPN | Unblock any blocked website in your country, school or company. | https://www.systemlookup.com/FF_Extensions/8485-setupvpncom_xpi.html | Anonymizer | Firefox | Block","@setupvpncom.xpi",
"Kee - Password Manager | Save time, sign in easily to websites and avoid the hassle of forgotten password resets. | https://www.systemlookup.com/FF_Extensions/8724-Tab_Session_Manager_sienori_xpi.html | Security | Firefox | Allow","Tab-Session-Manager@sienori.xpi",

];
DeviceFileEvents
| where ActionType == "FileCreated" and (FolderPath endswith ".xpi") and FolderPath notcontains "Temp"
| summarize count() by FileName, DeviceName
| join kind = leftouter (KnownExtensions | project FileName = tolower(FileName), ShareName) on FileName
| project ShareName,FileName, DeviceName
| extend CounterPathArea = split(ShareName, "|")
| extend BrowserExtensionName = CounterPathArea [0]
| extend Description = CounterPathArea [1]
| extend BrowserExtensionId = FileName
| extend Source = CounterPathArea [2]
| extend Category = CounterPathArea [3]
| extend Browser = CounterPathArea [4]
| extend Hostname = DeviceName
| extend Approval = CounterPathArea [5]
| project-away ShareName, CounterPathArea, FileName , DeviceName
| sort by BrowserExtensionId asc
 

 

Advanced hunting -result.png 

3 Replies
best response confirmed by quinzy (Copper Contributor)
Solution

You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.

join operator - Azure Data Explorer | Microsoft Docs

@shoando ok thanks for feedback !

fullouter get it, but seems he takes now not the other double,

is suggest to somehow to remove the hyphen minus and than search on it

or is there a better alternative then full outer

1 best response

Accepted Solutions
best response confirmed by quinzy (Copper Contributor)
Solution

You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.

join operator - Azure Data Explorer | Microsoft Docs

View solution in original post