SOLVED

hyphen minus in string search

%3CLINGO-SUB%20id%3D%22lingo-sub-1985200%22%20slang%3D%22en-US%22%3Ehyphen%20minus%20in%20string%20search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1985200%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CSPAN%3EWe%20have%20a%20query%20to%20find%20out%20what%20firefox%20extensions%20are%20installed%20on%20our%20clients%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Esomehow%20the%20filename%20cannot%20be%20search%20on%20hyphen%20minus%20%2C%20if%20we%20run%20the%20query%20he%20did%20not%20recognized%20it.%20I%20think%20it%20is%20about%20the%20string%20%2C%20but%20other%20does%20not%20work%20%3A(%3C%2Fimg%3E%20how%20to%20handle%20this%20in%20the%20query%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%2F%2F%20Copyright%202020%20Quinzy%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%3CA%20href%3D%22https%3A%2F%2Fwww.systemlookup.com%2Flists.php%3Flist%3D13%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.systemlookup.com%2Flists.php%3Flist%3D13%3C%2FA%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%2F%2F%22product%20%7C%20info%20%7C%20source%20%7C%20category%20%7C%20browser%20%7C%20Approval%22%2C%22Filename%22%2C%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3Elet%20KnownExtensions%20%3D%20datatable(ShareName%3Astring%2C%20%3CSTRONG%3EFileName%3Astring%3C%2FSTRONG%3E)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%5B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%22Google%20Container%20%7C%20Prevent%20Google%20from%20tracking%20you%20around%20the%20web.%20The%20Google%20Container%20extension%20helps%20you%20take%20control%20and%20isolate%20your%20web%20activity%20from%20Google.%20%7C%20%3CA%20href%3D%22https%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8587-contain_google_xpi.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8587-contain_google_xpi.html%3C%2FA%3E%20%7C%20Anonymizer%20%7C%20Firefox%20%7C%20TBD%22%2C%22%40contain-google.xpi%22%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%22SetupVPN%20Lifetime%20Free%20VPN%20%7C%20Unblock%20any%20blocked%20website%20in%20your%20country%2C%20school%20or%20company.%20%7C%20%3CA%20href%3D%22https%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8485-setupvpncom_xpi.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8485-setupvpncom_xpi.html%3C%2FA%3E%20%7C%20Anonymizer%20%7C%20Firefox%20%7C%20Block%22%2C%22%40setupvpncom.xpi%22%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%3CSPAN%3E%22Kee%20-%20Password%20Manager%20%7C%20Save%20time%2C%20sign%20in%20easily%20to%20websites%20and%20avoid%20the%20hassle%20of%20forgotten%20password%20resets.%20%7C%20%3CA%20href%3D%22https%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8724-Tab_Session_Manager_sienori_xpi.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.systemlookup.com%2FFF_Extensions%2F8724-Tab_Session_Manager_sienori_xpi.html%3C%2FA%3E%20%7C%20Security%20%7C%20Firefox%20%7C%20Allow%22%2C%22%3CSTRONG%3ETab-Session-Manager%40sienori.xpi%3C%2FSTRONG%3E%22%2C%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%5D%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EDeviceFileEvents%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20where%20ActionType%20%3D%3D%20%22FileCreated%22%20and%20(FolderPath%20endswith%20%22.xpi%22)%20and%20FolderPath%20notcontains%20%22Temp%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20summarize%20count()%20by%20FileName%2C%20DeviceName%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20join%20kind%20%3D%20leftouter%20(KnownExtensions%20%7C%20project%20FileName%20%3D%20tolower(FileName)%2C%20ShareName)%20on%20FileName%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20project%20ShareName%2CFileName%2C%20DeviceName%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20CounterPathArea%20%3D%20split(ShareName%2C%20%22%7C%22)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20BrowserExtensionName%20%3D%20CounterPathArea%20%5B0%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Description%20%3D%20CounterPathArea%20%5B1%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20BrowserExtensionId%20%3D%20FileName%20%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Source%20%3D%20CounterPathArea%20%5B2%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Category%20%3D%20CounterPathArea%20%5B3%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Browser%20%3D%20CounterPathArea%20%5B4%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Hostname%20%3D%20DeviceName%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20extend%20Approval%20%3D%20CounterPathArea%20%5B5%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20project-away%20ShareName%2C%20CounterPathArea%2C%20FileName%20%2C%20DeviceName%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%3CSPAN%3E%3CSPAN%3E%7C%20sort%20by%20BrowserExtensionId%20asc%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Advanced%20hunting%20-result.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F240160iAFACDCF8BB352F9C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Advanced%20hunting%20-result.png%22%20alt%3D%22Advanced%20hunting%20-result.png%22%20%2F%3E%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1988109%22%20slang%3D%22en-US%22%3ERe%3A%20hyphen%20minus%20in%20string%20search%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1988109%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F474594%22%20target%3D%22_blank%22%3E%40shoando%3C%2FA%3E%26nbsp%3Bok%20thanks%20for%20feedback%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor
We have a query to find out what firefox extensions are installed on our clients,
somehow the filename cannot be search on hyphen minus , if we run the query he did not recognized it. I think it is about the string , but other does not work :( how to handle this in the query 

// Copyright 2020 Quinzy :)
//"product | info | source | category | browser | Approval","Filename",,
let KnownExtensions = datatable(ShareName:string, FileName:string)
[
"Google Container | Prevent Google from tracking you around the web. The Google Container extension helps you take control and isolate your web activity from Google. | https://www.systemlookup.com/FF_Extensions/8587-contain_google_xpi.html | Anonymizer | Firefox | TBD","@contain-google.xpi",
"SetupVPN Lifetime Free VPN | Unblock any blocked website in your country, school or company. | https://www.systemlookup.com/FF_Extensions/8485-setupvpncom_xpi.html | Anonymizer | Firefox | Block","@setupvpncom.xpi",
"Kee - Password Manager | Save time, sign in easily to websites and avoid the hassle of forgotten password resets. | https://www.systemlookup.com/FF_Extensions/8724-Tab_Session_Manager_sienori_xpi.html | Security | Firefox | Allow","Tab-Session-Manager@sienori.xpi",

];
DeviceFileEvents
| where ActionType == "FileCreated" and (FolderPath endswith ".xpi") and FolderPath notcontains "Temp"
| summarize count() by FileName, DeviceName
| join kind = leftouter (KnownExtensions | project FileName = tolower(FileName), ShareName) on FileName
| project ShareName,FileName, DeviceName
| extend CounterPathArea = split(ShareName, "|")
| extend BrowserExtensionName = CounterPathArea [0]
| extend Description = CounterPathArea [1]
| extend BrowserExtensionId = FileName
| extend Source = CounterPathArea [2]
| extend Category = CounterPathArea [3]
| extend Browser = CounterPathArea [4]
| extend Hostname = DeviceName
| extend Approval = CounterPathArea [5]
| project-away ShareName, CounterPathArea, FileName , DeviceName
| sort by BrowserExtensionId asc
 

 

Advanced hunting -result.png 

3 Replies
best response confirmed by quinzy (Occasional Contributor)
Solution

You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.

join operator - Azure Data Explorer | Microsoft Docs

@shoando ok thanks for feedback !

fullouter get it, but seems he takes now not the other double,

is suggest to somehow to remove the hyphen minus and than search on it

or is there a better alternative then full outer