quinzy
Dec 14, 2020 (Copper Contributor)
hyphen minus in string search
We have a query to find out what Firefox extensions are installed on our clients.
Somehow the filename cannot be searched on a hyphen-minus; if we run the query, it is not recognized. I think it is about the string, but others do not work 😞 How do we handle this in the query?
// Copyright 2020 Quinzy 🙂
//"product | info | source | category | browser | Approval","Filename",,
let KnownExtensions = datatable(ShareName:string, FileName:string)
[
"Google Container | Prevent Google from tracking you around the web. The Google Container extension helps you take control and isolate your web activity from Google. | https://www.systemlookup.com/FF_Extensions/8587-contain_google_xpi.html | Anonymizer | Firefox | TBD","@contain-google.xpi",
"SetupVPN Lifetime Free VPN | Unblock any blocked website in your country, school or company. | https://www.systemlookup.com/FF_Extensions/8485-setupvpncom_xpi.html | Anonymizer | Firefox | Block","@setupvpncom.xpi",
"Kee - Password Manager | Save time, sign in easily to websites and avoid the hassle of forgotten password resets. | https://www.systemlookup.com/FF_Extensions/8724-Tab_Session_Manager_sienori_xpi.html | Security | Firefox | Allow","Tab-Session-Manager@sienori.xpi",
];
DeviceFileEvents
| where ActionType == "FileCreated" and (FolderPath endswith ".xpi") and FolderPath notcontains "Temp"
| summarize count() by FileName, DeviceName
| join kind = leftouter (KnownExtensions | project FileName = tolower(FileName), ShareName) on FileName
| project ShareName,FileName, DeviceName
| extend CounterPathArea = split(ShareName, "|")
| extend BrowserExtensionName = CounterPathArea [0]
| extend Description = CounterPathArea [1]
| extend BrowserExtensionId = FileName
| extend Source = CounterPathArea [2]
| extend Category = CounterPathArea [3]
| extend Browser = CounterPathArea [4]
| extend Hostname = DeviceName
| extend Approval = CounterPathArea [5]
| project-away ShareName, CounterPathArea, FileName , DeviceName
| sort by BrowserExtensionId asc
- shoando (Brass Contributor)
You are using a left-outer join, so the browser extension name for records that don't hit the filename will be blank.
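An added example, not part of the original thread: the `on FileName` join key is compared case-sensitively, and the posted query applies `tolower()` only to the lookup table, so a mixed-case name such as `Tab-Session-Manager@sienori.xpi` never matches and comes back blank from the left-outer join, which can look like a hyphen problem. The sketch below lowercases both sides; the device names, the `SampleFileEvents` table (standing in for `DeviceFileEvents`) and the simplified lookup columns are constructed for illustration.

```kusto
// Added example. All rows below are constructed sample data.
let KnownExtensions = datatable(ExtensionName:string, FileName:string)
[
    "Google Container",    "@contain-google.xpi",
    "Tab Session Manager", "Tab-Session-Manager@sienori.xpi"
];
// Stand-in for DeviceFileEvents so the query runs without tenant data.
let SampleFileEvents = datatable(DeviceName:string, FileName:string)
[
    "pc-01", "@contain-google.xpi",
    "pc-02", "Tab-Session-Manager@sienori.xpi",
    "pc-03", "unknown-addon@example.xpi"
];
SampleFileEvents
// Normalize the key on the left side as well as on the right side.
| extend FileKey = tolower(FileName)
| join kind=leftouter (
    KnownExtensions
    | project FileKey = tolower(FileName), ExtensionName
  ) on FileKey
// Rows with no match keep an empty ExtensionName; flag them for review
// instead of letting them appear as blank names.
| extend Status = iff(isempty(ExtensionName), "not in known list", "known")
| project DeviceName, FileName, ExtensionName, Status
| sort by DeviceName asc
```

With the key normalized on both sides, pc-01 and pc-02 resolve to their extension names and only pc-03 is flagged as not in the known list.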