User Profile

SuryaJ

Microsoft

Joined 4 years ago

11 Posts10 Likes1 Solution

View All Badges

User Widgets

Recent Discussions

Re: Kusto Query: Clipboard access during RDP session
Can you paste some records for reference here from DeviceLogonEvents table? Does this table have DLL call information in a column?
Apr 17, 2023 Place Azure Data Explorer
2.5KViews
0likes
1Comment
Re: Kusto Query for Network Security Group
venu15 Taking the reference of logs format from here - https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#log-format There are 3 parameters in the logs that can help us check if the traffic was allowed or denied So, KQL query for this check will be like below: nsgLogs // | where sourceIP== '10.226.16.165' and destinationIP== '159.123.12.3' // If you need IP filter | extend trafficDecision = iif(TrafficDecision == 'A', 'Allowed', 'Denied') | project sourceIP, destinationIP, trafficDecision
Apr 11, 2023 Place Azure Data Explorer
2.9KViews
0likes
0Comments
Re: Is there a bug in the make-series function or am I usingit wrong ?
Frederik-Gheysels While the start of time is inclusive, end of time is non inclusive. You created make-series on Timestamp column which has min value of 2023-03-29T00:00:00 but in your KQL query, you used 2023-03-29T08:38:03.6817196Z. so 12 and 7841 will not be included in the output. Your second query is correct since it included time less than the min timestamp in your table and a little more than the max timestamp.
Mar 31, 2023 Place Azure Data Explorer
688Views
0likes
0Comments
Re: Trying to get the unique values of "newValue" and "oldValue" in AuditLogs using Kusto
The query I gave was just an example. You can translate this to your data. For Example, I used co1.displayname=="conditional" which you can replace with category == "policy". This is not a literal query but the structure should help with your case. 1. Use mv-expand on oldvalue and newvalue 2. Use make_set 3. Use set_difference
Mar 27, 2023 Place Azure Data Explorer
2KViews
0likes
0Comments
Re: Trying to get the unique values of "newValue" and "oldValue" in AuditLogs using Kusto
Hi mikey365 , Can you try this ? : let device_mappings = datatable(col1:dynamic) [dynamic({"displayName":"conditional","oldvalue":{"id":"123","Name":"Surya","dept":"maths"},"newvalue":{"id":"123","Name":"Surya","dept":"science"}})]; device_mappings | where col1.displayName=="conditional" | extend oldvalue=col1.oldvalue, newvalue=col1.newvalue | mv-expand oldvalue, newvalue // to explode old and new values to multiple records | summarize make_set(oldvalue), make_set(newvalue) // for use in set_difference | project newValues= set_difference(set_newvalue,set_oldvalue) // compares new and old values and gets the New/changed key value pair The output of this will be the changed value only:
Mar 27, 2023 Place Azure Data Explorer
2KViews
0likes
2Comments
Re: How to use multiple sliding_window_counts in a single query
ankasani , you can try something like this let Start = startofday(ago(60d)); let End = startofday(now()); let MAUwindow=30d; //MAU 30d, WAU 7d, DAU 1d let WAUwindow=7d; let DAUwindow=1d; let bin = 1d; let filteredEvents= materialize (customEvents | where timestamp >= Start and timestamp <= End | project user_Id, timestamp); let MAUcounts=filteredEvents | evaluate sliding_window_counts(user_Id, timestamp, Start, End, MAUwindow, bin) | project timestamp, mau=Dcount; let WAUcounts=filteredEvents | evaluate sliding_window_counts(user_Id, timestamp, Start, End, WAUwindow, bin) | project timestamp, wau=Dcount; let DAUcounts=filteredEvents | evaluate sliding_window_counts(user_Id, timestamp, Start, End, DAUwindow, bin) | project timestamp, dau=Dcount; MAUcounts | join kind=inner WAUcounts on timestamp | join kind=inner DAUcounts on timestamp | project timestamp, mau, wau, dau | render timechart with (ysplit=panels)
Mar 16, 2023 Place Azure Data Explorer
826Views
0likes
1Comment

Recent Blog Articles