User Profile

ashishrajsrivastava

MCT

Joined Sep 12, 2018

5 Posts5 LikesLikes received

View All Badges

User Widgets

Recent Discussions

Re: How to compare a array values in a column against another array from a watchlist in Kusto
Trying exactly this. Does not throw a terminal error but does not show valid results either. Trying to tweak it further.
Feb 16, 2022 Place Microsoft Sentinel
4.7KViews
0likes
0Comments
Re: How to compare a array values in a column against another array from a watchlist in Kusto
Let me try this, I do remember trying union but not sure if I did finish till the comparison.
Feb 15, 2022 Place Microsoft Sentinel
5KViews
0likes
2Comments
How to compare a array values in a column against another array from a watchlist in Kusto
I am getting results with a column named IPAddresses having values in array. I want to compare each value in this array to a list (another array from a watch list). I have been trying to make use of mv-apply but with no success, can any guide me in this. Here is my code snippet: let timeframe = ago(3h); let threshold = 2; let ZSwatchlist = (_GetWatchlist('zscaler') | project SearchKey); let zarray = (ZSwatchlist | summarize zlist = make_list(SearchKey)); let users = (imAuthentication | where TargetUserType != 'ServicePrincipal' | where TimeGenerated > timeframe | where EventType == 'Logon' and EventResult == 'Success' | where isnotempty(SrcGeoCountry) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct), Countries = make_set(SrcGeoCountry), IPAddresses = make_set(SrcDvcIpAddr) , NumOfCountries = dcount(SrcGeoCountry) by TargetUserId, TargetUsername, TargetUserType); users | mv-apply ipscaler=toscalar(IPAddresses) to typeof(string) on( where not(ipv4_is_in_range(IPAddresses,zarray)) )
Feb 15, 2022 Place Microsoft Sentinel
Azure Sentinel
5.2KViews
0likes
4Comments
Re: Azure Sentinel Automation (Preview) - Issue with Permission assignment
In my scenario i am using analytical rule and runbook both in primary tenant. I have contributor level permissions on resource group containing sentinel and logic apps, rg containing runbook is already allowed permission to run runbook from Sentinel Setting runbook permissions. When I try to run the runbook from incident alerts I am getting Missing Permissions to view playbook runs. We are using Lighthouse but here we are not doing anything cross tenant in terms of Sentinel. I have Sentinel Contributor role on the Lighthouse level as well.
Dec 09, 2021 Place Microsoft Sentinel
11KViews
0likes
0Comments

Groups

Developer User Group Leaders Hub

The place where user group leaders who want to be in the know -- on the latest & greatest from Microsoft Dev Tools, Azure, and AI topics -- come together to discuss, learn, share best practices, and get weekly updates.

Recent Blog Articles

No content to show