User Profile
Metzinger35
Copper Contributor
Joined Apr 03, 2020
User Widgets
Recent Discussions
Cloud App Security data in Azure Sentinel logs
Hello, I'm trying to pull AppTags from Cloud App Security from the Azure Sentinel logs using the McasShadowItReporting table to create a Power BI report so that these metrics can be available to people when they want them. I'm trying to pull the data of apps that are considered sanctioned, unsanctioned, unknown, and a few custom tags that have been created. I'm having an issue with the Kusto language when trying to pull all that data with one query. I'm able to get the information for one, but when I try to pull the other app tags, that is where I run into problems and the numbers get combined instead of an individual count of the applications for each app tag. The code I have below is what works for looking for Sanctioned, but when I try to get sanctioned and unsanctioned, it combines them together. Any help would be greatly appreciated.

McasShadowItReporting
| where TimeGenerated > ago(30d)
| where StreamName has "Global view"
| where AppTags has "sanctioned"
| project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "")
// distinct apps carrying the tag; the constant label is added afterwards so the
// summarize does not try to group by an expression
| summarize Count = toint(dcount(App_Name))
| extend App_Tag = "Sanctioned"

2.5K views, 0 likes, 2 comments

AIP Scanner Status report
Hello, I'm looking to create some kind of report for the AIP scanner as it is scanning share directories. It would be nice to know when it starts to scan a directory and when the scanner has completed the directory. It would be nice to have it include all the directories and then give the status of whether it has completed scanning. Is this possible with AIP and Log Analytics? I have been looking into this and haven't made it too far. Any help would be greatly appreciated.

1.3K views, 0 likes, 1 comment

AIP Log Analytics
Hi, I'm trying to create a query for Azure Information Protection that will generate a report of the number of classification labels applied during the day, including the application name and label type. Example:

Classification Label     Label Type      Application Type   Amount
Public                   New Label       Outlook            10
Internal                 Upgrade Label   Word               15

Currently what I have:

InformationProtectionLogs_CL
| where Activity_s == "NewLabel"
| where ApplicationName_s == "Word" or ApplicationName_s == "Outlook"
| where LabelName_s == "Highly Confidential QA" or LabelName_s == "Confidential QA" or LabelName_s == "Internal QA" or LabelName_s == "Public QA"
| project Label_Name = column_ifexists("LabelName_s", ""), Application_Name = column_ifexists("ApplicationName_s", ""), Label_Type = column_ifexists("Activity_s", "NewLabel")
| summarize New_Labels = count(Label_Type) by Label_Name
| sort by New_Labels desc

Any help is greatly appreciated.

Solved. 2.1K views, 0 likes, 2 comments

Re: Cloud App Security data in Azure Sentinel logs
CliveWatson Thanks for the help. I did end up using dcount() rather than count() to get the correct count. Since AppTags is dynamic, the AppName can be in multiple AppTags. Example: Sanctioned and Microsoft, or Sanctioned and Vendor; I would like to know the unique apps that are sanctioned.

Current code:

McasShadowItReporting
| where TimeGenerated > ago(30d)
| where StreamName has "Global view"
| project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "")
| summarize Count = toint(dcount(App_Name)) by tostring(App_Tag)
| top 6 by Count desc

Result:

App_Tag                      Count
["Unknown Use"]              4,333
[]                           2,596
["sanctioned","Vendor"]      107
["unsanctioned"]             102
["sanctioned"]               50
["sanctioned","Microsoft"]   49

Within the Cloud App Security GUI, I'm able to get the number of apps that have the App Tag of Sanctioned even if the App is tagged as something else.

2.2K views, 0 likes, 0 comments

Re: AIP Log Analytics
CliveWatson Thanks for all the help, that works. I even added a TimeGenerated column, combining all labels that were classified during specific days.

InformationProtectionLogs_CL
| where Activity_s == "NewLabel" or Activity_s == "UpgradeLabel" or Activity_s == "RemoveLabel" or Activity_s == "DowngradeLabel"
| where ApplicationName_s == "AIP scanner" or ApplicationName_s == "Excel" or ApplicationName_s == "Microsoft Cloud App Security" or ApplicationName_s == "Outlook" or ApplicationName_s == "PowerPoint" or ApplicationName_s == "Word"
| where LabelName_s in ("Highly Confidential QA", "Confidential QA", "Internal QA", "Public QA")
// the formatted day must be given a name here, otherwise project drops TimeGenerated
// and the summarize below has nothing to group on
| project Label_Name = column_ifexists("LabelName_s", ""), Application_Name = column_ifexists("ApplicationName_s", ""), Activity = column_ifexists("Activity_s", "NewLabel"), TimeGenerated = format_datetime(TimeGenerated, 'MM-dd-yyyy')
| summarize Count = toint(count(Label_Name)) by Label_Name, Application_Name, Activity, TimeGenerated

Results:

Label_Name               Application_Name                Activity   TimeGenerated   Count
Highly Confidential QA   Microsoft Cloud App Security    NewLabel   3/23/2020       2
Highly Confidential QA   Outlook                         NewLabel   3/23/2020       1

2K views, 0 likes, 0 comments
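The two Cloud App Security posts above want the portal's number: distinct apps per tag, where an app tagged ["sanctioned","Vendor"] counts under "sanctioned" as well as under "Vendor". Grouping by the whole AppTags array cannot give that, because every distinct combination becomes its own row. The query below is an added example written for this page, not code from the thread; the column names (AppTags, AppName, StreamName, TimeGenerated) are taken from the posts, while the "(untagged)" placeholder and the 30-day window are assumptions.

```kusto
// Added example, not code from the original thread. Column names come from the
// queries in the posts; the "(untagged)" placeholder and 30-day window are assumptions.
McasShadowItReporting
| where TimeGenerated > ago(30d)
| where StreamName has "Global view"
| where isnotempty(AppName)
// Keep apps whose tag array is empty visible under a placeholder tag instead of losing them.
| extend Tags = iff(array_length(AppTags) > 0, AppTags, dynamic(["(untagged)"]))
// One row per (app, tag): an app tagged ["sanctioned","Vendor"] now contributes a row
// to "sanctioned" and a row to "Vendor", which is how the portal counts it.
| mv-expand Tag = Tags to typeof(string)
// Collapse repeated sightings of the same app to a single (tag, app) row ...
| summarize by Tag, AppName
// ... then count rows per tag. This is an exact distinct-app count, whereas dcount()
// is an estimate that can be off by a few percent on large sets.
| summarize Apps = count() by Tag
| order by Apps desc
```

To keep only the tags the Power BI report needs, add `| where Tag in~ ("sanctioned", "unsanctioned", "Unknown Use")` after the mv-expand; `in~` is case-insensitive, which matters because the posted results show the tag values in mixed case.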
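For the AIP label report, grouping by a date formatted as a string works but sorts lexically and reaches Power BI as text. The query below is an added example, not the poster's query: it buckets with bin() so the day stays a datetime, and maps Activity_s to the "Label Type" wording used in the example table in the question. The label and application lists are copied from the posts; the 30-day window and the display names for Downgrade/Remove are assumptions.

```kusto
// Added example, not the poster's query. Column names, label names and application
// names come from the thread; the time window and the Downgrade/Remove display names
// are assumptions.
let labels = dynamic(["Highly Confidential QA", "Confidential QA", "Internal QA", "Public QA"]);
let apps   = dynamic(["AIP scanner", "Excel", "Microsoft Cloud App Security", "Outlook", "PowerPoint", "Word"]);
InformationProtectionLogs_CL
| where TimeGenerated > ago(30d)
| where Activity_s in ("NewLabel", "UpgradeLabel", "DowngradeLabel", "RemoveLabel")
| where LabelName_s in (labels) and ApplicationName_s in (apps)
// bin() keeps a real datetime per day, so the report sorts chronologically and
// Power BI can treat the column as a date rather than a string.
| extend Day = bin(TimeGenerated, 1d)
// Human-readable activity names matching the "Label Type" column in the example table.
| extend Label_Type = case(
      Activity_s == "NewLabel",       "New Label",
      Activity_s == "UpgradeLabel",   "Upgrade Label",
      Activity_s == "DowngradeLabel", "Downgrade Label",
      Activity_s == "RemoveLabel",    "Remove Label",
      "Other")
| summarize Amount = count()
      by Day, Classification_Label = LabelName_s, Label_Type, Application_Type = ApplicationName_s
| order by Day asc, Amount desc
```

Downgrade and Remove rows are the ones worth watching separately: a spike in "Downgrade Label" or "Remove Label" for "Highly Confidential QA" from a single application is the pattern that usually warrants a follow-up, whereas "New Label" volume mostly tracks normal document creation.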
Recent Blog Articles
No content to show