Kusto
113 Topics

How to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community, We are ingesting Azure Database for PostgreSQL logs into the Log Analytics workspace and tried to retrieve the values from the PostgreSQL log Message column. However, we are getting the values with double quotes and a comma in the retrieved values. Below is the sample PostgreSQL Message log:

Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption

We used the below KQL query and parse kind (mentioned below) to get the values of host, user, and database, but we got the values like below with double quotes and a comma. How to get the values without double quotes?

AzureDiagnostics
| where Category == "PostgreSQLLogs"
| where errorLevel_s == "FATAL"
| where Message contains "no pg_hba.conf entry"
| parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName

Received Values:

Thanks, Yugandhar.

15 views, 0 likes, 2 comments

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and a different account, but it does not work. Can you help to confirm if this link is still accessible? I was able to access the resource last week, but not this week. I am looking forward to hearing from you.

Solved. 160 views, 1 like, 2 comments

Sentinel query KQL with variables
Hello! I need to use variables as parameters of functions in Sentinel Logs. I have:

let t = "Syslog";
let name = "my-Sentinel";
let id = "abc123";

Well, if I do this, it works fine:

table("Syslog")
table(t)
workspace("my-Sentinel").table("Syslog")
workspace("my-Sentinel").Syslog

But I need this to work:

workspace(name).table(t)

or

let x=strcat("workspace('", name, "')");
let y=strcat("table('", t, "')");
x.y

In general it seems that the function workspace() doesn't work with a variable as parameter, but the function table(), if alone, works:

workspace("my-Sentinel") -> YES
workspace(n) -> NO
table("Syslog") -> OK
table(t) -> OK

Any idea how to make it work? In particular, to do this:

workspace(name).table(t)

Thanks!!!

312 views, 0 likes, 2 comments

Splunk eventstats equivalent in KQL?
Is there an equivalent eventstats command in KQL similar to Splunk? If not, is there a way to achieve the same result in KQL? The eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.

47 views, 0 likes, 1 comment

KQL Queries
Hi team, Please help me write a KQL query which reflects the devices which are missing Windows security patches. The condition I want to apply here is: I need the device's sensor health = "Active" and onboarding status = "Onboarded". Right now I am using:

DeviceTvmSoftwareVulnerabilities
| where RecommendedSecurityUpdate endswith "August 2024 security updates"
| where DeviceName contains "xyz"
| summarize by DeviceId, DeviceName, RecommendedSecurityUpdate, OSPlatform

Please help me out! Thanks in advance! 🙂

581 views, 0 likes, 3 comments

watchlist with contains
Hi Team, can someone help me? I have a list of dynamic DNS domains and am performing KQL with the _Im_Dns table. I have created a watchlist of domains and applied it to the _Im_Dns table, so I am getting a result only on an exact match in the DnsQuery column. For example, if microsoft.com is a dynamic domain in my watchlist, then it gets a result only when the DnsQuery column has microsoft.com. But my concern is that I want to get a result if the DnsQuery column has xyz.microsoft.com.Abc.

let DynamicDns = _GetWatchlist('dynamic_dns') | project SearchKey;
_Im_Dns
| where DnsQuery in~ (DynamicDns)

My watchlist has 30k+ dynamic DNS domains. Kindly suggest.

394 views, 0 likes, 1 comment

KQL extend command does not seem to work in workbook
Hi all, I have an issue with the extend command in a custom workbook. The following KQL query parses Palo Alto logs to extract specific fields (like PanOSSourceUserName, etc.) and create new columns (with the same name).

CommonSecurityLog
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
| extend PanOSSourceUserName=extract("PanOSSourceUserName=([A-Z,a-z.]+@+[A-Z,a-z.]+)",0,AdditionalExtensions)
| extend PanOSSourceRegion=extract("PanOSSourceRegion=([A-Z,a-z.]+)",0,AdditionalExtensions)
| extend PanOSPublicIPv4=extract("PanOSPublicIPv4=([0-9.]+)",0,AdditionalExtensions)
| project-away ExtID, LogSeverity, Activity

When I run this KQL query against the logs (Sentinel Dashboard -> General -> Logs), I get the expected result. If I edit a Workbook (then Add query) and run the same KQL query, the new columns (like PanOSSourceUserName, etc.) are not created! Is it normal? Any idea? Regards, HA

Solved. 532 views, 0 likes, 2 comments

Sentinel Log Sources or asset list Information
In Sentinel, like any other SIEM, how do we get the complete list of log sources which are integrated, along with some required fields like Device Vendor, Device Product, Host name/Computer, and IP address? Is there any workbook or KQL which provides this information?

509 views, 0 likes, 1 comment