casting Syslog ProcessId to string to match V3
Родитель
e0e4e2ce18
Коммит
80c153ae5c
|
@ -26,8 +26,8 @@ query: |
|
||||||
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID
|
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID
|
||||||
| extend Process_Aux_info = IP_Aux_info
|
| extend Process_Aux_info = IP_Aux_info
|
||||||
| top 10 by count_ asc
|
| top 10 by count_ asc
|
||||||
| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info
|
| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
|
||||||
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
|
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName
|
||||||
};
|
};
|
||||||
// change <HostName> value below
|
// change <HostName> value below
|
||||||
GetWireDataInboundWithHost('<HostName>')
|
GetWireDataInboundWithHost('<HostName>')
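Review bot: The new `project` line moves `Process_ProcessId=tostring(ProcessID)` to the end of the column list, whereas the old `project`/`project-rename` pair emitted the process id as the fourth column; the Outbound-with-host hunk below does the same, while the Syslog and the two With-IP hunks keep the cast in the original position. Consumers that address columns by name are unaffected, but the five queries now disagree on output order, so for consistency the line could read `| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info`. The reason for the cast is only in the commit title, so a comment on the `project` line such as `// V3 schema models Process_ProcessId as a string` would keep the intent with the query. The enclosing `let` body starts before this hunk.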
|
||||||
|
|
|
@ -26,8 +26,8 @@ query: |
|
||||||
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID
|
| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID
|
||||||
| extend Process_Aux_info = IP_Aux_info
|
| extend Process_Aux_info = IP_Aux_info
|
||||||
| top 10 by count_ asc
|
| top 10 by count_ asc
|
||||||
| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info
|
| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)
|
||||||
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=ProcessID
|
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName
|
||||||
};
|
};
|
||||||
// change <HostName> value below
|
// change <HostName> value below
|
||||||
GetWireDataOutboundWithHost('<HostName>')
|
GetWireDataOutboundWithHost('<HostName>')
|
||||||
|
|
|
@ -24,7 +24,7 @@ query: |
|
||||||
| extend info = pack('HostName', HostName, 'HostIP', HostIP)
|
| extend info = pack('HostName', HostName, 'HostIP', HostIP)
|
||||||
| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID
|
| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID
|
||||||
| top 10 by count_ asc nulls last
|
| top 10 by count_ asc nulls last
|
||||||
| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=ProcessID, Process_ImageFile_FullPath=ProcessName, Process_Aux_info
|
| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info
|
||||||
};
|
};
|
||||||
// change <HostName> value below
|
// change <HostName> value below
|
||||||
GetSysLogEventsOnHost('<HostName>')
|
GetSysLogEventsOnHost('<HostName>')
|
||||||
|
|
|
@ -27,8 +27,8 @@ query: |
|
||||||
| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
|
| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID
|
||||||
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
|
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
|
||||||
| top 10 by count_ asc
|
| top 10 by count_ asc
|
||||||
| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
|
| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
|
||||||
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
|
| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
|
||||||
};
|
};
|
||||||
// change <Address> value below
|
// change <Address> value below
|
||||||
GetWireDataInboundWithIp('<Address>')
|
GetWireDataInboundWithIp('<Address>')
|
||||||
|
|
|
@ -27,8 +27,8 @@ query: |
|
||||||
| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
|
| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID
|
||||||
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
|
| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info
|
||||||
| top 10 by count_ asc
|
| top 10 by count_ asc
|
||||||
| project Computer, ProcessName, RemoteIP, ProcessID, IP_Aux_info, Process_Aux_info, Host_Aux_info
|
| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info
|
||||||
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer, Process_ProcessId=ProcessID
|
| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer
|
||||||
};
|
};
|
||||||
// change <Address> value below
|
// change <Address> value below
|
||||||
GetWireDataOutboundWithIp('<Address>')
|
GetWireDataOutboundWithIp('<Address>')
|
||||||
|
|