Fixing test failures
Fixing to match latest validation tests: - Agent Id as string - replacing bracket["notation"] with dot.notation
Родитель
a30836570e
Коммит
b64ab56007
@ -55,6 +55,6 @@ query: |
|
||||||
| parse Computer with Host_NTDomain '\\' *
|
| parse Computer with Host_NTDomain '\\' *
|
||||||
| extend Host_HostName = tostring(split(Computer,'.')[0]),
|
| extend Host_HostName = tostring(split(Computer,'.')[0]),
|
||||||
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID = _ResourceId
|
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID = _ResourceId
|
||||||
| project-away Computer, Account
|
| project-away Computer, Account, _ResourceId, SourceComputerId
|
||||||
};
|
};
|
||||||
MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')
|
MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')
|
||||||
|
|
|
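Review bot: The unchanged line `Host_OMSAgentID=toguid(SourceComputerId)` in this section still emits the agent id as a guid, while the same field is switched to the plain string `SourceComputerId` in the other three host queries of this commit (the `project` and `summarize` lines that drop `toguid(...)`), so a validation test that expects the Agent Id as a string would presumably still fail for this query. Change it to `Host_OMSAgentID=SourceComputerId` so all host entity queries agree. The added `project-away Computer, Account, _ResourceId, SourceComputerId` is correct only if the aliased columns are produced first, which the preceding `extend` does. The enclosing `MostFailedLogins` function body starts outside the hunk.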
@ -30,11 +30,11 @@ query: |
|
||||||
| where Entities has "account"
|
| where Entities has "account"
|
||||||
| where Entities has_any (PeerNames) or Entities has_any (PeerIds)
|
| where Entities has_any (PeerNames) or Entities has_any (PeerIds)
|
||||||
| mvexpand todynamic(Entities)
|
| mvexpand todynamic(Entities)
|
||||||
| where tostring(Entities ["Type"]) =="account"
|
| where tostring(parsejson(Entities).Type) =="account"
|
||||||
| where tostring(Entities ["Name"]) has_any (PeerNames) or tostring(Entities ["AadUserId"]) has_any (PeerIds)
|
| where tostring(parsejson(Entities).Name) has_any (PeerNames) or tostring(parsejson(Entities).AadUserId) has_any (PeerIds)
|
||||||
| summarize Account_Aux_AlertCount = count()
|
| summarize Account_Aux_AlertCount = count()
|
||||||
by Account_Name=tolower(tostring(Entities["Name"]))
|
by Account_Name=tolower(tostring(parsejson(Entities).Name))
|
||||||
, Account_UPNSuffix=tolower(tostring(Entities["UPNSuffix"]));
|
, Account_UPNSuffix=tolower(tostring(parsejson(Entities).UPNSuffix));
|
||||||
PeersWithSecAlert
|
PeersWithSecAlert
|
||||||
| join kind=innerunique
|
| join kind=innerunique
|
||||||
Peers
|
Peers
|
||||||
|
|
|
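Review bot: `parsejson(Entities)` appears redundant on every new line of this section: the column is already dynamic after `mvexpand todynamic(Entities)` a few lines above, so `tostring(Entities.Type)`, `Entities.Name`, `Entities.AadUserId` and `Entities.UPNSuffix` should work directly, and the expression is otherwise re-parsed five times per row. If the parse is kept for explicitness, compute it once with an `extend` after the `mvexpand`, e.g. `| extend Entity = parsejson(Entities)`, and reference `Entity.Type` / `Entity.Name` in the `where` and `summarize` clauses. The `PeersWithSecAlert` expression this hunk belongs to starts outside the hunk, so I could not confirm whether `Entities` is re-typed elsewhere.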
@ -27,7 +27,7 @@ query: |
|
||||||
| where tolower(Account) contains tolower(v_Account_Name)
|
| where tolower(Account) contains tolower(v_Account_Name)
|
||||||
| extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
|
| extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
|
||||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
||||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID=_ResourceId
|
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId
|
||||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
||||||
| top 10 by Host_Aux_StartTime asc nulls last
|
| top 10 by Host_Aux_StartTime asc nulls last
|
||||||
};
|
};
|
||||||
|
|
|
@ -20,7 +20,7 @@ query: |
|
||||||
let GetFilesHost = (v_File_Name:string){
|
let GetFilesHost = (v_File_Name:string){
|
||||||
SecurityEvent
|
SecurityEvent
|
||||||
| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name
|
| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name
|
||||||
| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID = _ResourceId
|
| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
|
||||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID
|
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID
|
||||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated
|
| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated
|
||||||
| top 10 by Host_Aux_min_TimeGenerated desc nulls last
|
| top 10 by Host_Aux_min_TimeGenerated desc nulls last
|
||||||
|
|
|
@ -27,7 +27,7 @@ query: |
|
||||||
| where NewProcessName has v_Process_ImageFile_FullPath
|
| where NewProcessName has v_Process_ImageFile_FullPath
|
||||||
| extend info = pack('Account', Account, 'NewProcessName', NewProcessName, 'CommandLine', CommandLine)
|
| extend info = pack('Account', Account, 'NewProcessName', NewProcessName, 'CommandLine', CommandLine)
|
||||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
||||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=toguid(SourceComputerId)
|
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId
|
||||||
| top 10 by min_TimeGenerated asc nulls last
|
| top 10 by min_TimeGenerated asc nulls last
|
||||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
||||||
};
|
};
|
||||||
|
|
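Review bot: The new `project` line keeps `Host_OMSAgentID=SourceComputerId` but drops `_ResourceId`, even though the `summarize` two lines above still groups `by Computer, SourceComputerId, _ResourceId`; the analogous process-host query earlier in this commit projects `Host_AzureID=_ResourceId` from the same grouping. As written, the Azure resource id is lost and rows may be split per `_ResourceId` without the reader being able to tell them apart. Either add `Host_AzureID=_ResourceId` to the `project` list or remove `_ResourceId` from the `summarize ... by` key. The enclosing function starts outside the hunk.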