azure KQL -数据提取

csga3l58  于 2022-11-17  发布在  其他
关注(0)|答案(1)|浏览(153)

如果您能帮我解答我在报告中需要解答的问题,我将不胜感激。以下是我的疑问:
安全性警示|其中ProviderName包含“IPC”
结果为:

我只需要从实体中提取AadUserId,但我不确定如何提取,因为我对KQL语言还是个新手。
如果您能给我提些建议,我将非常感激。
非常感谢您的光临。
我希望从查询中提取AadUserID。

Azure

1条答案

按热度按时间
j0pj023g

j0pj023g1#

以下是一些选项

// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
    "IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert 
| where ProviderName contains "IPC"
| project tostring(Entities[0].AadUserID)

| 实体_0_AadUserID|
| - -|
| 虚拟|
Fiddle

// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
    "IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert 
| where ProviderName contains "IPC"
| mv-expand Entities
| project tostring(Entities.AadUserID)
| where isnotempty(Entities_AadUserID)

| 实体_AadUserID|
| - -|
| 虚拟|
Fiddle

// Sample data generation. Not part of the solution.
let SecurityAlert = datatable(ProviderName:string, Entities:dynamic)
[
    "IPC", dynamic([{"AadUserID":"Dummy"}])
];
// Solution starts here
SecurityAlert 
| where ProviderName contains "IPC"
| mv-apply Entities on (summarize make_set(Entities.AadUserID))
| project set_Entities_AadUserID

| 设置实体AadUserID|
| - -|
| [“虚拟”]|
Fiddle

赞(0)分享  回复(0)举报  2022-11-17
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com