KQL - How do I exclude a function that returns no logs in Sentinel?

Date: 2019-08-02 20:22:33

Tags: azure kql kusto-query-language

I am writing a query that counts how many computers a user has logged on to in the past 30 days. For each day in the past 30 days I need to record how many distinct computers each user logged on to, so that I can get an accurate daily average from the logs and then compare it against a threshold to detect anomalies.

My problem is that if even 1 of a user's 30 days returns no logs while the other 29 do, the query excludes all of that user's results from my table. I would like to be able to say something like: if there is no result (isnull? iff?), skip that day and keep going, or set the table value to blank / 0, so that when I take the avg it just adds 0 into the average.

The final table should return TargetUserNameAvg (sum per day / 30, excluding the current day).

The code here shows all the test days, and only shows 10 days instead of 30 to shorten testing.

Right now it correctly shows users who have logs for the past 30 days, but if a user is missing logs for even a single day they are excluded from the final result.

// Interactive and network logons (4624 on current Windows, 528 on legacy)
let Event = () { SecurityEvent | where EventID == 4624 or EventID == 528 };
// One function per day: distinct workstations each user logged on to that day
let d1  = () { Event | where TimeGenerated between (ago(2d)  .. ago(1d))  | summarize DT1  = dcount(WorkstationName) by TargetUserName };
let d2  = () { Event | where TimeGenerated between (ago(3d)  .. ago(2d))  | summarize DT2  = dcount(WorkstationName) by TargetUserName };
let d3  = () { Event | where TimeGenerated between (ago(4d)  .. ago(3d))  | summarize DT3  = dcount(WorkstationName) by TargetUserName };
let d4  = () { Event | where TimeGenerated between (ago(5d)  .. ago(4d))  | summarize DT4  = dcount(WorkstationName) by TargetUserName };
let d5  = () { Event | where TimeGenerated between (ago(6d)  .. ago(5d))  | summarize DT5  = dcount(WorkstationName) by TargetUserName };
let d6  = () { Event | where TimeGenerated between (ago(7d)  .. ago(6d))  | summarize DT6  = dcount(WorkstationName) by TargetUserName };
let d7  = () { Event | where TimeGenerated between (ago(8d)  .. ago(7d))  | summarize DT7  = dcount(WorkstationName) by TargetUserName };
let d8  = () { Event | where TimeGenerated between (ago(9d)  .. ago(8d))  | summarize DT8  = dcount(WorkstationName) by TargetUserName };
let d9  = () { Event | where TimeGenerated between (ago(10d) .. ago(9d))  | summarize DT9  = dcount(WorkstationName) by TargetUserName };
let d10 = () { Event | where TimeGenerated between (ago(11d) .. ago(10d)) | summarize DT10 = dcount(WorkstationName) by TargetUserName };
// Default (inner) joins: a user missing from any single day drops out entirely
d1
| join (d2)  on TargetUserName
| join (d3)  on TargetUserName
| join (d4)  on TargetUserName
| join (d5)  on TargetUserName
| join (d6)  on TargetUserName
| join (d7)  on TargetUserName
| join (d8)  on TargetUserName
| join (d9)  on TargetUserName
| join (d10) on TargetUserName
| extend Avg = ((DT1 + DT2 + DT3 + DT4 + DT5 + DT6 + DT7 + DT8 + DT9 + DT10) / 10)
| summarize by TargetUserName, Avg, DT1, DT2, DT3, DT4, DT5, DT6, DT7, DT8, DT9, DT10

1 answer:

Answer 0 (score: 0)

Try using join kind=outer.

That way, when there is no match, you still get the rows from the earlier days.
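As an added example, not part of the question or the answer above, the following query computes the same per-user 30-day baseline in a single day-bucketed pass instead of ten joined functions. It uses the table and columns already in the question (SecurityEvent, EventID, WorkstationName, TargetUserName, TimeGenerated); make-series with default = 0 fills days without logon events with 0 so a user is never dropped, and the leftouter join plus coalesce keeps users seen yesterday who have no baseline at all. The "3 standard deviations" and "at least 3 hosts" cut-offs are constructed values for illustration and should be tuned to the environment.

```kql
// Added example (not from the question or the answer): 30-day baseline of
// distinct workstations per user per day, with empty days counted as 0,
// then yesterday's count compared against that baseline.
let baseline_start = startofday(ago(31d));   // 30 full days ...
let baseline_end   = startofday(ago(1d));    // ... ending where yesterday begins
let Logons = SecurityEvent
    | where EventID == 4624 or EventID == 528
    | where isnotempty(WorkstationName);
// Baseline: one row per user; DistinctHosts is a 30-element array and days
// with no events become 0 because of "default = 0" (no rows are lost).
let Baseline = Logons
    | where TimeGenerated between (baseline_start .. baseline_end)
    | make-series DistinctHosts = dcount(WorkstationName) default = 0
        on TimeGenerated from baseline_start to baseline_end step 1d
        by TargetUserName
    | extend Stats = series_stats_dynamic(DistinctHosts)
    | project TargetUserName,
              TargetUserNameAvg   = todouble(Stats.avg),
              TargetUserNameStdev = todouble(Stats.stdev);
// The day under evaluation: distinct workstations per user for yesterday.
let Yesterday = Logons
    | where TimeGenerated between (baseline_end .. startofday(now()))
    | summarize YesterdayHosts = dcount(WorkstationName) by TargetUserName;
// leftouter keeps every user seen yesterday even when the baseline is empty;
// coalesce turns a missing baseline into 0 instead of null.
Yesterday
| join kind=leftouter Baseline on TargetUserName
| extend TargetUserNameAvg   = coalesce(TargetUserNameAvg, 0.0),
         TargetUserNameStdev = coalesce(TargetUserNameStdev, 0.0)
| extend Threshold = TargetUserNameAvg + 3 * TargetUserNameStdev   // constructed cut-off
| where YesterdayHosts > Threshold and YesterdayHosts >= 3            // constructed floor
| project TargetUserName, YesterdayHosts, TargetUserNameAvg, TargetUserNameStdev, Threshold
| order by YesterdayHosts desc
```

Because the baseline array always has 30 entries, TargetUserNameAvg is the sum over the 30 days divided by 30, which is the figure the question asks for; the floor on YesterdayHosts keeps a user with an all-zero baseline (stdev 0) from alerting on a single logon.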