Cette requête permet de :
- Corréler les logs réseau GSA et MDE pour identifier les connexions communes.
- Extraire les détails HTTP des événements MDE.
- Nettoyer et structurer les données pour une analyse ou visualisation plus claire.
let gsa_events = NetworkAccessTraffic
// Join DeviceInfo to get MDE DeviceID
| join kind=inner (
DeviceInfo
| distinct DeviceId, AadDeviceId
) on $left.DeviceId == $right.AadDeviceId
// Remove Entra Device ID from GSA logs
| project-away DeviceId
// Rename MDE Device ID to DeviceId column
| project-rename DeviceId = DeviceId1;
// Get all MDE network events
DeviceNetworkEvents
// Get HTTP details if HTTP connection is logged
| extend HttpStatus = toint(todynamic(AdditionalFields).status_code),
BytesIn = toint(todynamic(AdditionalFields).response_body_len),
BytesOut = toint(todynamic(AdditionalFields).request_body_len),
HttpMethod = tostring(todynamic(AdditionalFields).method),
UrlHostname = tostring(todynamic(AdditionalFields).host),
UrlPath = tostring(todynamic(AdditionalFields).uri),
UserAgent = tostring(todynamic(AdditionalFields).user_agent),
HttpVersion = tostring(todynamic(AdditionalFields).version)
// Join GSA logs
| join kind=inner gsa_events on
DeviceId,
$left.RemoteUrl == $right.DestinationFqdn,
$left.RemotePort == $right.DestinationPort,
$left.Protocol == $right.TransportProtocol,
$left.InitiatingProcessFileName == $right.InitiatingProcessName
| project-rename TimeGeneratedGsa = TimeGenerated1, TimestampMde = Timestamp
| project-away Type, TenantId, TimeGenerated, TenantId1, Type1, DeviceId1, AadDeviceId
Laisser un commentaire