{"id":306,"date":"2025-09-16T13:44:24","date_gmt":"2025-09-16T12:44:24","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=306"},"modified":"2025-09-16T13:44:24","modified_gmt":"2025-09-16T12:44:24","slug":"gsa-mde","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=306","title":{"rendered":"GSA &amp; MDE"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">This query is used to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Correlate GSA and MDE network logs<\/strong> to identify the connections they have in common.<\/li>\n\n\n\n<li><strong>Extract HTTP details<\/strong> from MDE events.<\/li>\n\n\n\n<li><strong>Clean and structure<\/strong> the data for clearer analysis or visualization.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>let gsa_events = NetworkAccessTraffic\n    \/\/ Join DeviceInfo to get MDE DeviceID\n    | join kind=inner ( \n        DeviceInfo\n        | distinct DeviceId, AadDeviceId\n    ) on $left.DeviceId == $right.AadDeviceId\n    \/\/ Remove Entra Device ID from GSA logs\n    | project-away DeviceId\n    \/\/ Rename MDE Device ID to DeviceId column\n    | project-rename DeviceId = DeviceId1;\n\/\/ Get all MDE network events\nDeviceNetworkEvents\n\/\/ Get HTTP details if HTTP connection is logged\n| extend HttpStatus = toint(todynamic(AdditionalFields).status_code),\n    BytesIn = toint(todynamic(AdditionalFields).response_body_len),\n    BytesOut = toint(todynamic(AdditionalFields).request_body_len),\n    HttpMethod = tostring(todynamic(AdditionalFields).method),\n    UrlHostname = tostring(todynamic(AdditionalFields).host),\n    UrlPath = tostring(todynamic(AdditionalFields).uri),\n    UserAgent = tostring(todynamic(AdditionalFields).user_agent),\n    HttpVersion = tostring(todynamic(AdditionalFields).version)\n\/\/ Join GSA logs\n| join kind=inner gsa_events on \n    DeviceId,\n    $left.RemoteUrl == 
$right.DestinationFqdn,\n    $left.RemotePort == $right.DestinationPort,\n    $left.Protocol == $right.TransportProtocol,\n    $left.InitiatingProcessFileName == $right.InitiatingProcessName\n| project-rename TimeGeneratedGsa = TimeGenerated1, TimestampMde = Timestamp\n| project-away Type, TenantId, TimeGenerated, TenantId1, Type1, DeviceId1, AadDeviceId<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This query is used to:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[18],"class_list":["post-306","post","type-post","status-publish","format-standard","hentry","category-kql-sentinel","tag-kql"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=306"}],"version-history":[{"count":1,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/306\/revisions"}],"predecessor-version":[{"id":307,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/306\/revisions\/307"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=
306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}