我是KQL的新手,在尝试在Azure Sentinel中格式化数据时遇到了问题。
我有一个关于我感兴趣的栏目的查询:电子邮件和IP。
如果我运行类似summarize count() by Email, IP的程序,我几乎可以得到我想要的东西,但在某些情况下,电子邮件值将是相同的,但可能来自不同的IP。
有没有一种方法可以格式化输出,使其显示电子邮件值,然后在下面列出与电子邮件相关的所有IP计数值?
您可以轻松地为每个电子邮件创建一组IP(唯一值(
// Data sample generation. Not part of the solution.
let t = range i from 1 to 30 step 1 | extend Email = strcat("email_", tostring(toint(rand(3))), "@", dynamic(["gmail", "outlook", "hotmail"])[toint(rand(3))], ".com"), IP = strcat_delim(".", tostring(toint(rand(256))), tostring(toint(rand(256))), tostring(toint(rand(256))), tostring(toint(rand(256))));
// Solution starts here
t
| summarize make_set(IP) by Email
| 电子邮件 | set_IP |
|---|---|
| email_0@outlook.com | ["22.0.72.237","32.17234.224","84.232.201.220","181.161.231.252","121.190.204.101"] |
| email_1@gmail.com | ["187.58.44.239","95.117.156.141","16.2245.100.138"] |
| email_2@outlook.com | ["154.46.54.212","178.139.208.204","204.197.11.160","160.96.246.141","173.141.1415","100.35.29.216"] |
| email_0@gmail.com | ["230.16.241.147","173.164.14.236","95.194.124.236","186.101.39.234"] |
| email_1@hotmail.com | ["19.2214.101.122","168.72.148.236"] |
| email_2@hotmail.com | ["136.190.117.24","113.147.42.218","224.220.103.201"] |
| email_0@hotmail.com | ["126.176108.237","201.222.155.151"] |
| email_2@gmail.com | ["132.67.147.234","2.10.157.210"] |
| email_1@outlook.com | ["6.173.214.26","18.169.68.195","87.141.157.8"] |