I would like to have the prefix of the machine name stored. Then the variable values are displayed together as a graph. The right thing, what should I do?

Question

I would like to have the prefix of the machine name stored. Then the variable values are displayed together as a graph. The right thing, what should I do?

Koonnamchok Klongkaew 20

let Thailand = "Thailand";
let Myanmar = "Myanmar";

let ThailandEvents = 
    DeviceEvents
    | where ActionType contains "UsbDriveMounted"
    | where DeviceName contains ".xxxx.com"
    | where (DeviceName startswith "art" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "th") and Thailand in (Thailand)
    | where DeviceName !contains "desktop" or DeviceName !contains "laptop"
    | extend ParsedFields = parse_json(AdditionalFields)
    | project Timestamp, ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber), Manufacturer = tostring(ParsedFields.Manufacturer), DriveLetter = tostring(ParsedFields.DriveLetter), LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers), DeviceName, ActionType, MachineGroup;

let MyanmarEvents = 
    DeviceEvents
    | where ActionType contains "UsbDriveMounted"
    | where DeviceName contains ".xxxx.com"
    | where (DeviceName startswith "rgn" or DeviceName startswith "rn" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "xx" or DeviceName startswith "zoc" or DeviceName startswith "xx") and Myanmar in (Myanmar)
    | where DeviceName !contains "desktop" or DeviceName !contains "laptop"
    | extend ParsedFields = parse_json(AdditionalFields)
    | project Timestamp, ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber), Manufacturer = tostring(ParsedFields.Manufacturer), DriveLetter = tostring(ParsedFields.DriveLetter), LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers), DeviceName, ActionType, MachineGroup;

union ThailandEvents, MyanmarEvents
| summarize dcount(Manufacturer) by Thailand, Myanmar, 
| | render  piechart

Answer 1

Here's how you might adjust your script, assuming that you add a Country column in each of your let statements:

let Thailand = "Thailand";
let Myanmar = "Myanmar";

let ThailandEvents = 
    DeviceEvents
    // Your previous filters...
    | extend Country = Thailand
    | project Timestamp, Country, ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber), Manufacturer = tostring(ParsedFields.Manufacturer), DriveLetter = tostring(ParsedFields.DriveLetter), LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers), DeviceName, ActionType, MachineGroup;

let MyanmarEvents = 
    DeviceEvents
    // Your previous filters...
    | extend Country = Myanmar
    | project Timestamp, Country, ProductName = tostring(ParsedFields.ProductName), SerialNumber = tostring(ParsedFields.SerialNumber), Manufacturer = tostring(ParsedFields.Manufacturer), DriveLetter = tostring(ParsedFields.DriveLetter), LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers), DeviceName, ActionType, MachineGroup;

union ThailandEvents, MyanmarEvents
| summarize dcount(Manufacturer) by Country
| render piechart

Koonnamchok Klongkaew 20 Reputation points

2023-05-16T02:48:33.33+00:00

Thank you. We will try it first to see if it can solve the problem.

Answer 2

Clive Watson 2,641 MVP

To save you having to define each country, do you have a Table that contains it? Most people have SigninLogs (if running this from Sentinel), so an example of using that would be


DeviceEvents
| extend ParsedFields = parse_json(AdditionalFields)
| distinct DeviceName, Manufacturer = tostring(ParsedFields.Manufacturer)
| join kind=inner
(
    SigninLogs
    | extend DeviceName = tolower(tostring(DeviceDetail.displayName)) 
    | where isnotempty( DeviceName)
) on DeviceName
| project DeviceName, Location, LocationDetails, Manufacturer
| summarize dcount_=dcount(Manufacturer), make_set(Manufacturer) by Location
| order by dcount_ desc

Koonnamchok Klongkaew 20 Reputation points

2023-05-16T02:48:22.1733333+00:00

Thank you. We will try it first to see if it can solve the problem.
Koonnamchok Klongkaew 20 Reputation points

2023-05-16T03:22:41.9933333+00:00

I tried running your KQL but the USB pluggability is a lot less than MDE's report.

Koonnamchok Klongkaew 20

As for Location, I want to get the name in front of the device. Most of them use VPN. May not match the report. Can you help me?

Clive Watson 2,641 Reputation points MVP

2023-05-16T08:05:33.8866667+00:00
Do you mean like this, where I use strcat() to put the Location then a dash '-' then the DeviceName?

e.g. UK-afakeName

| summarize dcount_=dcount(Manufacturer), make_set(Manufacturer) by Location, DeviceName, NewDeviceName=strcat(Location,'-',DeviceName)

I would like to have the prefix of the machine name stored. Then the variable values are displayed together as a graph. The right thing, what should I do?

2 answers

Activity

I would like to have the prefix of the machine name stored. Then the variable values ​​are displayed together as a graph. The right thing, what should I do?

2 answers

Activity

I would like to have the prefix of the machine name stored. Then the variable values are displayed together as a graph. The right thing, what should I do?