Azure Sentinel Workbooks (Dashboard) - distinct when chosen from the drop down

Alon Keilin 141 Reputation points
2022-08-22T07:41:09.063+00:00

Hi team,

I am preparing a dashboard that is built from 2 filters: the name of the application and the name of the user. 

Is there a way to make it so when I select a user it will "distinct" all the applications related to that user? 

And when I choose an application, will it make a "distinct" for all users who use the application?

233379-dashboard.jpg


Accepted answer
  1. Clive Watson 5,801 Reputation points MVP
    2022-08-22T08:41:47.05+00:00

    You can use Distinct https://learn.microsoft.com/en-gb/azure/data-explorer/kusto/query/distinctoperator

    so add a last line, like

    | distinct ApplicationName

    However, in your case you may need to summarize the results

    | summarize by ApplicationName, UserPrincipalName

    https://learn.microsoft.com/en-gb/azure/data-explorer/kusto/query/summarizeoperator

    Also check that {UserName:lable} is correct, :label is the normal spelling - some workbook templates had this incorrect and the copies of those were also wrong.

    SigninLogs  
    | summarize make_set( AppDisplayName) by UserPrincipalName  
    | where UserPrincipalName == '{ name of the user from User drop down}'  
    | mv-expand set_AppDisplayName  
    | project set_AppDisplayName  
    
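Added example (not part of the answer above and not taken from any workbook template): one query that covers both drop-downs by filtering on whichever is set and summarizing by user and application, as the answer suggests. It runs over constructed sample rows in place of SigninLogs; in a workbook the two `let` values would be `'{UserName}'` and `'{AppName}'`, where the name `AppName` and an unset parameter rendering as an empty string are assumptions.

```kusto
// Constructed sample rows standing in for the SigninLogs table.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, AppDisplayName:string)
[
    datetime(2022-08-20 09:00:00), "alice@contoso.example", "Azure Portal",
    datetime(2022-08-20 09:05:00), "alice@contoso.example", "Azure Portal",
    datetime(2022-08-21 10:00:00), "alice@contoso.example", "Office 365 Exchange Online",
    datetime(2022-08-21 11:30:00), "bob@contoso.example",   "Azure Portal",
    datetime(2022-08-22 07:15:00), "bob@contoso.example",   "Microsoft Teams"
];
// Assumption: in a workbook, replace these literals with '{UserName}' and '{AppName}'.
// An empty string means nothing is selected in that drop-down.
let selectedUser = "alice@contoso.example";
let selectedApp  = "";
SampleSignins
// Apply each filter only when its drop-down has a value.
| where isempty(selectedUser) or UserPrincipalName =~ selectedUser
| where isempty(selectedApp)  or AppDisplayName =~ selectedApp
// One row per distinct user/application pair, with activity context.
| summarize SignIns = count(), LastSeen = max(TimeGenerated)
    by UserPrincipalName, AppDisplayName
| order by UserPrincipalName asc, AppDisplayName asc
```

With only `selectedUser` set, the result lists that user's distinct applications; with only `selectedApp` set, it lists the distinct users of that application.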
