I'm working on a query where I need the logs that contain a "Compromised" message, and then I want it to return the 5 preceding "deny" logs. New to KQL and just not familiar with the operators, so any help is appreciated!
Current query:
| sort by TimeGenerated
| where SourceIP == "555.555.555.555"
| where TimeGenerated between (datetime(2021-10-20 16:25:41.750) .. datetime(2021-10-20 16:35:41.750))
| where AdditionalExtensions has "Compromised" or DeviceAction == "deny"
Ideally, in my head it would look like this:
Needed query:
| sort by TimeGenerated
| where SourceIP == "555.555.555.555"
| where AdditionalExtensions has "Compromised"
| // show preceding 5 logs that have DeviceAction == "deny"
Thanks!
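One way to return the five deny rows that precede each "Compromised" row, as an added example that is not part of the original post; it assumes the data lives in the Sentinel CommonSecurityLog table (the post omits the table name) and keeps the post's placeholder IP and time window:

```kql
// Assumed table: CommonSecurityLog (has SourceIP, DeviceAction, AdditionalExtensions).
CommonSecurityLog
| where SourceIP == "555.555.555.555"
| where TimeGenerated between (datetime(2021-10-20 16:25:41.750) .. datetime(2021-10-20 16:35:41.750))
// Keep only the anchor rows and the candidate deny rows.
| where AdditionalExtensions has "Compromised" or DeviceAction == "deny"
// Newest first: in this order the rows that PRECEDE an anchor in time come AFTER it,
// and 'order by' serializes the result so the row functions below are allowed.
| order by TimeGenerated desc
| extend IsCompromised = AdditionalExtensions has "Compromised"
// Running count of anchors seen so far: every Compromised row starts a new group,
// and the deny rows that follow (earlier in time) inherit that group number.
| extend Group = row_cumsum(toint(IsCompromised))
// Group 0 = deny rows with no later Compromised event; nothing to attach them to.
| where Group > 0
// Rank restarts at 0 on each new group: 0 is the Compromised row itself,
// 1..5 are the five deny rows immediately before it.
| extend Rank = row_number(0, Group != prev(Group))
| where Rank <= 5
// Back to chronological order for reading.
| order by TimeGenerated asc
| project TimeGenerated, SourceIP, DeviceAction, AdditionalExtensions, Group, Rank
```

If several Compromised rows occur within the window, each gets its own Group, so a deny row is attributed only to the nearest following anchor.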