
I'm working on a query where I need the logs that contain a "Compromised" message, and then I'd like it to return the 5 preceding "deny" logs. New to KQL and just don't know the operators, so any help is appreciated!

Current query:

| sort by TimeGenerated
| where SourceIP == "555.555.555.555"
| where TimeGenerated between (datetime(10/20/2021, 16:25:41.750).. datetime(10/20/2021, 16:35:41.750))
| where AdditionalExtensions has "Compromised" or DeviceAction == "deny"

Ideally, in my head, it would look like this:

Needed query:

| sort by TimeGenerated
| where SourceIP == "555.555.555.555"
| where AdditionalExtensions has "Compromised"  
| // show preceding 5 logs that have DeviceAction == "deny"

Thanks!


2 Answers


Here's how you can do it:

let N = 5; // Number of records before/after records for which Cond is true
YourTable
| extend Cond = (SourceIP == "555.555.555.555") and (AdditionalExtensions has "Compromised") and (DeviceAction == "deny") // The predicate to "identify" relevant records
| sort by TimeGenerated asc
| extend rn = row_number(0, Cond)
| extend nxt = next(rn, N), prv = prev(rn, N)
| where nxt < N or (rn <= N and isnotnull(prv)) or Cond
| project-away rn, nxt, prv, Cond

Note that the sort is done after the extend, not before - this is more optimal (it's always best to push the sort as far down as possible).

(provided by @RoyO)

Answered 2021-10-31T06:14:36.137
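The question asks for the 5 most recent "deny" rows before each "Compromised" row for one source IP (the same sort / where SourceIP / where has "Compromised" pipeline). The following is an added Python example, not code from the question or either answer: it does that context-window extraction over a constructed in-memory table with the question's column names, so you can see exactly which rows a correct query should return before translating the idea back into KQL. The source IP, timestamps and AdditionalExtensions strings are constructed placeholders; the substring test stands in for KQL's case-insensitive `has` term match.

```python
from collections import deque
from datetime import datetime


def row(sec, ip, action, ext):
    """Build one constructed log row with the question's column names."""
    return {"TimeGenerated": datetime(2021, 10, 20, 16, 26, sec), "SourceIP": ip,
            "DeviceAction": action, "AdditionalExtensions": ext}


# Constructed sample table (not real telemetry). Seconds are the only thing
# that varies in TimeGenerated, so they double as row labels below.
SAMPLE_LOGS = [
    row(1, "10.0.0.5", "deny", "rule=blocklist"),
    row(2, "10.0.0.5", "deny", "rule=blocklist"),
    row(3, "10.0.0.5", "allow", "rule=web"),
    row(4, "10.0.0.9", "deny", "rule=blocklist"),   # different host: must be ignored
    row(5, "10.0.0.5", "deny", "rule=blocklist"),
    row(6, "10.0.0.5", "deny", "rule=geo"),
    row(7, "10.0.0.5", "deny", "rule=blocklist"),
    row(8, "10.0.0.5", "deny", "rule=geo"),
    row(9, "10.0.0.5", "deny", "rule=blocklist"),
    row(10, "10.0.0.5", "alert", "reason=Compromised host"),
    row(11, "10.0.0.5", "deny", "rule=blocklist"),
    row(12, "10.0.0.5", "alert", "reason=Compromised host"),
]


def preceding_denies(rows, source_ip, n=5, start=None, end=None):
    """For every "Compromised" row of source_ip, return the up-to-n most recent
    "deny" rows that precede it in time (within the optional time window).

    Equivalent pipeline: sort by TimeGenerated asc, keep source_ip, keep rows in
    [start, end], then for each row whose AdditionalExtensions has "Compromised"
    emit the last n deny rows seen so far.
    """
    ordered = sorted(rows, key=lambda r: r["TimeGenerated"])  # sort by TimeGenerated asc
    recent_denies = deque(maxlen=n)  # sliding window: only the last n deny rows survive
    results = []
    for r in ordered:
        if r["SourceIP"] != source_ip:
            continue
        t = r["TimeGenerated"]
        if (start is not None and t < start) or (end is not None and t > end):
            continue  # rows outside the window never enter the deny window either
        # stand-in for KQL `has "Compromised"` (term match, case-insensitive)
        if "compromised" in r["AdditionalExtensions"].lower():
            results.append({"compromised": r, "preceding_denies": list(recent_denies)})
        if r["DeviceAction"] == "deny":
            recent_denies.append(r)  # appended after the check, so a row never precedes itself
    return results


def summarize(results):
    """Compact view for printing/asserting: (alert second, [deny seconds])."""
    return [(res["compromised"]["TimeGenerated"].second,
             [d["TimeGenerated"].second for d in res["preceding_denies"]])
            for res in results]


if __name__ == "__main__":
    for alert_sec, deny_secs in summarize(preceding_denies(SAMPLE_LOGS, "10.0.0.5")):
        print(f"Compromised at :{alert_sec:02d} <- preceding denies at {deny_secs}")
```

Two things the sample makes visible: the deny row from the other host is never counted, and a `start` bound applied before the alert discards denies that happened before the window, so the second alert then gets only one preceding deny. The same caveat applies to the `between` filter in the original query: the 5 deny rows you want must fall inside the time range or the query cannot return them.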

You can use the prev() function.

Answered 2021-10-30T17:20:44.973