Query Details

CEF Devices

Query

union isfuzzy=true withsource = TableName
// Microsoft: neither table carries DeviceVendor/DeviceName, so derive them
// (Resource for Azure Firewall, Computer for Windows Firewall) before summarizing,
// otherwise these rows land in the final summarize with empty keys
(AzureDiagnostics    | where ResourceType == "AZUREFIREWALLS" | extend DeviceVendor = "Microsoft", DeviceName = Resource | summarize count() by DeviceVendor, DeviceName),
(WindowsFirewall     | extend DeviceVendor = "Microsoft", DeviceName = Computer | summarize count() by DeviceVendor, DeviceName),
// Barracuda CloudGen Firewall syslog
(CGFWFirewallActivity| extend DeviceVendor = "Barracuda", DeviceName = Computer | summarize count() by DeviceVendor, DeviceName),
// CEF section: DeviceName is often empty for these vendors, so fall back to DeviceExternalID
(CommonSecurityLog   | where DeviceVendor == "Barracuda"              | summarize count() by DeviceVendor, DeviceName = DeviceExternalID),
(CommonSecurityLog   | where DeviceVendor == "Fortinet"               | summarize count() by DeviceVendor, DeviceName = DeviceExternalID),
(CommonSecurityLog   | where DeviceVendor == "TestCommonEventFormat"  | summarize count() by DeviceVendor, DeviceName = DeviceExternalID),
(CommonSecurityLog   | where DeviceVendor == "Palo Alto Networks"     | where isnotempty(DeviceName) | summarize count() by DeviceVendor, DeviceName)
// show devices found: one row per vendor/device pair
| summarize count() by DeviceName, DeviceVendor

Explanation

This query unions firewall log data from multiple sources and counts the distinct devices it finds, grouped by device name and vendor. Each branch normalizes its own device identifier into a DeviceName column (and a DeviceVendor column where the table does not already carry one): AzureDiagnostics (Azure Firewall), WindowsFirewall, CGFWFirewallActivity (Barracuda CloudGen syslog), and CommonSecurityLog for the CEF-based vendors Barracuda, Fortinet, TestCommonEventFormat, and Palo Alto Networks. Because the union is fuzzy, a branch whose table does not exist in the workspace is skipped rather than failing the whole query. The final summarize shows the devices found, grouped by name and vendor.
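A device count alone does not tell you whether each firewall is still sending logs, which is the question that matters when a CEF forwarder or agent silently stops. The following KQL is an added example, not part of the original query: it reads the same tables, normalizes the device identity per branch the same way, and reports first-seen and last-seen timestamps per device with a stale flag. The 30-day lookback and the 1-day staleness threshold are assumed values to adjust to your environment; the column names used (TimeGenerated, Resource, Computer, DeviceExternalID) are standard Log Analytics / CommonSecurityLog columns.

```kql
// Added example: per-device last-seen inventory across the same firewall sources,
// flagging devices that have gone quiet. Thresholds below are assumed values.
let lookback = 30d;      // how far back to build the inventory
let stale_after = 1d;    // a device with no events in this window is flagged
union isfuzzy=true
(AzureDiagnostics
    | where TimeGenerated > ago(lookback) and ResourceType == "AZUREFIREWALLS"
    | extend DeviceVendor = "Microsoft", DeviceName = Resource),
(WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | extend DeviceVendor = "Microsoft", DeviceName = Computer),
(CGFWFirewallActivity
    | where TimeGenerated > ago(lookback)
    | extend DeviceVendor = "Barracuda", DeviceName = Computer),
(CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor in ("Barracuda", "Fortinet", "Palo Alto Networks", "TestCommonEventFormat")
    // CEF senders often leave DeviceName empty; fall back to DeviceExternalID
    | extend DeviceName = iff(isnotempty(DeviceName), DeviceName, DeviceExternalID))
| where isnotempty(DeviceName)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by DeviceVendor, DeviceName
| extend Status = iff(LastSeen < ago(stale_after), "stale", "reporting")
// stale devices first, oldest silence at the top
| order by Status asc, LastSeen asc
```

Filtering on TimeGenerated inside each union branch keeps the scan bounded per table; the stale rows are the ones worth wiring into a scheduled analytics rule, since a firewall that stops logging is a visibility gap rather than a quiet network.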

Details


Rod Trent

Released: March 26, 2020

Tables

AzureDiagnostics, WindowsFirewall, CGFWFirewallActivity, CommonSecurityLog

Keywords

Devices, Intune, User

Operators

union, isfuzzy, withsource, where, summarize, by, isnotempty
