KQL Search

//Parser for Duo data sent to a custom table and join to identity info to correlate legacy usernames with userprincipalname
let id=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | extend DuoUserName = AccountName
    | project AccountUPN, DuoUserName;
DuoLogs_CL
| where TimeGenerated > ago(1d)
| extend logs = split(SyslogMessage_s, "|")
| extend vendor = logs[1]
| extend app = logs[2]
| extend version = logs[3]
| extend event = logs[4]
| extend msg = (logs[5])
| where event == "authentication"
| extend DuoTime = EventTime_t
| extend DuoApplication = extract("cs1=(.*?) c", 1, SyslogMessage_s)
| extend DuoIPAddr = extract("src=(.*?) c", 1, SyslogMessage_s)
| extend DuoMethod = extract("cs3=(.*?) o", 1, SyslogMessage_s)
| extend DuoOutcome = extract("outcome=(.*?) r", 1, SyslogMessage_s)
| parse SyslogMessage_s with * "duser=" DuoUserName
| join kind=inner id on DuoUserName
| project
    DuoTime,
    DuoUserName,
    AccountUPN,
    DuoIPAddr,
    DuoApplication,
    DuoOutcome,
    DuoMethod
| sort by DuoTime desc