Query Details

Missing Dlp Rule Match Entities In Cloud App Events

Query

// Previously there were DlpRuleMatch and User entities in AlertEntityGenerated events for each DLP alert; they stopped appearing when the Microsoft Purview classic portal was retired. This query shows which entity types still accompany each DLP alert, per hour and workload.
let query_period = 30d;
CloudAppEvents
| where Timestamp > ago(query_period)
| where ActionType == "AlertTriggered"
| where tostring(RawEventData["Category"]) == "DataLossPrevention"
| extend
    AlertId = tostring(RawEventData["AlertId"]),
    Data = todynamic(tostring(RawEventData["Data"]))
| extend
    Workload = tostring(Data["wl"])
| project
    Timestamp,
    AlertId,
    Workload
| lookup kind=leftouter (
    CloudAppEvents
    | where Timestamp > ago(query_period)
    | where ActionType == "AlertEntityGenerated"
    | extend
        AlertId = tostring(RawEventData["AlertId"]),
        EntityType = tostring(RawEventData["EntityType"])
    | summarize Entities = tostring(array_sort_asc(make_set(EntityType))) by AlertId
    ) on AlertId
| summarize count() by bin(Timestamp, 1h), Entities, Workload
| sort by Timestamp desc

Explanation

This KQL (Kusto Query Language) query is designed to analyze data loss prevention (DLP) alerts over the past 30 days. Here's a simplified breakdown of what the query does:

  1. Define the Time Period: The query looks at events from the last 30 days.

  2. Filter for DLP Alerts: It selects events from the CloudAppEvents table where the action type is "AlertTriggered" and the category is "DataLossPrevention".

  3. Extract Relevant Information: For each of these events, it extracts the alert ID and workload information.

  4. Join with Entity Data: The query performs a left outer join with another set of events where the action type is "AlertEntityGenerated". This is done to gather additional information about the entities (like DlpRuleMatch and User) associated with each alert.

  5. Summarize Data: It summarizes the data by counting the number of alerts, grouping them by hour, the types of entities involved, and the workload.

  6. Sort Results: Finally, it sorts the summarized results in descending order based on the timestamp.

In essence, this query helps in understanding the frequency and context of DLP alerts, including the types of entities involved, over a specified period.
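As an added example (not the original query), the same join can be turned into a direct check for the regression described in the query comment: per day and workload, how many DLP alerts carry no DlpRuleMatch or User entity. Column names and entity type names are taken from the query above; nothing else is assumed.

```kql
// Added example: count DLP alerts whose AlertEntityGenerated events lack the
// DlpRuleMatch and User entity types, so a sudden loss of those entities shows
// up as a rising MissingRuleMatch count instead of a changed Entities set.
let query_period = 30d;
let dlp_alerts =
    CloudAppEvents
    | where Timestamp > ago(query_period)
    | where ActionType == "AlertTriggered"
    | where tostring(RawEventData["Category"]) == "DataLossPrevention"
    | extend
        AlertId = tostring(RawEventData["AlertId"]),
        Workload = tostring(todynamic(tostring(RawEventData["Data"]))["wl"])
    | project Timestamp, AlertId, Workload;
let alert_entities =
    CloudAppEvents
    | where Timestamp > ago(query_period)
    | where ActionType == "AlertEntityGenerated"
    | extend
        AlertId = tostring(RawEventData["AlertId"]),
        EntityType = tostring(RawEventData["EntityType"])
    | summarize Entities = make_set(EntityType) by AlertId;
dlp_alerts
| lookup kind=leftouter alert_entities on AlertId
// Alerts with no AlertEntityGenerated events at all get a null Entities;
// treat that as an empty set so they count as missing both entity types.
| extend Entities = coalesce(Entities, dynamic([]))
| extend
    HasRuleMatch = set_has_element(Entities, "DlpRuleMatch"),
    HasUser = set_has_element(Entities, "User")
| summarize
    TotalAlerts = count(),
    MissingRuleMatch = countif(not(HasRuleMatch)),
    MissingUser = countif(not(HasUser))
    by Day = bin(Timestamp, 1d), Workload
| extend MissingRuleMatchPct = round(100.0 * MissingRuleMatch / TotalAlerts, 1)
| where MissingRuleMatch > 0 or MissingUser > 0
| sort by Day desc, Workload asc
```

A day where MissingRuleMatchPct jumps to 100 for a workload is the signature of the entity loss the original query was written to surface.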

Details


Jose Sebastián Canós

Released: November 15, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, AlertTriggered, DataLossPrevention, AlertId, Workload, AlertEntityGenerated, EntityType, Entities

Operators

let, where, ago, ==, tostring, extend, todynamic, project, lookup, kind=leftouter, summarize, array_sort_asc, make_set, on, count, bin, sort by, desc
