Shabarinath
Reputation: 144
KQL Query for creating domain list from UserPrincipalName
is there a way for building a list of unique user domains in a delimited format from sentinel signin logs? Signin logs has user principal name and can be extended to split the domain name as below.
extend UserDomains = split(UserPrincipalName,'@')[1]
Upvotes: 0
Views: 1237
Answers (1)
Avnera
Reputation: 7618
You can use the make_set() aggregation function, for example:
T
| extend UserDomains = split(UserPrincipalName,'@')[1]
| summarize UserDomains = make_set(UserDomains)
Upvotes: 1
Related Questions
- How to list users from all Identity Domains in Oracle Cloud Infrastructure?
- Can i convert a string into a KQL command?
- KQL Query to filter values based on condition
- Kusto Query Assistance - Azure Sign In Logs
- Grouping by Username in MS Sentinel
- Azure Sentinel Kusto query table with data from another query
- Split KQL array into multiple columns
- Kusto KQL query to Extend multiple entities
- Kusto query, join tables to display computer domain
- Get all domains for a tenant through REST API