SharePoint and Onedrive Workbook Parameter UserID Lookup Fix #4245
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Related: I do not know why "Operations:lable" is used throughout the workbook instead of "Operations:label". All the queries have the "lable" typo. This workbook is otherwise unedited and uncustomized apart from the users parameter fix.
Updated SharePointAndOneDrive.json to fix #4245
Describe the bug
Link to workbook:
https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SharePointAndOneDrive.json
The "SharePoint and OneDrive workbook" parameter "Users" does not work when "All" operations are selected.
It appears the intended functionality is to perform a unique user ID lookup based on the operations selected via dropdown. However, when the option "all" is selected for operations the only option available for Users is "all". This is not desirable when you want to filter on a specific user ID when using "all" operations.
The KQL statement for the Users list is looking for a dynamic/array in variable "operations", but if the operations drop down is selected as "all" there are no results returned as the queries throughout the workbook use a "where all or checkbox items" logic and label for the parameter. This means the Users lookup is matching on a null variable lookup from "operations" and no user IDs are returned.
The solution I used was to check the Operations parameter for "all" and, if so, return a list of all user IDs.
Link to the specific line:
Azure-Sentinel/Workbooks/SharePointAndOneDrive.json
Line 104 in 2b422a9
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The expected behavior is to be able to filter by user ID even when "all" operations are selected.
Screenshots
don't have any
Desktop (please complete the following information):
Additional context
Solution:
I have tested the below and used the addition of
where '{Operations:lable}'=='All'
to get a populated user ID list even when the operations parameter is "all".
KQL expanded:
JSON line:
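
The check described in this issue, shown as an added example that is not the workbook's own query and not code from the issue author. It assumes, as the issue describes, that selecting "All" leaves the operations value list empty while the label reads "All"; `SampleActivity`, `OperationsLabel`, `OperationsValues` and the user names are constructed stand-ins for the `OfficeActivity` table and the workbook's `{Operations}` / `{Operations:lable}` placeholders.

```kql
// Constructed sample rows standing in for SharePoint/OneDrive activity.
let SampleActivity = datatable(UserId:string, Operation:string) [
    "alice@contoso.example", "FileAccessed",
    "alice@contoso.example", "FileDeleted",
    "bob@contoso.example",   "FileDownloaded",
    "carol@contoso.example", "FileAccessed"
];
// Hypothetical stand-ins for the workbook parameter expansion (assumption):
// with "All" selected the value list is empty and the label is "All".
let OperationsLabel  = "All";
let OperationsValues = dynamic([]);
// Users lookup that only matches on the selected operations.
// With an empty list it matches nothing, so the Users dropdown stays empty.
let Before = SampleActivity
    | where Operation in (OperationsValues)
    | summarize by UserId
    | extend Variant = "operations list only";
// Users lookup with the additional "All" check from the issue.
// The label test short-circuits the empty list and every user is returned.
let After = SampleActivity
    | where OperationsLabel == "All" or Operation in (OperationsValues)
    | summarize by UserId
    | extend Variant = "with All check";
// Compare the user sets each variant would offer in the dropdown.
union Before, After
| summarize Users = make_set(UserId) by Variant
```

Setting `OperationsLabel` to an operation name and `OperationsValues` to `dynamic(["FileAccessed"])` shows both variants agreeing once specific operations are selected, so the extra check only changes the "All" case.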