I want to correlate between two different source categories,
But It didn't worked for me. Am i'm doing right?
I just want to correlate it on "EmailAccount" account field (when the same email account exists in both logs it will be appear.)
(_sourcecategory="*/Prod" OR _sourceCategory="/*/production") "Add owner to group" or "FileDownloaded"
| json field=_raw "SourceFileExtension" as A nodrop
| json field=_raw "UserId" as EmailAccount nodrop
| json field=_raw "ClientIP" as IP_Address nodrop
| where Workload="OneDrive"
| where Operation="FileDownloaded" OR operationName="Add owner to group"
| json field=_raw "properties.targetResources.modifiedProperties.newValue" as TargetGroup nodrop
| json field=_raw "properties.targetResources.userPrincipalName" as TargetUser nodrop
| json field=_raw "properties.initiatedBy.user.userPrincipalName" as EmailAccount nodrop
| transaction on EmailAccount with states IP_Address,EmailAccount,A,TargetGroup,TargetUser in step
Please sign in to leave a comment.