Data Aggregation

Obfuscating Results

Before we jump into a whole chapter full of queries, you should know there are ways to enable auditing of your queries. We can skip the whole “with great power comes great responsibility” admin talk here. The important thing is knowing that the text of your query might show up in the audit logs.

Those queries might contain sensitive information, such as an API key/secret or possibly personally identifiable information (PII) about a user. The good news is there is a very simple way to tell KQL to obfuscate a string literal: add h or H immediately before the string you are trying to match. Obfuscation will not work in our Log Analytics Demo environment, but this is a good habit to get into. The audit results are displayed in Figure 2-1.

FIGURE 2.1 Query text that has been obfuscated in the audit logs

The query to obfuscate those strings is very simple:

SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
// the h prefix marks the string literal as sensitive so it is obfuscated in the audit logs
| where UserDisplayName has h'mark.morowczynski'

Again, this will not work in our Log Analytics Demo environment, and none of the queries that we’ll cover in this chapter contain secret info or PII, but if you are slightly modifying these and running them in your production environment, add that h or H beforehand so the strings are obfuscated in the audit logs.
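As an added example that is not from the book, the following query reviews the query audit records themselves for single-quoted string literals that were run without the h or H prefix, so you can spot queries whose literals would have been written to the audit log in clear text. It assumes query auditing is being sent to the LAQueryLogs table (with its QueryText and AADEmail columns) and only looks at single-quoted literals of eight or more characters, which is a constructed threshold to cut down noise from short values such as '0' or 'Success'.

```kql
// Added example, not part of the original chapter.
// Assumes query auditing is enabled and lands in LAQueryLogs.
LAQueryLogs
| where TimeGenerated > ago(7d)
// Capture group 1 is the optional h/H prefix, group 2 is the quoted literal.
// KQL uses RE2, which has no lookbehind, so the prefix is captured instead.
| extend Literals = extract_all(@"(h|H)?('[^']{8,}')", QueryText)
| mv-expand Literal = Literals
| extend Prefix = tostring(Literal[0]), Value = tostring(Literal[1])
| where isnotempty(Value)
// Keep only literals that were NOT marked as obfuscated
| where isempty(Prefix)
| summarize UnobfuscatedLiterals = make_set(Value, 50), Queries = count()
    by AADEmail, bin(TimeGenerated, 1d)
| order by Queries desc
```

Rows returned here are candidates for a follow-up with the query author; a literal that is a user name or a key should be rewritten with the h prefix before the query is run again.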