====== Kusto Query Language (KQL) ======
  * #azure #sentinel
  * [[azure:qnd:KQL for Resource Graph Explorer]]
  * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]
  * [[https://github.com/reprise99/Sentinel-Queries]]

====== Queries ======

Select records where a column does **not** contain any of the listed substrings
<code>
SecurityEvent
| where not(Computer has_any ("mgmt", "imagine"))
</code>

Alternate form that works for a single substring match
<code>
SecurityEvent
| where not(Computer contains "mgmt")
</code>

<code>
SecurityEvent
| where Computer !contains "mgmt"
</code>

==== List All Tables ====

<code>
union withsource = table *
| summarize count() by table
| sort by count_ desc
</code>

==== summarize ====

Get a count of records based on summarizing a specified column
<code>
Event
| where not(Computer has_any ("mgmt", "imagine"))
| summarize count() by Computer
</code>


Get unique values from the specified column
<code>
SecurityEvent
| distinct Computer
</code>




==== Windows Events Aggregated ====
<code>
SecurityEvent
| summarize count() by tostring(EventID), Activity, Computer
| order by count_ desc
</code>


==== Palo Alto firewall logs ====
  * Aggregating on ApplicationProtocol
  * Example of aggregating and sorting

<code>
CommonSecurityLog
| summarize count() by ApplicationProtocol
| order by count_ desc
</code>

<code>
CommonSecurityLog
| summarize Count=count() by ApplicationProtocol
| order by Count desc
</code>

====== Related ======
  * [[:azure_sentinel|Azure Sentinel]]