• #azure #sentinel
• KQL for Resource Graph Explorer
• https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet
• https://github.com/reprise99/Sentinel-Queries

Select records where a column does not contain any of the listed substrings

SecurityEvent
| where not(Computer has_any ("mgmt", "imagine"))

Alternate form that works for a single substring match

SecurityEvent
| where not(Computer contains "mgmt")

SecurityEvent
| where Computer !contains "mgmt"

union withsource = table *
| summarize count() by table
| sort by count_ desc

Get a count of records based on summarizing a specified column

Event
| where not(Computer has_any ("mgmt", "imagine"))
| summarize count() by Computer

Get unique values from the specified column

SecurityEvent
| distinct Computer

SecurityEvent
| summarize count() by tostring(EventID), Activity, Computer
| order by count_ desc

• Aggregating on ApplicationProtocol
• Example of aggregating and sorting

CommonSecurityLog
| summarize count() by ApplicationProtocol
| order by count_ desc

CommonSecurityLog
| summarize Count=count() by ApplicationProtocol
| order by Count desc

• Azure Sentinel