Differences

This shows you the differences between two versions of the page.

--- qnd:azure:kusto_query_language_kql [2021/10/04 14:17] – created mgupton
+++ qnd:azure:kusto_query_language_kql [2022/08/25 15:46] (current) – [Kusto Query Language (KQL)] mgupton
@@ Line 1: / Line 1: @@
 ====== Kusto Query Language (KQL) ======
+  * #azure #sentinel
+  * [[azure:qnd:KQL for Resource Graph Explorer]]
+  * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]
+  * [[https://github.com/reprise99/Sentinel-Queries]]
 ====== Queries ======
@@ Line 8: / Line 12: @@
 | where not(Computer has_any ("mgmt", "imagine"))
 </code>
+Alternate form that works for a single substring match
+<code>
+SecurityEvent
+| where not(Computer contains "mgmt")
+</code>
+<code>
+SecurityEvent
+| where Computer !contains "mgmt"
+</code>
+==== List All Tables ====
+<code>
+union withsource = table *
+| summarize count() by table
+| sort by count_ desc
+</code>
+==== summarize ====
+Get a count of records based on summarizing a specified column
+<code>
+Event
+| where not(Computer has_any ("mgmt", "imagine"))
+| summarize count() by Computer
+</code>
+Get unique values from the specified column
+<code>
+SecurityEvent
+| distinct Computer
+</code>
+==== Windows Events Aggregated ====
+<code>
+SecurityEvent
+| summarize count() by tostring(EventID), Activity, Computer
+| order by count_ desc
+</code>
+==== Palo Alto firewall logs ====
+  * Aggregating on ApplicationProtocol
+  * Example of aggregating and sorting
+<code>
+CommonSecurityLog
+| summarize count() by ApplicationProtocol
+| order by count_ desc
+</code>
+<code>
+CommonSecurityLog
+| summarize Count=count() by ApplicationProtocol
+| order by Count desc
+</code>
+====== Related ======
+  * [[:azure_sentinel|Azure Sentinel]]