qnd:azure:kusto_query_language_kql

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
qnd:azure:kusto_query_language_kql [2021/10/05 18:21] mguptonqnd:azure:kusto_query_language_kql [2022/08/25 15:46] (current) – [Kusto Query Language (KQL)] mgupton
Line 1: Line 1:
 ====== Kusto Query Language (KQL) ====== ====== Kusto Query Language (KQL) ======
   * #azure #sentinel   * #azure #sentinel
 +  * [[azure:qnd:KQL for Resource Graph Explorer]]
   * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]   * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]
 +  * [[https://github.com/reprise99/Sentinel-Queries]]
  
 ====== Queries ====== ====== Queries ======
Line 20: Line 22:
 SecurityEvent SecurityEvent
 | where Computer !contains "mgmt" | where Computer !contains "mgmt"
 +</code>
 +
 +==== List All Tables ====
 +
 +<code>
 +union withsource = table *
 +| summarize count() by table
 +| sort by count_ desc
 </code> </code>
  
Line 32: Line 42:
  
  
 +Get unique values from the specified column
 <code> <code>
 SecurityEvent SecurityEvent
 | distinct Computer | distinct Computer
 </code> </code>
 +
 +
 +
 +
 +==== Windows Events Aggregated ====
 +<code>
 +SecurityEvent
 +| summarize count() by tostring(EventID), Activity, Computer
 +| order by count_ desc
 +</code>
 +
 +
 +==== Palo Alto firewall logs ====
 +  * Aggregating on ApplicationProtocol
 +  * Example of aggregating and sorting
 +
 +<code>
 +CommonSecurityLog
 +| summarize count() by ApplicationProtocol
 +| order by count_ desc
 +</code>
 +
 +<code>
 +CommonSecurityLog
 +| summarize Count=count() by ApplicationProtocol
 +| order by Count desc
 +</code>
 +
 +====== Related ======
 +  * [[:azure_sentinel|Azure Sentinel]]
 +
 +
  • qnd/azure/kusto_query_language_kql.1633458082.txt.gz
  • Last modified: 2021/10/05 18:21
  • by mgupton