qnd:azure:kusto_query_language_kql

qnd:azure:kusto_query_language_kql [2021/11/12 17:24] mgupton
qnd:azure:kusto_query_language_kql [2022/08/25 15:46] (current) – [Kusto Query Language (KQL)] mgupton
Line 1: Line 1:
 ====== Kusto Query Language (KQL) ====== ====== Kusto Query Language (KQL) ======
   * #azure #sentinel   * #azure #sentinel
 +  * [[azure:qnd:KQL for Resource Graph Explorer]]
   * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]   * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]
   * [[https://github.com/reprise99/Sentinel-Queries]]   * [[https://github.com/reprise99/Sentinel-Queries]]
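Review bot: the new wikilink `[[azure:qnd:KQL for Resource Graph Explorer]]` looks like it has its namespace inverted: this page lives under `qnd:azure:`, so the target will resolve to a non-existent page unless one really exists under `azure:qnd:`. Check that the link renders as an existing page in preview, or use a relative link in the current namespace such as `[[.:kql_for_resource_graph_explorer]]`.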
Line 21: Line 22:
 SecurityEvent SecurityEvent
 | where Computer !contains "mgmt" | where Computer !contains "mgmt"
 +</code>
 +
 +==== List All Tables ====
 +
 +<code>
 +union withsource = table *
 +| summarize count() by table
 +| sort by count_ desc
 </code> </code>
  
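Review bot: the "List All Tables" query (`union withsource = table *`) scans every table in the workspace for the whole selected time range, which is slow and costly on a large Sentinel workspace; consider bounding it explicitly by inserting `| where TimeGenerated > ago(1d)` before the `summarize` rather than relying on the portal time picker. Also consider naming the source column `TableName` instead of `table`, since `table` is also the name of the KQL `table()` function and reads ambiguously.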
Line 40: Line 49:
  
  
-=== Palo Alto firewall logs ===+ 
 + 
 +==== Windows Events Aggregated ==== 
 +<code> 
 +SecurityEvent 
 +| summarize count() by tostring(EventID), Activity, Computer 
 +| order by count_ desc 
 +</code> 
 + 
 + 
 +==== Palo Alto firewall logs ====
   * Aggregating on ApplicationProtocol   * Aggregating on ApplicationProtocol
   * Example of aggregating and sorting   * Example of aggregating and sorting
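Review bot: in the "Windows Events Aggregated" query, `tostring(EventID)` is unnecessary, since `summarize ... by` groups on numeric columns directly; keeping `EventID` as an integer preserves numeric filtering and sorting on that column for anyone who extends the query with a `where` or `order by` on `EventID`. This hunk also uses `order by count_ desc` while the "List All Tables" hunk above uses `sort by count_ desc`; the two are synonyms in KQL, so pick one form for the page. The change of the "Palo Alto firewall logs" heading from `===` to `====` is a good fix, as it puts that section at the same level as the other query sections.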
Line 55: Line 74:
 | order by Count desc | order by Count desc
 </code> </code>
 +
 +====== Related ======
 +  * [[:azure_sentinel|Azure Sentinel]]
 +
  
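Review bot: the new `====== Related ======` heading uses six `=`, the same level as the page title `====== Kusto Query Language (KQL) ======`, so it renders as a second top-level heading rather than a section of this page; `===== Related =====` (or `====` to match the query sections) would nest it correctly. The link `[[:azure_sentinel|Azure Sentinel]]` is an absolute root-namespace link, so confirm that page exists at the root rather than under `qnd:azure:`.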
  • qnd/azure/kusto_query_language_kql.1636737879.txt.gz
  • Last modified: 2021/11/12 17:24
  • by mgupton