====== Kusto Query Language (KQL) ======

  * #azure #sentinel
  * [[azure:qnd:KQL for Resource Graph Explorer]]
  * [[https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet]]
  * [[https://github.com/reprise99/Sentinel-Queries]]

====== Queries ======

Select records where a column does **not** contain any of the listed substrings. Note that has_any matches whole terms (runs of letters and digits), so "mgmt" matches a host named mgmt-01 but "imagine" does not match a host named imagined-host.

<code>
SecurityEvent
| where not(Computer has_any ("mgmt", "imagine"))
</code>

Alternate forms for a single substring match. Unlike has_any, contains matches the value anywhere in the string, not only as a whole term.

<code>
SecurityEvent
| where not(Computer contains "mgmt")
</code>

<code>
SecurityEvent
| where Computer !contains "mgmt"
</code>

==== List All Tables ====

List every table in the workspace with its record count, using withsource to tag each row with the table it came from.

<code>
union withsource = table *
| summarize count() by table
| sort by count_ desc
</code>

==== summarize ====

Get a count of records grouped by a specified column.

<code>
Event
| where not(Computer has_any ("mgmt", "imagine"))
| summarize count() by Computer
</code>

Get the unique values of the specified column.

<code>
SecurityEvent
| distinct Computer
</code>

==== Windows Events Aggregated ====

<code>
SecurityEvent
| summarize count() by tostring(EventID), Activity, Computer
| order by count_ desc
</code>

==== Palo Alto firewall logs ====

  * Aggregating on ApplicationProtocol
  * Example of aggregating and sorting

<code>
CommonSecurityLog
| summarize count() by ApplicationProtocol
| order by count_ desc
</code>

Naming the aggregate (Count=count()) replaces the auto-generated count_ column name, so the sort can refer to it directly.

<code>
CommonSecurityLog
| summarize Count=count() by ApplicationProtocol
| order by Count desc
</code>

====== Related ======

  * [[:azure_sentinel|Azure Sentinel]]

Last modified: 2022/08/25 15:46 by mgupton
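As an added example that is not part of the original page: the has_any filter and the summarize / order by pattern from the Queries section above, run against a constructed datatable that stands in for SecurityEvent (the columns TimeGenerated, Computer, EventID and Account are assumed to match the Sentinel schema; the rows and account names are made up). Because the data is inline, the query runs on any Kusto endpoint without workspace data, and the extend step shows in the same result why has_any and contains are not interchangeable.

```kql
// Added example, not from the original page. Constructed sample rows stand in
// for the SecurityEvent table; the column names are assumed to follow the
// Sentinel schema, the values are invented.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int, Account:string)
[
    datetime(2022-08-25 10:00:00), "mgmt-01",       4624, @"CORP\svc-backup",
    datetime(2022-08-25 10:05:00), "imagined-host", 4625, @"CORP\alice",
    datetime(2022-08-25 10:06:00), "imagined-host", 4625, @"CORP\bob",
    datetime(2022-08-25 10:07:00), "web-01",        4625, @"CORP\alice",
    datetime(2022-08-25 10:08:00), "web-01",        4624, @"CORP\alice"
];
SampleEvents
// has_any matches whole terms: "mgmt" hits mgmt-01, but "imagine" does not
// hit imagined-host. contains matches any substring, so it would also drop
// imagined-host. Both flags are computed so the difference is visible.
| extend ExcludedByHasAny   = Computer has_any ("mgmt", "imagine"),
         ExcludedByContains = Computer contains "mgmt" or Computer contains "imagine"
// Same exclusion as the page's first query; only mgmt-01 is removed here.
| where not(ExcludedByHasAny)
// Aggregate per host and event ID; naming the aggregates avoids count_.
| summarize Events = count(),
            DistinctAccounts = dcount(Account),
            LastSeen = max(TimeGenerated)
    by Computer, EventID = tostring(EventID)
| order by Events desc
```

With the rows above the result is three groups: imagined-host / 4625 with 2 events from 2 accounts, then web-01 / 4625 and web-01 / 4624 with 1 event each. Swapping the where clause to ExcludedByContains removes imagined-host as well, which is the behaviour to expect when the contains form is used as a shortcut for has_any.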