In the high-stakes environment of a SOC, time is critical. Yet, analysts often face a dual challenge: understanding the nuances of evolving threats while mastering the tools and languages required to analyze them. KQL, while powerful, is unforgiving of errors—a...
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1

Jonhed: Thank you for the reply. If I want to add some more fields to the alert, like IPAddress, Location etc., where do I have to edit? Could you please edit it so I can update again accordingly....
As you start working more with queries, you might find that you have more information than you need on your subjects (that is, too many columns in your table). Or you might need more information than you have (that is, you need to add a new column that contains the res...
Filter/Search/Condition: find relevant data by filtering or searching.
- where: filters on a specific predicate. Syntax: T | where Predicate
- where contains / where has: contains looks for any substring match; has looks for a specific word (better performance). Syntax: T | where col1 contains/has "[search term]" ...
This scenario involves a factory manager who wants to find out why equipment isn't working well and who is responsible for fixing it. The manager decides to use a graph that combines the asset graph of the production floor and the maintenance staff hierarchy which changes every day....
We want to use KQL to create accurate and efficient queries to find threats, detections, patterns and anomalies within our larger data set.

The Anatomy of a KQL Query

Take the query below as an example:

SigninLogs | where TimeGenerated > ago(14d) | where UserPrincipalName == "reprise_99@test...
If you’ve not read my introductory post in this series, I’d advise you to do so now. It describes the user interface in detail. You’ll find it at https://arcanecode.com/2022/04/11/fun-with-kql-the-kusto-query-language/.
To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field. To search for a range of values, you can use the bracketed range syntax, [START_VALUE ...
This will find any SigninLogs entries where the application display name has the word Teams in it; that could include "Microsoft Teams" and "Microsoft Teams Web Client", since both satisfy the query. If you are searching for multiple words you can use has_any or has_all....