Take the below query as an example: SigninLogs | where TimeGenerated > ago(14d) | where UserPrincipalName == "reprise_99@testdomain.com" | where ResultType == "0" | where AppDisplayName == "Microsoft Teams" | project TimeGenerated, Location, IPAddress, UserAgent ...
you need to know the names of all of the tables used in Sentinel’s workspace. These are needed to specify where you’re getting data from, with modifiers to take only a set number of rows and to limit how much data is returned. ...
let TopHashtags = Tweets | summarize Count = count() by Hashtags | order by Count desc | take 10; TopHashtags | project Hashtags

In this example, there are two query statements. The first statement creates a variable called TopHashtags that holds the top 10 hashtags. The second statement...