// Define the parameters (KQL binds a named value with let; the original declare @name syntax is not valid Kusto)
let startDate = datetime(2022-01-01);
let endDate = datetime(2022-01-31);
// Use the parameters in the query
TableName
| where Timestamp between (startDate .. endDate)
| summarize count()
In the example above...
graph
| graph-match (tag)-[hasParent*1..5]->(asset)<-[operates]-(operator)-[reportsTo*1..5]->(topManager)
  where tag.label == "tag" and tobool(tag.properties.hasAnomaly) and startofday(todatetime(operates.properties.timestamp)) == datetime(2023-01-24) and topManager.label == "employee"
  project tagWit...
DeviceProcessEvents
| where Timestamp >= ago(3d)
| where InitiatingProcessFileName matches regex @'(?i).*atbroker\.exe.*|.*bash\.exe.*|.*bitsadmin\.exe.*|.*certutil\.exe.*|.*cmdkey\.exe.*|.*cmstp\.exe.*|.*control\.exe.*|.*csc\.exe.*|.*cscript\.exe.*|.*dfsvc\.exe.*|.*disks...
Because of the 10,000-row result limit in KQL, we run the scan only over specific time ranges. Query: IdentityLogonEvents | where LogonType == "Failed logon" and isnotempty(AccountName) | project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, Ac...
{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}} [2019-03-04T15:...
Thermostats | summarize MinDate=min(EnqueuedTimeUTC), MaxDate=max(EnqueuedTimeUTC), MinIngest=min(ingestion_time()) // There should be a little over 30K rows in this table Thermostats | count //What is the average temp every 1 min for the month of January? Thermostats ...
Returns the time offset relative to the time the query executes. DeviceNetworkEvents | where Timestamp > ago(1d)
project: Selects the columns to include, in the order specified. DeviceNetworkEvents | where Timestamp > ago(1d) | where DeviceName has "ComputerName" | project Timestamp, ActionType...
correlation_timestamp long Correlation Timestamp.
created_by_id int Created By Analytics Id.
created_by_type int Created By Analytics Type. 'NONE'=1, 'SEARCH_BASED_RULE'=2, 'REALTIME_RULE'=3, 'BEHAVIORAL_RULE'=4
created_by_version int Created By Analytics Version.
credibility int Credibility.
da...
anomaly_timestamp long Anomaly Timestamp.
bios_manufacturer string Endpoint BIOS manufacturer.
bios_version string Endpoint BIOS version.
correlation_description string Correlation Description.
correlation_id string Correlation unique identifier, represented as a string.
correlation_source string Correlation Source.
correlation_timestamp long Correlation Timestamp.