KQL

The document contains examples of Kusto queries using various operators like where, extend, project, summarize, render, bin, and arg_min/arg_max to analyze security event data. It performs filtering, aggregation, grouping, ordering, renaming, rearranging columns, and rendering the results as pie charts, column charts, and time charts.

Uploaded by

Nirmal Kumar

Let and where

let timeframe = 7d;
let discardEventID = 4688;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID != discardEventID

Extend

extend adds (appends) a new column to the result set. case() evaluates its conditions in order and returns the value of the first one that matches, falling back to the last argument, so it is the usual way to build a label column such as Severity.

let timeframe = 7d;
let discardEventID = 4688;
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID != discardEventID
| extend Severity = case(
    Level == 9, "High",
    Level == 8, "High",
    Level == 7, "Medium",
    Level == 6, "Medium",
    Level == 5, "Medium",
    Level == 4, "Low",
    Level == 3, "Low",
    Level == 2, "Low",
    Level == 1, "Low",
    "Informational")
| limit 50
Order by

SecurityEvent
| where TimeGenerated > ago(7d)
| extend Severity = case(
    Level == 9, "High",
    Level == 8, "High",
    Level == 7, "Medium",
    Level == 6, "Medium",
    Level == 5, "Medium",
    Level == 4, "Low",
    Level == 3, "Low",
    Level == 2, "Low",
    Level == 1, "Low",
    "Informational")
// Severity is a string, so this sorts alphabetically: High, Informational, Low, Medium
| order by Severity asc
| limit 50

Project

Exclude columns, include columns, rearrange and rename columns.

SecurityEvent
| where TimeGenerated > ago(7d)
| extend Severity = case(
    Level == 8, "High",
    Level == 7, "High",
    Level == 6, "Medium",
    Level == 5, "Medium",
    Level == 4, "Low",
    Level == 3, "Low",
    Level == 2, "Low",
    Level == 1, "Low",
    "Information")
| order by Severity asc
| project-rename Hostname = Computer
| project-reorder Hostname, Severity, CommandLine, Account
| project-keep Hostname, Severity, CommandLine, Account
| limit 50

Summarize

// EventID is an integer column, so compare it with a number, not a string
SecurityEvent
| where TimeGenerated > ago(7d) and EventID == 4688
| extend Severity = case(
    Level == 8, "High",
    Level == 4, "Medium",
    "Informational")
| project-rename Hostname = Computer
| summarize EventCount = count() by Process, Hostname
| limit 50

SecurityEvent
| where TimeGenerated > ago(7d) and EventID == 4688 and Process == "WmiPrvSE.exe"
| extend Severity = case(
    Level == 8, "High",
    Level == 4, "Medium",
    "Informational")
| project-rename Hostname = Computer
| summarize EventCount = count() by Process, Hostname
| limit 50
Dcount

// dcount() counts distinct values; grouping by the same column it counts always gives 1,
// so count distinct logon accounts per host instead
SecurityEvent
| where EventID == 4624 and TimeGenerated > ago(20d)   // logons in the last 20 days
| project-rename Hostname = Computer
| summarize DistinctAccounts = dcount(Account) by Hostname
| limit 50

Arg_max and Arg_min

SecurityEvent
| where EventID == 4624 and TimeGenerated > ago(20d)   // last 20 days
| project-rename Hostname = Computer
// arg_min returns the whole row (*) holding the smallest Level in each group
| summarize arg_min(Level, *) by Hostname, Task, Account
| project-reorder Hostname, Account, Level, TimeGenerated, Activity
| project-keep Hostname, Account, Level, TimeGenerated, Activity
| limit 50

Make_set

SecurityEvent
| where EventID == 4624 and TimeGenerated > ago(20d)   // last 20 days
| project-rename Hostname = Computer
// make_set builds a dynamic array of the distinct hostnames per ProcessId
| summarize make_set(Hostname) by ProcessId
| limit 50
Render

SecurityEvent
| where EventID == 4624 and TimeGenerated > ago(20d)   // last 20 days
| project-rename Hostname = Computer
| summarize count() by Hostname, ProcessName
| limit 50
| render piechart

Render

Perf
| where CounterName == "Free Megabytes"
| where InstanceName matches regex "C:$"
| summarize min(CounterValue) by Computer
| sort by min_CounterValue desc
| render columnchart

Bin

SecurityEvent
| where TimeGenerated > ago(14d)   // last 14 days
// bin() rounds each timestamp down to its day so the counts form a daily series
| summarize count() by bin(TimeGenerated, 1d)
| render timechart

Datatable and in

// datatable builds an inline table; a single-column table can be used directly with the in operator
let suspiciousAccount = datatable(account: string) [
    @"\administrator",
    @"NT AUTHORITY\SYSTEM",
    @"NA\SQL10$"
];
SecurityEvent
| where Account in (suspiciousAccount)
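An added example that is not part of the original document: it chains the operators shown on this page (let, datatable with in, where, extend with case, project-rename, summarize with count/dcount/make_set/arg_max, bin, project-reorder and order by) into one query that reviews process-creation events for the listed accounts. The Level thresholds and the numeric severity rank are assumptions made for the example; the column names are the SecurityEvent columns already used above.

```kql
// Added example, not from the original document. Combines the operators
// shown above into one hunting query over SecurityEvent. The Level thresholds
// and SeverityRank values are constructed assumptions, not values from the page.
let timeframe = 7d;
let suspiciousAccount = datatable(account: string) [
    @"\administrator",
    @"NT AUTHORITY\SYSTEM",
    @"NA\SQL10$"
];
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4688                        // process creation events only
| where Account in (suspiciousAccount)         // single-column tabular lookup
// case() returns the first matching branch, so >= lets one branch cover a range
| extend Severity = case(
    Level >= 8, "High",
    Level >= 5, "Medium",
    Level >= 1, "Low",
    "Informational")
// numeric rank so order by sorts by real severity instead of alphabetically
| extend SeverityRank = case(
    Severity == "High", 1,
    Severity == "Medium", 2,
    Severity == "Low", 3,
    4)
| project-rename Hostname = Computer
| summarize
    EventCount = count(),
    DistinctProcesses = dcount(Process),
    Processes = make_set(Process, 20),          // at most 20 distinct names per group
    arg_max(TimeGenerated, CommandLine)         // command line of the latest event
    by Hostname, Account, Severity, SeverityRank, Day = bin(TimeGenerated, 1d)
| project-reorder Day, Hostname, Account, Severity, EventCount,
                  DistinctProcesses, Processes, TimeGenerated, CommandLine
| order by SeverityRank asc, EventCount desc
| project-away SeverityRank
```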
