Kusto Query Language is the language you will use to work with and manipulate data in Microsoft Sentinel. The logs you feed into your workspace aren't worth much if you can't analyze them and get the important information hidden in all that data. Kusto Query Language has not only the power and flexibility to get that information, but the simplicity to help you get started quickly. If you have a background in scripting or working with databases, a lot of the content of this article will feel very familiar. If not, don't worry, as the intuitive nature of the language quickly enables you to start writing your own queries and driving value for your organization.
Search Keywords in Tables
search in (CommonSecurityLog) "172.17.20.10"
search in (Syslog) "172.17.20.10"
CommonSecurityLog
| where DeviceVendor contains "Palo Alto Networks"
| where DeviceCustomString6 contains "LogForward"
| where Computer !contains "10"
| summarize count() by Computer
// Alternative last step: aggregate by Activity instead of Computer.
// (Chaining a second summarize after the first fails, because Activity
// no longer exists once the rows are grouped by Computer.)
// | summarize count() by Activity
Count Logs in a Table
Check Last 5 logs
Show the log trend for the last 7 days
Check a given table's raw logs in the last hour:
Which Windows machines are sending logs through the Azure Monitor Agent?
Check Subscription ID
Price Related
Check Table Sizes and if Billable
Calculate Cost Per Table
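The two sections above (table sizes, billable flag, and cost per table) can be answered from the Usage table, which records ingested volume per DataType in MB. The queries below are an added example, not code from the original post; PricePerGB is a placeholder you must replace with your own region's per-GB ingestion rate.

```kusto
// Added example: billable ingestion per table over the last 7 days,
// with an estimated cost. PricePerGB is a PLACEHOLDER (assumption),
// not a real price; look up the rate for your workspace's region/tier.
let PricePerGB = 0.0;
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true          // drop free tables (e.g. Heartbeat, AzureActivity)
| summarize TotalGB = round(sum(Quantity) / 1024, 2) by DataType   // Quantity is in MB
| extend EstimatedCost = round(TotalGB * PricePerGB, 2)
| sort by TotalGB desc

// Daily trend per table (billable and non-billable), useful for spotting a
// source that suddenly stopped sending or started flooding the workspace.
Usage
| where TimeGenerated > ago(7d)
| summarize IngestedGB = round(sum(Quantity) / 1024, 2)
    by bin(TimeGenerated, 1d), DataType, IsBillable
| sort by TimeGenerated asc, IngestedGB desc
```

Run the two queries separately in the Logs blade; the second can be switched to a chart with `| render timechart` once you narrow it to a single DataType.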
Videos
References
- https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview
Via http://blog.51sec.org/2024/04/azure-sentinel-log-query-scripts.html