Monday, July 7, 2025

Build+Break+Secure

Where Every Failure Becomes A Manual

Build+Break+Secure

Where Every Failure Becomes A Manual

+ SECUREKusto Query LanguageMicrosoft Sentinel

List Total Events By Table

Wayne Andes 54 Views 0 Comments 2 min read

Description

This KQL query returns a table that shows the number of events for each data table that occurred in the last 30 days. This can returns information about the TotalEvents in all your Sentinel tables. Since you probably ingest more in Sentinel than you know, this query can result in discovering ‘new’ data sources to investigate.

Query

Microsoft Sentinel
Kusto
let TimeFrame = 30d;
union *
| where TimeGenerated > startofday(ago(TimeFrame))
| summarize TotalEvents = count() by Type
| sort by TotalEvents asc

You May Also Like

List On-boarded Devices in Intune and Microsoft Defender for Endpoint

Wayne Andes 0

List Data Connector Changed From Success To Failed State

Wayne Andes 0

Identify Log Ingestion Delays by Device in CommonSecurityLog with KQL

Wayne Andes 0

Leave a Reply

Your email address will not be published. Required fields are marked *