Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

Visualize Daily Events For Each Table

Wayne Andes 4 min read

Description

In MDE or Sentinel there are plenty of tables that generate logs, in order to determine which tables ingest the most logs the queries below can be used. The TimeRange variable can be used to select the time range for your visualization.

Mainly important for Sentinel users is to get insight into the amount of traffic ingested, this KQL query can help you to determine which tables ingest most data. The reference below can be used to get more information about cost management in Sentinel.

Query

Microsoft Defender For Endpoint
Kusto
let TimeRange = 10d;
search *
| where Timestamp > ago(TimeRange)
| project Timestamp, $table
| summarize Events = count() by $table, bin(Timestamp, 1d)
| render linechart  with (title="Total Daily Events")

Microsoft Sentinel
Kusto
let TimeRange = 10d;
search *
| where Timestamp > ago(TimeRange)
| project Timestamp, $table
| summarize Events = count() by $table, bin(Timestamp, 1d)
| render columnchart with (title="Total Daily Events", kind=stacked)

References

You May Also Like

List All Role Additions

Wayne Andes

Detect Anomalous Group Policy Discovery

Wayne Andes

List Malicious DNS Name Detected Based On Threat Intelligence Indicators By Fortinet

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *