Microsoft Sentinel : KQL search query with examples
Search operator
To search for all logs that contain a particular keyword. This is useful when you are unsure about a table.
search “keyword”
And, or combining with the search operator.
search “admin” and “login”
search “admin” and (“login” or “logout”)
To search only on particular tables.
search in (SigninLogs ,SecurityEvent) "failed"
Typically the search is case insensitive. To Search with case sensitive, use
search kind=case_sensitive “admin”
Lets try another case sensitive search,
Return no result as in...
To search for all logs that contain a particular keyword. This is useful when you are unsure about a table.
search “keyword”
And, or combining with the search operator.
search “admin” and “login”
search “admin” and (“login” or “logout”)
To search only on particular tables.
search in (SigninLogs ,SecurityEvent) "failed"
Typically the search is case insensitive. To Search with case sensitive, use
search kind=case_sensitive “admin”
Lets try another case sensitive search,
Return no result as in...
No comments have been added yet.
