KQL query question

I have the following test query. I'm wondering if I added (TimeGenerated 24h) correctly in lines number 5 and 12? Or is it enough to have it only in line 12? Similarly, in lines 6 and 13, do I need ...

KQL

kusto

microsoft defender for endpoint

soar

KubaTom
Aug 01, 2023
CyberKing
As I can't see the entire query, it's difficult to be 100% certain, but in union if you need to perform the same operations on different tables you can remove them from individual tables and add below, like so:

union kind=inner (SigninLogs | distinct UserPrincipalName, TimeGenerated ), (OfficeActivity | distinct UserId, TimeGenerated | extend UserPrincipalName=UserId ) | where UserPrincipalName contains 'adm' | where TimeGenerated > ago(24h)

It certainly helps to keep the query more compact, but I'm not sure how this would affect the overall efficiency - in this case your union starts with 2 bigger tables and only trims them down afterwards.

KubaTom

Brass Contributor

Aug 01, 2023

CyberKing

As I can't see the entire query, it's difficult to be 100% certain, but in union if you need to perform the same operations on different tables you can remove them from individual tables and add below, like so:

union kind=inner 
(SigninLogs
| distinct UserPrincipalName, TimeGenerated
),
(OfficeActivity
| distinct UserId, TimeGenerated
| extend UserPrincipalName=UserId
)
| where UserPrincipalName contains 'adm'
| where TimeGenerated > ago(24h)

It certainly helps to keep the query more compact, but I'm not sure how this would affect the overall efficiency - in this case your union starts with 2 bigger tables and only trims them down afterwards.

CyberKing

Copper Contributor

Aug 03, 2023

thanks!

Forum Discussion

KQL query question

Resources