Bosanac89
Copper Contributor
Nov 16, 2023
Solved

Advanced Hunting

Trying to run this query for advanced hunting but getting the below syntax error. 

Can anyone help with this query? Also does anyone know a good resource to use for learning the Kusto language used for these queries? 

  • Bosanac89 hi,

    TimeGenerated is an operator available in Sentinel (Log Analytics), in Defender XDR, you have to use Timestamp. So, the following query should be fine:

    AlertInfo
    | where isnotempty(AttackTechniques)                                // drop alerts with no mapped techniques
    | mvexpand todynamic(AttackTechniques) to typeof(string)            // one row per technique in the JSON array
    | where AttackTechniques has "Storm-1575"
    | where Timestamp > ago(90d)                                        // Defender XDR column is Timestamp, not TimeGenerated
    | summarize AlertCount = dcount(AlertId) by AttackTechniques        // distinct alerts per technique
    | sort by AlertCount desc

    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like
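The column-name point in the answer above (Timestamp in Defender XDR Advanced Hunting versus TimeGenerated in Sentinel) is easy to check without access to a tenant. The following is an added example, not a query from this thread or from Microsoft: it builds two constructed tables with `datatable()` that stand in for the Defender XDR `AlertInfo` and `AlertEvidence` tables (column names follow the real schema; every row, alert id, device name and technique string is made up), pins "now" to a fixed date so the 90-day window behaves the same whenever it is run, expands the technique array, and joins the machine evidence so each technique row also lists the devices involved. Against live tables you would replace the two `Sample*` names with `AlertInfo` and `AlertEvidence` and the fixed reference date with `ago(90d)`.

```kusto
// Added example, not from the thread. Constructed stand-ins for the Defender XDR
// AlertInfo and AlertEvidence tables; column names match the schema, data is made up.
let RefTime = datetime(2023-11-16);   // fixed "now" so the sample is reproducible; use ago(90d) on live data
let SampleAlertInfo = datatable(Timestamp:datetime, AlertId:string, Title:string, Severity:string, AttackTechniques:string)
[
    datetime(2023-11-10 08:15:00), "alert-1", "Storm-1575 phishing campaign", "High",   '["Phishing (T1566)","Valid Accounts (T1078)"]',
    datetime(2023-11-12 14:02:00), "alert-2", "Suspicious sign-in",           "Medium", '["Valid Accounts (T1078)"]',
    datetime(2023-07-01 09:00:00), "alert-3", "Old phishing alert",           "Low",    '["Phishing (T1566)"]',   // outside the 90-day window
    datetime(2023-11-14 11:30:00), "alert-4", "Malware detected",             "High",   ""                         // no techniques mapped
];
let SampleAlertEvidence = datatable(Timestamp:datetime, AlertId:string, EntityType:string, DeviceName:string)
[
    datetime(2023-11-10 08:15:00), "alert-1", "Machine", "ws-finance-01",
    datetime(2023-11-10 08:15:00), "alert-1", "User",    "",
    datetime(2023-11-12 14:02:00), "alert-2", "Machine", "ws-finance-01",
    datetime(2023-11-12 14:02:00), "alert-2", "Machine", "ws-hr-07"
];
SampleAlertInfo
| where Timestamp > RefTime - 90d                 // Timestamp is the XDR column; TimeGenerated would be a semantic error here
| where isnotempty(AttackTechniques)              // alert-4 is dropped here
| mv-expand Technique = todynamic(AttackTechniques) to typeof(string)   // one row per technique
| join kind=leftouter (
    SampleAlertEvidence
    | where EntityType == "Machine" and isnotempty(DeviceName)
    | project AlertId, DeviceName
  ) on AlertId
| summarize AlertCount = dcount(AlertId),                                 // distinct alerts per technique
            AffectedDevices = make_set_if(DeviceName, isnotempty(DeviceName)) by Technique
| sort by AlertCount desc
// Expected on the constructed rows:
//   Valid Accounts (T1078)  AlertCount 2  AffectedDevices ["ws-finance-01","ws-hr-07"]
//   Phishing (T1566)        AlertCount 1  AffectedDevices ["ws-finance-01"]
```

`dcount(AlertId)` is used rather than `count()` deliberately: the join produces one row per (technique, device) pair, so a plain row count would inflate alerts that touched several machines. The same query, with `Timestamp` renamed to `TimeGenerated`, is what you would run in a Sentinel workspace that ingests these tables.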

3 Replies

  • techtalk_nu
    Copper Contributor

    I keep getting this error on all CloudAppEvents queries; I noticed it 3 days ago:

    Semantic error
    Error message - between(): argument #1 - invalid data type: string
    How to resolve - Fix semantic errors in your query

