Forum Discussion
Solved
Advanced Hunting
Trying to run this query for advanced hunting but getting the below syntax error. Can anyone help with this query? Also does anyone know a good resource to use for learning the Kusto language us...
Bosanac89 hi,
TimeGenerated is an operator available in Sentinel (Log Analytics), in Defender XDR, you have to use Timestamp. So, the following query should be fine:
AlertInfo | where isnotempty(AttackTechniques) | mvexpand todynamic(AttackTechniques) to typeof(string) | where AttackTechniques has "Storm-1575" | where Timestamp > ago(90d) | summarize AlertCount = dcount(AlertId) by AttackTechniques | sort by AlertCount descIf I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
Bosanac89 hi,
TimeGenerated is an operator available in Sentinel (Log Analytics), in Defender XDR, you have to use Timestamp. So, the following query should be fine:
AlertInfo
| where isnotempty(AttackTechniques)
| mvexpand todynamic(AttackTechniques) to typeof(string)
| where AttackTechniques has "Storm-1575"
| where Timestamp > ago(90d)
| summarize AlertCount = dcount(AlertId) by AttackTechniques
| sort by AlertCount desc
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like