Forum Discussion

Bosanac89's avatar
Bosanac89
Copper Contributor
Nov 16, 2023
Solved

Advanced Hunting

Trying to run this query for advanced hunting but getting the below syntax error.    Can anyone help with this query? Also does anyone know a good resource to use for learning the Kusto language us...
automation
investigation
microsoft defender for endpoint
microsoft defender for office 365
threat hunting
  • cyb3rmik3's avatar
    cyb3rmik3
    Nov 17, 2023

    Bosanac89 hi,

     

    TimeGenerated is an operator available in Sentinel (Log Analytics), in Defender XDR, you have to use Timestamp. So, the following query should be fine:

    AlertInfo
| where isnotempty(AttackTechniques)
| mvexpand todynamic(AttackTechniques) to typeof(string)
| where AttackTechniques has "Storm-1575"
| where Timestamp > ago(90d)
| summarize AlertCount = dcount(AlertId) by AttackTechniques
| sort by AlertCount desc

     

    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like

techtalk_nu's avatar
techtalk_nu
Copper Contributor
Nov 19, 2023

I keep getting this error on all cloudappevent queries: I noticed it 3 days ago: 

Semantic error
Error message - between(): argument #1 - invalid data type: string
How to resolve - Fix semantic errors in your query

  • cyb3rmik3's avatar
    cyb3rmik3
    MVP
    Nov 19, 2023

    techtalk_nu and how is this related to the specific discussion :sad:?

Resources