Translate Splunk query to Sentinel

Question

Is there a good source/site to translate Splunk queries into Kusto/Sentinel? I've managed to get the first part but it's the second part that is the challenge. This is what I'm looking to translate:

| stats dc(id.resp_h) as "#Dest",dc(id.resp_p) as "#Port" by id.orig_h | sort "#Dest","#Port" desc

I've tried uncoder.io but it didn't translate, just say translate temporarily unavailable.

The search is counting the unique number of destinations a source tries to access.

Thanks, Joe

garybushey · Answer

j0ebeer&nbsp;You can start here:&nbsp;&nbsp;https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/splunk-cheat-sheet&nbsp;

prashtechtalk · Answer

I use this.. a good starter https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/splunk-cheat-sheet

pemontto · Answer

j0ebeer&nbsp;this specific example translate trivially. Here's a modified version for the&nbsp;CommonSecurityLog table:&nbsp;CommonSecurityLog
| summarize ["#Src"] = dcount(SourceIP), ["#Ports"] = dcount(DestinationPort) by DestinationIP
| order by ['#Src'], ['#Ports'] desc&nbsp;

Forum Discussion

Translate Splunk query to Sentinel

3 Replies

Resources