Apr 28 2023 04:01 PM
Hey!
I hope you're doing well
I've been pulling my hair out over some what I think might be impossible, or tricky KQL (but then again - I could be missing something). I have a report that does a comparison of the last 30 days, and last 60 days of alerts received via. Sentinel. The query I've been using to get two tables individually was the below;
SecurityIncident
| where CreatedTime > ago(30d)
// the comparison uses | where CreatedTime < ago(30d) | where CreatedTime > ago(60d)
| summarize count(), arg_max(TimeGenerated,*) by IncidentNumber
| sort by IncidentNumber desc
| summarize count() by bin(TimeGenerated,1d)
When put into "chart view", this does emit the correct values and works fine - but combining the two into a comparison as such, from what I can tell, seems impossible. I've also tried to leverage PowerBI to do this too but again, have spent hours looking into it and can't figure out how to do it.
Has anyone managed to do this before, or could anyone give me any advice to achieve something that would look like the below?
Any help would be appreciated as always 🙂
May 01 2023 05:36 AM
May 02 2023 05:25 AM