RE: KQL query for event types per table used by Microsoft Sentinel (and connected Data Connectors)

So with a base KQL query of:

union withsource= table *

...is there a way to query each table in Microsoft Sentinel and identify each EVENT type used within it?

So listed as...


Table 1...
...event type 1 (count)
...event type 2 (count)
Table 2...
...event type 1 (count)
...event type 2 (count)


etc...

1 Reply
By "Event Type" are you referring to the EventID or something else? Maybe just a count of rows in each Table? A screenshot of the data you are referring to would help. Thanks