RE: KQL query for event types per table used by Microsoft Sentinel (and connected Data Connectors)


So with a base KQL query of:


union withsource= table *

Is there a way to query each table in Microsoft Sentinel and identify each EVENT type used within it?

So listed as...

Table 1...
...event type 1 (count)
...event type 2 (count)
Table 2...
...event type 1 (count)
...event type 2 (count)


1 Reply
By "Event Type" are you referring to the EventID or something else? Maybe just a count of rows in each Table? A screenshot of the data you are referring to would help. Thanks