Microsoft Tech Community

Translate Splunk query to Sentinel


Is there a good source/site to translate Splunk queries into Kusto/Sentinel?  I've managed to get the first part but it's the second part that is the challenge.  This is what I'm looking to translate:


| stats dc(id.resp_h) as "#Dest",dc(id.resp_p) as "#Port" by id.orig_h | sort "#Dest","#Port" desc


I've tried uncoder.io but it didn't translate; it just said "translate temporarily unavailable".


The search is counting the unique number of destinations a source tries to access.

Thanks, Joe

3 Replies

@j0ebeer this specific example translates trivially. Here's a modified version for the CommonSecurityLog table:


CommonSecurityLog
// dcount() is the KQL counterpart of Splunk's dc(); bracket-quoted names allow the '#' in the aliases
| summarize ["#Src"] = dcount(SourceIP), ["#Ports"] = dcount(DestinationPort) by DestinationIP
| order by ["#Src"], ["#Ports"] desc
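For the query exactly as posted (unique destinations and destination ports per source, both keys descending), here is a direct translation as an added example that is not part of the original thread. It uses a constructed datatable so it runs in any Kusto environment; the SourceIP/DestinationIP/DestinationPort column names and the fan-out threshold are assumptions.

```kusto
// Constructed sample rows standing in for Zeek conn fields (id.orig_h, id.resp_h, id.resp_p).
// Column names are assumptions; point this at the real table and columns in your workspace.
let ConnSample = datatable(SourceIP:string, DestinationIP:string, DestinationPort:int) [
    "10.0.0.5", "192.0.2.10", 443,
    "10.0.0.5", "192.0.2.11", 443,
    "10.0.0.5", "192.0.2.12", 22,
    "10.0.0.7", "192.0.2.10", 80,
    "10.0.0.7", "192.0.2.10", 443,
    "10.0.0.9", "192.0.2.20", 445
];
ConnSample
// Splunk: stats dc(id.resp_h) as "#Dest", dc(id.resp_p) as "#Port" by id.orig_h
// dcount() is an HLL estimate; use count_distinct() where an exact figure matters.
| summarize ["#Dest"] = dcount(DestinationIP), ["#Port"] = dcount(DestinationPort) by SourceIP
// Splunk: sort "#Dest","#Port" desc  (trailing desc reverses the whole result, so both keys descending)
// KQL defaults to descending, but stating it keeps the intent visible.
| sort by ["#Dest"] desc, ["#Port"] desc
// Defender's use of the result: flag sources fanning out to many distinct destinations.
// The threshold is an assumption; tune it to the environment's baseline.
| where ["#Dest"] >= 3
```

With the sample rows, only 10.0.0.5 (3 distinct destinations, 2 distinct ports) survives the filter; drop the final `where` to see the full per-source table.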