# Total Events by Table

## Query Information

#### Description
This query returns a table showing the number of events in each data table over the last 30 days, i.e. the total event count for every table in your Sentinel workspace. Since you probably ingest more into Sentinel than you are aware of, this query can reveal 'new' data sources to investigate.

## Sentinel
```KQL
// Look back 30 days; the let statement must end with a semicolon
let TimeFrame = 30d;
// Union every table in the workspace
union *
| where TimeGenerated > startofday(ago(TimeFrame))
// Type holds the name of the source table for each row
| summarize TotalEvents = count() by Type
// Smallest (possibly unnoticed) tables first
| sort by TotalEvents asc
```

Explanation

This query retrieves the total number of events per data table over the last 30 days. By listing the event count of every Sentinel table it helps identify data sources you may not know you are ingesting. It is written in KQL and sorts the results in ascending order by total event count, so the least-populated tables appear first.
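An extension of the query above, added here as an example and not part of the original page: alongside the per-table count it records when each table was first and last seen in the window, so tables that only started ingesting recently or that have gone quiet stand out. The one-day margin used for `NewInWindow` is an assumed heuristic, not a Sentinel convention.

```kql
// Added example (not the original query): per-table counts plus first/last seen
let TimeFrame = 30d;
let WindowStart = startofday(ago(TimeFrame));
union *
| where TimeGenerated > WindowStart
| summarize
    TotalEvents = count(),
    FirstSeen = min(TimeGenerated),   // earliest event in the window
    LastSeen = max(TimeGenerated)     // most recent event in the window
    by Type
| extend
    // Assumed heuristic: no events in the first day of the window => table is new
    NewInWindow = FirstSeen > WindowStart + 1d,
    // Days since the table last produced an event (possible broken connector)
    StaleDays = datetime_diff('day', now(), LastSeen)
| sort by NewInWindow desc, TotalEvents asc
```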

Details

Bert-Jan Pals

Released: January 30, 2024

Tables

union

Keywords

Events,Table,Sentinel

Operators

union, where, summarize, sort by