DEVHIDE
Login Or Sign up

KQL diferent tables

72 Views Asked by At

Hello guys this might be simple, but I'm trying to pull information from unrelated tables to create a rule that triggers when any of these two conditions are met. 

Joining this two:

union SigninLogs, 
| where * contains "user"

SecurityEvent
|  where EventID == 4722

I tried, but the way I did it will only display the sign-ins or the event ID. I require it to bring the two different tables of information. Could someone point me in the right direction on this? 

Is there a solution on how this join should be done?

kql azure-sentinel
Original Q&A
1

There are 1 best solutions below

0
Jahnavi On

Use below KQL query in sentinel workspace to combine two different tables according to your requirement.

union SigninLogs, SecurityEvent
| extend EventType = iif(EventID == 4722, 'SecurityEvent', 'SigninLogs')
| where * contains "user" or EventID == 4722

enter image description here

Related Questions in KQL

Related Questions in AZURE-SENTINEL

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.