KQL - Basics for SOC Analysts #3 - Where

❕This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.

KQL OPERATOR: WHERE

Description:

The where operator in Kusto Query Language (KQL) is used to filter data based on specific criteria. For a security analyst working with Microsoft Defender for Endpoint (MDE), this operator is essential for identifying and analysing specific events or patterns in the data.

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 filters all network events where the remote IP is "192.168.50.1".

DeviceNetworkEvents
| where RemoteIP == "192.168.50.1"

#2 Search for specific action types:

With this 👇, the analyst receives all network events where the action was 'HttpConnectionInspected'.

DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"

WHEN TO USE IT:

  • To identify and analyse specific events or patterns.
  • In combination with other operators to build more complex queries.

THINGS TO KEEP IN MIND:

Query performance depends heavily on the where predicates, especially on large tables. Make the query as specific as possible: filter on the time range first and prefer exact matches over loose text searches, so that subsequent operators only have to process a small number of rows.
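As an added example (not from the original article), the query below chains several where predicates over DeviceNetworkEvents, ordered from the cheapest filter to the most specific one as the performance note above suggests. The time window, the port list and the process allow-list are assumptions for illustration and should be adapted to the environment.

```kql
// Added example, not part of the original article.
// Hunt: successful outbound connections from non-browser processes to
// public IPs on ports that are unusual for this (assumed) environment.
DeviceNetworkEvents
// 1. Narrow the time range first; this cuts the data every later operator scans.
| where Timestamp > ago(7d)
// 2. Exact, case-sensitive match on the action type (== is cheaper than has/contains).
| where ActionType == "ConnectionSuccess"
// 3. Keep only connections to public addresses: drop RFC 1918 and loopback targets.
| where not(ipv4_is_private(RemoteIP)) and RemoteIP != "127.0.0.1"
// 4. Ports the assumed environment does not normally use for outbound traffic (placeholder list).
| where RemotePort in (4444, 5555, 8443)
// 5. Exclude processes that are expected to talk to the internet (illustrative allow-list).
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe")
// Reduce the output to the columns an analyst needs for triage.
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort
| order by Timestamp desc
```

The same predicates could be combined with `and` inside a single where; splitting them into separate lines keeps each condition readable and easy to comment out while tuning the query.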
