KQL Basics for SOC Analysts #4 - Distinct

❕This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.

KQL OPERATOR: DISTINCT

Description:

The distinct operator in Kusto Query Language (KQL) returns the unique values of one or more columns, dropping duplicate rows from the result. For a security analyst working with Microsoft Defender for Endpoint (MDE) data, it is a quick way to surface the unique patterns or indicators present in a result set without reading through repeated rows.

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 returns all unique RemoteIP addresses from the DeviceNetworkEvents table.

DeviceNetworkEvents
| distinct RemoteIP

#2 Combination of columns:

This 👇 provides the analyst with a list of all unique combinations of RemoteIP and ActionType.

DeviceNetworkEvents
| distinct RemoteIP, ActionType
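In practice an analyst rarely runs distinct over the whole table: on a busy tenant the unfiltered list is too long to review. The query below is an added example, not part of the original article, showing the usual hunting pattern of narrowing the rows first (time window, action type, initiating process, public destinations only) and only then deduplicating. It assumes the standard DeviceNetworkEvents schema; the 7-day window and the PowerShell filter are illustrative choices, not a recommendation for any particular environment.

```kql
// Added example (not from the original article): filter first, then deduplicate.
// Assumes the documented DeviceNetworkEvents columns; window and process name are illustrative.
DeviceNetworkEvents
| where Timestamp > ago(7d)                          // limit the search window
| where ActionType == "ConnectionSuccess"             // only connections that were established
| where InitiatingProcessFileName =~ "powershell.exe" // case-insensitive match on the initiating process
| where not(ipv4_is_private(RemoteIP))                // drop RFC 1918 destinations; note: IPv6 addresses
                                                      // evaluate to null here and are dropped as well
| distinct DeviceName, RemoteIP, RemotePort           // one row per unique host/destination/port triple
| order by DeviceName asc, RemoteIP asc
```

Each row in the output is a unique combination of device, remote address and port; a destination contacted a thousand times by one host shows up once, which is exactly what you want when the goal is "which public endpoints did this process talk to", not "how often".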

WHEN TO USE IT:

  • to identify unique patterns or indicators in the data.
  • to eliminate redundancies in the data and simplify the analysis.

THINGS TO KEEP IN MIND

  • When using the distinct operator on multiple columns, uniqueness is evaluated on the combination of values across those columns, not on each column separately: the same RemoteIP appears once for every ActionType it was seen with.
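To make the multi-column behaviour concrete, the three queries below (an added example, not from the original article) deduplicate the same two columns in different ways; run each one separately in the advanced hunting editor. They assume the standard DeviceNetworkEvents schema and an illustrative 1-day window.

```kql
// Added example (not from the original article): three views of the same two columns.
// Assumes the documented DeviceNetworkEvents columns; the 1-day window is illustrative.

// (a) distinct: one row per unique (RemoteIP, ActionType) pair.
//     An IP seen with both ConnectionSuccess and ConnectionFailed yields two rows.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| distinct RemoteIP, ActionType

// (b) summarize ... by: the same grouping as (a), but keeps how many rows
//     collapsed into each pair, which distinct throws away.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| summarize Connections = count() by RemoteIP, ActionType
| order by Connections desc

// (c) dcount: when you only need the number of unique IPs per ActionType,
//     not the IPs themselves. dcount is an estimate on large inputs.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| summarize UniqueRemoteIPs = dcount(RemoteIP) by ActionType
```

Rule of thumb: use distinct when you want to see the unique values, summarize count() by when you also need the frequency of each combination, and dcount when only the cardinality matters.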

References:

distinct operator - Kusto (Microsoft Learn): how to use the distinct operator to produce a table containing the distinct combinations of the input table's columns.
DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR (Microsoft Learn): the network connection events that can be queried from the DeviceNetworkEvents table.