Query Details

Data New Tables Found

Query

//Detect when new tables have been written to in the last week compared to the last 90 days

//Data connector required for this query - query will automatically union any data you have

let existingtables=
    union withsource=_TableName *
    | where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
    | distinct Type;
let newtables=
    union withsource=_TableName *
    | where TimeGenerated > ago(7d)
    | summarize ['First Log Received'] = min(TimeGenerated) by Type
    | project Type, ['First Log Received'];
existingtables
| join kind=rightanti newtables on Type

Explanation

This query detects tables that received data in the last week but had no data in the preceding baseline period, which reaches back 90 days. It does not depend on a specific data connector: union * automatically combines every table you have in the workspace.

The query first builds the list of existing tables: those with at least one record between 90 days ago and 7 days ago. It then builds the list of new tables: every table with a record in the last 7 days, together with the time its first log in that window was received.

Finally, the rightanti join keeps only the rows from the new tables list that have no match in the existing tables list. The result is the set of tables that logged in the last week but not in the 7-to-90-day baseline.
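The same join logic over constructed sample rows, as an added example that is not part of the original query. The SampleLogs table, its DaysAgo column and the rows in it are made up for illustration, so the query runs in any workspace without touching real data.

```kql
// Constructed sample data: each row stands for one log record.
// DaysAgo is the record's age in days (hypothetical helper column).
//   SigninLogs    - records in the baseline window and in the last 7 days
//   SecurityEvent - records in the baseline window only
//   IntuneDevices - records in the last 7 days only
//   Syslog        - one record older than the 90-day lookback, one recent
let SampleLogs = datatable(Type: string, DaysAgo: long)
[
    "SigninLogs",    60,
    "SigninLogs",    1,
    "SecurityEvent", 30,
    "IntuneDevices", 3,
    "IntuneDevices", 2,
    "Syslog",        120,
    "Syslog",        5
]
| extend TimeGenerated = now() - DaysAgo * 1d;
// Baseline: tables with at least one record between 90 and 7 days ago
let existingtables =
    SampleLogs
    | where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
    | distinct Type;
// Candidates: tables with a record in the last 7 days and their first timestamp
let newtables =
    SampleLogs
    | where TimeGenerated > ago(7d)
    | summarize ['First Log Received'] = min(TimeGenerated) by Type;
// rightanti keeps rows from newtables that have no match in existingtables
existingtables
| join kind=rightanti newtables on Type
```

Syslog is returned alongside IntuneDevices because its only earlier record falls outside the 90-day baseline, so a table that resumes logging after a long gap is reported the same way as one that has never logged before.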

Details


Matt Zorich

Released: June 17, 2022

Tables

existingtables

Keywords

Devices,Intune,User

Operators

union, withsource, where, ago, distinct, let, summarize, by, project, join, kind, rightanti
