Query Details

Strcat

Query

Using KQL Strcat

let new_URL = "domain.com";
SecurityIncident
| where TimeGenerated >= ago(90d)
| where Severity == 'High'
| where Title has "Suspicious"
| extend Updated_URL = strcat("https://portal.azure.com/", new_URL, "/", IncidentName)
| project Updated_URL

Explanation

This query filters SecurityIncident records to those generated within the last 90 days that have a severity of 'High' and a title containing the term "Suspicious". For each matching record, it uses KQL's strcat function to build a new URL by concatenating the fixed string "https://portal.azure.com/", the value of the new_URL variable ("domain.com"), a "/" separator, and the IncidentName. Finally, it projects only the newly created Updated_URL field.
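The same pipeline run against inline rows, as an added example that is not part of the original query: it shows which titles the `has` filter keeps and adds a `summarize arg_max` step, because SecurityIncident writes a new row each time an incident is updated. The `SampleIncidents` name and every row in it are constructed for illustration, and the time filter is left out because the sample timestamps are fixed.

```kql
// Constructed sample rows standing in for the SecurityIncident table (not real incidents).
let SampleIncidents = datatable(TimeGenerated:datetime, IncidentName:string, Severity:string, Title:string, Status:string)
[
    // Same incident logged twice: once at creation, once after a status change.
    datetime(2023-12-01 08:00:00), "11111111-aaaa-4bbb-8ccc-000000000001", "High",   "Suspicious sign-in activity",   "New",
    datetime(2023-12-02 09:30:00), "11111111-aaaa-4bbb-8ccc-000000000001", "High",   "Suspicious sign-in activity",   "Active",
    // "SuspiciousPowerShell" is a single term, so `has "Suspicious"` does not match it
    // (`contains` would).
    datetime(2023-12-03 10:00:00), "11111111-aaaa-4bbb-8ccc-000000000002", "High",   "SuspiciousPowerShell detected", "New",
    // Title matches, but the severity filter drops this row.
    datetime(2023-12-03 11:00:00), "11111111-aaaa-4bbb-8ccc-000000000003", "Medium", "Suspicious inbox rule",         "New"
];
let new_URL = "domain.com";
SampleIncidents
| where Severity == 'High'
| where Title has "Suspicious"
// Keep only the most recent row per incident so each URL is emitted once.
| summarize arg_max(TimeGenerated, *) by IncidentName
| extend Updated_URL = strcat("https://portal.azure.com/", new_URL, "/", IncidentName)
| project IncidentName, Status, Updated_URL
```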

Details

Rod Trent

Released: December 5, 2023

Tables

SecurityIncident

Keywords

Devices,Intune,User

Operators

ago, where, extend, strcat, project