Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

pq/05_daily_network_traffic_per_source.pq

@@ -0,0 +1,32 @@
+// Rule: 05_daily_network_traffic_per_source
+// Daily baseline of bytes & peers per source IP
+//
+// Source KQL: see ../kql/05_daily_network_traffic_per_source.kql
+//
+// HOW TO RUN
+//   curl POST {sdl}/api/powerQuery with this body, OR paste in
+//   the SDL console. Set startTime = '2h' (or wider) so the API
+//   scans the freshly-ingested epochs that contain the events.
+//
+// Time anchor at export: NOW = 2026-05-31T20:10:05+00:00
+// Recent-window cutoff:  2026-05-31T18:10:05+00:00
+//   (`ts_epoch_ms` below is that cutoff expressed in ms.
+//   Re-run harness/export_rules.py to refresh after regenerating
+//   sample_data/events.jsonl.)
+//
+// Fields referenced: CommonSecurityLog, Count, DestinationIP, DeviceVendor, DistinctDestinationIps, NoofBytesReceived, NoofBytesTransferred, RECENT_MS, ReceivedBytes, SentBytes…
+//
+// EDITING NOTE
+//   Every line that starts with `|` is a pipeline stage. Each `|`
+//   is REQUIRED. If you delete one (e.g. while changing a literal
+//   on the same line as a stage), SDL re-parses the keyword that
+//   follows as a search term and rejects the query with errors
+//   like `'estimate_distinct' is a grouping function`.
+
+event_type='CommonSecurityLog'
+| filter ts_epoch_ms >= 1780251005000
+| group Count = count(),
+        DistinctDestinationIps = estimate_distinct(DestinationIP),
+        NoofBytesTransferred = sum(SentBytes),
+        NoofBytesReceived = sum(ReceivedBytes)
+    by SourceIP, DeviceVendor