Mirrors/marcredhat-kql
1
0
Fork 0
mirror of https://github.com/marcredhat/kql synced 2026-06-09 05:27:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit: KQL ↔ SDL PowerQuery proof of equivalence

Browse Source
This commit is contained in:
marc
2026-06-01 09:57:14 +02:00
commit 23cbaa9c08
91 changed files with 5966 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
reports/probe_after_run2.log
+42
View File
@@ -0,0 +1,42 @@
/Users/marc.chisinevski/.venvs/azcli/lib/python3.9/site-packages/urllib3/__init__.py:35: NotOpenSSLWarning: urllib3 v2 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
warnings.warn(
[sdl_client] session = kql-proof-64b584b2-b3db-4478-be7c-995df8785351
Latest proof_run_id from log: run-5abed53e35
================================================================================
# any event for this run
q: proof_run_id='run-5abed53e35' | group n=count()
status=success matching=445.0 took=3.6s
{'n': 445}
================================================================================
# by event_type for this run
q: proof_run_id='run-5abed53e35' | group n=count() by event_type
status=success matching=445.0 took=2.5s
{'event_type': 'AuditLogs', 'n': 12}
{'event_type': 'AzureActivity', 'n': 6}
{'event_type': 'CommonSecurityLog', 'n': 84}
{'event_type': 'DeviceFileEvents', 'n': 9}
{'event_type': 'OfficeActivity', 'n': 203}
{'event_type': 'SecurityEvent', 'n': 61}
{'event_type': 'SigninLogs', 'n': 69}
{'event_type': 'ThreatIntelIndicators', 'n': 1}
================================================================================
# all kql-proof logfile (any run)
q: logfile contains 'kql-proof' | group n=count() by event_type
status=success matching=1351.0 took=2.1s
{'event_type': 'AuditLogs', 'n': 36}
{'event_type': 'AzureActivity', 'n': 19}
{'event_type': 'CommonSecurityLog', 'n': 265}
{'event_type': 'DeviceFileEvents', 'n': 27}
{'event_type': 'OfficeActivity', 'n': 610}
{'event_type': 'SecurityEvent', 'n': 184}
{'event_type': 'SigninLogs', 'n': 207}
{'event_type': 'ThreatIntelIndicators', 'n': 3}
================================================================================
# rule 1 raw query that errors
q: proof_run_id='run-5abed53e35' event_type='SigninLogs' | filter ts_epoch_ms >= 0 | group LocationCount = estimate_distinct(Location), LocationList = group_unique_values(Location), LogonCount = count() by UserPrincipalName, AppDisplayName | filter LocationCount >= 3
status=error/client/badParam matching=None took=0.7s
ERROR: {"message": "invalid query: Unknown function 'group_unique_values'", "status": "error/client/badParam"}