From 71b11299a760e365b5ca2b28028849d0df24ae2f Mon Sep 17 00:00:00 2001 
From: Sandy Zeng Date: Mon, 9 May 2022 13:28:08 +0000 Subject: [PATCH] GitBook: [#14] No subject --- SUMMARY.md | 42 +++++++------- .../device-inventory/README.md | 0 .../device-inventory/device-os-version.md | 0 ...same-aad-device-id-and-intune-device-id.md | 3 - mmsmoa2022-kql-examples/readme/README.md | 2 + .../readme}/distinct.md | 3 +- .../readme}/extend.md | 2 +- .../readme}/project/README.md | 0 .../readme}/project/project-away.md | 2 - .../readme}/project/project-keep.md | 0 .../readme}/project/project-rename.md | 0 .../readme}/project/project-reorder.md | 0 .../readme}/search.md | 6 +- .../readme}/sort-by.md | 2 +- .../readme}/strcat.md | 1 - .../readme}/summarize/README.md | 3 +- .../readme}/summarize/arg_max.md | 3 +- .../readme}/summarize/count-countif.md | 0 .../readme}/summarize/dcount-dcountif.md | 0 .../readme}/summarize/take_any.md | 0 .../readme}/take.md | 3 +- .../readme}/where.md | 1 - readme-1/README.md | 57 ------------------- 23 files changed, 32 insertions(+), 98 deletions(-) rename {examples => microsoft-endpoint-manager}/device-inventory/README.md (100%) rename {examples => microsoft-endpoint-manager}/device-inventory/device-os-version.md (100%) rename {examples => microsoft-endpoint-manager}/device-inventory/same-aad-device-id-and-intune-device-id.md (99%) create mode 100644 mmsmoa2022-kql-examples/readme/README.md rename {readme-1 => mmsmoa2022-kql-examples/readme}/distinct.md (94%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/extend.md (98%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/project/README.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/project/project-away.md (99%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/project/project-keep.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/project/project-rename.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/project/project-reorder.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/search.md (87%) rename {readme-1 
=> mmsmoa2022-kql-examples/readme}/sort-by.md (83%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/strcat.md (99%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/summarize/README.md (97%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/summarize/arg_max.md (96%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/summarize/count-countif.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/summarize/dcount-dcountif.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/summarize/take_any.md (100%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/take.md (97%) rename {readme-1 => mmsmoa2022-kql-examples/readme}/where.md (99%) delete mode 100644 readme-1/README.md diff --git a/SUMMARY.md b/SUMMARY.md index 19ecdbf..ef4affe 100644 --- a/SUMMARY.md +++ b/SUMMARY.md 
@@ -1,24 +1,24 @@ # Table of contents * [Overview](README.md) -* [Zero to Hero](readme-1/README.md) - * [search](readme-1/search.md) - * [take](readme-1/take.md) - * [where](readme-1/where.md) - * [summarize](readme-1/summarize/README.md) - * [arg\_max](readme-1/summarize/arg\_max.md) - * [count, countif](readme-1/summarize/count-countif.md) - * [dcount, dcountif](readme-1/summarize/dcount-dcountif.md) - * [take\_any](readme-1/summarize/take\_any.md) - * [distinct](readme-1/distinct.md) - * [project](readme-1/project/README.md) - * [project-reorder](readme-1/project/project-reorder.md) - * [project-away](readme-1/project/project-away.md) - * [project-rename](readme-1/project/project-rename.md) - * [project-keep](readme-1/project/project-keep.md) - * [sort by](readme-1/sort-by.md) - * [extend](readme-1/extend.md) - * [strcat](readme-1/strcat.md) +* [Zero to Hero](mmsmoa2022-kql-examples/readme/README.md) + * [search](mmsmoa2022-kql-examples/readme/search.md) + * [take](mmsmoa2022-kql-examples/readme/take.md) + * [where](mmsmoa2022-kql-examples/readme/where.md) + * [summarize](mmsmoa2022-kql-examples/readme/summarize/README.md) + * [arg\_max](mmsmoa2022-kql-examples/readme/summarize/arg\_max.md) + * [count, countif](mmsmoa2022-kql-examples/readme/summarize/count-countif.md) + * [dcount, dcountif](mmsmoa2022-kql-examples/readme/summarize/dcount-dcountif.md) + * [take\_any](mmsmoa2022-kql-examples/readme/summarize/take\_any.md) + * [distinct](mmsmoa2022-kql-examples/readme/distinct.md) + * [project](mmsmoa2022-kql-examples/readme/project/README.md) + * [project-reorder](mmsmoa2022-kql-examples/readme/project/project-reorder.md) + * [project-away](mmsmoa2022-kql-examples/readme/project/project-away.md) + * [project-rename](mmsmoa2022-kql-examples/readme/project/project-rename.md) + * [project-keep](mmsmoa2022-kql-examples/readme/project/project-keep.md) + * [sort by](mmsmoa2022-kql-examples/readme/sort-by.md) + * [extend](mmsmoa2022-kql-examples/readme/extend.md) + * 
[strcat](mmsmoa2022-kql-examples/readme/strcat.md) * [Hero to Expert](hero-to-expert/README.md) * [let](hero-to-expert/let.md) * [join](hero-to-expert/join.md) @@ -36,6 +36,6 @@ ## 💻 Examples -* [Device Inventory](examples/device-inventory/README.md) - * [Device OS version](examples/device-inventory/device-os-version.md) - * [Same AAD Device ID and Intune Device ID](examples/device-inventory/same-aad-device-id-and-intune-device-id.md) +* [Device Inventory](microsoft-endpoint-manager/device-inventory/README.md) + * [Device OS version](microsoft-endpoint-manager/device-inventory/device-os-version.md) + * [Same AAD Device ID and Intune Device ID](microsoft-endpoint-manager/device-inventory/same-aad-device-id-and-intune-device-id.md) diff --git a/examples/device-inventory/README.md b/microsoft-endpoint-manager/device-inventory/README.md similarity index 100% rename from examples/device-inventory/README.md rename to microsoft-endpoint-manager/device-inventory/README.md diff --git a/examples/device-inventory/device-os-version.md b/microsoft-endpoint-manager/device-inventory/device-os-version.md similarity index 100% rename from examples/device-inventory/device-os-version.md rename to microsoft-endpoint-manager/device-inventory/device-os-version.md diff --git a/examples/device-inventory/same-aad-device-id-and-intune-device-id.md b/microsoft-endpoint-manager/device-inventory/same-aad-device-id-and-intune-device-id.md similarity index 99% rename from examples/device-inventory/same-aad-device-id-and-intune-device-id.md rename to microsoft-endpoint-manager/device-inventory/same-aad-device-id-and-intune-device-id.md index 65c6b24..9275a67 100644 --- a/examples/device-inventory/same-aad-device-id-and-intune-device-id.md +++ b/microsoft-endpoint-manager/device-inventory/same-aad-device-id-and-intune-device-id.md 
@@ -50,8 +50,6 @@ IntuneDevices ### Get a full list of devices that has multiple AAD Device ID or Intune Device ID - - ``` let deviceData = IntuneDevices | where TimeGenerated > ago(180d) //Gets all data generated in 180 days @@ -66,4 +64,3 @@ deviceData | where SerialNumber in (issueDevices) | sort by SerialNumber, EndTime ``` - diff --git a/mmsmoa2022-kql-examples/readme/README.md b/mmsmoa2022-kql-examples/readme/README.md new file mode 100644 index 0000000..6280d55 --- /dev/null +++ b/mmsmoa2022-kql-examples/readme/README.md @@ -0,0 +1,2 @@ +# Zero to Hero + diff --git a/readme-1/distinct.md b/mmsmoa2022-kql-examples/readme/distinct.md similarity index 94% rename from readme-1/distinct.md rename to mmsmoa2022-kql-examples/readme/distinct.md index 6a5cf2e..92af1c8 100644 --- a/readme-1/distinct.md +++ b/mmsmoa2022-kql-examples/readme/distinct.md @@ -1,6 +1,6 @@ # distinct -I often use distinct to look for the value that I want to use later as filters or parameters in workbooks. For example, I see IntuneDevices table has a column called ManageBy, but I have no ideas what data we have in this column. +I often use distinct to look for the value that I want to use later as filters or parameters in workbooks. For example, I see IntuneDevices table has a column called ManageBy, but I have no ideas what data we have in this column. ``` IntuneDevices @@ -20,4 +20,3 @@ IntuneDevices and ManagedBy == 'Co-managed' //filter device are Co-managed | summarize arg_max(TimeGenerated, *) by SerialNumber ``` - diff --git a/readme-1/extend.md b/mmsmoa2022-kql-examples/readme/extend.md similarity index 98% rename from readme-1/extend.md rename to mmsmoa2022-kql-examples/readme/extend.md index e194c53..b8a1cda 100644 --- a/readme-1/extend.md +++ b/mmsmoa2022-kql-examples/readme/extend.md 
@@ -1,6 +1,6 @@ # extend -**extend** allow us to build calculated columns of our query results and append them to the result set. You can also extend custom text as well +**extend** allow us to build calculated columns of our query results and append them to the result set. You can also extend custom text as well ### 📲 Example: calculate Intune device free storage percentage, and convert storage from MB to GB diff --git a/readme-1/project/README.md b/mmsmoa2022-kql-examples/readme/project/README.md similarity index 100% rename from readme-1/project/README.md rename to mmsmoa2022-kql-examples/readme/project/README.md diff --git a/readme-1/project/project-away.md b/mmsmoa2022-kql-examples/readme/project/project-away.md similarity index 99% rename from readme-1/project/project-away.md rename to mmsmoa2022-kql-examples/readme/project/project-away.md index 28842c4..80765b6 100644 --- a/readme-1/project/project-away.md +++ b/mmsmoa2022-kql-examples/readme/project/project-away.md @@ -1,7 +1,5 @@ # project-away - - ``` IntuneDevices | summarize arg_max(TimeGenerated, *) by SerialNumber diff --git a/readme-1/project/project-keep.md b/mmsmoa2022-kql-examples/readme/project/project-keep.md similarity index 100% rename from readme-1/project/project-keep.md rename to mmsmoa2022-kql-examples/readme/project/project-keep.md diff --git a/readme-1/project/project-rename.md b/mmsmoa2022-kql-examples/readme/project/project-rename.md similarity index 100% rename from readme-1/project/project-rename.md rename to mmsmoa2022-kql-examples/readme/project/project-rename.md diff --git a/readme-1/project/project-reorder.md b/mmsmoa2022-kql-examples/readme/project/project-reorder.md similarity index 100% rename from readme-1/project/project-reorder.md rename to mmsmoa2022-kql-examples/readme/project/project-reorder.md 
diff --git a/readme-1/search.md b/mmsmoa2022-kql-examples/readme/search.md similarity index 87% rename from readme-1/search.md rename to mmsmoa2022-kql-examples/readme/search.md index 0ce6e32..f3d720d 100644 --- a/readme-1/search.md +++ b/mmsmoa2022-kql-examples/readme/search.md @@ -1,18 +1,18 @@ # search -Use **search** when you know what are looking for, but don't know from where. +Use **search** when you know what are looking for, but don't know from where. For example, I know I have a device name that starts with **THINK**, I can't remember what exact name it is and I just want to see what data do I get {% hint style="info" %} -A faster way to filter the data that you are looking for is to **** use "**where".** +A faster way to filter the data that you are looking for is to \*\*\*\* use "**where".** {% endhint %} {% content-ref url="where.md" %} [where.md](where.md) {% endcontent-ref %} -### 🔍Search everything and not case sensitive +### 🔍Search everything and not case sensitive ``` search "*think*" diff --git a/readme-1/sort-by.md b/mmsmoa2022-kql-examples/readme/sort-by.md similarity index 83% rename from readme-1/sort-by.md rename to mmsmoa2022-kql-examples/readme/sort-by.md index a2c296f..9d11b64 100644 --- a/readme-1/sort-by.md +++ b/mmsmoa2022-kql-examples/readme/sort-by.md @@ -4,7 +4,7 @@ Sort the rows of the input table into order by one or more columns. Default is * ### 🦄 Example: Intune audit log for the past 7 days - Sort by TimeGenerated column in ascending order. +Sort by TimeGenerated column in ascending order. ``` IntuneAuditLogs diff --git a/readme-1/strcat.md b/mmsmoa2022-kql-examples/readme/strcat.md similarity index 99% rename from readme-1/strcat.md rename to mmsmoa2022-kql-examples/readme/strcat.md index 076ad39..a7e7c59 100644 --- a/readme-1/strcat.md +++ b/mmsmoa2022-kql-examples/readme/strcat.md 
@@ -3,7 +3,6 @@ ``` IntuneDevices | extend url = strcat('https://endpoint.microsoft.com/#blade/Microsoft_Intune_Devices/DeviceSettingsBlade/overview/mdmDeviceId/', DeviceId) - ``` ![](<../../.gitbook/assets/image (26).png>) diff --git a/readme-1/summarize/README.md b/mmsmoa2022-kql-examples/readme/summarize/README.md similarity index 97% rename from readme-1/summarize/README.md rename to mmsmoa2022-kql-examples/readme/summarize/README.md index 9e31512..f9179e5 100644 --- a/readme-1/summarize/README.md +++ b/mmsmoa2022-kql-examples/readme/summarize/README.md @@ -1,6 +1,6 @@ # summarize -**summarize** operator is complicated in my opinion. :smile: And often I still forgot how to use it and even got it all wrong. Because summarize is used with many aggregation funcions. Here is the full list +**summarize** operator is complicated in my opinion. :smile: And often I still forgot how to use it and even got it all wrong. Because summarize is used with many aggregation funcions. Here is the full list ### 📃[List of aggregation functions](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/summarizeoperator#list-of-aggregation-functions) @@ -41,4 +41,3 @@ | [take\_anyif()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/take-anyif-aggfunction) | Returns a random non-empty value for the group (with predicate) | | [variance()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/variance-aggfunction) | Returns the variance across the group | | [varianceif()](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/varianceif-aggfunction) | Returns the variance across the group (with predicate) | - diff --git a/readme-1/summarize/arg_max.md b/mmsmoa2022-kql-examples/readme/summarize/arg_max.md similarity index 96% rename from readme-1/summarize/arg_max.md rename to mmsmoa2022-kql-examples/readme/summarize/arg_max.md index b455162..708cc95 100644 --- a/readme-1/summarize/arg_max.md 
+++ b/mmsmoa2022-kql-examples/readme/summarize/arg_max.md @@ -3,7 +3,7 @@ Let's try useing the **IntuneDevices** table to count how many devices we have per Operating Systems {% hint style="danger" %} -This is an example of a wrong query. The bellow query is getting data that are generated for the past 7 days, returns a count of the records per summarization group by **OS** column. The problem with this query is IntuneDevices table gets all the devices' data once per day, which means there are duplicate rows. +This is an example of a wrong query. The bellow query is getting data that are generated for the past 7 days, returns a count of the records per summarization group by **OS** column. The problem with this query is IntuneDevices table gets all the devices' data once per day, which means there are duplicate rows. {% endhint %} ``` @@ -38,7 +38,6 @@ IntuneDevices and todatetime(LastContact) > ago(60d) //We need to convert LastContact to date time format | summarize arg_max(TimeGenerated, OS) by SerialNumber | summarize count() by OS - ``` ![](<../../../.gitbook/assets/image (23) (1) (1).png>) diff --git a/readme-1/summarize/count-countif.md b/mmsmoa2022-kql-examples/readme/summarize/count-countif.md similarity index 100% rename from readme-1/summarize/count-countif.md rename to mmsmoa2022-kql-examples/readme/summarize/count-countif.md diff --git a/readme-1/summarize/dcount-dcountif.md b/mmsmoa2022-kql-examples/readme/summarize/dcount-dcountif.md similarity index 100% rename from readme-1/summarize/dcount-dcountif.md rename to mmsmoa2022-kql-examples/readme/summarize/dcount-dcountif.md diff --git a/readme-1/summarize/take_any.md b/mmsmoa2022-kql-examples/readme/summarize/take_any.md similarity index 100% rename from readme-1/summarize/take_any.md rename to mmsmoa2022-kql-examples/readme/summarize/take_any.md 
diff --git a/readme-1/take.md b/mmsmoa2022-kql-examples/readme/take.md similarity index 97% rename from readme-1/take.md rename to mmsmoa2022-kql-examples/readme/take.md index 1230e00..c03fea1 100644 --- a/readme-1/take.md +++ b/mmsmoa2022-kql-examples/readme/take.md @@ -1,10 +1,9 @@ # take -In the previous chapter, we talked about **search**, it often returns lots of rows in the result. It's useful to use **take** to get some examples of the results but not all of them. There is no guarantee which rows it will return or if they are exact same. +In the previous chapter, we talked about **search**, it often returns lots of rows in the result. It's useful to use **take** to get some examples of the results but not all of them. There is no guarantee which rows it will return or if they are exact same. ``` IntuneDevices | search DeviceName matches regex "[A-Z]-" | take 10 ``` - diff --git a/readme-1/where.md b/mmsmoa2022-kql-examples/readme/where.md similarity index 99% rename from readme-1/where.md rename to mmsmoa2022-kql-examples/readme/where.md index 0c13a6c..956a635 100644 --- a/readme-1/where.md +++ b/mmsmoa2022-kql-examples/readme/where.md @@ -55,4 +55,3 @@ IntuneDevices IntuneDevices | search DeviceName matches regex "[A-Z]-" ``` - diff --git a/readme-1/README.md b/readme-1/README.md deleted file mode 100644 index 93e6739..0000000 --- a/readme-1/README.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Zero to Hero - -## Learning KQL - -In this chapter, we will show some examples that we use frequently to help you start using KQL - -If you don't have any data that you can use, you can log in to **KQL Playground** [https://aka.ms/LAdemo](https://aka.ms/LAdemo) and use that in your practics. - -Where and how did I start to learn this? Here is our list of where you can begin. - -#### Learning video - -* Pluralsight: [Kusto Query Language (KQL) from Scratch by Robert Cain](https://app.pluralsight.com/library/courses/kusto-query-language-kql-from-scratch/table-of-contents) - -#### Blogs - -* Blog: [MSEndpointMgr.com](https://msendpointmgr.com/tag/log-analytics/) -* Blog: [Become a KQL Ninja by Huy Kha](https://identityandsecuritydotcom.wordpress.com/2020/08/07/become-a-kql-ninja/) -* Blog: [Kusto King by Gianni Castaldi](https://www.kustoking.com/kusto-knight/) -* Blog: [Azure Cloud & AI Domain Blog](https://azurecloudai.blog) -* Blog: [Must Learn KQL by Rod Trent](https://aka.ms/MustLearnKQL) -* Blog: [CloudSMA by Billy York](https://www.cloudsma.com) - -#### Github - -* Github: [Microsoft 365 Defender - Resource Hub by Alex Verboon](https://github.com/alexverboon/MDATP/blob/master/README.md) -* Github: [awesome-kql-sentinel](https://github.com/reprise99/awesome-kql-sentinel) - -#### Microsoft Offical Doc - -* Microsoft Doc: [Log Analytics tutorial](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial) -* Microsoft Doc: [Log queries in Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-query-overview) - -#### Twitter - -* Twitter: [The #365daysofkql hashtag by Matt Zorick](https://twitter.com/hashtag/365daysofkql) - -#### Community event - -* [KQL Cafe](https://kqlcafe.github.io/website/) - -### Workbook - -Azure Monitor workbook provides rich visual reports in Azure Portal and gives you a real-time and interactive experience. 
In addition, workbooks can query data from multiple sources within Azure, and combine all these data from different sources into a single report. - -Here is my collection of where I begin to learn to create my first workbook - -* Blog: [Azure Sentinel Workbooks 101 by Scott Muniz](https://www.drware.com/azure-sentinel-workbooks-101-with-sample-workbook/) -* Video: [How to build Azure Workbooks using logs and parameters | Azure Portal Series](https://www.youtube.com/watch?v=EC7n1Oo6D-o) -* Blog: [Azure Automation Update Management Workbook by Billy York](https://www.cloudsma.com/2019/06/azure-automation-update-management-workbook/) -* Blog: [Using Azure Monitor Workbooks to document your Azure resources by Mathieu Buisson](https://mathieubuisson.github.io/azure-workbooks-inventory-resources/) -* Microsoft Doc: [Azure Monitor Workbooks](https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview) -* Blog: [MSEndpointMgr.com](https://msendpointmgr.com/tag/log-analytics/) - -## License - -This software is created by [MSEndpointMgr](https://msendpointmgr.com) and it is distributed under the [MIT License](../../LICENSE/).
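Review bot: the commit message "GitBook: [#14] No subject" does not describe the change. The diffstat shows 23 files touched: the Zero to Hero chapter moved from readme-1/ to mmsmoa2022-kql-examples/readme/, the device-inventory examples moved from examples/ to microsoft-endpoint-manager/, and readme-1/README.md deleted outright. Suggest a subject such as "Move Zero to Hero chapter under mmsmoa2022-kql-examples and device-inventory examples under microsoft-endpoint-manager", with a body stating whether dropping the readme-1/README.md content was intended.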
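Review bot: the new mmsmoa2022-kql-examples/readme/README.md (hunk @@ -0,0 +1,2 @@) contains only the heading "# Zero to Hero", while the deleted readme-1/README.md (hunk @@ -1,57 +0,0 @@) carried the whole "Learning KQL" section (the KQL Playground link and the learning video, blog, GitHub, Microsoft doc, Twitter and community-event lists), the "Workbook" section and the "License" section. As written, the move silently drops that content together with the chapter's only reference to the MIT License. If a pure move was intended, paste the 57 deleted lines into the new README.md; if the drop is deliberate, say so in the commit message.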
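Review bot: in the SUMMARY.md hunk @@ -1,24 +1,24 @@ the "Zero to Hero" chapter now resolves to mmsmoa2022-kql-examples/readme/README.md while its sibling "Hero to Expert" stays at hero-to-expert/README.md, so the two chapters sit at different depths and the new directory is named readme, which says nothing about its content. Consider a directory that matches the chapter title, e.g. mmsmoa2022-kql-examples/zero-to-hero/, or move hero-to-expert/ under the same parent so the layout is consistent.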
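Review bot: in the distinct.md hunk @@ -1,6 +1,6 @@ the rewritten line says the IntuneDevices table "has a column called ManageBy", but the query in the same file filters on `ManagedBy == 'Co-managed'`. Since the only visible change to the line is trailing whitespace, fix the column name to ManagedBy while it is being touched, and change "I have no ideas" to "I have no idea".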
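Review bot: in the search.md hunk @@ -1,18 +1,18 @@ the hint line becomes `is to \*\*\*\* use "**where".**`, which renders four literal asterisks; the empty bold marker should be removed rather than escaped, e.g. `A faster way to filter the data that you are looking for is to use **where**.` The first rewritten line in the same hunk is also missing a word: "when you know what are looking for" should read "when you know what you are looking for".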
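Review bot: in the extend.md hunk @@ -1,6 +1,6 @@ the rewritten line only strips trailing whitespace and keeps the grammar error; while it is being changed, make it "**extend** allows us to build calculated columns of our query results and append them to the result set. You can also extend custom text." (one of the redundant "also ... as well" goes).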
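Review bot: in the summarize/README.md hunk @@ -1,6 +1,6 @@ the rewritten intro line still reads "aggregation funcions" and "I still forgot how to use it"; since the line is being changed anyway, fix to "aggregation functions" and "I still forget how to use it".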
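Review bot: in the arg_max.md hunk @@ -3,7 +3,7 @@ the rewritten hint keeps "The bellow query"; fix to "The below query". The unchanged context line just above it has "Let's try useing the **IntuneDevices** table", which should be "using" and is worth fixing in the same file.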
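Review bot: in the take.md hunk @@ -1,10 +1,9 @@ the rewritten line keeps "or if they are exact same" (should be "the exact same") and the comma splice "we talked about **search**, it often returns lots of rows"; split it into two sentences while the line is being changed.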