
KQL Fundamentals – Count

Level: Beginner | Reading time: 5 minutes

Let’s continue our series on KQL with a focus on Cyber Security. Let’s talk today about how to use the Count operator. Other posts can be seen in our KQL category.

The Count operator is used to return a count of summarized or total records. In practice, it returns the number of rows in the result of the query it is appended to.

As a use case example, let’s look at the Perf table. Querying it shows us the list of rows below.

Now, I want to count the results returned using the count operator.

Let’s check an example with the SecurityEvent table for security events.

We can create a more specific filter like the one below: I’m searching the SecurityEvent table for events that occurred more than 1h ago, filtering the Computer column by a specific server (one whose name contains Windows2019) and the EventSourceName column for values that contain AppLocker.

To count how many of these events occurred, let’s use the count operator.
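The queries described above, written out as an added example rather than the post’s own screenshots, plus one step beyond the post: the same filter counted per computer with summarize count(). It assumes a Log Analytics or Microsoft Sentinel workspace that contains the Perf and SecurityEvent tables, and it reads “more than 1h ago” as TimeGenerated > ago(1h), which is an assumption.

```kql
// Added example, not the original post's own queries.
// Assumes a Log Analytics / Sentinel workspace with the Perf and SecurityEvent tables.

// 1. Total number of rows in the Perf table.
//    count returns a single row with one column named Count.
Perf
| count

// 2. The SecurityEvent filter from the post, then counted.
//    Assumption: "more than 1h ago" is implemented as TimeGenerated > ago(1h),
//    i.e. events from the last hour; change the comparison if you need older events.
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer contains "Windows2019"
| where EventSourceName contains "AppLocker"
| count

// 3. One step beyond the post: the same filter, counted per computer with
//    summarize count(). Useful when one server dominates the total and you
//    want to see where the AppLocker events are actually coming from.
SecurityEvent
| where TimeGenerated > ago(1h)
| where Computer contains "Windows2019"
| where EventSourceName contains "AppLocker"
| summarize EventCount = count() by Computer
| order by EventCount desc
```

Run each query separately in the Logs blade. The first two return one row with a Count column; the third returns one row per matching computer, so the sum of EventCount across its rows equals the Count from query 2.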

Simple and easy! One more operator for you to use on a daily basis.

Thank you!

Tiago Souza

Security Technical Specialist
Cyber Security Technical Specialist at Microsoft | Cloud Security & Threat Protection | Blog content creator at CyberGeeks.Cloud - https://linktr.ee/tiagovf