I'm trying to figure out how to write a KQL query that pulls data from both Microsoft Purview and Defender between two specific dates. It seems straightforward, like using `where timestamp {TimeRange:start} AND {TimeRange:end}`, but it doesn't quite work that way. Any suggestions on how to correctly format this query?
4 Answers
It looks like you had a common misunderstanding with the syntax! Instead of using `where timestamp {TimeRange:start} AND {TimeRange:end}`, you should compare the timestamp like this: `where timestamp > {TimeRange:start} AND timestamp < {TimeRange:end}`. That should work better for getting the results you need.
Honestly, this seems pretty simple once you get the hang of it. Don't overthink it!
What suggestions did copilot give you for this query?
If you're using Purview, the GUI can help a lot by converting your input into KQL. It’s a great way to learn the correct syntax while you’re figuring things out.
It recommended some irrelevant fields like `kind:sharepoint`, which was frustrating because that's not even applicable in Purview KQL.