A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?
Trap 1: ..
Filters large sends but does not aggregate per IP, so it does not identify the top source IPs by total bytes.
Trap 2: ..
Counts events per IP, not sum of bytes.
Trap 3: ..
Only sorts individual rows, not aggregated totals per IP.
- A
... | where SentBytes > 1000000 | project SourceIP, SentBytes
Why wrong: Filters large sends but does not aggregate per IP, so it does not identify the top source IPs by total bytes.
- B
... | extend TotalBytes=SentBytes | summarize count() by SourceIP
Why wrong: Counts events per IP, not sum of bytes.
- C
... | project SourceIP, SentBytes | sort by SentBytes desc
Why wrong: Only sorts individual rows, not aggregated totals per IP.
- D
... | summarize TotalBytes=sum(SentBytes) by SourceIP | top 10 by TotalBytes desc
Correctly uses summarize with sum and top to find top source IPs by total sent bytes.