Update data in Kusto (via KQL queries) - KC7-Foundation/kc7 GitHub Wiki

// Dry run of the Employees rename: with(whatif=true) reports the records
// that would be deleted and appended without modifying the table. Check
// that only the intended rows match before running it without whatif.
.update table Employees delete OldRows append NewRows with(whatif=true) <|
let OldRows = Employees
    | where name == "Jessica Primm";
let NewRows = OldRows
    | extend name = "Jessica Rabbit";

// Update name in Employees (actually make the change).
// Same predicates as the whatif preview, but without whatif the matching
// rows are deleted and the rewritten copies are appended.
.update table Employees delete OldRows append NewRows <|
let OldRows = Employees
    | where name == "Jessica Primm";
let NewRows = OldRows
    | extend name = "Jessica Rabbit";


// Dry run of the Email recipient replacement: whatif=true previews the
// delete/append without modifying the table.
// NOTE(review): both "[email protected]" literals look like the wiki's
// e-mail obfuscation placeholder rather than real values; as rendered, the
// filter and the replacement are identical. Substitute the actual old and
// new addresses before running.
.update table Email delete D append A with(whatif=true) <|
let D = Email
| where recipient == "[email protected]";
let A = D
| extend recipient = "[email protected]";

// Replace recipient: deletes every Email row whose recipient matches and
// appends copies with the new recipient. No whatif here, so the table is
// modified.
// NOTE(review): the "[email protected]" literals appear to be the wiki's
// e-mail obfuscation placeholder; the real old and new addresses are not
// visible on this page.
.update table Email delete D append A  <|
let D = Email
| where recipient == "[email protected]";
let A = D
| extend recipient = "[email protected]";

// Replace sender: deletes every Email row whose sender matches and appends
// copies with both sender and reply_to overwritten.
// NOTE(review): the "[email protected]" literals appear to be the wiki's
// e-mail obfuscation placeholder; the real addresses are not visible on this
// page. No whatif preview is shown for this change; run one first to confirm
// the match set.
.update table Email delete D append A  <|
let D = Email
| where sender == "[email protected]";
let A = D
| extend sender = "[email protected]"
| extend  reply_to = "[email protected]";

// Update timestamp in PassiveDns: selects one row for the given domain/ip
// pair and re-appends it with its timestamp moved 10 minutes earlier.
// NOTE(review): `limit 1` returns an arbitrary matching row, so which record
// is rewritten is not guaranteed if several match. Confirm that .update
// accepts this non-deterministic delete predicate, and prefer a filter that
// identifies the row uniquely (checked with whatif=true first).
.update table PassiveDns delete D append A  <|
let D = PassiveDns
| where domain == "greenprojectnews.net"
| where ip == "239.72.6.37"
| limit 1;
let A = D
| extend timestamp = datetime_add('minute', -10, timestamp);


// Correct a hash in FileCreationEvents: the value being matched is only
// 32 hex characters (MD5 length) although it sits in the sha256 column;
// matching rows are re-appended with a 64-hex-character value instead.
// No whatif is set, so this modifies the table.
.update table FileCreationEvents delete OldRows append NewRows  <|
let OldRows = FileCreationEvents
    | where sha256 == "5d41402abc4b2a76b9719d911017c593";
let NewRows = OldRows
    | extend sha256 = "c470e4672f9632c01ee5b3c57e031d6fe0ece1815b49ab6690ba65bcd2153bef";