Using Let Statements

Learn how to properly use let to assign queries, dynamic content, and more to variables

Let Statement

The let statement declares a variable that holds the result of an expression or a function. Because the variable can be reused throughout the rest of the query, let lets you break a complex expression into smaller, readable parts. Security administrators use it to create a temporary variable within a query that stores the output of an expression, whether that is a scalar value such as a threshold, a dynamic array, or an entire query.

let VariableName = Expression;

  • let: The keyword indicating the start of the let statement.

  • VariableName: Name of the variable being defined.

  • Expression: The expression whose value is assigned to the variable. Each let statement ends with a semicolon.

Examples

Defining a Threshold

The query below sets a threshold value of 1000. It then selects the rows of the Perf table where CounterValue is greater than this threshold and returns the result sorted in ascending order.

let threshold = 1000;
Perf
| where CounterValue > threshold
| order by CounterValue asc

Declaring Multiple Variables

Here, two variables are declared: a time offset of 7 days and an event ID to discard. The query then filters the SecurityEvent table using both, returning the security events of the past 14 days (ago(timeOffset * 2)) while excluding event ID 4688.

let timeOffset = 7d;
let discardEventID = 4688;
SecurityEvent
| where TimeGenerated > ago(timeOffset * 2) and EventID != discardEventID

Declaring a Variable With Dynamic Values

This example query creates a dynamic array called eventIDs containing the event IDs 4624 and 4625. It then filters the SecurityEvent table to include only the rows whose EventID matches one of the values in the eventIDs array and sorts the output by TimeGenerated.

let eventIDs = dynamic([4624, 4625]);
SecurityEvent
| where EventID in (eventIDs)
| sort by TimeGenerated
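The subtitle mentions assigning whole queries to variables; the added example below (not part of the original page) does that, binding two tabular expressions with let and joining them to surface accounts with many failed logons (event ID 4625) followed by a successful logon (event ID 4624) on the same host. It assumes the standard SecurityEvent columns Account and Computer; the one-day lookback and the threshold of 10 failures are constructed values.

```kql
// Added example: let can hold scalars and entire tabular expressions.
// Assumes the SecurityEvent table with TimeGenerated, EventID, Account, Computer.
let lookback = 1d;                 // constructed value
let failureThreshold = 10;         // constructed value
// Accounts with at least failureThreshold failed logons per computer.
let failedLogons = SecurityEvent
    | where TimeGenerated > ago(lookback) and EventID == 4625
    | summarize Failures = count(), FirstFailure = min(TimeGenerated) by Account, Computer
    | where Failures >= failureThreshold;
// Successful logons in the same window.
let successfulLogons = SecurityEvent
    | where TimeGenerated > ago(lookback) and EventID == 4624
    | project Account, Computer, SuccessTime = TimeGenerated;
// Keep only successes that occurred after the first failure for that account/host.
failedLogons
| join kind=inner successfulLogons on Account, Computer
| where SuccessTime > FirstFailure
| project Account, Computer, Failures, FirstFailure, SuccessTime
| order by Failures desc
```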
