Must Learn KQL Part 1: Tools and Resources

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you’d like the 90-second post-commercial recap that seems to be a standard part of every TV show these days…

The full series index (including code and queries) is located here:

The book version (pdf) of this series is located here:

The book will be updated when each new part in this series is released.

After hearing that our customers’ largest barrier to using things like Defender, Microsoft Sentinel and even reporting for Intune is KQL, the query language, that was a wake-up call for me. And, of course, (if you know me) I want to do something about it. KQL is a beautifully simple query language to learn. And, believe me – if I can learn it, there’s no question that you can learn it. I feel bad that there’s just not enough knowledge around it because I’ve taken for granted that everyone already had the proper resources to become proficient. But, that’s not the case.

Internally, plans are being developed now to make KQL learning a bigger focus and you’ll see new education around this query language start to take shape in various areas on the Microsoft properties and elsewhere. So, that’s good news for everyone.

There’s bits and pieces already scattered about the Internet, but they are seemingly now difficult to identify and locate.

So, as a first step in a series that I’ll be writing called “Must Learn KQL“, I want to supply some good resources that can be used to accomplish the other things I’ll talk about going forward. Some of these I use everyday. Some I use only when the need arises, but they’re valuable nonetheless. This is a working document, so expect updates over time. This is not a definitive list by any means, so if you have other resources not listed here that you find valuable and believe others would benefit, let me know and I’ll add them in.

Stay tuned as I map out this series. Of course, since my area of forte at Microsoft is security, the series will be security focused. So, the knowledge you gain will help you with our security platforms but also anything data centric that utilizes KQL.

One last tidbit of a tip… I use Microsoft Edge’s Collections feature quite a bit. This is an extremely useful tool for capturing and grouping topics. If you find any of the links below valuable, I suggest using Edge Collections so you can always come back to them later.


The code repository for this series (GitHub)

Kusto Query Language Reference Guide

Azure Monitor Logs table reference

Marcus Bakker’s Kusto Query Language (KQL) – cheat sheet

SQL to Kusto cheat sheet

Splunk to Kusto Query Language map

Kusto Query Language in Microsoft Sentinel

Useful resources for working with Kusto Query Language in Microsoft Sentinel

Practice Environments

Write your first query with Kusto Query Language (Learn module)

KQL Playground – only need a valid Microsoft account to access.

Data Explorer – not security focused. Contains things like geographical data and weather patterns. Exercises for this can be found in the Learn Azure Sentinel book below.

Actual Books

Learn Azure Sentinel: Integrate Azure security with artificial intelligence to build secure cloud systems – this book uses Data Explorer (see above) for hands-on exercises.

Microsoft Sentinel in Action: Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions – this book is the next edition of the one just above and also used Data Explorer for hands-on examples.


Kusto.Explorer – a rich desktop application that enables you to explore your data using the Kusto Query Language in an easy-to-use user interface.

Kusto CLI – a command-line utility that is used to send requests to Kusto, and display the results.

Visual Studio Code with the Kusto extensions pack

Real-Time KQL – eliminates the need to ingest data first before querying by processing event streams with KQL queries as events arrive, in real-time

getschema operator – As I noted in Part 5 of this series: this is the Rosetta stone of KQL operators. When used, getschema displays the Column Name, Column Ordinal, Data Type, and Column Type for a table. This is important information for filtering data. Part 5 talks about this.

Blogs, Websites, and Social

#MustLearnKQL – the official Twitter hashtag of this series

The #KQL hashtag on Twitter

The #365daysofkql hashtag on Twitter

Kusto King

The KQL Cafe = podcast and community


TeachJing’s KQL Tutorial Series

Recon your Azure resources with Kusto Query Language (KQL)

How to start with KQL?

Azure Sentinel webinar: KQL part 1 of 3 – Learn the KQL you need for Azure Sentinel

Azure Sentinel webinar: KQL part 2 of 3 – KQL hands-on lab exercises

Azure Sentinel webinar: KQL part 3 of 3 – Optimizing Azure Sentinel KQL queries performance

Querying Azure Log Analytics (with KQL)

GitHub Query Examples

My GitHub repo for Microsoft Sentinel KQL

The official Microsoft Sentinel repo

Wortell’s KQL queries

Clive Watson’s KQL queries and workbooks

Matt Zorich’s (the originator of the #365daysofkql Twitter hashtag) KQL queries


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Bi-Weekly Defender for Cloud Newsletter]