This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you’d like the 90-second post-commercial recap that seems to be a standard part of every TV show these days…
The full series index (including code and queries) is located here:
The book version (pdf) of this series is located here:
The book will be updated when each new part in this series is released.
After hearing that our customers’ largest barrier to using things like Defender, Microsoft Sentinel and even reporting for Intune is KQL, the query language, that was a wake-up call for me. And, of course, (if you know me) I want to do something about it. KQL is a beautifully simple query language to learn. And, believe me – if I can learn it, there’s no question that you can learn it. I feel bad that there’s just not enough knowledge around it because I’ve taken for granted that everyone already had the proper resources to become proficient. But, that’s not the case.
Internally, plans are being developed now to make KQL learning a bigger focus and you’ll see new education around this query language start to take shape in various areas on the Microsoft properties and elsewhere. So, that’s good news for everyone.
There are bits and pieces already scattered about the Internet, but they are now seemingly difficult to identify and locate.
So, as a first step in a series that I’ll be writing called “Must Learn KQL“, I want to supply some good resources that can be used to accomplish the other things I’ll talk about going forward. Some of these I use every day. Some I use only when the need arises, but they’re valuable nonetheless. This is a working document, so expect updates over time. This is not a definitive list by any means, so if you have other resources not listed here that you find valuable and believe others would benefit, let me know and I’ll add them in.
Stay tuned as I map out this series. Of course, since security is my forte at Microsoft, the series will be security focused. So, the knowledge you gain will help you with our security platforms but also with anything data centric that utilizes KQL.
One last tidbit of a tip… I use Microsoft Edge’s Collections feature quite a bit. This is an extremely useful tool for capturing and grouping topics. If you find any of the links below valuable, I suggest using Edge Collections so you can always come back to them later.
KQL Playground – only need a valid Microsoft account to access.
Data Explorer – not security focused. Contains things like geographical data and weather patterns. Exercises for this can be found in the Learn Azure Sentinel book below.
Learn Azure Sentinel: Integrate Azure security with artificial intelligence to build secure cloud systems – this book uses Data Explorer (see above) for hands-on exercises.
Microsoft Sentinel in Action: Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions – this book is the next edition of the one just above and also uses Data Explorer for hands-on examples.
Kusto.Explorer – a rich desktop application that enables you to explore your data using the Kusto Query Language in an easy-to-use user interface.
Kusto CLI – a command-line utility that is used to send requests to Kusto, and display the results.
Real-Time KQL – eliminates the need to ingest data before querying by processing event streams with KQL queries as events arrive, in real time.
getschema operator – As I noted in Part 5 of this series: this is the Rosetta stone of KQL operators. When used, getschema displays the Column Name, Column Ordinal, Data Type, and Column Type for a table. This is important information for filtering data. Part 5 talks about this.
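As an added illustration (not a query from the original post), here is how getschema is typically used in practice: first to see the shape of a table, then to filter its own output so you only look at the columns that matter for building a detection. The table name SecurityEvent is assumed here as a common Microsoft Sentinel table; substitute any table in your workspace.

```kql
// Added example, not from the original post. SecurityEvent is an assumed table name.
// Step 1: list every column with its ordinal, data type and column type.
SecurityEvent
| getschema

// Step 2: getschema returns a normal tabular result, so it can be filtered.
// Find the dynamic (JSON-like) columns, which need parse_json()/bag accessors
// before their fields can be used in a where clause.
SecurityEvent
| getschema
| where ColumnType == "dynamic"
| project ColumnName, ColumnType

// Step 3: locate candidate columns by name when a table is unfamiliar,
// e.g. anything account-related to use in a later filter.
SecurityEvent
| getschema
| where ColumnName has "Account"
| project ColumnOrdinal, ColumnName, ColumnType
| order by ColumnOrdinal asc
```

Each block is a separate query; run them one at a time. The point is that knowing a column's type before filtering avoids the classic mistakes of comparing a dynamic column as a string or doing a text match on a datetime column.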
Blogs, Websites, and Social
#MustLearnKQL – the official Twitter hashtag of this series
The KQL Cafe – podcast and community
GitHub Query Examples