How to Get the KQL Query Created by the New 365 Defender Query Builder

Hopefully, you didn’t miss the latest news that the new KQL Query Builder for 365 Defender is in public preview. If you did miss it, check out: Hunt in Microsoft 365 Defender without KQL!

KQL Query Builder

This is exciting news and something that customers have asked for to match similar functionality of competitive products. Still based on KQL, this feature allows anyone to choose the search criteria and then have the feature build and execute the KQL in the background.

Does this mean you shouldn’t learn KQL? Nope. KQL is still just as necessary a skill as learning and knowing PowerShell. It’s awesome that we’ve taken steps to make it easier and less resource demanding, but knowledge of the Kusto Query Language is crucial.

Haven’t started learning KQL yet? We have plenty of resources to get started, but thousands of folks have found great success starting with the Must Learn KQL series: https://aka.ms/MustLearnKQL

But good news! Even when using the new KQL Query Builder you can still get at the KQL query that is powering the search results. So, the new Query Builder also becomes a KQL learning tool! Here’s how to get the query.

As shown in the following image, after building the query in the Advanced Hunting blade in the 365 Defender console, choose the Edit in KQL button at the far right of the interface and switch-o, change-o the query is revealed.

Get the KQL query

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]

Author