This week I released a cheat sheet for the Kusto Query Language (KQL), which you can find on my GitHub page: kql_cheat_sheet.pdf. When I started with KQL to analyse security events, the primary resources for me to get started were the official KQL documentation from Microsoft and the Pluralsight course from Robert Cain. Something was missing: a cheat sheet. So, I created one. I hope this cheat sheet will help others in using KQL. If you have additions or remarks, please contact me.

WHAT IS KQL AND WHERE IS IT USED?

KQL is an open source language created by Microsoft to query big data sets stored in the Azure cloud. These queries can also be used in alerting rules. Some examples of services/products hosted in Azure that make use of KQL are:

  • Azure Data Explorer
  • Log Analytics
  • Sentinel (this is Microsoft’s cloud SIEM solution that makes use of a Log Analytics workspace as its backend)
  • Microsoft Defender ATP
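As an added illustration (not taken from the cheat sheet) of how a KQL query over security events doubles as the body of an alerting rule, the query below counts failed Windows logons per account and source address in 10-minute windows and keeps only bursts above a threshold. It assumes the Log Analytics `SecurityEvent` table with its `EventID`, `TargetAccount` and `IpAddress` columns; the threshold is a constructed tuning value.

```kql
// Constructed example, not from the cheat sheet or Microsoft's documentation.
// Failed Windows logons (EventID 4625) grouped per account, source IP and
// 10-minute bin; only groups above the threshold survive, so the same query
// can be scheduled as a Sentinel analytics rule.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625                       // failed logon attempt
| summarize FailedCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
          by TargetAccount, IpAddress, bin(TimeGenerated, 10m)
| where FailedCount >= 20                     // constructed threshold; tune per environment
| order by FailedCount desc
```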


About admin

Matthijs is a director at PwC's Forensic Technology Solutions. His specialisms are threat intelligence and incident response. In addition, he raises cybersecurity awareness at companies by deploying the Game of Threats, which PwC has...

More about admin
