Hands-on Introduction to Microsoft KQL
Getting started with KQL Queries
Kusto Query Language (KQL) was developed by Microsoft and is used primarily within the Microsoft ecosystem (Azure Data Explorer, Azure Monitor Log Analytics, Microsoft Sentinel, Microsoft Defender XDR advanced hunting), though not exclusively. It is a read-only request language designed to analyse large volumes of data efficiently. A query operates on schema entities organised in a hierarchy similar to SQL's: databases, tables and columns.
Kusto Query Language (KQL) Syntax

Basic KQL query examples that can be used on any KQL-supported platform.
The KQL queries below were run in Microsoft Sentinel > Logs in the Azure portal.
1. Simple Query - Retrieve all records from a Table
Explanation: This returns every row of the specified table (CloudAppEvents). In the Sentinel Logs blade the result is still bounded by the time range selected in the portal unless the query filters on TimeGenerated itself.
2. Querying a Table with the order by and sort Operators

Explanation: This query sorts the rows of the SecurityEvent table by the TimeGenerated column in descending order and limits the output to 10 rows. The result is therefore the 10 most recent security events in the table. The sort has to come before the row limit: limiting first would pick 10 arbitrary rows and then sort only those.

Explanation: In the Syslog table (logs from Unix-like hosts), the query orders issues per host by severity. Results are sorted first by HostName in ascending order, then by SeverityLevel in ascending order and finally by TimeGenerated in descending order, so within each host and severity level the most recent entry appears first.
Both sort and order by arrange the results of a query in a specified order. They are interchangeable and have the same syntax and functionality. If no direction is given for a column, KQL sorts it in descending order, so state asc explicitly where ascending order is intended.
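The queries that the three explanations above describe, written out as an added example (not the article's own query screenshots). Table and column names (CloudAppEvents, SecurityEvent, Syslog, TimeGenerated, HostName, SeverityLevel, ProcessName, SyslogMessage) are the standard Microsoft Sentinel schema names; the one-day time filter and the severity-rank mapping in the last query are additions that go beyond the article's queries to show the caveats a practitioner hits with these operators.

```kql
// Added example: reconstructions of the queries described above, plus two
// variants showing the caveats. Not the article's original query images.

// 1. Return every row of the CloudAppEvents table. The explicit time filter
//    (added here) keeps the scan cheap and independent of the portal's picker.
CloudAppEvents
| where TimeGenerated > ago(1d)

// 2a. Ten most recent security events. `sort` runs before `take`; `take` on
//     its own returns an arbitrary 10 rows, not the newest ones.
SecurityEvent
| sort by TimeGenerated desc
| take 10

// 2b. Same result with `order by` (a synonym for `sort by`) and `top`,
//     which combines the sort and the row limit in one operator.
SecurityEvent
| order by TimeGenerated desc
| take 10

SecurityEvent
| top 10 by TimeGenerated desc

// 2c. Syslog issues per host: host ascending, severity ascending, newest first.
//     Each column takes its own asc/desc; the default direction is desc.
Syslog
| sort by HostName asc, SeverityLevel asc, TimeGenerated desc
| project TimeGenerated, HostName, SeverityLevel, ProcessName, SyslogMessage

// 2d. Caveat (added here): SeverityLevel is a string ("err", "warning", ...),
//     so ascending order in 2c is alphabetical, not by severity rank. Map the
//     level to a number first when the ranking matters.
Syslog
| extend SevRank = case(
    SeverityLevel == "emerg", 0,
    SeverityLevel == "alert", 1,
    SeverityLevel == "crit", 2,
    SeverityLevel == "err", 3,
    SeverityLevel == "warning", 4,
    SeverityLevel == "notice", 5,
    SeverityLevel == "info", 6,
    7)
| sort by HostName asc, SevRank asc, TimeGenerated desc
| project TimeGenerated, HostName, SeverityLevel, SevRank, ProcessName, SyslogMessage
```

In the Sentinel Logs editor the blank lines separate independent queries; only the query the cursor is in runs when you press Run, so paste one at a time or select the block you want.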