marcusbakker / kql
Kusto Query Language
Home Page: https://www.mbsecure.nl/blog/2019/12/kql-cheat-sheet
Hi Marcus,
Thanks for putting this KQL cheat sheet together. This is a very good, handy reference for KQL users.
I do have a suggestion on the example in the join section, where a SecurityAlert example is provided to extract the Process entity. The SecurityAlert table can have multiple entities in a single row, and hence joining/extracting can be trivial with simple JSON extraction. One of the ways we are addressing it is with the query below, where we expand the multi-value array into separate rows and then match it with the relevant entity in the join. This may be a bit complex for a new KQL user, but it could be included with the mv-expand operator explanation in the cheat sheet if you feel it is appropriate.
An example query for parsing Process entities with ProcessId and CommandLine details can look like the one below.
SecurityAlert
| extend EntitiesDynamicArray = parse_json(Entities)   // Entities is a JSON string; parse it once into a dynamic array
| mv-expand EntitiesDynamicArray                        // one output row per entity in the array
| extend Entitytype = tostring(EntitiesDynamicArray.Type)   // already dynamic after mv-expand, no second parse_json needed
| where Entitytype == "process"
| extend ProcessId = tostring(EntitiesDynamicArray.ProcessId), CommandLine = tostring(EntitiesDynamicArray.CommandLine)
Other example queries based on SecurityAlert entity parsing and later joining are in the Azure Sentinel GitHub:
I think it is worth mentioning in that section to use time filters first. Kusto is highly optimized to utilize time filters.
Hi. Big thanks for the cheat sheet! It is awesome!
One minor problem is: can we replace contains with has, because contains is a considerably heavier operator than has, and in most cases has would work fine?
I think it's possible to just show by example what has does and what contains does, like in the docs: https://docs.microsoft.com/en-us/azure/kusto/query/datatypes-string-operators
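The three points raised in the comments above (apply the time filter first, mv-expand the entity array before joining, and prefer has over contains), brought together in one added KQL example that is not from the cheat sheet or from the commenters. The Alerts and Events tables are constructed inline with datatable and stand in for SecurityAlert and a process-event table; their values are made up.

```kql
// Added example, not from the cheat sheet. Constructed stand-ins for SecurityAlert
// (Entities is a JSON string holding an array of entity objects) and a process-event table.
let Alerts = datatable(TimeGenerated:datetime, AlertName:string, Entities:string) [
    datetime(2019-12-01T10:00:00Z), "Suspicious PowerShell",
        '[{"Type":"host","HostName":"srv01"},{"Type":"process","ProcessId":"4321","CommandLine":"powershell.exe -enc AAAA"}]',
    datetime(2019-12-02T11:00:00Z), "Alert outside the window",
        '[{"Type":"process","ProcessId":"99","CommandLine":"cmd.exe /c whoami"}]'
];
let Events = datatable(TimeGenerated:datetime, Computer:string, ProcessId:string, CommandLine:string) [
    datetime(2019-12-01T09:59:30Z), "srv01", "4321", "powershell.exe -enc AAAA",
    datetime(2019-12-01T09:59:40Z), "srv01", "5555", "notepad.exe"
];
let StartTime = datetime(2019-12-01T09:00:00Z);
let EndTime   = datetime(2019-12-01T12:00:00Z);
Alerts
| where TimeGenerated between (StartTime .. EndTime)      // time filter first, before any parsing or joining
| extend Entity = parse_json(Entities)                     // string -> dynamic array, parsed once
| mv-expand Entity                                         // one row per entity; Entity is now a single dynamic object
| where tostring(Entity.Type) == "process"                 // keep only process entities (Type values are lowercase)
| project AlertTime = TimeGenerated, AlertName,
          ProcessId = tostring(Entity.ProcessId),
          CommandLine = tostring(Entity.CommandLine)
| join kind=inner (
    Events
    | where TimeGenerated between (StartTime .. EndTime)   // same time filter on the right side of the join
    // has matches whole terms (alphanumeric runs), so "powershell.exe" has "powershell" but not "shell";
    // contains "shell" would match as a substring at a much higher cost on large tables.
    | where CommandLine has "powershell"
) on ProcessId, CommandLine                                // match the expanded entity to the raw event
| project AlertTime, AlertName, Computer, ProcessId, CommandLine
```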