This week I released a cheat sheet for the Kusto Query Language (KQL), which you can find on my GitHub page: kql_cheat_sheet.pdf. When I started with KQL to analyse security events, the primary resources for me to get started were the official KQL documentation from Microsoft and the Pluralsight course from Robert Cain. Something was missing: a cheat sheet. So, I created one. I hope this cheat sheet will help others in using KQL. If you have additions or remarks, please contact me.
WHAT IS KQL AND WHERE IS IT USED?
KQL is an open source language created by Microsoft to query big data sets stored in the Azure cloud. These queries can also be used in alerting rules. Some examples of services/products hosted in Azure that make use of KQL are:
- Azure Data Explorer
- Log Analytics
- Sentinel (this is Microsoft’s cloud SIEM solution that makes use of a Log Analytics workspace as its backend)
- Microsoft Defender ATP