I’ve been digging into KQL for quite some time, and I often get asked whether I could help someone build a KQL query.
This motivated me to release the first edition of KQL Internals, which received a lot of positive feedback from the community.
KQL Internals is a guide I made to help people get started with the language itself. It contains hands-on examples and explains things step by step, including how the different operators and functions work.
However, I’ve also received feedback from people who wanted me to cover certain operators and functions that I didn’t include in the first edition, which motivated me to work on a second edition.
- What is new in the second edition of KQL Internals?
The following operators have been included in the second edition.
The following (scalar) functions have been added.
There is now a chapter that lists all the operators and functions that are discussed, so you can quickly find a certain operator or function by its chapter number.
Let’s say you want to know more about the search operator. You can now filter on the chapter number instead of scrolling through the entire document; in this case you would filter on 1.4.2 to get to the page that explains the search operator.
The last addition is a section on Advanced Hunting in Microsoft Defender ATP (MDATP).
This chapter is built around different use cases and shows how to write a KQL query for each of them in MDATP.
Advanced Hunting provides great capabilities for threat hunting, but not only that: you can also use it to write your own custom detection rules in MDATP.
Here is an example of a KQL query in MDATP that looks for someone disabling Kerberos pre-authentication on an account in Active Directory.
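As an added example (not the query from KQL Internals itself), here is one way to hunt for this use case. The first query runs in MDATP Advanced Hunting and relies on the public Advanced Hunting schema (DeviceProcessEvents and its columns); it assumes the change was made from PowerShell with the ActiveDirectory module, so the cmdlet names and the flag value are the only patterns it looks for. The second query shows the same use case on Azure Sentinel data, assuming the domain controller security log is forwarded to the SecurityEvent table and that tolong() parses the "0x..." strings that event 4738 carries. Both are assumptions of this example, not something the post or the guide states.

```kql
// Added example, not the author's query. Hunts for Kerberos pre-authentication
// being disabled from PowerShell, either through
// Set-ADAccountControl -DoesNotRequirePreAuth $true or through a raw
// userAccountControl write that ORs in DONT_REQ_PREAUTH (0x400000 = 4194304).
// Assumption: the operator used PowerShell; ADSI from .NET, ldifde or a
// non-Windows host would not show up in a command-line hunt like this.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("DoesNotRequirePreAuth", "4194304", "0x400000")
| where ProcessCommandLine has_any ("Set-ADAccountControl", "Set-ADUser", "Set-ADObject", "userAccountControl")
| project Timestamp, DeviceName, AccountDomain, AccountName,
          InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

// Separate query for Azure Sentinel: Windows security event 4738 (user account
// changed) logged by the domain controller carries the old and new
// userAccountControl values as hex strings. Checking the bit on both values
// reports only the change that actually set the flag, not every later edit
// to an account that already had it. Assumptions: the DC security log lands in
// SecurityEvent, and tolong() accepts the "0x..." prefix.
let DONT_REQ_PREAUTH = 0x400000;
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4738
| extend OldUac = tolong(OldUacValue), NewUac = tolong(NewUacValue)
| where binary_and(NewUac, DONT_REQ_PREAUTH) != 0
    and binary_and(OldUac, DONT_REQ_PREAUTH) == 0
| project TimeGenerated, Computer, SubjectAccount, TargetAccount, OldUacValue, NewUacValue
| order by TimeGenerated desc
```

The two queries have to be run separately (select one of them in the editor before running). The command-line hunt is cheap but easy to evade; the 4738-based query catches the change regardless of the tool used, which is why it is the better candidate for a custom rule when the DC logs are available.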
- Why should you learn KQL?
Kusto Query Language (KQL) is the query language used in Azure Sentinel, which sits on top of Log Analytics. If you’re into Azure Sentinel, understanding KQL is very helpful, because it allows you to write your own queries to perform threat hunting or to build custom rules that detect certain activities in your cloud environment, for example.
KQL is also used in the Advanced Hunting section of Defender ATP. If you only use MDATP ”out of the box”, you are missing something: the threat hunting part. MDATP provides great logging for, among other things, LDAP queries, WMI activity, network events and process creations.
If you like my work and want to buy me a coffee as a token of appreciation, you can do so here: https://www.buymeacoffee.com/DebugPrivilege
You can download the second edition of KQL Internals here: