Learn KQL for Microsoft Sentinel
What you'll learn
- Learn KQL basics for Microsoft Sentinel
- Know the most used operators
- Learn to build your first query
- Learn to evaluate your KQL results
Explore related topics
Course content
- Introduction0:51
- Start your KQL with Search7:42
- Project the required columns8:39
- Extend your query to build columns on the fly6:00
- Use distinct to find unique values3:46
- Use count for a quick output2:29
- Apply where condition to filter better4:47
- Filter your data set with TimeGeneated8:12
- Corelate multiple datasets with joins8:34
- Summarize your data to get an overview3:14
- Apply make_list to summarize all values4:51
? Used in conjunction with the summarize operator
➡️ SigninLogs | summarize make_list(UserPrincipalName)
? can be used only with the expression
➡️ SigninLogs | summarize make_list(UserPrincipalName)
? can be used only with the expression with respect to columns
➡️ SigninLogs | summarize make_list(UserPrincipalName) by ResultType
? can be used only with the expression with respect to multiple columns
➡️ SigninLogs | summarize make_list(UserPrincipalName) by ResultType, AppDisplayName
? can be used only with the expression with respect to multiple columns and function
➡️ SigninLogs | summarize make_list(UserPrincipalName) by ResultType, bin(TimeGenerated,1h)
? groups a list of values
➡️ SigninLogs | summarize make_list(UserPrincipalName,1) by ResultType, bin(TimeGenerated,1h)
? count of groups can be controlled but default is 1048576.
- Apply make_set to summarize unique values4:41
? Used in conjunction with the summarize operator
➡️ SigninLogs | summarize make_set(UserPrincipalName)
? can be used only with the expression
➡️ SigninLogs | summarize make_set(UserPrincipalName)
? can be used only with the expression with respect to columns
➡️ SigninLogs | summarize make_set(UserPrincipalName) by ResultType
? can be used only with the expression with respect to multiple columns
➡️ SigninLogs | summarize make_set(UserPrincipalName) by ResultType, AppDisplayName
? can be used only with the expression with respect to multiple columns and function
➡️ SigninLogs | summarize make_set(UserPrincipalName) by ResultType, bin(TimeGenerated,1h)
? groups the unique values
➡️ SigninLogs | summarize make_set(UserPrincipalName,1) by ResultType, bin(TimeGenerated,1h)
? count can be controlled but default is 1048576.
- Save your query7:11
- Save your query as function5:46
- Apply visual on a Dataset7:41
- Brute force in SignInLogs5:48
Requirements
- Familiarity of KQL for Microsoft Sentinel
Description
Welcome to KQL for Microsoft Sentinel.
KQL is a simple query language used across multiple products like
Azure Log Analytics
Microsoft Sentinel
Azure Resource Graph
to read & write structured & unstructured data.
Course Structure
In this course we will focus on leveraging KQL for Microsoft Sentinel.
This will walk you though a basic understanding of KQL
Quick Start
Go for a quick result
Filter for better results
Leverage the joins
Summarize for perspective
Save & Reuse
Apply the visual
Build the use case
Each section has subsections for easy understanding of the topics.
A quick start happens with searching a particular phrase -> projecting the necessary columns -> extending the additional columns needed.
Now, to get a quick result we do distinct to find unique values -> use count -> get the top for display a limited set of result.
To Filter better result Apply where condition -> Apply TimeGeneated filter
Leverage the joins by learning about different kinds of joins
Summarize for perspective by Summarize -> make_list -> make_set
Once done save & reuse by saving as query or function.
Apply the visual for better visibility.
Start building you use case now with an example.
Outcome at completion
After you successfully complete this course you will be able to build your own KQL query from scratch to end.
Whom is this course for
Either you are new to Microsoft Sentinel , Log Analytics or KQL or you are already working in SOC on a regular basis, this course is for you.
Who this course is for:
- Data Scientists
