The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting

Book description

Turn the avalanche of raw data from Azure Data Explorer, Azure Monitor, Microsoft Sentinel, and other Microsoft data platforms into actionable intelligence with KQL (Kusto Query Language). Experts in information security and analysis guide you through what it takes to automate your approach to risk assessment and remediation, speeding up detection time while reducing manual work using KQL. This accessible and practical guide, designed for a broad range of people with varying experience in KQL, will quickly make KQL second nature for information security.

Solve real problems with Kusto Query Language and build your competitive advantage:

  • Learn the fundamentals of KQL: what it is and where it is used

  • Examine the anatomy of a KQL query

  • Understand why data summation and aggregation are important

  • See examples of data summation, including count, countif, and dcount

  • Learn the benefits of moving from raw data ingestion to a more automated approach for security operations

  • Unlock how to write efficient and effective queries

  • Work with advanced KQL operators, advanced data strings, and multivalued strings

  • Explore KQL for day-to-day admin tasks, performance, and troubleshooting

  • Use KQL across Azure, including app services and function apps

  • Delve into defending and threat hunting using KQL

  • Recognize indicators of compromise and anomaly detection

  • Learn to access and contribute to hunting queries via GitHub and workbooks via Microsoft Entra ID

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents at a Glance
  6. Contents
  7. Acknowledgments
  8. About the Authors
  9. Foreword
  10. Introduction
    1. Organization of This Book
    2. Who Should Read This Book?
    3. Conventions and Features in This Book
    4. System Requirements
    5. GitHub Repo
    6. Errata, Updates, and Book Support
    7. Stay in Touch
  11. Chapter 1. Introduction and Fundamentals
    1. Why You Need to Learn KQL
    2. How to Use This Book
    3. Setting Up the Environment
    4. Fundamental Concepts
    5. Searching and Filtering
    6. Data Manipulation
    7. Time Operators
    8. Just Enough User Interface
    9. Miscellaneous Fundamentals
    10. Summary
  12. Chapter 2. Data Aggregation
    1. We Are Dealing with a Lot of Data Here
    2. Obfuscating Results
    3. Distinct and Count
    4. Min, Max, Average, and Sum
    5. Bins, Percentages, and Percentiles
    6. Lists and Sets
    7. Visualizing Data with the Render Operator
    8. Aggregation Functions Usage in Other Operators
    9. Summary
  13. Chapter 3. Unlocking Insights with Advanced KQL Operators
    1. Using KQL Variables in KQL
    2. Working with Default Values in Functions
    3. Best Practices for Using Variables in KQL
    4. Uniting Queries with KQL Unions
    5. union Operator versus join Operator
    6. Best Practices and Performance Optimization
    7. Joining Data
    8. The externaldata Operator
    9. Query IP Ranges Using KQL
    10. Using the ipv4_is_private() Function
    11. Getting Geolocation from an IP Address Using KQL
    12. Working with Multivalued Strings in KQL
    13. base64_decode_tostring() Function
    14. Working with JSON
    15. Time-Series Analysis
    16. Regular Expressions in KQL
    17. bin() Function
    18. Understanding Functions in Kusto Query Language
    19. Materialize Function
  14. Chapter 4. Operational Excellence with KQL
    1. Getting Started with KQL
    2. Advanced Hunting with KQL
    3. Common Security Challenges in the Cloud
    4. Hands-on Training: Mastering KQL
    5. Advancing Your KQL Skills
    6. Enabling Diagnostic Settings in Azure
    7. Enabling Diagnostic Settings in Azure Services
    8. Using KQL for Microsoft Intune for Diagnostics and Compliance
    9. Using KQL Queries for Advanced Hunting in Microsoft Defender
    10. Using KQL to Create Powerful Azure Monitor Workbooks
    11. Enhancing Data Management and Efficiency
    12. Best Practices for Optimizing Query Performance
    13. Summary
  15. Chapter 5. KQL for Cybersecurity—Defending and Threat Hunting
    1. Why KQL for Security?
    2. Cybersecurity-Focused Operators
    3. User Compromise in Microsoft 365
    4. Phishing Attacks
    5. Firewall Log Parsing
    6. Auditing Security Posture
    7. Microsoft Entra ID (Azure Active Directory) Compromise
    8. Ransomware Tactics, Techniques, and Procedures
    9. Summary
  16. Chapter 6. Advanced KQL Cybersecurity Use Cases and Operators
    1. mv-expand and mv-apply
    2. Joins
    3. let and Nested lets
    4. iff()
    5. case()
    6. coalesce()
    7. More Parsing Operators
    8. regex
    9. Advanced Time
    10. Time-series Analysis
    11. Geolocation
    12. IP Address Queries
    13. base64_decode_tostring()
    14. toscalar()
    15. evaluate pivot()
    16. Functions
    17. Contributing to the KQL Community
    18. Summary
  17. Index
  18. Code Snippets

Product information

  • Title: The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting
  • Author(s): Mark Morowczynski, Rod Trent, Matthew Zorich
  • Release date: June 2024
  • Publisher(s): Microsoft Press
  • ISBN: 9780138293482