Book description
Turn the avalanche of raw data from Azure Data Explorer, Azure Monitor, Microsoft Sentinel, and other Microsoft data platforms into actionable intelligence with KQL (Kusto Query Language). Experts in information security and analysis guide you through what it takes to automate your approach to risk assessment and remediation, speeding up detection time while reducing manual work using KQL. This accessible and practical guidedesigned for a broad range of people with varying experience in KQLwill quickly make KQL second nature for information security.
Solve real problems with Kusto Query Language and build your competitive advantage:
Learn the fundamentals of KQLwhat it is and where it is used
Examine the anatomy of a KQL query
Understand why data summation and aggregation is important
See examples of data summation, including count, countif, and dcount
Learn the benefits of moving from raw data ingestion to a more automated approach for security operations
Unlock how to write efficient and effective queries
Work with advanced KQL operators, advanced data strings, and multivalued strings
Explore KQL for day-to-day admin tasks, performance, and troubleshooting
Use KQL across Azure, including app services and function apps
Delve into defending and threat hunting using KQL
Recognize indicators of compromise and anomaly detection
Learn to access and contribute to hunting queries via GitHub and workbooks via Microsoft Entra ID
Table of contents
- Cover Page
- Title Page
- Copyright Page
- Dedication
- Contents at a Glance
- Contents
- Acknowledgments
- About the Authors
- Foreword
- Introduction
- Chapter 1. Introduction and Fundamentals
- Chapter 2. Data Aggregation
-
Chapter 3. Unlocking Insights with Advanced KQL Operators
- Using KQL Variables in KQL
- Working with Default Values in Functions
- Best Practices for Using Variables in KQL
- Uniting Queries with KQL Unions
- union Operator versus join Operator
- Best Practices and Performance Optimization
- Joining Data
- The externaldata Operator
- Query IP Ranges Using KQL
- Using the ipv4_is_private() Function
- Getting Geolocation from an IP Address Using KQL
- Working with Multivalued Strings in KQL
- base64_decode_tostring() Function
- Working with JSON
- Time-Series Analysis
- Regular Expressions in KQL
- bin() Function
- Understanding Functions in Kusto Query Language
- Materialize Function
-
Chapter 4. Operational Excellence with KQL
- Getting Started with KQL
- Advanced Hunting with KQL
- Common Security Challenges in the Cloud
- Hands-on Training: Mastering KQL
- Advancing Your KQL Skills
- Enabling Diagnostic Settings in Azure
- Enabling Diagnostic Settings in Azure Services
- Using KQL for Microsoft Intune for Diagnostics and Compliance
- Using KQL Queries for Advanced Hunting in Microsoft Defender
- Using KQL to Create Powerful Azure Monitor Workbooks
- Enhancing Data Management and Efficiency
- Best Practices for Optimizing Query Performance
- Summary
- Chapter 5. KQL for Cybersecurity—Defending and Threat Hunting
- Chapter 6. Advanced KQL Cybersecurity Use Cases and Operators
- Index
- Code Snippets
Product information
- Title: The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting
- Author(s):
- Release date: June 2024
- Publisher(s): Microsoft Press
- ISBN: 9780138293482
You might also like
video
SC-200: Microsoft Security Operations Analyst
The Microsoft security operations analyst works with organizational stakeholders to secure the organization’s information technology systems. …
book
Threat Hunting with Elastic Stack
Learn advanced threat analysis techniques in practice by implementing Elastic Stack security features Key Features Get …
book
Practical Threat Intelligence and Data-Driven Threat Hunting
Get to grips with cyber threat intelligence and data-driven threat hunting while exploring expert tips and …
book
Exam Ref SC-200 Microsoft Security Operations Analyst
Prepare for Microsoft Exam SC-200 and help demonstrate your real-world mastery of skills and knowledge required …