Source: Rod Trent's incredible work
The code repository for this series (GitHub)
Kusto Query Language Reference Guide
Azure Monitor Logs table reference
Marcus Bakker’s Kusto Query Language (KQL) – cheat sheet
Splunk to Kusto Query Language map
Kusto Query Language in Microsoft Sentinel
Useful resources for working with Kusto Query Language in Microsoft Sentinel
Write your first query with Kusto Query Language (Learn module)
KQL Playground – requires only a valid Microsoft account to access.
Data Explorer – not security focused; it holds sample data sets such as geographical data and weather patterns. Exercises for it can be found in the Learn Azure Sentinel book below.
Learn Azure Sentinel: Integrate Azure security with artificial intelligence to build secure cloud systems – this book uses Data Explorer (see above) for hands-on exercises.
Azure Sentinel in Action: Architect, design, implement, and operate Azure Sentinel as the core of your security solutions – this book is the next edition of the one just above and also uses Data Explorer for hands-on examples.
Kusto.Explorer – a rich desktop application that enables you to explore your data using the Kusto Query Language in an easy-to-use user interface.
Kusto CLI – a command-line utility that is used to send requests to Kusto, and display the results.
Visual Studio Code with the Kusto extensions pack
Real-Time KQL – removes the need to ingest data before querying it: KQL queries are applied to event streams as the events arrive, in real time.
getschema operator – as noted in Part 5 of this series, this is the Rosetta stone of KQL operators. Run against a table, getschema returns the Column Name, Column Ordinal, Data Type, and Column Type of every column. Knowing each column's type tells you which comparison operators and functions are valid for it, which is exactly the information you need to filter data correctly. Part 5 covers it in detail.
#MustLearnKQL – the official Twitter hashtag of this series
The #365daysofkql hashtag on Twitter
The KQL Cafe – podcast and community
Matt Zorich’s curated list of KQL learning resources
TeachJing’s KQL Tutorial Series
Recon your Azure resources with Kusto Query Language (KQL)
Azure Sentinel webinar: KQL part 1 of 3 – Learn the KQL you need for Azure Sentinel
Azure Sentinel webinar: KQL part 2 of 3 – KQL hands-on lab exercises
Azure Sentinel webinar: KQL part 3 of 3 – Optimizing Azure Sentinel KQL queries performance
Querying Azure Log Analytics (with KQL)
My GitHub repo for Microsoft Sentinel KQL
The official Microsoft Sentinel repo
Clive Watson’s KQL queries and workbooks
Matt Zorich’s (the originator of the #365daysofkql Twitter hashtag) KQL queries
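To illustrate the getschema entry above, here is an added example (my own, not a query from the #MustLearnKQL series or its repository). It assumes a Log Analytics or Microsoft Sentinel workspace that contains the SecurityEvent table; the column names and types shown are those of that table, and the Event ID and logon-type values are standard Windows Security log values.

```kql
// Added example, not from the original series.
// Step 1: discover the schema of the table you intend to filter.
// Assumes a workspace with the SecurityEvent table.
SecurityEvent
| getschema
// One row per column: ColumnName, ColumnOrdinal, DataType (the .NET type,
// e.g. System.Int32) and ColumnType (the KQL type, e.g. int).

// Step 2: narrow the schema output itself, for instance to find every
// numeric column you can compare without quoting.
SecurityEvent
| getschema
| where ColumnType in ("int", "long")
| project ColumnName, ColumnType

// Step 3: apply what the schema told you. EventID and LogonType are int,
// so they are compared as numbers (no quotes); Account is string, so a
// string operator such as has / contains / == applies; TimeGenerated is
// datetime, so it takes datetime arithmetic such as ago().
// The query lists accounts with successful remote-interactive (RDP)
// logons in the last day.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624        // int column: numeric comparison, 4624 = successful logon
| where LogonType == 10        // int column: 10 = RemoteInteractive
| where Account has "admin"    // string column: term match
| summarize Logons = count() by Account, Computer
| order by Logons desc
```

A common mistake getschema prevents is writing `where EventID == "4624"`: comparing an int column against a string literal does not match the rows you expect, and checking ColumnType first makes the correct comparison obvious. The same check works on any table; substitute its name for SecurityEvent.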