KUSTO
Start building KQL queries to explore and visualize our data.
How do I get started?
Kusto Query Language (KQL) is a read-only query language for exploring large volumes of data quickly and efficiently. It is the query language behind several Microsoft products, including Azure Data Explorer, Azure Monitor Log Analytics, and Microsoft Sentinel (formerly Azure Sentinel). From monitoring data and logs to resource metadata, it is impractical to review and validate thousands of records by hand; KQL lets us filter, summarize, and chart that data instead, which is exactly the kind of IT operations overhead it was built to handle. KQL queries only read data and return results; they never modify the underlying tables (changes to data and schema are made with separate management commands). KQL is case-sensitive: operators, functions, table names and column names must be written exactly as defined, so "where" and "SecurityEvent" work but "Where" and "securityevent" do not.
There are three types of query statements.
1. Tabular
2. Let
3. Set
Tabular: a tabular expression statement names a data source (usually a table) and pipes it through zero or more operators. A bare table name returns the whole table; each operator added after a pipe (|) filters, reshapes or summarizes the output of the previous one, so the order of the operators determines the result.
Let: binds a name to a scalar or tabular expression, a function, or a view, so the statements that follow it can refer to that name instead of repeating the expression.
Set: Used to set a query option for the duration of the query.
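As an added example (not part of the original page), here is one query that uses all three statement types together to find sources with many failed logons. It assumes the Log Analytics demo workspace's SecurityEvent table with the columns TimeGenerated, EventID, Account, Computer and IpAddress; the threshold of 10 failures and the list of ignored accounts are illustrative choices. Set statements are honoured by Azure Data Explorer, while Log Analytics accepts only some query options, so drop that line if the editor rejects it.

```kql
// Added example, not from the original page. Assumes the SecurityEvent table
// (TimeGenerated, EventID, Account, Computer, IpAddress) as in the Log Analytics demo.
// Statements are separated by semicolons; the query must end with one tabular expression.
set query_take_max_records = 1000;     // set statement: query option for this run only
let lookback = 1d;                     // let statement: a scalar reused below
let failedLogonId = 4625;              // Windows Security event ID for a failed logon
let ignoredAccounts = dynamic(["SYSTEM", "ANONYMOUS LOGON"]);  // assumption: noise to drop
let threshold = 10;                    // assumption: failures per source before we care
SecurityEvent                          // tabular statement: the table, then a pipeline
| where TimeGenerated >= ago(lookback) // filter on time first so later operators see less data
| where EventID == failedLogonId
| where Account !in (ignoredAccounts)  // exact, case-sensitive match against the dynamic list
| summarize Failures = count(), Targets = make_set(Computer) by Account, IpAddress
| where Failures >= threshold
| order by Failures desc
```

Putting the time filter first is the usual practice: TimeGenerated is indexed, so narrowing by time before any other operator is the cheapest way to cut the amount of data the rest of the pipeline has to touch. Note that every keyword here is lowercase and every column name matches the table schema exactly; writing Where or securityevent produces a syntax or name-resolution error rather than a silently empty result.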
SQL vs. KQL: If we are familiar with SQL and want to explore KQL, use this link for a comparison and cheat sheet: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet
Use this link: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices for best practices.
Use this link: https://aka.ms/LADemo for the Log Analytics demo, and run KQL inside.
Kusto Cheat Sheet to Build KQL:
KUSTO Statement 1:
SecurityEvent
| where TimeGenerated >= ago(1d)   // only events from the last 24 hours
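Extending Statement 1 into the chart mentioned in the introduction, as an added example that is not part of the original page; it assumes the same SecurityEvent table with the EventID and TimeGenerated columns.

```kql
// Added example, not from the original page. Widens the window of Statement 1 to 7 days,
// keeps only failed logons (Windows Security event ID 4625), counts them per hour,
// and renders the result as a time chart in the Log Analytics query editor.
SecurityEvent
| where TimeGenerated between (ago(7d) .. now())              // inclusive time window
| where EventID == 4625
| summarize FailedLogons = count() by bin(TimeGenerated, 1h)  // one row per hour bucket
| render timechart
```

The render operator must be the last line of the query; it changes how the editor displays the result table, not what is in it, so the same query without that line returns the hourly counts as plain rows.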
KUSTO Statement 2: