Home Kusto Query Language Cheatsheet
Post
Cancel

Kusto Query Language Cheatsheet

Posted Nov 26, 2022
By R. Giger
1 min read

KQL - Kusto Query Language

Docs and Sources

DescriptionLink
Markdown Best PracticesMarkdown Best Practices
KQL QUick ReferenceMS KQL Quick Reference
VisualizationMSLearn Chart Vizualization
Defender Hunting QueriesGithub Defender Hunting Queries
Advanced Hunting SchemaMSLearn Table Schema



Most Used

OperatorDescriptionSyntax
takePrint limited Amout of RowsSigninLogs \| take 100
whereFilter on ConditionSigninLogs \| where Identity has "giger"
SigninLogs \| where Identity == "giger@contoso.com"
countCount ResultsSiginLogs \| where Country != "CH" \| count
order bySortieren nachproject Users \| order by UserPrincipalName
projectAnzeigen gewisser SpaltenSigninLogs \| project TimeGenerated, UserprincipalName, Location
extendErweitern der Tabelle um eine weitere Spalte\| extend Status = tostring(Status.failureReason)
distinctFilter duplicatesDistinct Location
summarizeResultate zählen nach Spaltennamesummarize Total = count() by <Spaltename>
letVariable definieren, Resultate abspeichernlet resultate = SigninLogs \| where Identity == "gig"
searchDurchsuchen aller Logs nach Stichwörternsearch "gig"
unionTabellen zusammenführenunion SigninLogs, AadNoninteractiveSigninlogs
isnotemptyAlle leeren Felder rausfilternExampleLogs \| where isnotempty(Spaltenname)
   



Operatoren

String Operatoren

Numerical Operatoren



Nützliche Queries

Array definieren um Werte zu filtern

1
2

let excludedAdresses = dynamic(["8.8.4.4", "8.8.8.8"]);
| where DestinationIP !in (excludedAdresses)

Herausfiltern von gewissen Resultaten

1

| where not(ResultType has_any ("10", "20"))

Resultate zeitlich begrenzen

1
2
3
4

Signinlogs | where Timegenerated > ago(1m)
Signinlogs | where Timegenerated > ago(1h)
Signinlogs | where Timegenerated > ago(1d)
Signinlogs | where Timegenerated > ago(1m)

Resultate visualisieren

MSLearn

Charttypes: Areachart, Barcahrt, Columnchart, Linechart, Piechart, Scatterchart, …

1
2
3

OfficeActivity
| summarize test = count() by Operation, bin(TimeGenerated, 4h)    #Generates 2 Axis
| render timechart      #Generates Graphics

Logins visualisieren

1
2
3
4

SigninLogs
| where Identity  has "gig"
| summarize x = count() by bin(TimeGenerated, 10m) 
| render timechart

Wert aus einer Subtabelle extrahieren

1
2
3
4
5
6
7

| extend Status = tostring(Status.failureReason)

- Aus einem Array
| extend location = (todynamic(Entities)[2]).Location.City

- Aus XML Feld
| extend parsed = parse_xml(EventData)

Externe Daten laden

1
2

let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
KQL
kusto query language kql cheatsheet
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents