Security News > 2023 > January > How to use Microsoft KQL for SIEM insight

How to use Microsoft KQL for SIEM insight
2023-01-27 18:05

KQL is an interesting hybrid of scripting and query tools, so it's familiar to anyone who's used Python for data science or SQL for working with databases.

It's designed to work against tables of data, with the ability to create variables and constants that can help control the flow of a set of KQL statements.

A good way to think of a KQL query is as a pipeline: It involves first getting data, then filtering it, before summarizing and sorting, and finally selecting the results you need.

Getting the order of filters right is the key to building effective KQL. The pipeline used to execute KQL connects filters in series, so you want to make sure you filter data at the start of a query, minimizing the amount of data passed to subsequent stages.

These are needed to specify where you're getting data from, with modifiers to take only a set number of rows and to limit how much data is returned.

Columns can be renamed as needed and can even be the product of KQL functions - for example summing data or using the maximum and minimum values for the data.


News URL

https://www.techrepublic.com/article/kql-ms-sentinel/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399