How to use Microsoft KQL for SIEM insight (Security News, January 2023)
KQL is a hybrid of a scripting language and a query language, so it feels familiar to anyone who has used Python for data science or SQL for working with databases.
It's designed to work against tables of data, with the ability to create variables and constants that can help control the flow of a set of KQL statements.
A good way to think of a KQL query is as a pipeline: It involves first getting data, then filtering it, before summarizing and sorting, and finally selecting the results you need.
Getting the order of filters right is the key to building effective KQL. The pipeline used to execute KQL connects filters in series, so you want to make sure you filter data at the start of a query, minimizing the amount of data passed to subsequent stages.
These are needed to specify where you're getting data from, with modifiers to take only a set number of rows and to limit how much data is returned.
Columns can be renamed as needed and can even be the product of KQL functions, for example summing a column or taking its maximum and minimum values.
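The pipeline shape described above (filter first, then summarize, sort and select) and the renamed, function-derived columns can be seen together in a single query. The query below is an added example written for this article, not code from the original piece or from Microsoft; it assumes a Microsoft Sentinel workspace with the Entra ID `SigninLogs` table and its standard columns (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`, `AppDisplayName`), and the constants `lookback` and `threshold` are illustrative values, not recommended thresholds.

```kql
// Added example: surface accounts with many failed sign-ins from one source IP.
// Assumes the SigninLogs table as ingested by Microsoft Sentinel; in that table
// ResultType is a string and "0" means the sign-in succeeded.
let lookback = 1h;      // constant controlling the time window of the query
let threshold = 10;     // illustrative value: failures per account+IP worth a look
SigninLogs
| where TimeGenerated > ago(lookback)      // cheapest filter first: cuts the most rows
| where ResultType != "0"                  // keep failures only
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
| summarize
    Failures  = count(),                   // column produced by a function
    FirstSeen = min(TimeGenerated),        // minimum value of a column
    LastSeen  = max(TimeGenerated),        // maximum value of a column
    Apps      = make_set(AppDisplayName, 10)
    by UserPrincipalName, IPAddress
| where Failures >= threshold              // second filter, on the aggregate
| extend DurationMin = datetime_diff("minute", LastSeen, FirstSeen)
| sort by Failures desc
| project-rename Account = UserPrincipalName, SourceIP = IPAddress   // rename columns
| take 50                                  // limit how many rows come back
```

Note the ordering: the time and `ResultType` filters run before `project` and `summarize`, so the aggregation only ever sees failed sign-ins from the last hour rather than the whole table; moving the `Failures >= threshold` filter earlier is impossible because that column does not exist until `summarize` creates it.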