Welcome to the first blog post in the Becoming a Kusto Knight series. Besides blogging about the latest and greatest detections, I also want to help you learn and understand the basics of the Kusto Query Language.
Where did it all start?
The Kusto Query Language has been publicly available since 2016, when it appeared as a public preview in Application Insights Analytics. According to a blog post by Brian Harry, it already existed as an internal project in 2014.
What does it do?
Microsoft created a read-only query language to query big data, initially in Application Insights Analytics. Read-only means a query can only read data and return results; it cannot modify the data it runs against, which is a useful property when you hand analysts query access to a SIEM. Since its launch, Microsoft has built the Kusto Query Language into many products and services to query enormous amounts of data. While it is a powerful language, it is also easy to read, and that readability keeps complex queries simple.
Where do we use it?
The list is endless but here is a good start.
- Azure Data Explorer: Big Data Analytics
- Azure Log Analytics: Azure Logs and many more
- Azure Sentinel: Detections and hunting in Microsoft’s cloud native SIEM
- CMPivot: Real-time querying of Configuration Manager data
- Jupyter Notebooks: Use KQL like the heroes of the MSTIC team
- Microsoft 365 Security: Detections and hunting in the Microsoft Security Stack
- Microsoft Defender for Endpoint: Detections and hunting in the Defender AV and EDR data
- Power BI: Create dashboards based on your hunting queries
While the language is the same in all of these tools, the implementation differs slightly. There are two flavors of the query engine: the Azure Data Explorer service, which is the more feature-rich variant, and the Azure Monitor (Log Analytics) service, which supports fewer operators and functions but sits behind more products. You will notice other small differences in daily use, for example the name of the timestamp column: in Log Analytics (and therefore Azure Sentinel) it is TimeGenerated, while in Microsoft Defender for Endpoint advanced hunting it is Timestamp.
Before we get into too much detail, let us start with entity names. Every entity (cluster, database, table, column, function) must have a unique name. A name may contain letters, digits, underscores, spaces, dots, and dashes. Names that consist only of letters, digits, and underscores can be written as-is; names that contain a space, dot, or dash must be quoted, by wrapping them in square brackets with either double or single quotes:
- ["Instance Name"]
- ['Instance Name']
A name that contains no special characters but is identical to a language keyword, for example a column called count, must be quoted in the same way. Besides quoting there are two more rules: entity names are case sensitive, and they are limited to 1024 characters.
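To make the quoting rules concrete, here is an added example that is not part of the original post. It builds its own small table with datatable, so it runs in any Kusto environment (Azure Data Explorer, Log Analytics, Azure Sentinel) without access to real data; the column names and the two rows are constructed for illustration only.

```kusto
// Added example (not from the original post). All column names and values
// below are constructed for illustration; the query needs no real table.
datatable(['Instance Name']:string, ['cpu-load']:real, ['os.version']:string, host_count:long, ['count']:long)
[
    "web-01", 0.72, "10.0.19045", 3, 1,
    "web-02", 0.31, "10.0.19045", 1, 2,
]
| where ['cpu-load'] > 0.5          // dash in the name: must be quoted
| project ["Instance Name"],        // space in the name: must be quoted (double quotes work too)
          ['os.version'],           // dot in the name: must be quoted
          host_count,               // letters, digits, underscore only: no quotes needed
          ['count']                 // no special characters, but 'count' is a keyword: must be quoted
// Note on case sensitivity: host_count and Host_Count would be two different
// columns, so the unquoted reference above must match the definition exactly.
```

The query returns only the web-01 row, because that is the only instance whose cpu-load is above 0.5. If you drop the brackets around any of the quoted names, the query fails to parse rather than silently returning wrong data, which is why getting the quoting right is the first thing to check when a hunting query refuses to run.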
Now that we know where the Kusto Query Language comes from, what it does, and how entity names work, we can continue to the next blog post about clusters, databases, tables, and columns.