KQL stands for "Kusto Query Language" and is a powerful language for hunting specific activities and data. Microsoft Sentinel (SOAR) and Microsoft 365 Defender (Advanced Hunting) are great examples of using KQL. However, leveraging KQL might be a bit challenging if you don't have SQL or programming background. When I started learning KQL, I had no idea how to begin as a learning process due to no programming/SQL experience. Throughout my KQL journey, I would like to share some of the best resources for learning KQL. At the same time, I would like to provide "Hunting Queries" in KQL-XDR-Hunting repository.
| # | Folder | About |
|---|---|---|
| 1 | KQL/README.md | KQL introduction & learning resource. |
| 2 | KQL/KQL-XDR-Hunting | Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint. |
| 3 | KQL/KQL-Effective-Use | Provide product feature based KQL and advanced KQL tips in XDR & SIEM. |
e.g. Microsoft 365 Defender portal | Advanced Hunting
This webinar is an excellent resource for those who are new to KQL in Microsoft 365 Defender. Each webinar in the series covers the fundamentals of KQL and demonstrates great use cases. As my work mainly focuses on XDR in Microsoft 365 Defender, I found these webinars particularly helpful and informative.
Webcast 1 - 4 series
- M365 Defender (MTP) webinar: Tracking the Adversary E1: KQL Fundamentals.
- M365 Defender (MTP) webinar: Tracking the Adversary E2: Joins.
- M365 Defender (MTP) webinar: Tracking the Adversary, E3: Summarizing, Pivoting, and Visualizing Data.
- M365 Defender (MTP) webinar: Tracking the Adversary E4 Let’s hunt! Applying KQL to incident tracking.
After attending the Microsoft 365 Defender Webcast, I continued to explore KQL in greater depth. For those using Microsoft Sentinel and Azure Data Explorer, these webinars can provide an excellent starting point for learning KQL.
- Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel!
- Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises!
- Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance!
In KC7, you will learn KQL step by step. After the initial training, you will become a member of the SOC team and gain real-world hunting experience with your first case. By the end of KC7, you will be confident in your ability to hunt down suspicious activities using KQL.
Get started !! Practice Pivoting and Analysis - KC7 (kc7cyber.com)
Kusto Detective Agency is an interactive big data contest and gives you 5 missions. You will be one of the detectives in the team and deal with (find out the answer) missions by using KQL.
- Kusto Detective Agency website (https://detective.kusto.io/)
- Kusto Detective Agency short video : Kusto Detective Agency - an interactive big data contest
Welcome to the Kusto Detective agency, rookie! Be prepared to flex your investigative muscles as you use your big data skills to solve our most challenging cases. Prizes and awards are up for grabs if you are successful!
- KQL quick reference | Microsoft Learn
- String operators - Azure Data Explorer | Microsoft Learn!
- Query best practices - Azure Data Explorer | Microsoft Learn
Learn the schema tables - App, Endpoint, Identity and Email in Microsoft 365 Defender.
Also, there are a number of out-of-the-box queries.
https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.