CTHFM: Azure

Quick Reference

The majority of the operators and functions you will need while hunting are captured in the quick reference below. It is adapted from Microsoft's KQL quick reference and grouped by task; each entry gives the operator or function, what it does, and its syntax, with notes on the pitfalls that matter most when hunting over Log Analytics and Sentinel tables.

Filter/Search/Condition: find relevant data by filtering or searching

where
    Filters rows on a predicate. Put the most selective filter (usually the time range) first.
    Syntax: T | where Predicate

where contains / has
    contains looks for any substring match. has looks for a whole term (an indexed word), which is faster and gives fewer false matches. Both are case-insensitive; use contains_cs or has_cs for case-sensitive matching.
    Syntax: T | where col1 contains "[search term]"
            T | where col1 has "[search term]"

search
    Searches all columns of the table for the value. If no table is given, it searches every table in the workspace, which is expensive; once you know where the data lives, switch to where on a specific column.
    Syntax: [TabularSource |] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate

take
    Returns the specified number of records; use it to test a query cheaply. take and limit are synonyms. Without a preceding sort there is no guarantee which rows come back.
    Syntax: T | take NumberOfRows

case
    Evaluates the predicates in order and returns the value paired with the first one that is true, similar to if/then/elseif in other languages. The last argument is the default.
    Syntax: case(predicate_1, then_1, predicate_2, then_2, predicate_3, then_3, else)

distinct
    Produces a table with the distinct combinations of the provided columns of the input table.
    Syntax: T | distinct ColumnName [, ColumnName ...]

Date/Time: operations that use date and time functions

ago
    Returns the time offset relative to the time the query executes. For example, ago(1h) is one hour before the current clock reading.
    Syntax: ago(a_timespan)

format_datetime
    Returns a datetime formatted as a string in various date formats (for example "yyyy-MM-dd HH:mm:ss").
    Syntax: format_datetime(datetime, format)

bin
    Rounds a value down to a multiple of the given bin size so that rows in the same timeframe can be grouped, typically summarize ... by bin(TimeGenerated, 1h).
    Syntax: bin(value, roundTo)

Create/Remove Columns: add or remove columns in a table

print
    Outputs a single row with one or more scalar expressions. Useful for checking a function or a literal before using it in a query.
    Syntax: print [ColumnName =] ScalarExpression [, ...]

project
    Selects the columns to include, in the order specified, and can compute new columns on the way.
    Syntax: T | project ColumnName [= Expression] [, ...]
            T | project [ColumnName | (ColumnName[, ...]) =] Expression [, ...]

project-away
    Selects the columns to exclude from the output.
    Syntax: T | project-away ColumnNameOrPattern [, ...]

project-keep
    Selects the columns to keep in the output.
    Syntax: T | project-keep ColumnNameOrPattern [, ...]

project-rename
    Renames columns in the result output.
    Syntax: T | project-rename new_column_name = column_name

project-reorder
    Reorders columns in the result output.
    Syntax: T | project-reorder Col2, Col1, Col* asc

extend
    Creates a calculated column and adds it to the result set, keeping the existing columns.
    Syntax: T | extend [ColumnName | (ColumnName[, ...]) =] Expression [, ...]

Sort and Aggregate Dataset: restructure the data by sorting or grouping it in meaningful ways

sort
    Sorts the rows of the input table by one or more columns in ascending or descending order. order by is a synonym.
    Syntax: T | sort by expression1 [asc|desc], expression2 [asc|desc], ...

top
    Returns the first N rows of the dataset after sorting by the given expression.
    Syntax: T | top numberOfRows by expression [asc|desc] [nulls first|last]

summarize
    Groups the rows according to the by columns and calculates aggregations over each group. Common aggregations for hunting are count(), countif(), dcount(), make_set(), min(), max() and arg_max().
    Syntax: T | summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]

count
    Counts the records in the input table (for example, T). This operator is shorthand for summarize count().
    Syntax: T | count

join
    Merges the rows of two tables to form a new table by matching values of the specified column(s) from each table. Supports a full range of join types: fullouter, inner, innerunique, leftanti, leftantisemi, leftouter, leftsemi, rightanti, rightantisemi, rightouter, rightsemi. The default kind is innerunique, which deduplicates the left side on the join key and can silently drop rows, so always state kind= explicitly when hunting.
    Syntax: LeftTable | join [JoinParameters] ( RightTable ) on Attributes

union
    Takes two or more tables and returns all their rows. Columns with the same name are merged; a column missing from one table is null for that table's rows.
    Syntax: [T1] | union [T2], [T3], ...

range
    Generates a table with an arithmetic series of values. Handy for building a full timeline so that empty buckets are not lost.
    Syntax: range columnName from start to stop step step

Format Data: restructure the data to output in a useful way

lookup
    Extends the columns of a fact table with values looked up in a (small) dimension table, such as an asset inventory or an IP allow-list. Cheaper than join for that case; the default kind is leftouter.
    Syntax: T1 | lookup [kind = (leftouter|inner)] ( T2 ) on Attributes

mv-expand
    Turns dynamic arrays into rows (multi-value expansion). Add to typeof(...) to give the expanded column a concrete type.
    Syntax: T | mv-expand Column [to typeof(Type)]

parse
    Evaluates a string expression and parses its value into one or more calculated columns. Use it for structuring unstructured text. For JSON held in a string column use parse_json instead, and access fields of dynamic columns with dot notation.
    Syntax: T | parse [kind=regex [flags=regex_flags] |simple|relaxed] Expression with * (StringConstant ColumnName [: ColumnType]) *...

make-series
    Creates a series of specified aggregated values along a specified axis (usually time). The arrays it produces feed the series_* functions, such as series_decompose_anomalies, and render timechart.
    Syntax: T | make-series [MakeSeriesParameters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn from start to end step step [by [Column =] GroupExpression [, ...]]

let
    Binds a name to an expression that can refer to its bound value. Values can be lambda expressions to create query-defined functions as part of the query. Use let to create expressions over tables whose results look like a new table. Each let statement ends with a semicolon.
    Syntax: let Name = ScalarExpression | TabularExpression | FunctionDefinitionExpression

General: miscellaneous operations and functions

invoke
    Runs the function on the table that it receives as input.
    Syntax: T | invoke function([param1, param2])

evaluate
    Evaluates query language extensions (plugins), for example evaluate bag_unpack(Column) to turn a property bag into columns.
    Syntax: [T |] evaluate [ evaluateParameters ] PluginName ( [PluginArg1 [, PluginArg2]... )

Visualization: operations that display the data in a graphical format

render
    Renders results as a graphical output. The instruction is interpreted by the client (Log Analytics, the Azure Data Explorer web UI) and does not change the result set.
    Syntax: T | render Visualization [with (PropertyName = PropertyValue [, ...] )]
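
As an added example that is not part of the original page or of Microsoft's reference, the following query ties the filter, aggregate, lookup and join rows above together in a password-spray hunt: many distinct accounts failing from one source address in an hour, with the source checked against an allow-list and against later successes from the same address. It runs against a constructed in-query sample built with datatable, using the column names of the SigninLogs table; the SampleSignins and CorpEgress tables, the addresses, the users and the applications are all invented for the example.

```kql
// Constructed sample in the shape of SigninLogs (only the columns this query needs;
// every value here is made up for the example).
let SampleSignins = datatable(
    TimeGenerated: datetime,
    UserPrincipalName: string,
    IPAddress: string,
    ResultType: string,
    ResultDescription: string,
    AppDisplayName: string
) [
    datetime(2024-05-01 08:00:00), "alice@contoso.com", "203.0.113.10", "50126", "Invalid username or password", "Office 365 Exchange Online",
    datetime(2024-05-01 08:00:05), "bob@contoso.com",   "203.0.113.10", "50126", "Invalid username or password", "Office 365 Exchange Online",
    datetime(2024-05-01 08:00:09), "carol@contoso.com", "203.0.113.10", "50126", "Invalid username or password", "Office 365 Exchange Online",
    datetime(2024-05-01 08:00:14), "dave@contoso.com",  "203.0.113.10", "50126", "Invalid username or password", "Office 365 Exchange Online",
    datetime(2024-05-01 08:00:20), "erin@contoso.com",  "203.0.113.10", "0",     "",                             "Office 365 Exchange Online",
    datetime(2024-05-01 08:05:00), "alice@contoso.com", "198.51.100.7", "50126", "Invalid username or password", "Azure Portal",
    datetime(2024-05-01 08:06:00), "alice@contoso.com", "198.51.100.7", "0",     "",                             "Azure Portal",
    datetime(2024-05-01 09:30:00), "frank@contoso.com", "192.0.2.44",   "50053", "Account is locked",            "Microsoft Teams"
];
// Constructed allow-list of corporate egress addresses: the dimension table for lookup.
let CorpEgress = datatable(IPAddress: string, Site: string) [
    "198.51.100.7", "HQ-NAT"
];
SampleSignins
// Time range first: it is the most selective filter on a real workspace.
| where TimeGenerated between (datetime(2024-05-01) .. datetime(2024-05-02))
| where ResultType != "0"                                   // ResultType is a string; "0" is success
// has matches whole terms, case-insensitively, using the term index.
| where ResultDescription has "password" or ResultDescription has "locked"
| summarize
    Failures      = count(),
    TargetedUsers = dcount(UserPrincipalName),
    Apps          = make_set(AppDisplayName),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by IPAddress, Window = bin(TimeGenerated, 1h)
// Enrich from the small dimension table; unmatched rows get an empty Site.
| lookup kind=leftouter CorpEgress on IPAddress
| extend IsCorporate = isnotempty(Site)
// The hypothesis: several accounts, one unknown source, one hour.
| where TargetedUsers >= 3 and not(IsCorporate)
// State the join kind explicitly; the default (innerunique) would drop rows.
| join kind=leftouter (
    SampleSignins
    | where ResultType == "0"
    | summarize SuccessesFromIP = count() by IPAddress
  ) on IPAddress
| project Window, IPAddress, Failures, TargetedUsers,
          SuccessesFromIP = coalesce(SuccessesFromIP, long(0)),
          Apps, FirstSeen, LastSeen
| sort by Failures desc
```

On this sample the query returns one row, 203.0.113.10 in the 08:00 window, with four failures against four users and one success from the same address (erin's), which is the pattern worth pulling sign-in details for. To run it in a workspace, delete the SampleSignins definition and replace the name with SigninLogs; keep the explicit join kind and the lookup against your own egress list.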

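A second added example, again not from the original page, covers the time-series rows of the table (range, make-series, mv-expand, render) that the hunt above does not use. It builds a constructed failed-sign-in baseline with range and union, turns it into an hourly series with make-series, and flags the hour that breaks the baseline with series_decompose_anomalies. The Start and End bounds, the FailedSignins table and the burst at 14:00 on the second day are all invented for the example.

```kql
// Constructed data: one failed sign-in every 10 minutes for two days (6 per hour)
// plus a burst of 61 events between 14:00:00 and 14:10:00 on the second day.
let Start = datetime(2024-05-01 00:00:00);
let End   = datetime(2024-05-03 00:00:00);
let FailedSignins =
    union
        (range TimeGenerated from Start to End step 10m),
        (range TimeGenerated from datetime(2024-05-02 14:00:00) to datetime(2024-05-02 14:10:00) step 10s)
    | extend ResultType = "50126", UserPrincipalName = "user@contoso.com";
FailedSignins
| where ResultType != "0"
// One row whose columns are arrays: the time axis and the hourly count, with
// empty hours filled with 0 instead of being dropped.
| make-series Failures = count() default = 0 on TimeGenerated from Start to End step 1h
// Decompose the series; Anomalies holds -1/0/1 per point, Expected the modelled baseline.
| extend (Anomalies, Score, Expected) = series_decompose_anomalies(Failures, 1.5)
// Expand the parallel arrays back into one row per hour, typed for later filtering.
| mv-expand TimeGenerated to typeof(datetime),
            Failures      to typeof(long),
            Anomalies     to typeof(long),
            Score         to typeof(double),
            Expected      to typeof(double)
| where Anomalies != 0
| project TimeGenerated, Failures, Expected = round(Expected, 1), Score = round(Score, 2)
```

The only flagged hour is 2024-05-02 14:00 with 67 failures against a baseline of about 6. To chart the whole series instead of listing the anomalies, stop after the series_decompose_anomalies line and add | render timechart; to get one series per account on real data, add by UserPrincipalName to make-series before the mv-expand.
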
Source: KQL quick reference (Kusto), Microsoft Learn.