I teach a couple of KQL courses focused on Azure Sentinel – one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language.
Whenever I deliver an Azure Sentinel workshop, the moment attendees realize that KQL is the basis for almost everything in Sentinel is the moment the product becomes a real thing to them. It’s that “light bulb” moment. I can see a physical, facial change in their approach to Azure Sentinel as their mind finally wraps around the fact that they need to learn KQL. As an instructor, that’s the moment you feel good knowing you’ve accomplished your task. Once the workshop switches to hands-on activities working with KQL examples, I catch most attendees spending the rest of the week writing new queries while I’m trying to talk about other things, or they’ll arrive early before the start of a new workshop day to show me queries they produced overnight on their own time.
The user interface in Azure Sentinel is enough for some customers. An analyst can literally never touch KQL except to push buttons and have the queries run themselves to produce data results and alerts. However, to function as a serious Sentinel analyst, there has to be some modicum of understanding. My goal in teaching KQL is to enable learning of the query language so that the customer can at least read a query line-by-line and understand whether the results it produces are accurate and actionable for hunting and investigations. But KQL is addictive, and I know it. I spend a lot of idle time myself just writing KQL as a downtime, relaxing activity. Enabling a customer to understand just a tiny bit is usually enough to flood them with interest in doing some self-learning.
If you’re interested in setting off on this same journey or would like additional resources to continue your KQL learning, take a look through the following resources.
- Visual Studio Code: https://code.visualstudio.com/ – Visual Studio Code is a streamlined code editor with support for development operations like debugging, task running, and version control.
- KQL add-on for Visual Studio Code: aka.ms/KQLPack
- Kusto.Explorer tool: aka.ms/KustoTool – Kusto.Explorer is a rich desktop application that allows you to explore your data using Kusto query language.
- Azure Data Studio: GitHub Download link – Azure Data Studio runs on Windows, macOS, and Linux.
- Kqlmagic extension in Azure Data Studio: Download link – Kqlmagic is a command that extends the capabilities of the Python kernel in Azure Data Studio notebooks.
- Azure Sentinel Book: (MS Press: aka.ms/ASMSPressBook)
- Azure Sentinel Book: (Packt: aka.ms/ASPacktBook) – this book, in particular, has an entire chapter on KQL.
- Kusto Query Internals – Azure Sentinel Reference: https://getshitsecured.com/2020/04/28/kusto-query-internals-azure-sentinel-reference/ – this download (PDF) reference from @DebugPrivilege is 9 chapters of KQL awesome.
- Hunting TTPs with Azure Sentinel: https://getshitsecured.com/2020/05/15/hunting-ttps-with-azure-sentinel/ – also from @DebugPrivilege, this provides good Hunting guidance with KQL.
- Kusto Query Language (KQL) from Scratch: (Pluralsight) https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch
- Recon your Azure resources with Kusto Query Language (KQL): (YouTube) https://youtu.be/DuWBLsgqhaI
Playgrounds with Demo Data
- Log Analytics demo: aka.ms/LADemo – requires a valid Azure portal login but contains security-focused data.
- Data Explorer: aka.ms/KQLDataExplorer – the data here is not security related but gives you another good resource for honing your skills.
Know of any other good resources? Anything that has helped you that would help others? Let me know. I’m always looking for additional resources to pass along to my workshop attendees.