Thursday, December 16, 2021

Advanced KQL Framework Workbook - Empowering you to become KQL-savvy

Kusto Query Language (KQL) is the language used in Microsoft Sentinel to perform search, analysis, write detection rules and visualise data in Workbooks. The language is also widely used in Azure with services such as Application Insights, Azure Monitor Logs, Azure Resource Graph and Azure Data Explorer use KQL to query data.

 

Just like learning any other languages, it takes time and effort to master a new language, but you could increase your learning efficiency with the right  method and resource(s).

 

Imagine when you need to perform a task with KQL, wouldn’t it be great if:-

  • You have an extensive list of KQL samples at your fingertips for reference?
  • You can get a list of KQL operators that are needed for your task?
  • You can find use-cases similar to the task you wish to perform?
  • You can get some hands-on practice by running  sample queries in real time, using your own data or a public demo environment without the need to navigate between multiple resources?

If you are excited about the above ideas, The Advanced KQL for Microsoft Sentinel Workbook is the answers.

 

 

The idea

 

The concept of this workbook is simple, it is aimed improve your KQL proficiency by taking a use-case driven approach. The layout of the Workbook is being designed in the following manner to align with the concept.

 

Category

  • Overview
  • Tasks (I want to):
    • Operators to be used
    • Sample queries
    • Sample use cases
    • Examples of where it's being used in Microsoft Sentinel

 

You will be presented with a Category list, which is a summary of KQL topics related to Microsoft Sentinel such as finding anomalies, using Watchlist data, create KQL functions and many more.

 

Below each category is a list of common tasks a user would perform. Each task includes KQL operators to be used, sample queries and use cases for references. You can execute the sample queries within the workbook to view the results in real time.

 

In addition, you will be presented with a list of existing content found in Microsoft Sentinel (Analytics Rules, Hunting Queries, Workbooks and etc) specific to the KQL operators. This will help you relate the common use-cases of KQL with their real life application in the product.

 

Why a Workbook?

 

Our goal is to provide an interactive and seamless learning experience. This workbook allows you to run sample queries on the fly without the need to navigate back and forth across learning materials and Microsoft Sentinel portal. In addition, you could use data from your own environment or a public demo environment ‘LADemo’ (subject to the availability of data types).

 

Besides that, it provides flexibility to add and extend the content according to your requirements. For example, not only can it be used as a self-paced learning resource but vendors or MSSP can also use it to deliver KQL training. Moreover, the workbook is easy to share and can be deployed as code.

 

 

How to use it

 

KQLWorkbook.gif

 

 

First, choose from a list of categories that best aligns with  the outcome  you trying to achieve.

Next, you will be presented with a list of common tasks associated with the chosen category. In each task you will find operators to be used, sample queries, use cases and examples of where it’s being used in Microsoft Sentinel.

 

The workbook allows you to execute the KQL sample queries in real time either with your own data or "LA Demo" - a public demo environment without the need to navigate away from the Workbook.You will find all the related sample queries in a single Log Search page to save you the hassle of launching multiple pages. Remove the line break as per instruction to separate the KQL queries.

(Note: It’s best to run the sample queries using your own data as “LA Demo” is not a Microsoft Sentinel enabled workspace. Hence, not all data sources found in the sample queries are available in “LA Demo” )

 

What if you need to do a quick search on which category contains the operators or use-cases that you interested? Click on “Table of Contents” to get a summary of what’s covered in the workbook and your can use “Find” (Ctr + F) feature in your web browser to search for what you need.

 

Want to learn more about how to use this workbook to solve your KQL challenges? Check out the webinar below:

 

 

 

Get started 

You will find “Advance KQL for Microsoft Sentinel" workbook under Templates in the Workbooks menu. Give it a try today as we hope this will help to increase your KQL proficiency.

WorkbookTemplate.png

 

Got any suggestions on how to improve this workbook or any content that we should add to it?

Feel free to click submit your feedback to send your feedback straight to us.

 

This workbook is brought to you by Jeremy Tan, Innocent Wafula and Prateek Taneja.

Posted at https://sl.advdat.com/3p1C7uD