The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending and Threat Hunting
This repo contains data samples and the queries used throughout the Microsoft Press book The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending and Threat Hunting.
The queries in this repo follow along chronologically with those found throughout the book and are designed for you to be able to easily copy and paste them into your environment.
For some queries and examples, the scenarios in the book may be purely hypothetical and use fictional names such as eric.lang@tailspintoys.com. To understand the results you get from those queries in your environment, substitute your own account or the users you manage.
Some queries leverage the datatable operator to create log data dynamically as you run the queries, and some use the externaldata operator to access sample data held in this repo itself.
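As an added illustration of the two techniques mentioned above (this is not a query from the book or the repo), the first query below uses `datatable` to build a handful of constructed sign-in rows inline and then summarizes repeated failures per account; the second shows the `externaldata` shape used to read a CSV from a URL instead, with a placeholder URL that you would replace with the raw link to a sample file in this repo. The column names, values and the `<owner>/<repo>/<file>` path are assumptions for the example.

```kql
// Added example: inline sample data via datatable (rows are constructed, not real logs).
// ResultType "0" is a successful sign-in; "50126" is the Entra ID invalid-credentials code.
let SampleSignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string, IPAddress:string)
[
    datetime(2024-01-15T08:00:00Z), "eric.lang@tailspintoys.com", "50126", "203.0.113.10",
    datetime(2024-01-15T08:00:05Z), "eric.lang@tailspintoys.com", "50126", "203.0.113.10",
    datetime(2024-01-15T08:00:09Z), "eric.lang@tailspintoys.com", "0",     "203.0.113.10",
    datetime(2024-01-15T09:12:00Z), "jane.doe@tailspintoys.com",  "0",     "198.51.100.7"
];
SampleSignIns
| where ResultType != "0"                       // keep failures only
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(IPAddress)
          by UserPrincipalName
| where FailedAttempts >= 2                      // accounts with repeated failures
| order by FailedAttempts desc

// Run separately: the same columns sourced from a CSV in the repo via externaldata.
// The URL is a placeholder (assumption); point it at the raw file you want to read.
let RepoSample = externaldata(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string, IPAddress:string)
[ @"https://raw.githubusercontent.com/<owner>/<repo>/main/<file>.csv" ]
with (format="csv", ignoreFirstRecord=true);
RepoSample
| where ResultType != "0"
| summarize FailedAttempts = count() by UserPrincipalName
```

The two queries are separated by a blank line so that query editors treat them as independent statements; the `datatable` version runs anywhere with no network access, while the `externaldata` version only returns rows once the placeholder URL points at a reachable CSV with a header row (hence `ignoreFirstRecord=true`).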
There is also a chance that a typo made its way into one of the queries in the book; we have tried our best to test them repeatedly, but these things happen. If so, we will update the repo here. Also, in order to format the queries in the book and fit them onto the pages, some additional line breaks were added, so it is easier to copy and paste the queries from here rather than from the eBook/PDF itself.
This repo is completely open sourced by design, and people who didn't buy the book can also access it. Of course we would love for you to purchase the book if you can! If not, and a query here saves you some time or detects something bad in your environment, then that is just as big a win for us as authors as selling copies of a book.
Mark Morowczynski is a Principal Product Manager on the Security Customer Experience Engineering (CxE) team at Microsoft. He spends most of his time working with customers on their deployments in the Identity and Access Management (IAM) and information security space. He has spoken at various industry events such as Black Hat, Defcon Blue Team Village, Blue Team Con, Microsoft Ignite, several BSides and SANS Security Summits, to name a few. He has a BS in Computer Science and an MS in Computer Information and Network Security as well as an MBA from DePaul University. He also has an MS in Information Security Engineering from the SANS Technology Institute. He can be found online on Mastodon @markmorow@infosec.exchange or his website.
Find Mark on:
Rod Trent is a Senior Program Manager for Microsoft focused on Cybersecurity and AI. He has spoken many times at many conferences over the past 30-some years and has written several books (including the more recent Must Learn series, which includes Must Learn KQL) and thousands of articles. He is a husband, dad, and first-time grandfather. In his spare time (if such a thing does truly exist), you can regularly find him simultaneously watching Six Million Dollar Man TV show episodes and writing KQL queries. Rod can be found on LinkedIn and X (formerly Twitter) @rodtrent.
Find Rod on:
Matthew Zorich was born and raised in Australia and works for the Microsoft GHOST team, which provides threat hunting oversight to many areas of Microsoft. Prior to that he worked for the Microsoft Detection and Response Team (DART) and dealt with some of the most complex and largest-scale cyber security compromises on the planet. Before joining Microsoft as a full-time employee, he was a Microsoft MVP, ran a blog focused on Microsoft Sentinel and contributed hundreds of open-source KQL queries to the community. He is a die-hard sports fan, especially of the NBA and cricket.
Find Matt on:
Corissa Koopmans is a Senior Product Manager for Microsoft Entra ID Protection. She has a double master's in International Management and Finance, but it was her love of data that brought her to Microsoft. Corissa enjoys working on features in the Identity and Access Management space, incorporating customer feedback into identity protection products and, of course, writing KQL queries to uncover valuable insights.
Find Corissa on: