SC 200t00a Enu Powerpoint 05


SC-200T00A

Microsoft Security
Operations Analyst

© Copyright Microsoft Corporation. All rights reserved.


Learning Path 5:
Create queries for Microsoft Sentinel
using Kusto Query Language (KQL)



Agenda

• Construct KQL statements for Microsoft Sentinel

• Analyze query results using KQL

• Build multi-table statements using KQL

• Work with string data using KQL statements


Construct KQL statements
for Microsoft Sentinel



Introduction
After completing this module, you will be able to:

1 Construct KQL statements

2 Search log files for security events using KQL

3 Filter searches based on event time, severity, domain, and other relevant data using KQL



The Kusto Query Language statement structure

A KQL query is a read-only request to process data and return results. The request is stated in
plain text, using a data-flow model designed to make the syntax easy to read, write, and
automate.

Use the table reference
The most common kind of query statement is a tabular expression statement, which means both its input and output consist of tables or tabular datasets.

Tabular statements contain zero or more operators, each of which starts with a tabular input and returns a tabular output. Operators are sequenced by a | (pipe). Data flows, or is piped, from one operator to the next. The data is filtered or manipulated at each step and then fed into the following step.

The simplest tabular statement is a bare table reference, which returns every row of that table within the selected time range:

SecurityEvent
SecurityAlert


Use the search operator
search "new"

search in (SecurityEvent, App*) "new"


Use the where operator
SecurityEvent
| where TimeGenerated > ago(1h)

SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4624

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| where AccountType =~ "user"

SecurityEvent | where EventID in (4624, 4625)

EventID is an integer column in SecurityEvent, so compare it with a numeric literal. The =~ operator is the case-insensitive string comparison, so "user" also matches the stored value "User".


Use the let statement
Declare and reuse variables, dynamic tables, or lists

let timeOffset = 1h;
let discardEventId = 4688;
SecurityEvent
| where TimeGenerated > ago(timeOffset*2) and TimeGenerated < ago(timeOffset)
| where EventID != discardEventId

let LowActivityAccounts =
    SecurityEvent
    | summarize cnt = count() by Account
    | where cnt < 1000;
LowActivityAccounts | where Account contains "sql"


Use the extend operator
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName, 0, string_size(ProcessName) - string_size(Process))


Use the order by operator
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName, 0, string_size(ProcessName) - string_size(Process))
| order by StartDir desc, Process asc


Use the project operators

SecurityEvent
| project Computer, Account

SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName, 0, string_size(ProcessName) - string_size(Process))
| order by StartDir desc, Process asc
| project-away ProcessName

Operator          Description
project           Select the columns to include, rename or drop, and insert new computed columns.
project-away      Select what columns from the input to exclude from the output.
project-keep      Select what columns from the input to keep in the output.
project-rename    Select the columns to rename in the resulting output.
project-reorder   Set the column order in the resulting output.


Analyze query results using KQL


Introduction
After completing this module, you will be able to:

1 Summarize data using KQL statements

2 Render visualizations using KQL statements



Use the summarize operator

SecurityEvent
| where TimeGenerated > ago(1h)
| summarize dcount(IpAddress)

let timeframe = 30d;
let threshold = 1;
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultDescription has "Invalid password"
| summarize applicationCount = dcount(AppDisplayName) by UserPrincipalName, IPAddress
| where applicationCount >= threshold

Function(s)             Description
count(), countif()      Returns a count of the records per summarization group.
dcount(), dcountif()    Returns an estimate for the number of distinct values taken by a scalar expression in the summary group.
avg(), avgif()          Calculates the average of Expr across the group.
max(), maxif()          Returns the maximum value across the group.
sum(), sumif()          Calculates the sum of Expr across the group.


Use the summarize operator to filter results
SecurityEvent
| where Computer == "SQL10.na.contosohotels.com"
| summarize arg_max(TimeGenerated,*) by Computer

SecurityEvent
| where Computer == "SQL10.na.contosohotels.com"
| summarize arg_min(TimeGenerated,*) by Computer



Use the summarize operator to prepare data
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| summarize make_list(Account) by Computer

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| summarize make_set(Account) by Computer

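The aggregation functions from the preceding slides, run together over sign-in data. This is an added example and not part of the SC-200 deck: the datatable literal is a constructed stand-in for SigninLogs (same column names, but invented users, IPs, and result texts), the fixed date window exists only because the sample rows are dated, and the TargetedUsers threshold of 3 is an arbitrary starting point. Where the slide keys on UserPrincipalName and IPAddress, this query keys on the source IP per hour, which is the shape that exposes one address failing against many accounts.

```kql
// Added example, not from the SC-200 deck: a constructed SigninLogs-shaped table
// (column names match the real table) so the summarize functions can be run
// offline in any Log Analytics workspace or on an ADX cluster.
let Signins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, AppDisplayName:string, ResultType:string, ResultDescription:string)
[
    datetime(2024-03-01 09:00:00), "alice@contoso.com", "198.51.100.7", "Office 365 Exchange Online",   "50126", "Invalid username or password",
    datetime(2024-03-01 09:01:00), "bob@contoso.com",   "198.51.100.7", "Azure Portal",                 "50126", "Invalid username or password",
    datetime(2024-03-01 09:02:00), "carol@contoso.com", "198.51.100.7", "Microsoft Teams",              "50126", "Invalid username or password",
    datetime(2024-03-01 09:03:00), "dave@contoso.com",  "198.51.100.7", "Office 365 SharePoint Online", "50126", "Invalid username or password",
    datetime(2024-03-01 09:10:00), "alice@contoso.com", "203.0.113.5",  "Office 365 Exchange Online",   "0",     "",
    datetime(2024-03-01 10:15:00), "bob@contoso.com",   "203.0.113.9",  "Azure Portal",                 "0",     "",
    datetime(2024-03-01 10:20:00), "bob@contoso.com",   "203.0.113.9",  "Azure Portal",                 "50126", "Invalid username or password"
];
// One source address failing against many distinct users inside one hour is the
// password-spray shape; aggregating per IP (not per user) is what surfaces it.
Signins
| where TimeGenerated between (datetime(2024-03-01) .. datetime(2024-03-02))   // fixed window for the dated sample; use ago() on live data
| summarize
    Attempts      = count(),
    Failures      = countif(ResultDescription has "Invalid"),
    TargetedUsers = dcountif(UserPrincipalName, ResultDescription has "Invalid"),
    Apps          = make_set(AppDisplayName),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by IPAddress, Hour = bin(TimeGenerated, 1h)
| extend FailureRatio = round(todouble(Failures) / Attempts, 2)
| where TargetedUsers >= 3      // threshold: assumed here, tune to the tenant's failure baseline
| order by TargetedUsers desc, Hour asc
```

On the constructed rows only 198.51.100.7 in the 09:00 hour survives the threshold (four attempts, four failures, four distinct users, four applications); 203.0.113.9 has a failure too, but against a single user, so it drops out. The countif/dcountif pair lets one summarize produce both the raw volume and the failure-only distinct count without a second pass over the table.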


Use the render operator to create visualizations

SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by Account
| render barchart

SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by bin(TimeGenerated, 1m)
| render timechart

Visualizations: areachart, barchart, columnchart, piechart, scatterchart, timechart


Build multi-table statements
using KQL



Introduction
After completing this module, you will be able to:

1 Create queries using unions to merge results from multiple tables using KQL

2 Merge two tables with the join operator using KQL



Use the union operator
SecurityEvent | union SigninLogs

SecurityEvent
| union SigninLogs
| summarize count()
| project count_

SecurityEvent
| union (SigninLogs | summarize count() | project count_)

union App*
| summarize count() by Type

Note where the summarize sits: the second query counts the combined rows of both tables, while the third appends a single count row from SigninLogs to the unchanged SecurityEvent rows. The wildcard form unions every table whose name starts with App, and the Type column tells you which table each row came from.


Use the join operator
SecurityEvent
| where EventID == 4624
| summarize LogOnCount = count() by EventID, Account
| project LogOnCount, Account
| join kind=inner (
    SecurityEvent
    | where EventID == 4634
    | summarize LogOffCount = count() by EventID, Account
    | project LogOffCount, Account
) on Account


Use the join operator (continued)
When joining tables, you use join flavors (the kind= argument) to determine the joining behavior. It is essential to understand which records from the left and right side survive under each flavor. The flavors are innerunique, inner, leftouter, rightouter, fullouter, leftanti, rightanti, leftsemi, and rightsemi. The default when kind= is omitted is innerunique, which deduplicates the left-side keys before matching, so a query that wants every left row matched must say kind=inner explicitly, as the logon/logoff query on the previous slide does.

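The logon/logoff join from the previous slide, extended to show what each flavor keeps. This is an added example, not part of the SC-200 deck: the two datatable literals are constructed stand-ins for SecurityEvent 4624 and 4634 records (same Account and Computer column names, invented values) so the query runs without a workspace, and the union at the end exists only so that all four flavors appear in one result set.

```kql
// Added example, not part of the SC-200 deck: constructed logon/logoff rows stand in
// for SecurityEvent 4624/4634 records so the query runs without a workspace.
let Logons = datatable(Account:string, Computer:string)
[
    "CONTOSO\\alice",      "WS01",
    "CONTOSO\\alice",      "WS03",
    "CONTOSO\\bob",        "WS02",
    "CONTOSO\\svc-backup", "SQL10"    // logged on, never logged off
];
let Logoffs = datatable(Account:string, Computer:string)
[
    "CONTOSO\\alice", "WS01",
    "CONTOSO\\bob",   "WS02",
    "CONTOSO\\carol", "WS04"          // logoff with no logon in the window
];
let LogonCounts  = Logons  | summarize LogOnCount  = count() by Account;
let LogoffCounts = Logoffs | summarize LogOffCount = count() by Account;
// inner: accounts that appear on both sides (alice, bob)
let InnerRows = LogonCounts
    | join kind=inner (LogoffCounts) on Account
    | extend Flavor = "inner";
// leftouter: every left row; right-side columns stay empty where no logoff matched
let LeftOuterRows = LogonCounts
    | join kind=leftouter (LogoffCounts) on Account
    | extend Flavor = "leftouter";
// leftanti: left rows with no match on the right (svc-backup), i.e. sessions still open
let LeftAntiRows = LogonCounts
    | join kind=leftanti (LogoffCounts) on Account
    | extend Flavor = "leftanti";
// rightanti: right rows with no match on the left (carol), i.e. a logoff without a seen logon
let RightAntiRows = LogonCounts
    | join kind=rightanti (LogoffCounts) on Account
    | extend Flavor = "rightanti";
// union aligns columns by name, so flavors that lack a side's columns show them empty
union InnerRows, LeftOuterRows, LeftAntiRows, RightAntiRows
| project Flavor, Account, LogOnCount, LogOffCount
| order by Flavor asc, Account asc
```

The anti flavors are the ones detection authors reach for most: leftanti answers "which logons have no matching logoff" and rightanti answers "which logoffs have no logon we saw", both of which are questions an inner join cannot express. Read the Flavor column against the two source tables to confirm which side each row came from.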


Work with string data
using KQL statements



Introduction
After completing this module, you will be able to:

1 Extract data from unstructured string fields using KQL

2 Extract data from structured string data using KQL

3 Create Functions using KQL



Extract data from unstructured string fields

Extract function:
print extract("x=([0-9.]+)", 1, "hello x=45.6|wo") == "45.6"

SecurityEvent
| where EventID == 4672 and AccountType == 'User'
| extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
| summarize LoginCount = count() by Account_Name
| where Account_Name != ""
| where LoginCount < 10



Extract data from unstructured string fields (continued)

Parse function:
let Traces = datatable(EventText:string)
[
    "Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
];
Traces
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime


Extract data from structured string data

Parse dynamic fields:


SigninLogs
| extend OS = DeviceDetail.operatingSystem

Work with JSON data:

SigninLogs
| extend AuthDetails = parse_json(AuthenticationDetails)
| extend AuthMethod = AuthDetails[0].authenticationMethod
| extend AuthResult = AuthDetails[0]["authenticationStepResultDetail"]
| project AuthMethod, AuthResult, AuthDetails
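Reading AuthDetails[0] as on the slide only ever returns the first authentication step. The added example below, which is not part of the SC-200 deck, goes one step further and walks every step with mv-expand, so the step that actually failed (typically the MFA prompt, not the password) is the one reported. The datatable literal is a constructed stand-in for SigninLogs: the column names match the real table and the JSON uses the field names the slide references, but the users, timestamps, and result texts are invented.

```kql
// Added example, not part of the SC-200 deck: a constructed SigninLogs-shaped table
// whose AuthenticationDetails column holds the JSON array of steps that the real
// column carries. The slide reads element [0] only; mv-expand walks every step.
let Signins = datatable(UserPrincipalName:string, ResultType:string, AuthenticationDetails:string)
[
    "alice@contoso.com", "0",      '[{"authenticationStepDateTime":"2024-03-01T09:10:00Z","authenticationMethod":"Password","succeeded":true,"authenticationStepResultDetail":"Correct password"},{"authenticationStepDateTime":"2024-03-01T09:10:12Z","authenticationMethod":"Mobile app notification","succeeded":true,"authenticationStepResultDetail":"MFA completed in Azure AD"}]',
    "bob@contoso.com",   "500121", '[{"authenticationStepDateTime":"2024-03-01T09:20:00Z","authenticationMethod":"Password","succeeded":true,"authenticationStepResultDetail":"Correct password"},{"authenticationStepDateTime":"2024-03-01T09:21:30Z","authenticationMethod":"Mobile app notification","succeeded":false,"authenticationStepResultDetail":"MFA denied; user declined the authentication"}]'
];
Signins
| extend AuthDetails = parse_json(AuthenticationDetails)   // string column -> dynamic array
| mv-expand Step = AuthDetails                             // one row per authentication step
| extend StepTime  = todatetime(Step.authenticationStepDateTime),
         Method    = tostring(Step.authenticationMethod),
         Succeeded = tobool(Step.succeeded),
         Detail    = tostring(Step.authenticationStepResultDetail)
| summarize StepCount   = count(),
            Methods     = make_list(Method),
            FailedSteps = make_list_if(Detail, Succeeded == false),   // which step broke the chain
            arg_max(StepTime, Detail)                                 // last step and its outcome
    by UserPrincipalName, ResultType
| project UserPrincipalName, ResultType, StepCount, Methods, FailedSteps, LastStep = StepTime, LastDetail = Detail
```

Casting each extracted field with tostring/tobool/todatetime matters: values pulled out of a dynamic object stay dynamic, and comparisons such as Succeeded == false or later joins on Method behave predictably only once the column has a concrete type. On the constructed rows, bob's row lists the denied MFA step under FailedSteps while alice's list is empty.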



Integrate external data

Users
| where UserID in ((externaldata (UserID:string) [
    @"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt"
    h@"?...SAS..." // Secret token needed to access the blob
  ]))
| ...

The h prefix marks the SAS literal as an obfuscated string, so it is redacted from query telemetry and diagnostic traces; it does not encrypt the token, which still sits in clear text in the query itself. Treat any saved query, analytics rule, or workbook that embeds a SAS this way as a secret, scope the SAS to read access on that one blob, and give it a short expiry.


Create parsers using functions
SecurityEvent
| where EventID == 4672 and AccountType == 'User'

// Save the query as a function named PrivLogins, then call it by name:

PrivLogins

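A let-bound function is the in-query form of the saved PrivLogins function on this slide, and it is also the natural place to put the account-name extract() from the unstructured-string slide earlier in this learning path so that every query normalises accounts the same way. The block below is an added example, not part of the SC-200 deck: the datatable literal is a constructed stand-in for SecurityEvent (same column names, invented rows), the tabular parameter T exists only so the function can be fed that sample offline (a saved workspace function would query SecurityEvent directly), and the minCount parameter is an assumed knob.

```kql
// Added example, not part of the SC-200 deck. The constructed rows stand in for
// SecurityEvent so the parser function can be exercised without a workspace.
let Sample = datatable(TimeGenerated:datetime, EventID:int, AccountType:string, Account:string, Computer:string)
[
    datetime(2024-03-01 08:00:00), 4672, "User",    "CONTOSO\\alice",    "DC01",
    datetime(2024-03-01 08:05:00), 4672, "User",    "Alice@contoso.com", "WS01",   // same person, UPN form, mixed case
    datetime(2024-03-01 08:10:00), 4672, "User",    "CONTOSO\\bob",      "DC01",
    datetime(2024-03-01 08:12:00), 4672, "Machine", "CONTOSO\\WS02$",    "WS02",   // computer account, filtered out
    datetime(2024-03-01 08:20:00), 4624, "User",    "CONTOSO\\carol",    "WS03"    // ordinary logon, not a 4672
];
// Parser function: takes a SecurityEvent-shaped table and a minimum count, returns
// one row per normalised privileged account. Saving this body as the workspace
// function PrivLogins (without the T parameter) gives the same result on live data.
let PrivLogins = (T:(TimeGenerated:datetime, EventID:int, AccountType:string, Account:string, Computer:string), minCount:long) {
    T
    | where EventID == 4672 and AccountType == "User"
    // group 2 of the regex is the bare user name: a leading DOMAIN\ and a trailing @suffix are both stripped,
    // and tolower() first makes CONTOSO\alice and Alice@contoso.com collapse to the same key
    | extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
    | where isnotempty(Account_Name)
    | summarize LoginCount = count(), Hosts = make_set(Computer), LastSeen = max(TimeGenerated) by Account_Name
    | where LoginCount >= minCount
};
PrivLogins(Sample, 1)
| order by LoginCount desc
```

On the constructed rows the function returns alice with two privileged logons across DC01 and WS01 and bob with one; the machine account and the 4624 row never reach the summarize. Keeping the regex inside the function is the point: when the normalisation rule changes, every rule and hunting query that calls PrivLogins picks up the fix without being edited.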


Module 5, Lab 01 – Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Lab Exercises for Learning Path 5
Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Learning Path Recap
In this learning path, we covered:

• KQL Statements: Construct KQL statements for Microsoft Sentinel
• KQL Operators: Use KQL operators such as summarize, render, union, join, and extend
• KQL Data Extraction: Extract data from unstructured and structured string fields using KQL
• KQL Functions: Create functions and parsers using KQL
• KQL Lab: Lab exercises to create queries for Microsoft Sentinel using KQL

