SC 200t00a Enu Powerpoint 05
Microsoft Security
Operations Analyst
3 Filter searches based on event time, severity, domain, and other relevant data using KQL
A KQL query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, write, and automate. Because a query cannot modify the underlying data, it can be run freely against production telemetry.
© Copyright Microsoft Corporation. All rights reserved.
Use the table reference
The most common kind of query statement is a tabular expression statement, which means both its
input and output consist of tables or tabular datasets.
Tabular statements contain zero or more operators, each of which starts with a tabular input and
returns a tabular output. Operators are sequenced by a | (pipe). Data flows, or is piped, from one
operator to the next. The data is filtered or manipulated at each step and then fed into the following
step.
SecurityEvent
SecurityAlert
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4624   // EventID is an int column, so compare it to a number, not a string
SecurityEvent
| where TimeGenerated > ago(1h)          // last hour only; always filter on time first
| where EventID == 4624                  // successful logon
| where AccountType =~ "user"            // =~ is a case-insensitive string compare
let LowActivityAccounts =
SecurityEvent
| summarize cnt = count() by Account
| where cnt < 1000;                      // let binds a tabular expression for reuse below
LowActivityAccounts | where Account contains "sql"   // contains is case-insensitive
SecurityEvent
| where TimeGenerated > ago(1h)
| where ProcessName != "" and Process != ""
| extend StartDir = substring(ProcessName, 0, string_size(ProcessName) - string_size(Process))   // directory part of the full path
| order by StartDir desc, Process asc
| project-away ProcessName
Operator        Description
project         Select the columns to include, rename or drop, and insert new computed columns.
project-away    Select what columns from the input to exclude from the output.
project-keep    Select what columns from the input to keep in the output.
project-rename  Select the columns to rename in the resulting output.
SecurityEvent
| where Computer == "SQL10.na.contosohotels.com"
| summarize arg_min(TimeGenerated, *) by Computer   // earliest row (all columns) per computer
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624                  // numeric comparison; EventID is an int column
| summarize make_set(Account) by Computer   // distinct accounts that logged on to each host
SecurityEvent
| where TimeGenerated > ago(1h)
| summarize count() by bin(TimeGenerated, 1m)   // one bucket per minute
| render timechart
Chart types accepted by render: areachart, barchart, columnchart, piechart, scatterchart, timechart
1 Create queries using unions to merge results from multiple tables using KQL
SecurityEvent
| union SigninLogs
| summarize count()
| project count_
SecurityEvent
| union (SigninLogs | summarize count() | project count_)
union App*
| summarize count() by Type
Extract function:
print extract("x=([0-9.]+)", 1, "hello x=45.6|wo") == "45.6"
SecurityEvent
| where EventID == 4672 and AccountType == 'User'   // special privileges assigned to a new logon
| extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))   // strip DOMAIN\ prefix and @suffix
| summarize LoginCount = count() by Account_Name
| where Account_Name != ""
| where LoginCount < 10
Parse function:
let Traces = datatable(EventText:string)
[
"Event: NotifySliceRelease (resourceName=PipelineScheduler, totalSlices=27, sliceNumber=23, lockTime=02/17/2016 08:40:01, releaseTime=02/17/2016 08:40:01, previousLockTime=02/17/2016 08:39:01)"
];
Traces
| parse EventText with * "resourceName=" resourceName ", totalSlices=" totalSlices:long * "sliceNumber=" sliceNumber:long * "lockTime=" lockTime ", releaseTime=" releaseTime:date "," * "previousLockTime=" previousLockTime:date ")" *
| project resourceName, totalSlices, sliceNumber, lockTime, releaseTime, previousLockTime
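The union, extract and parse operators above, brought together in one self-contained query. This is an added example, not from the SC-200 slides: the rows in both datatables are constructed, so it runs in any Kusto environment without a SecurityEvent or SigninLogs table.

```kql
// Added example (not from the course slides). All rows below are constructed sample data.
let WinLogons = datatable(TimeGenerated:datetime, EventID:int, Account:string, Computer:string)
[
    datetime(2024-01-10 08:00:00), 4624, @"CONTOSO\alice",   "SQL10.na.contosohotels.com",
    datetime(2024-01-10 08:05:00), 4624, @"CONTOSO\svc_sql", "SQL10.na.contosohotels.com",
    datetime(2024-01-10 08:06:00), 4625, @"CONTOSO\bob",     "WEB01.na.contosohotels.com",
    datetime(2024-01-10 08:07:00), 4672, @"CONTOSO\alice",   "SQL10.na.contosohotels.com"
];
// Constructed cloud sign-in lines in the key=value style that parse handles.
let CloudLogons = datatable(TimeGenerated:datetime, RawText:string)
[
    datetime(2024-01-10 08:02:00), "SignIn: user=alice@contoso.com, result=Success, method=MFA",
    datetime(2024-01-10 08:03:00), "SignIn: user=bob@contoso.com, result=Failure, method=Password"
];
// On-prem side: keep successful logons and pull the bare user name out of DOMAIN\user
// with the same extract() pattern the slides use for event 4672.
let OnPrem = WinLogons
    | where EventID == 4624                       // int column, so no quotes
    | extend Account_Name = extract(@"^(.*\\)?([^@]*)(@.*)?$", 2, tolower(Account))
    | project TimeGenerated, Account_Name, Source = "SecurityEvent", Outcome = "Success";
// Cloud side: parse declares the output columns inline; Method takes the rest of the line.
let Cloud = CloudLogons
    | parse RawText with * "user=" User "@" * "result=" Outcome ", method=" Method
    | project TimeGenerated, Account_Name = tolower(User), Source = "SigninLogs", Outcome;
// Merge the two normalised streams and count per account and outcome.
// Expected rows: alice/Success 2 (both sources), svc_sql/Success 1, bob/Failure 1.
OnPrem
| union Cloud
| summarize Logons = count(), Sources = make_set(Source) by Account_Name, Outcome
| order by Logons desc
```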
SigninLogs
| extend AuthDetails = parse_json(AuthenticationDetails)          // string column -> dynamic (JSON array)
| extend AuthMethod = AuthDetails[0].authenticationMethod          // first element, property access
| extend AuthResult = AuthDetails[0]["authenticationStepResultDetail"]   // same element, indexer access (no dot before the bracket)
| project AuthMethod, AuthResult, AuthDetails
@"https://storageaccount.blob.core.windows.net/storagecontainer/users.txt"
h@"?...SAS..." // Secret token needed to access the blob
]))
| ...
PrivLogins
Learning Path Recap
In this learning path, we covered: