Azure KQL
INTRODUCTION
Kusto Query Language (KQL) is used to query the log data collected from services running in Azure. A KQL query is a read-only request that processes data and returns results; it never modifies the underlying data. Knowing how to use Kusto is important for retrieving, consolidating, and analyzing data in Azure. Below you will find a quick guide on how to execute a KQL statement. Here are some commonly used query examples for reference.
A couple of things:
- A KQL query consists of a sequence of query statements, delimited by semicolons. At least one statement must be a tabular expression statement. A tabular expression statement produces data arranged as a table of columns and rows.
- KQL is case-sensitive. This applies to table names, column names, and operators alike.
OVERVIEW
- Go to Azure Portal. Authenticate.
- Go to your Log Analytics Workspace.
- Select Logs under General.
- Run the following command to check for computers with unhealthy latency (or, go here and choose another query you'd like to run):

    NetworkMonitoring
    | where LatencyHealthState <> "Healthy"
    | where Computer != ""
    | distinct Computer

- If successful, you will see Completed under Results.
Conclusion
From here, you can do a number of other things, such as add a new alert rule based on the query or export the query results to a .csv file. You can even modify your query to render a bar chart or graph from its output. If your company has a multi-cloud environment and you are using Azure Sentinel to tie these environments together, KQL is a need-to-know. With a strong KQL foundation in a multi-cloud environment you will have the ability to query logs from a different cloud without leaving the Azure console (e.g., query AWS CloudWatch logs). So, as you can see, understanding how to use KQL is essential when it comes to navigating data in Azure, and even more so if you have a multi-cloud environment with an Azure Sentinel setup.
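As an added example (not from the original post), the query above extended into a multi-statement KQL query of the kind the introduction describes: a `let` statement and a tabular expression statement separated by a semicolon, aggregating unhealthy latency checks per computer and rendering them as a bar chart. It assumes the same NetworkMonitoring table and columns used in the original query, plus the standard TimeGenerated column present in Log Analytics tables.

```kql
// Added example; not part of the original post.
// Statement 1: a let statement, terminated by a semicolon. Table, column and
// operator names are case-sensitive, so "Where" or "networkmonitoring" would fail.
let lookback = 1h;
// Statement 2: the tabular expression statement that produces the result table.
NetworkMonitoring
| where TimeGenerated > ago(lookback)           // only checks from the last hour
| where LatencyHealthState <> "Healthy"         // same health filter as the original query
| where isnotempty(Computer)                    // equivalent to Computer != "" but also drops nulls
| summarize UnhealthyChecks = count() by Computer
| order by UnhealthyChecks desc
| render barchart                               // visualize per-computer counts instead of a distinct list
```

Removing the final `render` line leaves a plain table that can be used as the basis for an alert rule on the UnhealthyChecks count.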
Tip: if you are looking for an AV endpoint solution, Sophos integrates well with Azure Sentinel queries.