In recent years Kusto Query Language (KQL) has gotten a more and ever increasing place in the cyber security world. The language offers a powerful arsenal of functions and capabilities that can be leveraged for SOC operations, incident investigation, threat hunting, and detection engineering. In this blog, we explore several KQL functions. We will uncover how security teams can use KQL to get insight into new query possibilities. Whether you use KQL in 365 Defender, Sentinel or Azure Data Explorer, all the functions can be used in all of the places regardless of where your logs are stored.

This blog is dedicated to providing some of the KQL security sources that I use regularly. Those sources can be really helpful to learn KQL, but also to improve your detection coverage in Defender For Endpoint (Advanced Hunting) or Sentinel (Analytics Rules)! Most of you know that I have my Github repository where I share KQL queries, even though I share some queries I also leverage a lot of other great community sources!