KQL query environments
Now that you're aware of KQL, let's look at the different query environments where you can use KQL in Microsoft products.
The environments we describe in this unit are Azure Data Explorer, Real-Time Intelligence in Microsoft Fabric, Azure Monitor, Microsoft Sentinel, Azure Resource Graph, Microsoft Defender XDR, and Configuration Manager.
Azure Data Explorer
Azure Data Explorer is a fully managed, high-performance, big-data analytics platform that makes it easy to analyze high volumes of data in near real time. The Azure Data Explorer toolbox gives you an end-to-end solution for data ingestion, query, visualization, and management.
Azure Data Explorer makes it simple to extract key insights, spot patterns and trends, and create forecasting models. It uses Machine Learning and analyzes structured, semistructured, and unstructured data across time series. Azure Data Explorer is scalable, secure, robust, and enterprise-ready, and is useful for log analytics, time-series analytics, IoT, and general-purpose exploratory analytics.
KQL was developed for Azure Data Explorer and can be used in various environments, including the web UI, Kusto CLI, and the Kusto.Explorer desktop app. You can find the full query language documentation set at KQL overview.
For more product information, see What is Azure Data Explorer?
Real-Time Intelligence in Microsoft Fabric
Microsoft Fabric is an all-in-one analytics solution for enterprises that covers everything from data movement to data science, near-real-time analytics, and business intelligence. It offers a comprehensive suite of services, including a data lake, data engineering, and data integration, all in one place. Real-Time Intelligence is a fully managed big-data analytics platform optimized for streaming and time-series data. Real-Time Intelligence contains what we can think of as the SaaS version of Azure Data Explorer. Specifically, you can use KQL in KQL Queryset to run queries, view, and customize query results on data from a KQL database. You can also save queries for later use, or share with others to collaborate on data exploration.
For more information, see Query data in a KQL Queryset.
For more product information, see What is Real-Time Intelligence in Fabric?
Azure Monitor
Azure Monitor collects, analyzes, and responds to telemetry from your Azure, multicloud, and on-premises environments to help maximize the availability and performance of your applications and services. Azure Monitor correlates data from multiple sources, including metrics, logs, traces, and changes, and provides a set of tools for analyzing, visualizing, and responding to the data. These tools include insights, alerts, autoscale, and automated artificial intelligence for IT operations (AIOps) capabilities.
The Log Analytics tool in the Azure portal lets you edit and run log queries against data in the Azure Monitor Logs store.
Azure Monitor uses the same KQL as Azure Data Explorer, with some minor differences. For reference, see Language differences.
For more product information, see Azure Monitor overview.
Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native solution that provides security information and event management (SIEM), as well as security orchestration, automation, and response (SOAR). Many features in Microsoft Sentinel use KQL. Proficiency with KQL is valuable when using Microsoft Sentinel's hunting search-and-query tools to proactively and reactively hunt for security threats across your organization's data sources. For more information, see Threat hunting in Microsoft Sentinel.
But that's just a start. Microsoft Sentinel uses KQL for alerts, workbook visualizations, parsers, and transforming data. Because Microsoft Sentinel is built on top of the Azure Monitor service and uses Azure Monitor's Log Analytics workspaces to store all of its data, Microsoft Sentinel also provides a Logs view for direct table queries to find connections in the data.
For more product information, see What is Microsoft Sentinel?
Azure Resource Graph
Azure Resource Graph is an Azure service designed to extend Azure Resource Management. It allows you to effectively govern your environment by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions. With Azure Resource Graph, you can access the properties resource providers return without needing to make individual calls to each resource provider.
Azure Resource Graph supports a subset of KQL data types, scalar functions, scalar operators, and aggregation functions. Resource Graph supports specific tabular operators, some of which have different behaviors. We summarize this behavior in Supported KQL language elements.
For more product information, see What is Azure Resource Graph?
Microsoft Defender XDR
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that provides integrated protection against sophisticated attacks. It natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Your security operations team receives an alert within the Microsoft Defender portal whenever a malicious or suspicious activity or artifact is detected. However, it's not enough to respond to attacks as they occur. For extended, multiphase attacks such as ransomware, you must proactively search for the evidence of an attack in progress and take action to stop it before it completes.
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. For more information, see Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.
For more product information, see What is Microsoft Defender XDR?
Configuration Manager
Configuration Manager is part of the Microsoft Intune family of products, which provides a large centralized store of device data that customers use for reporting purposes. CMPivot is an in-console utility that provides access to real-time state of devices in your environment.
CMPivot uses a subset of the KQL to search terms, identify trends, analyze patterns, and provide many other data-driven insights. For more information, see CMPivot queries.
For more product information, see What is Configuration Manager?