Useful resources for working with Kusto Query Language in Microsoft Sentinel

Microsoft Sentinel uses Azure Monitor's Log Analytics environment and the Kusto Query Language (KQL) to build the queries that undergird much of its functionality, from analytics rules to workbooks to hunting. This article lists resources that can help you skill-up in working with Kusto Query Language, giving you more tools to work with Microsoft Sentinel, whether as a security engineer or analyst.

Microsoft technical resources

Microsoft Sentinel documentation

• Kusto Query Language in Microsoft Sentinel

Kusto documentation

• Kusto Query Language learning resources
• Tutorial: Learn common operators
• Tutorial: Use aggregation functions
• Tutorial: Join data from multiple tables
• Get started with KQL queries (Azure Monitor documentation)
• Best practices for Kusto Query Language queries

Reference guides

• KQL quick reference guide
• SQL to Kusto cheat sheet
• Splunk to Kusto Query Language map

Microsoft Sentinel Learn modules

• Write your first query with Kusto Query Language
• Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Other resources

Microsoft TechCommunity blogs

• Advanced KQL Framework Workbook - Empowering you to become KQL-savvy (includes webinar)
• Using KQL functions to speed up analysis in Azure Sentinel (advanced level)
• Ofer Shezaf's blog series on correlation rules using KQL operators:
  • Azure Sentinel correlation rules: Active Lists out, make_list() in: the AAD/AWS correlation example
  • Azure Sentinel correlation rules: the join KQL operator
  • Implementing Lookups in Azure Sentinel
  • Approximate, partial, and combined lookups in Azure Sentinel

Training and skilling resources

• Rod Trent's Must Learn KQL series
• Pluralsight training: Kusto Query Language from Scratch
• Log Analytics demo environment

Next steps

Get certified!

Read customer use case stories