Useful resources for working with Kusto Query Language in Microsoft Sentinel

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

Microsoft Sentinel uses Azure Monitor's Log Analytics environment and the Kusto Query Language (KQL) to build the queries that undergird much of Sentinel's functionality, from analytics rules to workbooks to hunting. This article lists resources that can help you skill up in working with Kusto Query Language, which will give you more tools to work with Microsoft Sentinel, whether as a security engineer or analyst.

Microsoft Docs and Learn

Microsoft Sentinel documentation

• Kusto Query Language in Microsoft Sentinel

Azure Monitor documentation

• Tutorial: Use Kusto queries
• Get started with KQL queries
• Query best practices

Reference guides

• KQL quick reference guide
• SQL to Kusto cheat sheet
• Splunk to Kusto Query Language map

Microsoft Sentinel Learn modules

• Write your first query with Kusto Query Language
• Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Other resources

Microsoft TechCommunity blogs

• Advanced KQL Framework Workbook - Empowering you to become KQL-savvy (includes webinar)
• Using KQL functions to speed up analysis in Azure Sentinel (advanced level)
• Ofer Shezaf's blog series on correlation rules using KQL operators:
  • Azure Sentinel correlation rules: Active Lists out, make_list() in: the AAD/AWS correlation example
  • Azure Sentinel correlation rules: the join KQL operator
  • Implementing Lookups in Azure Sentinel
  • Approximate, partial and combined lookups in Azure Sentinel

Training and skilling resources

• Rod Trent's Must Learn KQL series
• Pluralsight training: Kusto Query Language from Scratch
• Log Analytics demo environment

Next steps

Get certified!

Read customer use case stories