Summary

Welcome to the Intro to KQL workbook. This workbook has been developed to help new and existing users learn and grow in the Kusto Query Language (KQL). The goal of this workbook is to introduce the most commonly used KQL operators that are relevant to Microsoft Sentinel. By the end of the workbook, your knowledge will be at a 200 level.

This workbook will be a living resource in that it will continue to be improved over time based on feedback, requests, and newly introduced scenarios. The version of this workbook is currently V1.1.

Structure

This workbook is comprised of multiple tabs. Each tab contains several key items:

  • Operator: choose an operator to study.
  • Exercise: choose an exercise to practice.
  • Data type: corresponds to the data table that is being used in the exercise.
  • Answer: decide whether you would like to see the answer.
  • Summary: details about the operator that has been selected.
  • Example: samples of what a real query looks like with the selected operator.
  • When to use: advice around when the selected operator is used with Microsoft Sentinel.

Exercise Space

The exercise area is made up of 6 main items:

  • Question: selected exercise to perform.
  • Answer space: location where you will enter your answer.
  • Expected answer: the expected answer that you are attempting to achieve.
  • Your answer: the results from the query you have written.
  • Answer Checker: indicates whether the answer you have entered is correct.

Workflow

  1. Select a tab to navigate.
  2. Choose an operator to practice.
  3. Select an exercise to attempt.
  4. Enter your answer and confirm whether it is correct. If not, consult the documentation and content until it is.
  5. Move on to another operator or attempt other exercises for that operator.

KQL Public Documentation: https://docs.microsoft.com/azure/data-explorer/kusto/query/

Pluralsight KQL Course: https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch

KQL CheatSheet: https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-kql-cheat-sheets/ba-p/1057404

Log Analytics Demo Environment: https://aka.ms/lademo

Microsoft Sentinel Compiled Level 400 Training: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310