# KQL (Kusto Query Language) Codex

Query library for Microsoft Sentinel. Organized by use case, scalable as proficiency grows.

## Quick Reference

```kql
// Basic structure
TableName
| where TimeGenerated > ago(24h)
| where Column == "value"
| summarize count() by Column
| sort by count_ desc
| take 10
```
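A worked instance of that pipeline, added here as an illustration rather than a query from the codex itself: it applies the same filter / summarize / sort / take shape to the standard Sentinel `SigninLogs` table to surface accounts with a burst of failed sign-ins. The threshold of 10 failures and the 24-hour window are assumptions to tune per environment.

```kql
// Accounts with the most failed sign-ins in the last 24 hours.
// Assumes the standard Sentinel SigninLogs schema: ResultType is a string,
// "0" means success and any other value is an Entra ID error code.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize FailedCount = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            DistinctIPs = dcount(IPAddress),
            ErrorCodes  = make_set(ResultType)
    by UserPrincipalName
| where FailedCount >= 10          // assumed threshold; tune per tenant
| sort by FailedCount desc
| take 10
```

Reading the output: a high `FailedCount` from many `DistinctIPs` points toward password spraying against one account, while a single IP with a single error code is more often a stale credential on a device. The `ErrorCodes` set (for example many 50126 "invalid credentials" entries) lets an analyst distinguish the two without re-running the query.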
## Sections

- Fundamentals — operators, filters, aggregation, joins
- Authentication — sign-in logs, MFA, failed logins, conditional access
- Email Security — phishing, BEC, Abnormal Security correlation
- Endpoint — Defender XDR, process execution, lateral movement
- Network — firewall logs, DNS, flow data, ISE syslog
- Identity — AD changes, privilege escalation, account lockouts
- Threat Hunting — IOC sweeps, anomaly detection, MITRE ATT&CK mapping
- Incident Response — triage queries, timeline reconstruction, blast radius
- Custom Tables — Monad ETL log sources, custom connectors
- Workbooks & Analytics — dashboard queries, scheduled rules, alerts
## Common Tables

| Table | Content |
|---|---|
| `SigninLogs` | Azure AD / Entra sign-in events |
| `SecurityEvent` | Windows security events (Event IDs) |
| `SecurityAlert` | Alerts from all security products |
| `SecurityIncident` | Sentinel incidents |
| `EmailEvents` | Email delivery, phishing, spam |
| `DeviceProcessEvents` | Endpoint process execution (Defender) |
| `DeviceNetworkEvents` | Endpoint network connections |
| `CommonSecurityLog` | CEF syslog (firewalls, ISE, proxies) |
| `Syslog` | Linux syslog, network devices |
| `AzureActivity` | Azure management plane activity |
| `OfficeActivity` | M365 activity (SharePoint, OneDrive, Teams) |
| `ThreatIntelligenceIndicator` | IOCs from threat feeds |
| `*_CL` | Custom log tables (Monad ETL output) |