09 February 2025

🏭🗒️Microsoft Fabric: Kusto Query Language (KQL) [Notes]

Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)! 

Last updated: 9-Feb-2025

[Microsoft Fabric] Kusto Query Language (KQL)

  • {def} a read-only request to process data and return results [1]
    • designed for data exploration and summarization [1]
      • similar in spirit to SQL (tables, filters, aggregations, joins), but written as a left-to-right pipeline instead of nested clauses
        • prefixing a T-SQL query with the explain keyword returns the equivalent KQL
          • ⇐ not all SQL syntax can be translated
    • a query is a pipeline: the source table feeds the first operator, whose output feeds the next, in the order written
      • funnel-like processing: at each step the data is filtered, rearranged or summarized and then handed to the following operator
        • operators are chained with the pipe character (|)
        • statements (let, set and the final tabular expression) are separated by semicolons (;)
    • returns data in a tabular or graph format
    • designed and developed to take advantage of cloud computing through clustering and scaling compute [2]
      • ideal engine to power fast, real-time dashboards
    • case-sensitive in general (table names, column names, operators and function names); a few string operators have case-insensitive forms (e.g. =~, has)
    • named after the undersea pioneer Jacques Cousteau [2]
    • operation sequence
      • filter data
      • aggregate data
      • order data
      • modify column output
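The four-step sequence above worked as one KQL pipeline. This is an added example, not from the notes or the cited sources; the SignIns table and its rows are constructed inline with datatable() so the query runs on any KQL endpoint (a Fabric KQL database, Azure Data Explorer or the Sentinel Logs blade) without real data. The shape is the classic password-spray hunt: one source address failing against many distinct accounts.

```kusto
// Constructed sample sign-in events (not real data); datatable() builds an inline table
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    datetime(2025-02-09 08:00:00), "alice@contoso.com", "203.0.113.10", "0",
    datetime(2025-02-09 08:00:05), "alice@contoso.com", "203.0.113.10", "50126",
    datetime(2025-02-09 08:00:07), "bob@contoso.com",   "198.51.100.7", "50126",
    datetime(2025-02-09 08:00:09), "carol@contoso.com", "198.51.100.7", "50126",
    datetime(2025-02-09 08:00:11), "dave@contoso.com",  "198.51.100.7", "50126",
    datetime(2025-02-09 08:00:13), "erin@contoso.com",  "198.51.100.7", "50126",
    datetime(2025-02-09 09:30:00), "bob@contoso.com",   "198.51.100.7", "0"
];
SignIns
// 1. filter: restrict the time window first (the cheapest step, it shrinks everything downstream),
//    then keep only failures; ResultType "0" is a successful sign-in
| where TimeGenerated between (datetime(2025-02-09) .. datetime(2025-02-10))
| where ResultType != "0"
// 2. aggregate: collapse to one row per source address
| summarize Failures         = count(),
            TargetedAccounts = dcount(UserPrincipalName),
            Accounts         = make_set(UserPrincipalName),
            FirstSeen        = min(TimeGenerated),
            LastSeen         = max(TimeGenerated)
          by IPAddress
// 3. order: the address hitting the most distinct accounts comes first
| order by TargetedAccounts desc, Failures desc
// 4. modify column output: rename, derive a duration (datetime - datetime = timespan), drop the rest
| project SourceIP = IPAddress, TargetedAccounts, Failures, Window = LastSeen - FirstSeen, Accounts
```

On the constructed rows the first result row is 198.51.100.7 with four accounts targeted in a six-second window; 203.0.113.10 (a single user mistyping a password) sorts below it. Swapping the order of the where and summarize steps would still be valid KQL but would aggregate every row before discarding most of them, which is why filtering comes first.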
  • supports standard data types 
    • string
      • a sequence of zero or more Unicode characters, encoded as UTF-8
    • int 
      • signed 32-bit integer
    • long
      • signed 64-bit whole-number integer
    • real (aka double)
      • 64-bit binary floating-point number (IEEE 754 double)
      • fast, but cannot represent most decimal fractions exactly (0.1 + 0.2 ≠ 0.3)
    • decimal
      • a 128-bit wide decimal number
      • provides the highest precision for decimal fractions, at a higher computational cost
      • {recommendation} if that precision is not needed, use the real type instead [2]
    • bool 
      • true, false or null; numeric values convert with 0 → false and non-zero → true
    • datetime 
      • represents an instant in time (date and time of day), always in UTC
    • timespan 
      • represents a time interval
        • literal units: days (d), hours (h), minutes (m), seconds (s), milliseconds (ms), microseconds, ticks (1 tick = 100 ns)
      • if no unit is specified, the value is interpreted as days
      • the difference of two datetime values is a timespan
    • dynamic
      • a special data type that can take 
        • any value from the other data types
        • arrays
        • a property bag of {name: value} pairs (a JSON object)
      • values must be cast (tostring(), tolong(), tobool(), …) before being compared or aggregated as their target type
    • guid
      • a 128-bit globally unique value
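The data types above exercised in one query, as an added example (not from the notes or the cited sources). The single event row and its JSON payload are constructed; the points it shows are that a dynamic value has to be cast before it behaves as its target type, how datetime and timespan interact, and that real arithmetic is not exact where decimal is.

```kusto
// Constructed event whose payload arrived as a JSON string (not real data)
let Events = datatable(EventTime:datetime, Payload:string)
[
    datetime(2025-02-09T10:15:30Z),
    '{"user":"alice@contoso.com","srcIp":"203.0.113.10","bytes":"1048576","mfa":true,"roles":["reader","admin"]}'
];
Events
| extend p = parse_json(Payload)                     // string -> dynamic (property bag)
| extend User      = tostring(p.user),               // dynamic -> string
         Bytes     = tolong(p["bytes"]),             // a number that arrived as a JSON string -> long
         Mfa       = tobool(p.mfa),                  // dynamic -> bool
         Roles     = p.roles,                        // stays dynamic (an array)
         IsAdmin   = set_has_element(p.roles, "admin"),
         FirstRole = tostring(p.roles[0]),
         BytesType = gettype(p.bytes),               // type of the raw field: string, until it is cast
         RolesType = gettype(p.roles)                // type of the raw field: array
// datetime and timespan
| extend HourBucket    = bin(EventTime, 1h),                  // 1h is a timespan literal
         SinceMidnight = EventTime - datetime(2025-02-09)     // datetime - datetime = timespan
// real vs decimal: 0.1 has no exact binary representation, so the real sum is 0.30000000000000004
// and the comparison fails; decimal arithmetic keeps the decimal digits exactly
| extend RealEqual    = real(0.1) + real(0.2) == real(0.3),
         DecimalEqual = decimal(0.1) + decimal(0.2) == decimal(0.3)
| extend CorrelationId = new_guid()                  // guid: 128-bit unique value
| project EventTime, User, Bytes, Mfa, IsAdmin, FirstRole, BytesType, RolesType,
          HourBucket, SinceMidnight, RealEqual, DecimalEqual, CorrelationId
```

Comparing p.user directly with a string literal also works, because KQL coerces the dynamic side, but summarize and join behave predictably only on typed columns, so the casts belong right after parse_json(). The real-versus-decimal pair is the practical reading of the recommendation above: use real for counts, rates and byte volumes, and reserve decimal for values where the decimal digits themselves matter.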
  • statement types
    • tabular expression statement
      • the query body proper: a table (or other tabular source) followed by piped operators
      • exactly one per query, and it must be the last statement
    • let statement
      • binds a name to an expression
        • a scalar value (constant)
        • a tabular expression (a view)
        • a lambda function with typed parameters
      • ⇐ used mostly to 
        • break complex expressions into multiple parts, each represented by a variable
        • set constants outside the query body to aid readability
    • set statement
      • sets a request property that holds for the duration of the query (e.g. set notruncation;)
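The three statement types above together in one query, as an added example (not from the notes or the cited sources). The NetEvents table and its rows are constructed; the let names (lookbackStart, minBytesOut, isExternal, ExternalEgress) are this example's own. The set statement comes first, the let statements bind a constant, a function and a view, and the single tabular expression closes the query.

```kusto
// set: a request property that applies to this query only (here: do not truncate a large result set)
set notruncation;
// let (scalar constants): thresholds kept in one place instead of being repeated in the body
let lookbackStart = datetime(2025-02-09);
let lookbackEnd   = datetime(2025-02-10);
let minBytesOut   = 100000000;                        // long literal, 100 MB
// let (lambda function): typed parameter, bool result; ipv4_is_private() covers the RFC 1918 ranges
let isExternal = (ip:string) { not(ipv4_is_private(ip)) };
// Constructed outbound-connection events (not real data)
let NetEvents = datatable(TimeGenerated:datetime, Host:string, DestIp:string, DestPort:int, BytesOut:long)
[
    datetime(2025-02-09 02:10:00), "ws-01",  "10.0.0.5",       445,  5000000,
    datetime(2025-02-09 02:12:00), "ws-01",  "203.0.113.77",   443,  120000000,
    datetime(2025-02-09 02:15:00), "ws-02",  "192.168.1.20",   3389, 900000000,
    datetime(2025-02-09 03:01:00), "srv-db", "198.51.100.200", 22,   150000000
];
// let (view): a named tabular expression; materialize() evaluates it once even though it is
// referenced twice below
let ExternalEgress = materialize(
    NetEvents
    | where TimeGenerated between (lookbackStart .. lookbackEnd)
    | where isExternal(DestIp)
);
// tabular expression statement: the one and only query body, last in the script
ExternalEgress
| summarize TotalBytesOut = sum(BytesOut), Destinations = make_set(DestIp) by Host
| where TotalBytesOut > minBytesOut
| join kind=inner (ExternalEgress | summarize Connections = count() by Host) on Host
| project Host, Connections, TotalBytesOut, Destinations
```

The large transfer from ws-02 never reaches the output because its destination is a private address and isExternal() removes it inside the view; changing the threshold or the time window means editing one let line rather than hunting through the body. The set statement is worth knowing in a SOC context because the default result truncation silently drops rows from a hunt that returns more than the service limit.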
  • {tool} Microsoft Sentinel 
    • {def} a cloud native SIEM and SOAR that provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise [3]
  • {tool} Kusto Explorer
    • {def} user-friendly interface to query and analyze data with KQL [4]
  • {tool} Azure Data Studio 
    • {def} lightweight, cross-platform data management and development tool for data professionals [5]

References:
[1] Microsoft (2024) Real-time Analytics: End-to-End Workshop
[2] Mark Morowczynski et al. (2024) The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting
[3] Microsoft Learn (2024) Azure: What is Microsoft Sentinel
[4] Microsoft Learn (2024) Kusto: Kusto.Explorer installation and user interface
[5] Microsoft Learn (2024) SQL: What is Azure Data Studio?

Acronyms:
KQL - Kusto Query Language
SIEM - security information and event management
SOAR - security orchestration, automation, and response
SQL - Structured Query Language
UTC - Coordinated Universal Time
