Kusto Query language 101

  • Kusto Fundamentals: provides some key information about this query language
  • Searching and Presentation: provides queries to search for data and to present data in a structured way so that an analyst can derive information easily.
  • Analytics and Charting: introduces the power of creating analytics, summarizing events, and visualizing data.

Kusto Fundamentals

Kusto query language is organized in a SQL-alike hierarchy including databases, tables, and columns, which makes its syntax also a bit SQL-query alike.

StormEvents --> table name "StormEvent", Start of Statement 1
--> subsequence processing after pipe
| where StartTime > datetime(2007-01-14 00:11:00)
; --> end of statement 1
StormEvents --> start of statement 2
| where EndTime < datetime(2007-01-14 8:30:00)
source: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/logicaloperators

Search and Presentation

source: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator?pivots=azuredataexplorer
StormEvents| where StartTime > ago(24h)
StormEvents| distinct EventType,State --> deduplicate returned values based on EventType and State columns

Analytics and Charting


The article has provided some common operators that a security analyst could apply to enhance his investigation. However, the sections above don’t mean to be an exhausting list, but its main goal is to lay a foundation to start with. It is highly recommended to check the official documentation page if you need to understand an operator or look for a new operator that can processing data as your need.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tho Le

Tho Le


Senior Cyber Security Analyst — For the secure world