Автор: Mark Morowczynski, Rod Trent, Matthew Zorich
Издательство: Microsoft Press/Pearson Education
Год: 2024
Страниц: 478
Язык: английский
Формат: pdf (true)
Размер: 19.1 MB
Turn the avalanche of raw data from Azure Data Explorer, Azure Monitor, Microsoft Sentinel, and other Microsoft data platforms into actionable intelligence with KQL (Kusto Query Language). Experts in information security and analysis guide you through what it takes to automate your approach to risk assessment and remediation, speeding up detection time while reducing manual work using KQL. This accessible and practical guidedesigned for a broad range of people with varying experience in KQLwill quickly make KQL second nature for information security.
KQL is a powerful query language that helps analyze a large volume of structured, semi structured, and unstructured data. KQL has inbuilt operators and functions that lets a user analyze data to find trends, patterns, anomalies, create forecasting, and machine learning. KQL underpins a variety of Microsoft cloud products - Microsoft Sentinel, Azure Data Explorer, Microsoft 365 Advanced Hunting, Azure Resource Graph, Azure Monitor and more. KQL has similarities with SQL language as well. KQL allows to write data queries and control commands for the database and the database tables.
One solution is KQL—Kusto Query Language—a powerful and expressive language that enables the querying and manipulation of large volumes of data in Azure Data Explorer, Azure Monitor, Azure Sentinel, and other Microsoft data platforms. KQL can help perform complex queries, apply advanced functions, and leverage operators to transform data into meaningful information. KQL can also help visualize data, create dashboards, and automate workflows.
Where KQL Is Used? KQL is used everywhere in Azure! More than 150 services—including applications, IaaS workloads, infrastructure, and the Azure platform itself—can send their data to Azure Monitor. And we can query all of it with KQL. You can even add custom log sources from other clouds or on-premises.
KQL is critical for a modern cybersecurity team. It allows defenders to detect and respond to threats, anomalies, and incidents in near real-time. Whether a beginner or an expert, this book will teach everything readers need to know about KQL, including the fundamentals of the language, such as its syntax, functions, and operators. Readers will also learn how to write e ficient and e ecti e ueries and manipulate and trans orm data.
In the later chapters, this book covers common security investigations using KQL and recommendations on leveraging KQL queries before these incidents occur. Readers will see these queries are just the beginning of what is possible with KQL. In the concluding chapter, the authors offer perspective on contributing their own KQL queries to the community, supporting the “team sport” of security.
Solve real problems with Kusto Query Language and build your competitive advantage:
• Learn the fundamentals of KQLwhat it is and where it is used
• Examine the anatomy of a KQL query
• Understand why data summation and aggregation is important
• See examples of data summation, including count, countif, and dcount
• Learn the benefits of moving from raw data ingestion to a more automated approach for security operations
• Unlock how to write efficient and effective queries
• Work with advanced KQL operators, advanced data strings, and multivalued strings
• Explore KQL for day-to-day admin tasks, performance, and troubleshooting
• Use KQL across Azure, including app services and function apps
• Delve into defending and threat hunting using KQL
• Recognize indicators of compromise and anomaly detection
• Learn to access and contribute to hunting queries via GitHub and workbooks via Microsoft Entra ID
Скачать The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting