Title: The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting (Early Release)
Authors: Mark Morowczynski, Rod Trent, Matthew Zorich
Publisher: Microsoft Press/Pearson Education
Year: 2024
Pages: 496
Language: English
Format: epub
Size: 58.4 MB
KQL is a powerful query language for analyzing large volumes of structured, semi-structured, and unstructured data. Its built-in operators and functions let a user analyze data to find trends, patterns, and anomalies, build forecasts, and apply machine learning. KQL underpins a variety of Microsoft cloud products, including Microsoft Sentinel, Azure Data Explorer, Microsoft 365 Advanced Hunting, Azure Resource Graph, and Azure Monitor. KQL also has similarities with SQL. It allows you to write both data queries and control commands for the database and its tables.
The modern IT professional must learn various technologies; if you don't learn them, you will limit your career. You will forever rely on someone else with that skill or, even worse, be left behind. The Kusto Query Language, or KQL, is one of those foundational technologies for IT professionals, security team members, and really anyone who is leveraging the Microsoft Azure platform. If you want to turn data into insights and action, you'll need to use KQL. What do we mean by that? Your Azure resources generate a tremendous amount of data. Your users and applications log into Microsoft Entra ID (formerly Azure Active Directory) around the clock. You might also be running an application on Azure App Service protected by Azure Front Door while hosting a fleet of Windows Servers in Azure IaaS (Infrastructure as a Service).
Where Is KQL Used? KQL is used everywhere in Azure! More than 150 services, including applications, IaaS workloads, infrastructure, and the Azure platform itself, can send their data to Azure Monitor, and all of it can be queried with KQL. You can even add custom log sources from other clouds or on-premises. We will highlight the following types of Azure data sources throughout this book:
A world of data is waiting to be investigated, and more data sources are being added daily! KQL will help you answer questions like those in our example above and explore the depths of your data. KQL is also the foundational language for Microsoft Sentinel, a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. You'll be able to create interactive workbooks and correlate alerts to incidents. Though this book doesn't focus on Sentinel specifically, in Chapter 5, "Security and Threat Hunting," we'll show some of the most useful queries for common security scenarios.
Chapter 1: Introduction and Fundamentals
Chapter 2: Data Aggregation
Chapter 3: Unlocking Insights with Advanced KQL Operators
Chapter 4: Operational Excellence with KQL
Chapter 5: KQL for Cybersecurity: Defending and Threat Hunting
Chapter 6: Advanced KQL Cybersecurity Use Cases and Operators