You can use `explain` to translate #SQL to #KQL #Kusto.
SQL forever! :)
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/sqlcheatsheet
KQL-MISP
"This folder is a KQL MISP implementation. The goal of this folder is to share queries which implement MISP feeds which can be used for detection, threat hunting or enrichment of incidents. No additional infrastructure or sources are needed besides an environment in which you can run KQL. This implementation can be used in Sentinel, Defender For Endpoint and other Log Analytics sources that fit your needs."
🔗 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/MISP
Ok, it looks like we finally narrowed it down. The actual query was as such:
let m = dynamic(["malapp1","malapp2"]);
OfficeActivity
| where Operation == "FileMalwareDetected"
and SourceFileName in (m)
This would fail every time as "m is not a known table, variable, or function"
BUT
if I switched it to
| where SourceFileName in (m) and Operation == "FileMalwareDetected"
then the query works fine. We spent hours troubleshooting this. At least it wasn't a semicolon.
I need some help from anyone using #MSSentinel or #KQL or #KustoQueryLanguage
In Sentinel, I'm creating the below query, but being told the variable I'm assigning isn't the name of a known function, table, or variable. I don't need insight on a different way to write the statement, just to understand why it won't work.
`let names = dynamic(["Admin1","Admin2"]);
AuditLogs
| where Principal in (names)`
The same query works in LogAnalytics without issue. I'm losing my mind.
#mssentinel #kql #kustoquerylanguage
#Article: #microsoftazure feature and updates announcements (January 2023) #features #security #secops #vm #networking #itops #iaas #paas #kql #siterecovery #cosmosdb https://tinyurl.com/mry3sup5
#article #microsoftazure #features #security #secops #vm #networking #itops #iaas #paas #kql #siterecovery #cosmosdb
The latest A Daily Dose of PowerShell! https://paper.li/doctordns/1580827252?edition_id=367d0570-95ac-11ed-98b5-fa163eed9ef2 Thanks to @OverSecurity@twitter.com @tdlogger@twitter.com @kfalconspb@twitter.com #infosec #kql
RT @maarten_goet@twitter.com
I am truly amazed by #ChatGPT. Here's an example of #MicrosoftSentinel & #KQL 👇🏻
🐦🔗: https://twitter.com/maarten_goet/status/1600872481698746371
#chatgpt #microsoftsentinel #kql
omg it works! My #kdl #KQL engine works beautifully!
So to summarize:
a > b 👉🏻 any child "b" of node "a"
a >> b 👉🏻 any descendant "b" of node "a"
a + b 👉🏻 any "b" that immediately follows an "a" node under the same parent
a ++ b 👉🏻 any "b" anywhere after "a" under the same parent.
I've also got multiple parallel selectors working (with the `,` operator, just like CSS), and some magic around the toplevel `scope()` selector that lets you do things like `scope() > a` to make sure you're selecting only direct children of the *current* document/node you're querying from.
Whew. It's been a couple of days but this was really fun! 💯 would parse again.
Oh and it has all the nice error reporting you would expect from a tool that uses #miette 😉
#kdl #kql #miette #rust #rustlang
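To make the four combinators summarized above concrete, here is an added toy matcher in Python (not the kdl-rs code; written for this page). It builds a hand-constructed node tree, parses a selector string into names and combinators, and matches right-to-left the way CSS engines do. The `scope()` handling follows the post's description: it matches only the node the query is run from. Node names, the sample document and the `query` function are all assumptions of this example.

```python
"""Toy selector matcher for the KDL query combinators: >, >>, +, ++ and ',' (parallel).
Constructed example; it is not the kdl-rs implementation."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(eq=False)  # identity equality: the same node must not be listed twice
class Node:
    name: str
    value: Optional[str] = None
    children: List["Node"] = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)

    def add(self, *kids: "Node") -> "Node":
        for k in kids:
            k.parent = self
            self.children.append(k)
        return self

    def descendants(self):
        for c in self.children:
            yield c
            yield from c.descendants()

    def label(self) -> str:
        return self.name if self.value is None else f"{self.name} {self.value}"


COMBINATORS = {">", ">>", "+", "++"}


def parse_selector(text: str) -> Tuple[List[str], List[str]]:
    """'a > b ++ c' -> (['a', 'b', 'c'], ['>', '++']); tokens are whitespace-separated."""
    parts, combs = [], []
    expect_part = True
    for tok in text.split():
        if expect_part and tok in COMBINATORS:
            raise ValueError(f"expected a node name, got {tok!r}")
        if not expect_part and tok not in COMBINATORS:
            raise ValueError(f"expected a combinator, got {tok!r}")
        (parts if expect_part else combs).append(tok)
        expect_part = not expect_part
    if expect_part:  # empty selector, or one ending in a dangling combinator
        raise ValueError(f"incomplete selector: {text!r}")
    return parts, combs


def _simple_match(part: str, node: Node, scope: Node) -> bool:
    return node is scope if part == "scope()" else node.name == part


def _preceding_siblings(node: Node) -> List[Node]:
    if node.parent is None:
        return []
    sibs = node.parent.children
    return sibs[: sibs.index(node)]


def _matches(parts, combs, i, node, scope) -> bool:
    """parts[i] must match `node`; parts[:i] must match via combs[i-1] relative to it."""
    if not _simple_match(parts[i], node, scope):
        return False
    if i == 0:
        return True
    comb = combs[i - 1]
    if comb == ">":    # direct child: only the parent may satisfy the left side
        candidates = [node.parent] if node.parent else []
    elif comb == ">>":  # descendant: any ancestor may satisfy the left side
        candidates, p = [], node.parent
        while p is not None:
            candidates.append(p)
            p = p.parent
    elif comb == "+":   # immediately follows: only the previous sibling
        candidates = _preceding_siblings(node)[-1:]
    else:               # "++": anywhere after, same parent: every earlier sibling
        candidates = _preceding_siblings(node)
    return any(_matches(parts, combs, i - 1, c, scope) for c in candidates)


def query(scope: Node, selector: str) -> List[Node]:
    """Run comma-separated selectors against the descendants of `scope`, in document order."""
    results: List[Node] = []
    for sel in selector.split(","):
        parts, combs = parse_selector(sel)
        for n in scope.descendants():
            if _matches(parts, combs, len(parts) - 1, n, scope) and n not in results:
                results.append(n)
    return results


def labels(scope: Node, selector: str) -> List[str]:
    return [n.label() for n in query(scope, selector)]


def demo_document() -> Node:
    # Constructed sample tree, loosely shaped like a KDL config file.
    return Node("package").add(
        Node("name", "kql-demo"),
        Node("dependencies").add(Node("dep", "miette"), Node("dep", "kdl")),
        Node("scripts").add(Node("script", "build"), Node("dep", "tokio")),
    )


if __name__ == "__main__":
    doc = demo_document()
    for sel in ("package > dependencies > dep", "package >> dep", "name + dependencies",
                "name ++ scripts", "scope() > dep", "dependencies > dep, scripts > dep"):
        print(f"{sel!r:40} -> {labels(doc, sel)}")
    print("scope() > dep from scripts ->", labels(doc.children[2], "scope() > dep"))
```

Running `scope() > dep` from the document root returns nothing because the only `dep` nodes are grandchildren, while running it from the `scripts` node returns just `dep tokio`, which is exactly the "direct children of the current node" behaviour the post describes.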
A #KQL implementation built right into kdl-rs is Coming Soon™️ to a crates.io near you!
I spent some time actually _using_ kdl-rs this weekend on a project, and realized the whole experience would be *massively* improved if I actually had access to KQL (and extractors), so I switched gears from a $newproject and went back to this.
It's basically CSS selectors, but for #kdl!
If you do anything in #Azure (or #M365 or elsewhere) with #Kusto Query Language (#KQL) and you like solving puzzles I can thoroughly recommend the Kusto Detective Agency. https://detective.kusto.io/
I solved the 5th case this morning, some great challenges here.
In #Bergpark #Lohberg the spring sun is daring to come out again. That makes a lunch break bearable! @montanimmo @stadt_dinslaken #dinslaken #kreativquartierlohberg #kql #quartiersentwicklung #zeche #industriekultur pic.twitter.com/7MqpnnJIw6 - https://twitter.com/Text_im_Pott/status/1117753668714078208
#bergpark #lohberg #dinslaken #kreativquartierlohberg #kql #quartiersentwicklung #zeche #industriekultur