Get Hands-On KQL Practice with this Microsoft Sentinel Workbook

Thank you to Steve Faehl, Jing Nghik, and Sreedhar_Ande  for co-authoring this solution. Thank you as well to the many Microsoft employees who assisted with testing this workbook and by providing feedback for change.

 

Looking to start the new year with KQL? Looking for a hands-on method to do so? Look no further with this interactive KQL learning workbook in Microsoft Sentinel!

 

The Kusto Query Language (KQL) is the driving language for using Microsoft Sentinel. Though similar to SQL, new users must still learn and practice the language. To assist in accelerating learning the language, an interactive learning workbook has been created. This current version will assist new or existing users gain a 100-200 level understanding of the language while also providing hands-on experience that will assist them with hitting the ground running when executing real world queries. 

 

This workbook is made up of several parts:

• Demo data - Sample data is provided so that users who may not have data in their environments can still use the workbook to learn.
• Documentation - Direct links to guides, official documents, and other documents detailing KQL.
• Tabs - Categorized tabs that group operators together based on action.
• Exercises - Handwritten exercises that are meant to challenge the user and get them to practice the operator that they just learned. For some operators, the complexity goes up when attempting more exercises.
• Query space - Section that allows the user to write KQL that will be run against the demo data. Though the space does not include intellisense, it still simulates what a user would use when performing a query.
• Expected answer - Results that the user should see when they are done running their query.
• Your answer - Results returned from the query that was entered in the query space.
• Checker - Function that checks to make sure that the results expected are the same as the results that the user got.

Workflow:

When a user enters the workbook, they will need to choose a tab that houses the operators that can be practiced. Once a tab is selected, the operators will be listed with the related exercises and content. 

 

 

Once the exercise is selected, the user can reference the documentation or a summary of the operator. The summary includes examples and when to use the operator in a query. 

 

Once a user feels ready to practice the operator, they can go to the query space and attempt the exercise. As the user types, the query will be performed against the data and results will be returned. If the answer is correct, the user can attempt another exercise for the operator (if there is one provided) or they can move onto another operator. If the answer is incorrect, the user can attempt the exercise again or reveal the answer to learn more.

 

This process is repeated throughout the workbook. Once the user completes the workbook, they should have a level 200 understanding of KQL and how to use it in a query. To supplement this workbook, the Advanced KQL Framework workbook is linked as well as the Azure Log Analytics demo workspace. The Advanced KQL workbook will provide users more examples and detailed use cases to continue their learning. The Azure Log Analytics demo workspace will allow users to practice what they have learned on more real data that is similar to what they see in their workspaces.

Note: The Advanced KQL Framework workbook will need to be deployed in the environment for the button to open the tab to work.

 

Deployment:

 

In the event that the workbook is not available yet in the workbooks gallery, the workbook can be deployed via the following process:

• Find the workbook in the GitHub repository.
• Copy the JSON of the workbook.
• Go to Microsoft Sentinel.
• Go to Workbooks.
• Click 'add workbook'.
• Go into edit mode and enter the advanced editor.
• Paste the copied content and click apply.

 

Things to Note:

• Upon deployment, there may be an issue where the data being pulled in will need to be authorized. To do so:
  • Within the workbook, go into edit mode.
  • Go to the hidden parameters at the top.
  • Click edit under and to the right of the parameters. 
  • Click on JSON and click the pencil icon.
  • Click run query in the window.
  • An error message will appear saying that the content must be trusted, click the 'add as trusted' button that appears.
  • Save the setting and the workbook.
• There are certain operators that cannot be checked, this may result in error. This applies to exercises that use extend, let, or externaldata.
• This is the first release of the workbook. In future releases there will be more content, more exercises, and methods to upload custom exercises that allows users to pick and choose use cases that can help with job specific use cases.
• The demo data provided is hosted within the public Microsoft Sentinel GitHub repository.

Go out and practice KQL today! If there are operators or exercises that you feel should be added to the workbook, please consider submitting feedback via our form.