New Blog Post | Must Learn KQL Part 20: Building Your First Microsoft Sentinel Analytics Rule


Must Learn KQL Part 20: Building Your First Microsoft Sentinel Analytics Rule – Azure Cloud & AI Domain Blog (azurecloudai.blog)
https://azurecloudai.blog/2022/02/17/must-learn-kql-part-20-building-your-first-microsoft-sentinel-analytics-rule/

The intent of this series has been to enable you to understand the structure, flow, capability, and simplicity of the KQL query language. Way back in part/chapter 3, I said…

I tell customers all the time that it’s not necessary to be a pro at creating KQL queries. It’s OK not to be a pro on day 1 and still be able to use tools like Microsoft Sentinel to monitor security for the environment. As long as you understand the workflow of the query and can comprehend it line-by-line, you’ll be fine. Because ultimately, the query is unimportant. Seriously. What’s important for our efforts as security folks is the results of the query. The results contain the critical information we need to understand if a threat exists and then – if it does exist – how that threat occurred from compromise to impact.

And that remains the case. I’ll dig much, much deeper into KQL in the Addicted to KQL series, but for our purposes here in the Must Learn KQL series, you should have become comfortable with eyeing a query and understanding its intent line-by-line. If you’re just joining us because this part/chapter has the words Microsoft Sentinel and Analytics Rules on it, you’re starting at the wrong spot. I entreat you to jump back to the beginning and ingest this series in the methodical, logical manner it was intended.
