KQL Basics Every SOC Analyst Should Know
Learn the core KQL syntax and query patterns SOC analysts use daily in Microsoft Sentinel and Defender to hunt threats faster.
Kusto Query Language (KQL) is the backbone of threat hunting and alert triage in Microsoft Sentinel and Microsoft Defender. If you're working in a SOC, KQL fluency separates analysts who can quickly answer "what happened here?" from those stuck clicking through dashboards. This isn't a full language reference — it's the practical subset that gets used constantly on shift.
Why KQL Matters in the SOC
KQL is read-only and optimized for querying massive log datasets fast. Sentinel, Defender for Endpoint, Azure Monitor, and Log Analytics all speak it. Once you know it, you can pivot between products with the same mental model: pick a table, filter it down, shape the output. Every investigation — phishing triage, lateral movement hunts, false-positive tuning — starts with a query.
The Pipe Is Everything
KQL queries are built as a pipeline. You start with a table and pass data through a series of operators, each one filtering, transforming, or summarizing the previous result:
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(24h)
| summarize FailedLogons = count() by Account, Computer
| sort by FailedLogons desc
Read it top to bottom like a sentence: start with SecurityEvent logs, keep only failed logons (4625), restrict to the last day, count failures per account/computer, then sort. That linear readability is KQL's biggest strength over SQL for ad hoc hunting.
Core Operators to Memorize
- where — your primary filter. Use it early and often to cut data volume before expensive operations.
- project — select and rename specific columns, discarding noise you don't need in the output.
- extend — add computed columns without dropping existing ones, useful for parsing strings or flagging conditions.
- summarize — aggregate data with
count(),sum(),dcount(), ormake_set(), almost always paired withby. - join — correlate across tables, e.g., linking sign-in logs with device inventory to spot unmanaged device logons.
- render — visualize results as a timechart or barchart directly in the query editor, handy for spotting spikes.
Time Filtering Done Right
Always filter on TimeGenerated (or the table's equivalent timestamp column) as early as possible in the pipeline. KQL engines optimize heavily around time-range filters, and putting | where TimeGenerated > ago(7d) near the top instead of the bottom can be the difference between a query that returns in seconds versus one that times out on a busy tenant.```kql SigninLogs | where TimeGenerated > ago(1h) | where ResultType != "0" | where UserPrincipalName has "@yourdomain.com"
## String Matching: has vs contains vs ==
A common mistake is defaulting to `contains` for everything. `has` matches whole terms and uses a term index, making it dramatically faster on large tables. Use `contains` only when you need substring matches inside a word (like a partial domain fragment), and use `==` for exact matches on structured fields like EventID or IPAddress. This one habit noticeably speeds up hunts across high-volume tables like `DeviceNetworkEvents` or `CommonSecurityLog`.```kql
DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand")
Building Reusable Detection Logic
Once a query proves useful, wrap it as a function with let, or save it as a Sentinel Analytics Rule with scheduled execution. Parameterize thresholds (like failed logon counts) so the same logic scales across tenants or gets tuned without rewriting from scratch. This is how one-off hunting queries evolve into standing detections that page the SOC automatically.
Common Pitfalls
- Forgetting
TimeGeneratedfilters, causing slow, expensive full-table scans. - Using
summarizebeforewhere, which forces the engine to aggregate unfiltered data. - Mismatched column names when joining tables — always check schema with
getschemafirst. - Overusing
contains, which skips indexing benefits and slows down large-scale hunts.
KQL rewards analysts who think in pipelines rather than nested subqueries. Start every investigation with a narrow time window and a specific table, then widen only as needed.
If this gave you a solid foundation, explore the Blue Team and Digital Forensics segments on Korra Studio for more hands-on SOC query walkthroughs and detection-building exercises.
This article was generated with AI assistance and published to the Korra Studio knowledge base.
This is one note from the Korra Studio knowledge base — the platform pairs every topic with 1-to-1 mentoring.
Get started freearrow_forward