KQL query environments

  • 6 minutes

Now that you're introduced to KQL, let's see the different query environments where you can use KQL in Microsoft products.

The environments described in this unit are Azure Data Explorer, Synapse Real-Time Analytics in Microsoft Fabric (Preview), Azure Monitor, Microsoft Sentinel, Azure Resource Graph, Microsoft Defender XDR, and Configuration Manager.

Azure Data Explorer

Azure Data Explorer is a fully managed, high-performance, big data analytics platform that makes it easy to analyze high volumes of data in near real-time. The Azure Data Explorer toolbox gives you an end-to-end solution for data ingestion, query, visualization, and management.

Azure Data Explorer makes it simple to extract key insights, spot patterns and trends, and create forecasting models. It uses Machine Learning, and analyzes structured, semi-structured, and unstructured data across time series. Azure Data Explorer is scalable, secure, robust, and enterprise-ready, and is useful for log analytics, time series analytics, IoT, and general-purpose exploratory analytics.

Screenshot of query environment in Azure Data Explorer.

KQL was developed for Azure Data Explorer and can be used in various environments, including the web UI, Kusto CLI, and the desktop app Kusto.Explorer. You can find the full query language documentation set at KQL overview.

For more product information, see What is Azure Data Explorer?

Synapse Real-Time Analytics in Microsoft Fabric (Preview)

Microsoft Fabric is an all-in-one analytics solution for enterprises that covers everything from data movement to data science, near real-time analytics, and business intelligence. It offers a comprehensive suite of services, including a data lake, data engineering, and data integration, all in one place. Real-Time Analytics is a fully managed big data analytics platform optimized for streaming and time-series data. Real-Time Analytics contains what can be thought of as the SaaS version of Azure Data Explorer. Specifically, you can use KQL in KQL Queryset to run queries, view, and customize query results on data from a KQL database. You can also save queries for later use, or share with others to collaborate on data exploration.

Screenshot of query in Real-Time Analytics.

For more information, see Query data in a KQL Queryset.

For more product information, see What is Real-Time Analytics in Fabric?

Azure Monitor

Azure Monitor collects, analyzes, and responds to telemetry from your Azure, multicloud, and on-premises environments to help maximize the availability and performance of your applications and services. Azure Monitor correlates data from multiple sources, including metrics, logs, traces, and changes, and provides a set of tools for analyzing, visualizing, and responding to the data. These tools include insights, alerts, autoscale, and automated artificial intelligence for IT operations (AIOps) capabilities.

The Log Analytics tool in the Azure portal lets you edit and run log queries against data in the Azure Monitor Logs store.

Screenshot of the Azure Monitor Log Analytics user interface for running queries.

Azure Monitor uses the same KQL as Azure Data Explorer, with some minor differences. For reference, see Language differences.

For more product information, see Azure Monitor overview.

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native solution that provides security information and event management (SIEM), and security orchestration, automation, and response (SOAR). Many features in Microsoft Sentinel utilize KQL. Proficiency with KQL is valuable though when using Microsoft Sentinel's hunting search-and-query tools to proactively and reactively hunt for security threats across your organization's data sources. For more information, see Hunt for threats with Microsoft Sentinel.

Screenshot of Microsoft Sentinel threat hunting environment.

But that's just a start. Microsoft Sentinel uses KQL for alerts, workbook visualizations, parsers, and transforming data. Since Microsoft Sentinel is built on top of the Azure Monitor service and uses Azure Monitor's Log Analytics workspaces to store all of its data, Microsoft Sentinel also provides a Logs view for direct table queries to find connections in the data.

For more product information, see What is Microsoft Sentinel?

Azure Resource Graph

Azure Resource Graph is an Azure service designed to extend Azure Resource Management. It allows you to effectively govern your environment, by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions. With Azure Resource Graph, you can access the properties returned by resource providers without needing to make individual calls to each resource provider.

Screenshot of query environment in Azure Resource Graph.

Azure Resource Graph supports a subset of KQL data types, scalar functions, scalar operators, and aggregation functions. Resource Graph supports specific tabular operators, some of which have different behaviors. This behavior is summarized in Supported KQL language elements.

For more product information, see What is Azure Resource Graph?

Microsoft Defender XDR

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that provides integrated protection against sophisticated attacks. It natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications. Your security operations team receives an alert within the Microsoft Defender portal whenever a malicious or suspicious activity or artifact is detected. But, it's not enough to respond to attacks as they occur. For extended, multi-phase attacks such as ransomware, you must proactively search for the evidence of an attack in progress and take action to stop it before it completes.

Screenshot of Microsoft Defender XDR threat hunting environment.

Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. For more information, see Proactively hunt for threats with advanced hunting in Microsoft Defender XDR.

For more product information, see What is Microsoft Defender XDR?

Configuration Manager

Configuration Manager is part of the Microsoft Intune family of products, which provides a large centralized store of device data that customers use for reporting purposes. CMPivot is an in-console utility that provides access to real-time state of devices in your environment.

Screenshot of query environment in CM Pivot in Configuration Manager.

CMPivot uses a subset of the KQL to search terms, identify trends, analyze patterns, and provide many other data-driven insights. For more information, see CMPivot queries.

For more product information, see What is Configuration Manager?