Regarding the difficulty level, I must say that it was just right for me. The material was presented in a way that was challenging enough to keep me engaged but also manageable to grasp. I'm glad to hear that it will get better as the series progresses, and I'm excited to continue learning. Once again, thank you for your dedication to teaching and your willingness to assist learners. I truly appreciate the support and look forward to continuing this journey with your valuable guidance.
I am new to KQL and I am loving the pace so far. I look forward to becoming very great at KQL. Thanks a lot
Nice explanation, everyone can easily understand. Your way of explaining is awesome. Please do more videos on KQL.
Will do!
@Teachjing It's my humble request, if you could give us a question, like homework, after every video, as the interaction will increase more. And you can give the solution in the next video, as it can help, since some people can have different ways of solving it.
Actually, you have a pretty good pace of teaching.
TeachJing you are very inspiring. I've learned a lot so far. Subscribed!!!!
Can't find the ProtectionStatus table under Security and Audit in my Sentinel workspace. How do I fix it?
The first one was excellent, this one is even better. Thanks a lot, you're doing a great job.
Nice work. Thanks senpai.
@Teachjing Can you create a video in which you create an automation script, in which you get an alert every time the signature is not updated on a Windows or Linux machine, by using PowerShell and KQL?
Hello @Teachjing, all your tutorials are very helpful. I know my question might be two years late, but the "protectionstatus" table no longer seems to have any sample data to work with. I am trying to work with your instructions, but the "protectionstatus" table within the database "security and audit" has no sample data, so what would you suggest we use as an alternative?
Still kind of confused by the mechanics of max vs arg_max. If I were to include multiple columns with max like: max(TimeGenerated) by DeviceName, ThreatStatus, TypeofProtection, ProtectionStatus, would the issue lie in that it is looking for unique records within each of those columns, but since DeviceName is listed first, those other columns become superfluous? So while it would include those columns when returning results, it wouldn't actually be querying them since DeviceName came first?
Very well explained, it makes sense :-). Is there a possibility to create rules based on 10 must-have rules for KQL as a SOC?
GREAT STUFF.
I am still a little confused with the arg_max function. From what I understood, arg_max will return the maximum value for whatever column is in the brackets. For example, let's say I have the following simple query. This will return a single row as the result of the latest value, as we're passing TimeGenerated in brackets to arg_max:
SecurityEvent
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, *)
But when I replace this with the following query, it gives me multiple results:
SecurityEvent
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, AccountType, Activity) by Account
So this is kind of confusing me, as it's not giving just the maximum value but multiple results. Is it because of what you explained at around 16:21 in this video? So far I am finding your tutorials helpful in understanding KQL better, as this is something that has always challenged me within Azure.
Great video.. I have one doubt... If I summarise any column to get a count, how can I add that count value as a new column?
Studying for my SC-200 as of now! This has been so much help. I think I am primarily struggling with the tables and filters, and just understanding the processes. Any tips to simplify this or how to learn this any quicker from a non-technical background?
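The two arg_max questions above (one row without "by", several rows with "by Account") and the earlier one about max over several "by" columns come down to how summarize groups rows. This is an added example, not a query from the video; SampleEvents is a constructed table standing in for SecurityEvent so it runs in any Log Analytics or Kusto workspace without real data.

```kql
// Constructed sample rows standing in for SecurityEvent; not data from the video.
let SampleEvents = datatable(TimeGenerated:datetime, Account:string, AccountType:string, Activity:string)
[
    datetime(2024-01-01 08:00:00), "CONTOSO\\alice", "User",    "4624 - logon succeeded",
    datetime(2024-01-01 09:30:00), "CONTOSO\\alice", "User",    "4634 - logoff",
    datetime(2024-01-01 07:15:00), "CONTOSO\\bob",   "User",    "4625 - logon failed",
    datetime(2024-01-01 10:45:00), "CONTOSO\\bob",   "User",    "4624 - logon succeeded",
    datetime(2024-01-01 11:00:00), "SYSTEM",         "Machine", "4672 - special privileges assigned"
];
// Case A: no "by" clause. The whole input is one group, so summarize emits
// exactly one row: the row whose TimeGenerated is largest (SYSTEM at 11:00).
let WholeTable = SampleEvents
    | summarize arg_max(TimeGenerated, *)
    | extend Grouping = "A: no by -> 1 row";
// Case B: "by Account". summarize builds one group per distinct Account and
// runs arg_max inside each group, so you get one row per account (3 rows):
// alice at 09:30, bob at 10:45, SYSTEM at 11:00. That is the "multiple results".
let PerAccount = SampleEvents
    | summarize arg_max(TimeGenerated, AccountType, Activity) by Account
    | extend Grouping = "B: by Account -> 1 row per account";
// Case C: several "by" columns. The group key is the combination of ALL listed
// columns; their order only changes the output column order, not which rows
// group together. Account plus AccountType still gives the same 3 groups here.
let PerAccountAndType = SampleEvents
    | summarize arg_max(TimeGenerated, Activity) by AccountType, Account
    | extend Grouping = "C: by AccountType, Account -> 1 row per combination";
// Case D: max() keeps only the maximised value; the other columns of that row
// are not carried along, which is the whole difference from arg_max().
let MaxOnly = SampleEvents
    | summarize TimeGenerated = max(TimeGenerated) by Account
    | extend Grouping = "D: max() -> timestamp only, no Activity";
union WholeTable, PerAccount, PerAccountAndType, MaxOnly
| project Grouping, Account, AccountType, Activity, TimeGenerated
| order by Grouping asc, Account asc
```

Rows from case D show empty AccountType and Activity because max() never returned them; that is the gap arg_max() fills.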
Just imagine water. When you filter the water, the output of that water can be filtered again. This can be chained as many times as you want to get to the output you desire. Water -> remove sand -> remove bacteria -> add bleach -> boil it -> desired water state.
In KQL the output of a result can be filtered again by adding another pipe “|”. You can pipe as many times as you want which doesn’t look very nice but still gets the job done 😀
Table | filter by certain time | filter by certain hostname | summarize by event count | desired output
One key note to know is that you can't unfilter what you have filtered, just like water, but you can move the sequence around. An example is that you typically want to summarize at the end. If you do it in the beginning, you may not have the result you want.
@TeachJing highly appreciate this! Thank you so much for the series and the information!
GOAT!!!
Create alerts, use a lookup file; long queries are also good.
I just watched the first video and it was explained in very layman's language, which boosted my confidence. Thank you! Would you please share the link if this course is available on Udemy, edX, etc.?
Azure Sentinel learning course
docs.microsoft.com/en-us/learn/paths/security-ops-sentinel/
Pluralsight - KQL from scratch
app.pluralsight.com/id?redirectTo=/library/courses/cd93e668-0426-498c-baa9-fc2157c570f4
Great video, very comprehensive.
Thank you!
To practice this we need event data. Can you advise how to get those events as raw data?
Can you please explain the rules of brackets "()" and how to use them? Also, can you please elaborate on the Time Difference column? Is that showing the difference when the event was generated, converted to the local time of the user? Thanks
@teachjing - Is there a date_trunc alternative in KQL? I tried a couple of commands such as datetime_part, but it is not working.
Did ya figure this out?
Sir, can you help me with how to use KQL queries in Microsoft Defender for Endpoint? I am a fresher, so could you help me and send me a resource where I can learn how to use KQL in Defender?
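For the date_trunc question above, and the earlier one about getting a count into its own column: KQL's bin() rounds a datetime down to a fixed-size bucket, and naming the aggregate in summarize is what turns the count into a column. This is an added example, not a query from the video; Events is a constructed table and the column names are assumed.

```kql
// Constructed sample rows; not data from the video.
let Events = datatable(TimeGenerated:datetime, Computer:string, EventID:int)
[
    datetime(2024-03-10 08:05:00), "srv01", 4625,
    datetime(2024-03-10 08:40:00), "srv01", 4625,
    datetime(2024-03-10 09:10:00), "srv01", 4624,
    datetime(2024-03-10 08:20:00), "srv02", 4624,
    datetime(2024-03-11 02:00:00), "srv02", 4625
];
// date_trunc('hour', TimeGenerated) in SQL is bin(TimeGenerated, 1h) in KQL.
// bin() takes any timespan (15m, 1h, 1d); for calendar boundaries use
// startofday()/startofweek()/startofmonth() instead of bin(..., 1d).
// Naming the aggregates (EventCount = count()) is what makes them columns.
let HourlyCounts = Events
    | summarize EventCount = count(),
                FailedLogons = countif(EventID == 4625)
      by Computer, Hour = bin(TimeGenerated, 1h);
// Expected groups: srv01 08:00 -> 2 events (2 failed), srv01 09:00 -> 1 (0),
// srv02 2024-03-10 08:00 -> 1 (0), srv02 2024-03-11 02:00 -> 1 (1 failed).
// To carry the count onto every original row instead of collapsing to one row
// per group, compute the bucket on the rows too and join back on the group keys.
Events
| extend Hour = bin(TimeGenerated, 1h)
| join kind=inner HourlyCounts on Computer, Hour
| project TimeGenerated, Computer, EventID, Hour, EventCount, FailedLogons
| order by Computer asc, TimeGenerated asc
```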
Nice
Really useful 😊
Glad you think so!
Thank you
You're welcome!
How to reach to you?
Twitter or LinkedIn @TeachJing