ฝัง
- เผยแพร่เมื่อ 21 ส.ค. 2024
- RECON YOUR AZURE RESOURCES WITH KUSTO QUERY LANGUAGE (KQL) : ITOps is always dealing with lots of data. From monitoring data and logs to resource metadata, its not uncommon to have to sift through thousands if not millions of records at a time. There is one hidden gem of a tool in Azure that can handle a lot of this, and that’s KQL… the Kusto Query Language.
In this episode of #KnowOps, Dana introduces us to the power of the KQL and shows how to use it with things like Log Analytics, Azure Sentinel and Azure Resource Graph. He even demonstrates a simple way he uses KQL as part of his regular Azure pentest efforts to find potentially vulnerable hosts in seconds when working with clients.
KQL Reference: docs.microsoft...
--
Continue the conversation on social media using the hashtag #knowops. Or join our private LinkedIn group at / 13754782
We 💖 #azops
#azure #itops #knowops
![ไปอยู่ไสมา - ช๊อปเปอร์ โตเกียวมิวสิค [ OFFICIAL MUSIC VIDEO ]](http://i.ytimg.com/vi/sWuVNbRTJbc/mqdefault.jpg)
I 💖 KQL. Especially in Log Analytics and Azure Resource graph. How about you? How are you using KQL?
Do you know how I could query the Azure Resource Graph with KQL from within Azure Log Analytics and/or Azure Sentinel UI?
It's helpful. I am looking for good understanding on Join or function queries in KQL. Right now i am finding difficult with them. Any suggestion?
KQL seems to be someone's reason for existence.
Hi, Can you suggest what tools we can use to represent these data in graphs or pie charts like in Power BI ?
I'm doing my best to learn things that are on all the job posts I'm going for and I really appreciate the way you explain KQL. Thank you good sir. I have Liked, Subscribed and well here's my comment.
Azure newbie here. This FREE vid cleared up the basics of the KQL better than any online training or study guide I've paid for.
Great session, thank you for supporting the KQL and security communities!
I freaking love this guy!! I love the way he explains things and isn't monotoned! This helps me soo much in passing my pass two Azure certs
Very good introduction to KQL. Very good overview in 15 minutes.
We use the same type of glasses. Thank you for the video. Cheers
Nice one !
I am screaming with joy!! I just got to know about KQL today from a video I watched on Instagram and decided to learn more. Ahhhh
Super vidéo 👍
Fantastic video ... I've been an SQL fan for years, you have discovered me a new way to investigate and enjoy through Azure Monitor and its Kusto QL, thank you ...
Great video. Thanks
Great introduction! Loved the pi chart. KQL is my new go-to on Azure!
Thanks Cody. Ya, KQL is awesome.
Wow dude this is so great. Thanks very much for creating this video. :) Such a practical and straightforward example of both Red and Blue team capabilities here. I also really like KQL's function names and setup a lot.
Glad it was helpful! I plan to do a whole bunch of Red Team videos later this fall to help look at Azure more offensively. Stay tuned and make sure you subscribe if you haven't yet.
very good video! Thanks!
very nice video
Taking a break after just missing passing AZ 104. Pleasant surprise
Very informative!
Thank you Dana!
Thanks For Your very informative session on KQL,for next week please make an video on how to enable Log Analytics Workspace on Any Azure Resource and how to collect data in to tables
Thanks, got a fantastic with KQL 👍
Explanation with right examples. Superb. Looking for more video’s on KQL.
We just started a new channel just for KQL, Ten Minute KQL!
Excellent intro. It really helped .
Excellent presentation - both in content and execution. Well done.
Thanks!
Why have you stopped making videos,loved your content
Great presentation !!
very, very useful! thank you!
Fantastic ! Thank you for putting this together !
It was very informative, thanks for this video and key posting more content and KQL
We just started a new channel just for KQL, Ten Minute KQL!
Very helpful video, its good start for me
Thank you for the video!
What type of scope for connection do you need to set to be able to see and query your working database tables? I am having a hard time figuring out how to get KQL to recognize my table names.
Very Interesting, Can you please make video to list out the patticular value is true / false from axurd congratulations?
Great channel. Subscribed ! :)
Thanks Dana
Thank you very much, sir can you please correct me below query,
Q) Find out the list of pipelines which are running more than 40hrs
ADFPipelineRun
| join kind = inner (
ADFPipelineRun
| where Status == "InProgress") on RunId
| project TimeGenerated,PipelineName,Start,End,now(),difftime = datetime_diff('hour',now(),Start)
| where difftime>40
| order by difftime desc
seems cool, how do you load a table to pickup naming ? don't see option after the | for that, like select ClusterName from KubeNodeInventory ?
Very helpful thanks a lot!!
Hi I have an question. I am trying to learn KQL however, I would need to know about the reason behind the failed nodes being rebooted... Any Suggestions on what to do? :(
I need some pointer
Could you help me on these two questions?
Q.1) How to get raw payload of incident related events using KQL?
Q.2) How to get volume of day using API?
I am new to Sentinel
Thank You
A big thumps up !! .. your videos are fantastic. Do you also have any course also for Azure or AWS ? would love to learn from it.
Great video Dana on KQL, could you please let me know how to monitor blocking and long running queries in sql dw using KQL?
Hello, Thank you for this video. I wanna ask a question from you. How do you enable the SecurityEvent data? To collect this data, did you use the Azure Arc? I need to collect the SecurityEvent of workstations at the on-premise.
I could not get the Perf sample at 12:20 to work. Tried on same demo environment (thanks for url!) and live environment. The first two lines:: Perf | where ObjectName == “System” yields nothing. Perf | project ObjectName | sort by ObjectName asc | distinct ObjectName shows lots of values, but none are “System”. Maybe Microsoft revamped Perf recently? Will need to find a different way to pull Uptime. Great tutorial. Will watch more.
I think these logs are not enabled by default and you need to add perf monitoring logs to your log analytics configuration under Agents configuration > windows peformance counters
@KnowOps - Is there any tutorial where can I refer the Azure tables? I want to get the listener details of application gateway such as name, created timestamp
Great video. May i know if we can get Azure MFA details using Resource Graph queries?
Thank you very much. Can you help me with 2 things here.
-When we pull this application name i can see only 10,000 by default, but i have around 20011838. How do i pull that?
- For the Audit Logs i need to get last 30 who did some changes? Can you help me with that
i dont knoiw why but i dint get SecurityEvent while running query , i am doing it from free account and runnnig 1 win adn 1 lin vm, However perf is working fine
In the next video Can you show how we can see these data in the Azure dashboard after we customise it in loganalytics through Kusto queries
great video! can you do a demonstration about obfuscation in KQL
Great suggestion. Can you give me an example of what you want to see?
@@KnowOps thanks for your response. For example, how can we mask(obfuscate) any particular coloumn data which is considered has sensitive information while querying in KQL
Mine does not recognize the "SecuriyEvent" Table !
It is case sensitive so make sure you write it exactly like that and without the speech marks. Works for me
Hey Dana, why are you not uploading new vids, been waiting for some new vids. Especially about Advance Threat Hunting using KQL on Microsoft Defender ATP.
We just started a new channel just for KQL, Ten Minute KQL!
Vocês tem cursos de query KQL?
Hello Sir , How I can use multiple aggregate function Count on resultset of table.
Dana ,is it possible to use KQL in logs generated by azure web apps ?
I need help in Pulling Data from KQL for those sets of Users who have not Enrolled for Phone sign in.. I have KQL for users who have enrolled for Phone sign in via audit logs.. Please please Please help me on finding KQL query for finding Set of Users who have not Enrolled for Phone sign in.. Plzzzz 🙏
We just started a new channel just for KQL, Ten Minute KQL!
Hi! Everyone
Guys, I'm quite new to this language and stuck badly at "partition operator". As my query is returning me error: Query execution has resulted in error (0x80DA0007): Partial query failure: Low memory condition (E_LOW_MEMORY_CONDITION). (message: 'bad allocation', details: '').
and I'm stuck how to solve the issue.
If anyone can help me, that will be great.
Excellent presentation - both in content and execution. If you do not mind, could you please tone it down a little bit. Don't get me wrong, I enjoyed the video and learn something but felt like you are shouting. My apologies if I being unreasonable and ignore me.
Best explanation and example 👍.... Do you have any contact details so we can reach.....
+Sukant Virkud if you want to reach Dana at work, check out www.auditwolf.com. If you want to ping him personally, check out www.danaepp.com. Both sites have his contact details.
Along with those avenues you can also follow me on Twitter at @danaepp and DM me. All good options. Appreciate you checking out the episode!
SQL > KQL
Every time I hear KQL pronounced, I think of Krusty the 🤡