I 💖 KQL. Especially in Log Analytics and Azure Resource Graph. How about you? How are you using KQL?
Do you know how I could query the Azure Resource Graph with KQL from within Azure Log Analytics and/or Azure Sentinel UI?
It's helpful. I am looking for a good understanding of join or function queries in KQL. Right now I am finding them difficult. Any suggestion?
KQL seems to be someone's reason for existence.
Hi, can you suggest what tools we can use to represent this data in graphs or pie charts, like in Power BI?
Azure newbie here. This FREE vid cleared up the basics of the KQL better than any online training or study guide I've paid for.
I freaking love this guy!! I love the way he explains things and isn't monotone! This helps me so much in passing my past two Azure certs
WOW! I've watched countless videos trying to understand KQL and this is the video that was concise enough to make sense of it all. Thank you, wodie.
Recommended video after watching an official MS course on configuring Log Analytics. Taught enough in 15min to show what the point was for this topic. Nice one.
Great session, thank you for supporting the KQL and security communities!
Very good introduction to KQL. Very good overview in 15 minutes.
We use the same type of glasses. Thank you for the video. Cheers
I'm doing my best to learn things that are on all the job posts I'm going for and I really appreciate the way you explain KQL. Thank you good sir. I have Liked, Subscribed and well here's my comment.
I am screaming with joy!! I just got to know about KQL today from a video I watched on Instagram and decided to learn more. Ahhhh
Fantastic video ... I've been an SQL fan for years, and you have shown me a new way to investigate and enjoy through Azure Monitor and its Kusto QL, thank you ...
Great introduction! Loved the pie chart. KQL is my new go-to on Azure!
Thanks Cody. Ya, KQL is awesome.
Great video 👍
Wow dude this is so great. Thanks very much for creating this video. :) Such a practical and straightforward example of both Red and Blue team capabilities here. I also really like KQL's function names and setup a lot.
Glad it was helpful! I plan to do a whole bunch of Red Team videos later this fall to help look at Azure more offensively. Stay tuned and make sure you subscribe if you haven't yet.
Great video. Thanks
What type of scope for connection do you need to set to be able to see and query your working database tables? I am having a hard time figuring out how to get KQL to recognize my table names.
very, very useful! thank you!
very good video! Thanks!
Very informative!
Thank you Dana!
Thanks, got a fantastic with KQL 👍
Nice one !
Excellent intro. It really helped .
Excellent presentation - both in content and execution. Well done.
Do you have any KQL query courses?
Thanks for your very informative session on KQL. For next week, please make a video on how to enable a Log Analytics Workspace on any Azure resource and how to collect data into tables.
Seems cool. How do you load a table to pick up naming? I don't see an option after the | for that, like select ClusterName from KubeNodeInventory?
Fantastic ! Thank you for putting this together !
Very interesting. Can you please make a video to list out the particular value is true/false from axurd congratulations?
very nice video
Hi, I have a question. I am trying to learn KQL; however, I would need to know the reason behind the failed nodes being rebooted... Any suggestions on what to do? :(
It was very informative, thanks for this video, and keep posting more content on KQL
We just started a new channel just for KQL, Ten Minute KQL!
Explanation with the right examples. Superb. Looking for more videos on KQL.
We just started a new channel just for KQL, Ten Minute KQL!
Dana, is it possible to use KQL on logs generated by Azure web apps?
Very helpful video, it's a good start for me
Thank you very much, sir. Can you please correct my query below?
Q) Find out the list of pipelines which have been running for more than 40 hrs
ADFPipelineRun
// Keep only the latest status row per run, so a run that later moved to
// Succeeded/Failed is not still counted as in progress. The self-join on
// RunId returned every status row for the run, including finished ones.
| summarize arg_max(TimeGenerated, *) by RunId
| where Status == "InProgress"
| extend difftime = datetime_diff('hour', now(), Start)
| where difftime > 40
| project TimeGenerated, PipelineName, Start, End, Now = now(), difftime
| order by difftime desc
Hello, thank you for this video. I want to ask you a question. How do you enable the SecurityEvent data? To collect this data, did you use Azure Arc? I need to collect the SecurityEvent data of on-premise workstations.
@KnowOps - Is there any tutorial I can refer to for the Azure tables? I want to get the listener details of an Application Gateway, such as name and created timestamp
Why have you stopped making videos? Loved your content
A big thumbs up!! .. your videos are fantastic. Do you also have any course for Azure or AWS? Would love to learn from it.
Great video. May I know if we can get Azure MFA details using Resource Graph queries?
Hello Sir, how can I use multiple aggregate function Count on the result set of a table?
Great presentation !!
I could not get the Perf sample at 12:20 to work. Tried on the same demo environment (thanks for the URL!) and a live environment. The first two lines: Perf | where ObjectName == "System" yields nothing. Perf | project ObjectName | sort by ObjectName asc | distinct ObjectName shows lots of values, but none are "System". Maybe Microsoft revamped Perf recently? Will need to find a different way to pull Uptime. Great tutorial. Will watch more.
I think these logs are not enabled by default and you need to add perf monitoring logs to your Log Analytics configuration under Agents configuration > Windows performance counters
Great video on KQL, Dana. Could you please let me know how to monitor blocking and long-running queries in SQL DW using KQL?
Thank you very much. Can you help me with 2 things here.
- When we pull this application name I can see only 10,000 by default, but I have around 20011838. How do I pull that?
- For the Audit Logs I need to get the last 30 who made some changes. Can you help me with that?
I need some pointers.
Could you help me with these two questions?
Q.1) How to get the raw payload of incident-related events using KQL?
Q.2) How to get volume of day using API?
I am new to Sentinel
Thank You
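An added example (not from the video and not the commenters' code) that does the two checks this thread circles around: first list which performance objects and counters the workspace is actually ingesting, so a missing "System" object is visible as a collection gap rather than a query error, then pull uptime from the Windows "System Up Time" counter once it is being collected. The table and column names (Perf, ObjectName, CounterName, CounterValue, Computer, TimeGenerated) are the standard Azure Monitor Perf schema; the 7-day and 1-day windows and the 30-day reboot threshold are assumptions made for the example.

```kql
// Step 1: what is actually being collected? If "System" does not appear
// under ObjectName, the counter is not enabled for collection, and any
// query filtering on it will return nothing.
Perf
| where TimeGenerated > ago(7d)
| summarize Samples = count(), LastSeen = max(TimeGenerated) by ObjectName, CounterName
| order by ObjectName asc, CounterName asc

// Step 2: uptime from the Windows "System Up Time" counter (value is in
// seconds). Take the latest sample per host, derive the last boot time,
// and flag hosts up for more than 30 days (assumed threshold, e.g. for a
// patch-compliance check).
Perf
| where TimeGenerated > ago(1d)
| where ObjectName == "System" and CounterName == "System Up Time"
| summarize arg_max(TimeGenerated, CounterValue) by Computer
| extend UptimeDays = round(CounterValue / 86400.0, 1)
| extend LastBoot = datetime_add('second', -tolong(CounterValue), TimeGenerated)
| extend NeedsReboot = UptimeDays > 30
| project Computer, LastBoot, UptimeDays, NeedsReboot, SampledAt = TimeGenerated
| order by UptimeDays desc
```

The two queries are independent: paste both into the Log Analytics editor and run them one at a time (the editor runs the query the cursor is in). Run step 1 before step 2; an empty result from step 2 with "System" absent in step 1 means the counter has to be added to the agent's collected counters, not that the query is wrong.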
Taking a break after just missing passing AZ-104. Pleasant surprise
Mine does not recognize the "SecuriyEvent" Table !
It is case sensitive so make sure you write it exactly like that and without the speech marks. Works for me
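An added example (not from the video or the commenters above) covering the check behind this exchange: a misspelled or wrongly cased table name and a table that is simply receiving no data both look like "nothing comes back" in the editor, so the first query lists every table that actually has rows, with its exact name. The second query is a first blue-team use of SecurityEvent once it is populated: failed logons (EventID 4625) grouped by account and source address. SecurityEvent columns (EventID, Account, IpAddress, Computer, TimeGenerated) are the standard schema; the 1-day window and the 20-failures-per-hour threshold are assumptions for the example.

```kql
// Step 1: which tables have data at all? Table names are case sensitive
// (SecurityEvent, not securityevent), and a table with no ingested rows
// will not appear here either, which separates a typo from a missing
// data connector.
union withsource = SourceTable *
| where TimeGenerated > ago(1d)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by SourceTable
| order by Rows desc

// Step 2: once SecurityEvent shows up above, hunt for password spraying /
// brute force: failed logons per account and source IP, per hour,
// flagging anything over 20 failures (assumed threshold).
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize Failures = count(),
            TargetHosts = make_set(Computer),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by bin(TimeGenerated, 1h), Account, IpAddress
| where Failures > 20
| project Hour = TimeGenerated, Account, IpAddress, Failures, TargetHosts, FirstSeen, LastSeen
| order by Failures desc
```

Run the two queries separately. If step 1 lists Perf but not SecurityEvent, the problem is ingestion (no Windows security events are reaching the workspace), not the spelling of the table name.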
Thank you for the video!
Great video! Can you do a demonstration about obfuscation in KQL?
Great suggestion. Can you give me an example of what you want to see?
@KnowOps thanks for your response. For example, how can we mask (obfuscate) any particular column's data which is considered sensitive information while querying in KQL?
Great channel. Subscribed ! :)
Thanks!
I don't know why, but I didn't get SecurityEvent while running the query. I am doing it from a free account and running 1 Win and 1 Lin VM. However, Perf is working fine.
In the next video can you show how we can see this data in the Azure dashboard after we customise it in Log Analytics through Kusto queries?
Hey Dana, why are you not uploading new vids? Been waiting for some new vids, especially about Advanced Threat Hunting using KQL on Microsoft Defender ATP.
We just started a new channel just for KQL, Ten Minute KQL!
Very helpful thanks a lot!!
I need help pulling data with KQL for the set of users who have not enrolled for phone sign-in. I have KQL for users who have enrolled for phone sign-in via audit logs. Please, please, please help me find a KQL query for the set of users who have not enrolled for phone sign-in. Plzzzz 🙏
We just started a new channel just for KQL, Ten Minute KQL!
Thanks Dana
Hi everyone!
Guys, I'm quite new to this language and badly stuck on the "partition operator". My query is returning this error: Query execution has resulted in error (0x80DA0007): Partial query failure: Low memory condition (E_LOW_MEMORY_CONDITION). (message: 'bad allocation', details: '').
I'm stuck on how to solve the issue.
If anyone can help me, that will be great.
Best explanation and example 👍.... Do you have any contact details so we can reach you?
+Sukant Virkud if you want to reach Dana at work, check out www.auditwolf.com. If you want to ping him personally, check out www.danaepp.com. Both sites have his contact details.
Along with those avenues you can also follow me on Twitter at @danaepp and DM me. All good options. Appreciate you checking out the episode!
Excellent presentation - both in content and execution. If you do not mind, could you please tone it down a little bit? Don't get me wrong, I enjoyed the video and learned something, but it felt like you were shouting. My apologies if I am being unreasonable; ignore me.
SQL > KQL
Every time I hear KQL pronounced, I think of Krusty the 🤡