
I recently had the opportunity to pick up this book at an online retailer and decided to write a quick review of the book. My current company is a Microsoft Sentinel shop and we utilize KQL quite a bit in our Security Operations Center. Unfortunately, there was a tremendous void in learning material on the subject, so when this book was released, I jumped at the chance to read it.
Who Should Read This Book?
(From Amazon.com) Who should read this book?
This book is for anyone leveraging Microsoft cloud resources such as Azure or Microsoft365 suite of products, including administrators, engineers, architects, and even developers who want to be able to monitor and understand what is happening in their environment and then use those insights to take action to improve the environment. It’s also for information security professionals who can monitor and take action on malicious activity as quickly and efficiently as possible.
Structure of the Book
The structure of the book is typical for a technical book geared to teach the reader KQL. Beginning with an introduction and fundamentals in Chapters 1 and 2, the authors set the stage by orienting the reader to the need to learn KQL, setting up the environment, and performing basic KQL queries in the demo tenant. The authors cover fundamental concepts such as searching and filtering, data manipulation, time operators, and an introduction to the user interface.
By explaining the traditional syntax of a KQL query, where each pipe hands the rows from one tabular operator to the next, the authors set the stage for more complex queries using the standard format of:
TableName
| filtering data
| aggregating data
| ordering data
| modify column output
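To make that four-stage skeleton concrete, here is an added example of my own (not a query from the book) that runs it against a handful of constructed firewall-style rows. The rows are built inline with datatable() so the query runs in any KQL environment, including the demo tenant; the column names (SourceIP, DestinationIP, DestinationPort, Action) are assumptions for the example and not a specific Sentinel table's schema.

```kql
// Added example, not from the book. Sample rows are constructed with datatable();
// column names are assumed for illustration, not a real table schema.
let FirewallLog = datatable(TimeGenerated:datetime, SourceIP:string, DestinationIP:string, DestinationPort:int, Action:string)
[
    datetime(2024-05-01T09:00:00Z), "203.0.113.10", "10.0.0.5", 3389, "Deny",
    datetime(2024-05-01T09:00:01Z), "203.0.113.10", "10.0.0.5", 22,   "Deny",
    datetime(2024-05-01T09:00:02Z), "203.0.113.10", "10.0.0.6", 445,  "Deny",
    datetime(2024-05-01T09:01:00Z), "10.0.0.7",     "10.0.0.5", 443,  "Allow",
    datetime(2024-05-01T09:02:00Z), "198.51.100.4", "10.0.0.5", 3389, "Deny"
];
FirewallLog
// filtering data: keep only denied connections in the window of interest
| where TimeGenerated > datetime(2024-05-01T00:00:00Z) and Action == "Deny"
// aggregating data: one row per source, with counts and the set of ports it probed
| summarize Denies = count(), Targets = dcount(DestinationIP), Ports = make_set(DestinationPort) by SourceIP
// ordering data: noisiest sources first
| order by Denies desc
// modify column output: choose and order the columns to display
| project SourceIP, Denies, Targets, Ports
```

Against the sample rows this returns 203.0.113.10 with 3 denies across 2 targets and ports [3389, 22, 445], followed by 198.51.100.4 with a single denied RDP attempt. In a live workspace you would replace the fixed datetime() with a relative window such as ago(24h), which is the time-operator usage the book introduces in these chapters.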
Admittedly, the authors note that the first chapters merely scratch the surface of KQL, and they were right.
The remaining 4 chapters in the book build upon the concepts in the first 2 chapters, with the material getting progressively more complex. Chapter 3 extends the usability of KQL by introducing variables (let statements) and union queries that span multiple tables. The chapter also dives into functions, such as the ipv4_is_private() function.
Chapter 4 is focused on Operational Excellence in KQL for IT Operations. The book touches on advanced hunting with KQL, enabling diagnostic settings in Azure, using KQL for Microsoft Intune and Microsoft Defender, as well as touching on best practices for optimizing query performance.
Chapter 5 is dedicated to KQL for cybersecurity–threat hunting and defending systems. The chapter begins with a bevy of reasons why KQL is appropriate for information security tasks:
- Flexibility across various data sources
- Easy pivoting
- Efficiency with big data
- Strong aggregation and summation capability
- Managing time-based data
- Capable of ad hoc digital forensics and investigations
- A wide variety of visualization capabilities
- Forgiving query language
- Versatility for many situations
The authors frame 6 case studies covering a wide variety of scenarios, ranging from phishing attacks to firewall log parsing to ransomware tactics, techniques, and procedures. They don’t simply throw a series of KQL queries at the reader, though. Instead, the authors thoughtfully take the reader into the mind of the SOC analyst and walk through the approach the analyst should take when performing a hunt in KQL. Of course, they do provide sample KQL queries alongside the explanation, but I never felt compelled to copy-pasta the KQL queries. Instead, I read the approach, understood the methods behind the madness, and was able to follow along in my own hunts.
Chapter 6 builds upon Chapter 5 by providing thorough explanations of advanced cybersecurity KQL use cases and operators. They touch on mv-expand and mv-apply, joins, let, iff(), case(), and coalesce(). In addition, chapter 6 tackles the subject of contributing to the KQL community so that others may leverage thoughtful KQL queries.
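Because Chapters 3 and 6 are where the operators that matter most for hunting show up, here is one added example of my own (again, not a query from the book) that strings together let, union, ipv4_is_private(), mv-apply, join, iff(), case(), and coalesce() in a single hunt: repeated sign-in failures from an external address followed by a success. The sign-in rows and the small directory table are constructed with datatable() so the query runs anywhere KQL runs; the column names resemble Sentinel's SigninLogs but are assumptions for the example, not a claim about the real schema.

```kql
// Added example, not from the book. All three tables are constructed sample data;
// column names are assumed for illustration and only loosely mirror SigninLogs.
let Interactive = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, AuthDetails:dynamic)
[
    datetime(2024-05-01T08:00:00Z), "alice@contoso.com", "10.1.2.3",    "0",     dynamic([{"authenticationMethod":"Password"},{"authenticationMethod":"Mobile app notification"}]),
    datetime(2024-05-01T08:05:00Z), "bob@contoso.com",   "203.0.113.7", "50126", dynamic([{"authenticationMethod":"Password"}]),
    datetime(2024-05-01T08:06:00Z), "bob@contoso.com",   "203.0.113.7", "50126", dynamic([{"authenticationMethod":"Password"}]),
    datetime(2024-05-01T08:09:00Z), "bob@contoso.com",   "203.0.113.7", "0",     dynamic([{"authenticationMethod":"Password"}])
];
let NonInteractive = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string, AuthDetails:dynamic)
[
    // deliberately missing the authenticationMethod key, to exercise coalesce() below
    datetime(2024-05-01T08:10:00Z), "carol@contoso.com", "198.51.100.9", "0", dynamic([{"status":"success"}])
];
let Directory = datatable(UserPrincipalName:string, Department:string)
[
    "alice@contoso.com", "Finance",
    "bob@contoso.com",   "IT"
];
// let binds reusable tabular values; union stacks the two sign-in sources into one row set
union Interactive, NonInteractive
| extend IsPrivate = ipv4_is_private(IPAddress)      // RFC 1918 source address or not
// mv-apply runs a subquery over each row's array and keeps ONE output row per input row.
// mv-expand would emit one row per array element, so alice's single success would count twice.
| mv-apply d = AuthDetails to typeof(dynamic) on (
      summarize Methods = make_set(coalesce(tostring(d.authenticationMethod), "unknown"))
  )
| extend MethodCombo = strcat_array(Methods, "+")    // e.g. "Password+Mobile app notification"
| summarize Failures = countif(ResultType != "0"),
            Successes = countif(ResultType == "0"),
            Combos = make_set(MethodCombo)
  by UserPrincipalName, IPAddress, IsPrivate
// leftouter keeps users the directory does not know about; their Department comes back null
| join kind=leftouter Directory on UserPrincipalName
| extend Department = coalesce(Department, "unknown")
| extend Risk = case(Failures >= 2 and Successes > 0 and not(IsPrivate), "high: external failures followed by success",
                     Failures >= 2,                                        "medium: repeated failures",
                                                                           "low")
| project UserPrincipalName, Department, IPAddress,
          Source = iff(IsPrivate, "internal", "external"),
          Failures, Successes, Combos, Risk
| order by Failures desc
```

On the sample data this flags bob@contoso.com from 203.0.113.7 as high (2 failures, then a success, from a non-private address), while alice and carol come out low; carol's row shows "unknown" for both the department and the method combination because coalesce() treats the null join result and the empty string from tostring() as missing. The mv-apply versus mv-expand choice is the caveat I would want a new reader to take from Chapter 6: expanding arrays before a summarize silently multiplies your counts, and the query will still run and return plausible numbers.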
Overall Impressions of the Book
Leading with the title of the book, The Definitive Guide to KQL, it was important to me to quickly become oriented with the book and get into the meat and potatoes of it. I was pleasantly surprised in the tone and accessibility of this book and the structure and organization of the material was perfect.
I consider myself a newcomer to KQL, so I read the book from cover to cover. Those of you who have experience in KQL may find the first 2 chapters a little bit light; however, I do think there are operators and functions described that are less frequently used, in which case a review of the material via skimming may be appropriate.
Overall, this book has quickly become a de facto reference for performing KQL queries in Microsoft 365 and Sentinel, and I highly recommend it to those in Microsoft shops looking for an edge on consuming the mountains of data within your environment. I suspect that there will be an onslaught of similar books in the KQL space. In fact, a quick search on amazon.com returns a handful of similar books, including one written by one of the authors of The Definitive Guide to KQL. While I have not had the pleasure of reading these other books in comparison to The Definitive Guide to KQL, I cannot imagine a more accessible and comprehensive book on the topic.
