Introduction
Kusto Query Language (KQL) is the query language used to analyze data in Microsoft Sentinel, whether you are creating analytics rules, building workbooks, or hunting. Understanding how to work with fields that contain structured and unstructured string data in a KQL statement provides the foundation for extracting the data used to build detections in Microsoft Sentinel.
You're a Security Operations Analyst working at a company that is implementing Microsoft Sentinel. You're responsible for performing log data analysis to search for malicious activity, display visualizations, and perform threat hunting.
To query log data, you use the Kusto Query Language (KQL). Fields in a table often store structured and unstructured string data, and you write KQL statements to extract and manipulate the data stored in them. A typical scenario is a key-value pair stored in a field, where you need to query the value of a specific key.
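The key-value scenario above, as an added example that is not part of the original module: a constructed table stands in for a Sentinel log table (the `SampleEvents` name, its columns, and the row contents are all made up here), one string field holds `Key=Value` pairs, another holds a JSON document, and the query pulls the values of specific keys with `extract`, `parse`, and `parse_json` before counting failed logons per user.

```kql
// Constructed sample rows standing in for a Sentinel log table; not real data.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventData:string, Details:string)
[
    datetime(2024-01-15T10:00:00Z), "WKS01", "Action=Logon; User=alice; Result=Success", '{"src_ip":"10.0.0.5","port":445}',
    datetime(2024-01-15T10:05:00Z), "WKS02", "Action=Logon; User=bob; Result=Failure",   '{"src_ip":"10.0.0.9","port":445}',
    datetime(2024-01-15T10:07:00Z), "WKS02", "Action=Logon; User=bob; Result=Failure",   '{"src_ip":"10.0.0.9","port":445}'
];
SampleEvents
// Unstructured "Key=Value; Key=Value" text: extract() returns the first regex capture group,
// so each call pulls the value of one named key and stops at the ';' separator.
| extend User   = extract(@"User=([^;]+)", 1, EventData)
| extend Result = extract(@"Result=([^;]+)", 1, EventData)
// The same field split positionally with the parse operator when the layout is fixed.
| parse EventData with "Action=" Action "; User=" ParsedUser "; Result=" ParsedResult
// Structured JSON text: parse_json() yields a dynamic object whose keys are addressed by name.
| extend DetailsObj = parse_json(Details)
| extend SourceIp = tostring(DetailsObj.src_ip), Port = toint(DetailsObj.port)
// Keep only failed logons and count them per computer, user and source address.
| where Result == "Failure"
| summarize FailedLogons = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, User, SourceIp, Port
| order by FailedLogons desc
```

Run against the constructed rows, the query returns one row (WKS02, bob, 10.0.0.9, 445) with `FailedLogons` equal to 2; replace `SampleEvents` with the real table name to apply the same extraction to live data.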