SIEM

Basic Structure: KQL queries are composed of field:value pairs, where the field names the attribute of the data and the value is the data you're searching for. For example, event.code:4625 matches events whose event.code field is 4625, a Windows Security Log event ID.

Free Text Search: KQL also supports free text search, which lets you look for a specific term across multiple fields without naming a field. For instance, the query "svc-sql1" matches any event containing that term in one of its fields.

Logical Operators: KQL supports the logical operators AND, OR, and NOT for constructing more complex queries. Parentheses can be used to group expressions and control the order of evaluation. For example: event.code:4625 AND winlog.event_data.SubStatus:0xC0000072

Comparison Operators: KQL supports various comparison operators such as :, :>, :>=, :<, :<=, and :!. These operators enable you to define precise conditions for matching field values. For instance

Wildcards and Regular Expressions: KQL supports wildcards and regular expressions to search for patterns in field values. For example: event.code:4625 AND user.name: admin*
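To make the query semantics above concrete (field:value terms, free text, AND/OR/NOT with parentheses, comparison operators and trailing wildcards), here is an added toy evaluator written for this page; it is not Kibana's KQL parser and only implements that subset. The sample events are constructed for the example and use winlogbeat-style field names. Each query from the notes above is run against them.

```python
"""Toy evaluator for a subset of KQL over in-memory events (added example).

Supports: field:value terms with trailing * wildcards, quoted or bare free-text
terms matched against every field, AND / OR / NOT, parentheses, and the
comparison spellings used in the notes above (:>, :>=, :<, :<=).
"""
import fnmatch
import re

# Constructed sample events, flattened to dotted field names as Kibana shows them.
EVENTS = [
    {"event.code": "4625", "user.name": "admin", "winlog.event_data.SubStatus": "0xC0000072", "host.name": "dc01"},
    {"event.code": "4625", "user.name": "svc-sql1", "winlog.event_data.SubStatus": "0xC000006A", "host.name": "sql01"},
    {"event.code": "4624", "user.name": "administrator", "winlog.event_data.SubStatus": "0x0", "host.name": "dc01"},
    {"event.code": "4720", "user.name": "svc-sql1", "host.name": "dc01"},
]

TOKEN_RE = re.compile(r'\s*(\(|\)|AND\b|OR\b|NOT\b|"[^"]*"|[^\s()]+)', re.IGNORECASE)
COMPARE_RE = re.compile(r'^([\w.]+):(>=|<=|>|<)(.+)$')   # field:>value style comparisons
FIELD_RE = re.compile(r'^([\w.]+):(.+)$')                  # plain field:value terms


def tokenize(query):
    """Split a query into parentheses, operators, quoted strings and bare terms."""
    query, pos, tokens = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {query[pos:]!r}")
        pos = m.end()
        tokens.append(m.group(1))
    return tokens


class Parser:
    """Recursive descent: OR binds loosest, then AND, then NOT, then atoms."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() and self.peek().upper() == "NOT":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        # Allow "user.name: admin*" (space after the colon) by re-joining the value.
        if tok.endswith(":") and self.peek() not in (None, "(", ")"):
            tok += self.take()
        return ("term", tok)


def match_term(term, event):
    """Match one term against one event: comparison, field:value, or free text."""
    m = COMPARE_RE.match(term)
    if m:
        field, op, raw = m.groups()
        try:
            actual, wanted = float(event[field]), float(raw)
        except (KeyError, ValueError):
            return False  # missing field or non-numeric operand never matches
        return {">": actual > wanted, ">=": actual >= wanted,
                "<": actual < wanted, "<=": actual <= wanted}[op]
    m = FIELD_RE.match(term)
    if m:
        field, pattern = m.groups()
        return field in event and fnmatch.fnmatchcase(str(event[field]), pattern.strip('"'))
    word = term.strip('"')
    return any(word == str(v) for v in event.values())  # free text: any field, exact value


def evaluate(node, event):
    kind = node[0]
    if kind == "term":
        return match_term(node[1], event)
    if kind == "not":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if kind == "and" else (left or right)


def search(query, events=EVENTS):
    """Return the list of events matching a KQL (subset) query."""
    tree = Parser(tokenize(query)).parse()
    return [e for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    for q in ["event.code:4625", '"svc-sql1"',
              "event.code:4625 AND winlog.event_data.SubStatus:0xC0000072",
              "event.code:4625 AND user.name: admin*",
              "NOT event.code:4625 AND (user.name:svc-sql1 OR host.name:dc01)"]:
        print(q, "->", [e["user.name"] for e in search(q)])
```

Running the script shows the failed-logon query narrowing from two events to one once the SubStatus term is ANDed on, and the parenthesised NOT/OR query illustrating that NOT binds tighter than AND, which in turn binds tighter than OR. Real Kibana behaviour differs in details this toy ignores (analysed text fields, the `:!` spelling, and `field:(a OR b)` grouping are not implemented).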
