KQL Cheatsheet

A page of useful KQL queries for when you need some quick ideas.

Searching

// Search all tables and all data for a keyword. This looks across
// everything in the workspace. It's very useful, but can be
// intensive and may even time out. Narrow the time span first
// to reduce the quantity of data scanned.

search *
| where TimeGenerated > ago(1h)   // narrow the window before matching
| where * has "KEYWORD"
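A more targeted form of the same search, added here as an example rather than taken from the original cheatsheet: `search in (...)` restricts the scan to named tables, and the `$table` column that `search` adds to each row tells you which table matched. The table names and "KEYWORD" are placeholders to adjust for your workspace.

```kql
// Added example (not from the original cheatsheet): scope the search
// to a few tables and a short window, then count hits per table.
// The table list and "KEYWORD" are placeholders.
search in (SecurityEvent, Syslog, SigninLogs) "KEYWORD"
| where TimeGenerated > ago(1h)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by $table
| order by Hits desc
```

Run the scoped version first; if it returns nothing, widen the table list or window rather than starting with `search *` across the whole workspace.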

SecurityAlert table queries

// Look up security alerts generated in the last 5 minutes whose
// severity is not Informational or Low, i.e. display only those
// that are Medium or High. AlertSeverity values are capitalised
// ("Informational", "Low", "Medium", "High") and `!in` is
// case-sensitive, so use the case-insensitive `!in~` to avoid
// letting informational alerts through on a case mismatch.

SecurityAlert
| where TimeGenerated >= ago(5m)
| where AlertSeverity !in~ ("Informational", "Low")
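A triage view built on the same table, added as an example that is not part of the original cheatsheet: it groups repeated firings of the same analytic into one row, collects the affected entities, and sorts by an explicit severity rank instead of relying on alphabetical order of the severity string. The 24-hour window and the 20-entity cap are arbitrary choices.

```kql
// Added example (not from the original cheatsheet): Medium/High alerts
// over the last 24 hours, collapsed per alert name and provider.
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in~ ("Medium", "High")
// explicit rank so High sorts first regardless of string ordering
| extend SeverityRank = case(AlertSeverity =~ "High", 1,
                             AlertSeverity =~ "Medium", 2,
                             3)
| summarize AlertCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Entities = make_set(CompromisedEntity, 20)   // cap is arbitrary
    by AlertName, AlertSeverity, SeverityRank, ProviderName, ProductName
| order by SeverityRank asc, LastSeen desc
```

A high AlertCount on one row usually means a noisy rule rather than a widespread incident; check the Entities set before escalating.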