Azure Sentinel Log Data Analysis and Threat Hunting | KQL Queries for SOC Analysts

Kusto Query Language (KQL) Statements for Log Data Analysis and Threat Hunting

Question

You are a SOC Analyst working at a company that is deploying Azure Sentinel.

You are responsible for performing log data analysis to search for malicious activity, display visualizations, and perform threat hunting.

To query log data, you use the Kusto Query Language (KQL).

Often fields in a table store structured and unstructured string data.

You write KQL statements to extract and manipulate data stored in these fields.

Saving your query as one of the types below will create a virtual table.

Identify it.

Answers

Explanations

A. Definition

B. Module

C. Function

D. Logic App

Correct Answer: C

Option C is correct.

Functions then can be referenced in other KQL statements.

Options A, B and D are incorrect.

Functions define a virtual table.

Reference:

The answer is A. Definition.

When you save a KQL query as a Definition type, it creates a virtual table that contains the results of the query. You can then use this virtual table as a data source in other queries and analysis.

In Azure Sentinel, KQL is used to query data from various sources such as logs from Azure resources, security products, and custom data sources. KQL enables you to extract and manipulate data from these sources using a familiar SQL-like syntax.

When you write a KQL query, you can save it as a Definition type by clicking on the "Save As" button and selecting "Definition" from the dropdown menu. Once saved, the query is converted into a virtual table, which can be used as a data source in other queries.

The other options listed in the question are not correct answers:

B. Module: A KQL module is a collection of related queries that can be reused in other queries.

C. Function: A KQL function is a reusable block of code that performs a specific task, such as parsing data or calculating a value.

D. Logic App: A Logic App is a cloud-based service that provides a way to automate workflows and integrate with various systems and services.

Therefore, the correct answer is A. Definition.
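The following is an added example illustrating the mechanism the first explanation (Option C, Function) describes: a query saved as a function in the Logs blade can afterwards be referenced by its alias as if it were a table. It is not code from the original page. The function alias `FailedSignins_LastDay` and the threshold of 20 attempts are assumptions chosen for the example; `SigninLogs` and its columns are the standard Azure AD sign-in table as ingested by Sentinel.

```kql
// Query body saved via Save > Save as function, alias FailedSignins_LastDay (alias is an assumption).
// ResultType "0" is a successful sign-in; everything else is a failure.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, ResultDescription

// A separate hunting query that references the saved function as a virtual table
// and surfaces accounts with many failures from many source IPs (password-spray style signal).
FailedSignins_LastDay
| summarize Attempts = count(), DistinctIPs = dcount(IPAddress), LastSeen = max(TimeGenerated) by UserPrincipalName
| where Attempts > 20
| order by Attempts desc
```

The saved function is evaluated each time it is referenced, so the second query always sees the current contents of `SigninLogs`; changing the filter in the saved function changes every query that depends on it, which is why analysts keep such functions narrow and well named.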