If you work with Microsoft Sentinel, I can really recommend the book “Must Learn KQL” by Rod Trent. I recently bought the paperback, and it is a handy book to keep within reach if you need a Swiss Army knife for KQL.
KQL (Kusto Query Language) is the query language behind Sentinel, Log Analytics and Microsoft Defender advanced hunting, so it will only become more important if you work with Sentinel and its related services. Do not hesitate to check out the accompanying GitHub repository as well; you can even take an assessment after reading the book.
It covers the important KQL topics, building up from tooling and search to the individual operators and finally a complete analytics rule:
- Must Learn KQL Part 1: Tools and Resources
- Must Learn KQL Part 2: Just Above Sea Level
- Must Learn KQL Part 3: Workflow
- Must Learn KQL Part 4: Search for Fun and Profit
- Must Learn KQL Part 5: Turn Search into Workflow
- Must Learn KQL Part 6: Interface Intimacy
- Must Learn KQL Part 7: Schema Talk
- Must Learn KQL Part 8: The Where Operator
- Must Learn KQL Part 9: The Limit/Take Operators
- Must Learn KQL Part 10: The Count Operator
- Must Learn KQL Part 11: The Summarize Operator
- Must Learn KQL Part 12: The Render Operator (with Bin and Time)
- Must Learn KQL Part 13: The Extend Operator
- Must Learn KQL Part 14: The Project Operator
- Must Learn KQL Part 15: The Distinct Operator
- Must Learn KQL Part 16: The Order/Sort and Top Operators
- Must Learn KQL Part 17: The Let Statement
- Must Learn KQL Part 18: The Union Operator
- Must Learn KQL Part 19: The Join Operator
- Must Learn KQL Part 20: Building your first Microsoft Sentinel Analytics Rule
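To show how the operators from Parts 8 through 20 come together in the kind of query the last chapter builds, here is an added example of my own (not a query from the book or its GitHub repository). It assumes the standard Entra ID SigninLogs table is connected to your Sentinel workspace; the thresholds (10 failures, 1 day lookback) are arbitrary values chosen for illustration, and the query is a constructed example rather than a tuned detection.

```kql
// Added example: failed sign-in burst per user, using the operators the book covers
let lookback = 1d;            // Part 17: let statement for a reusable value
let threshold = 10;           // arbitrary failure count, tune for your environment
SigninLogs
| where TimeGenerated > ago(lookback)   // Part 8: where, scoped to the lookback window
| where ResultType != 0                 // non-zero ResultType means the sign-in failed
| summarize FailedAttempts = count(),   // Part 10/11: count inside summarize
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            SourceIPs = make_set(IPAddress)
            by UserPrincipalName
| where FailedAttempts >= threshold     // filter on the aggregated result
| extend Duration = LastFailure - FirstFailure  // Part 13: extend a computed column
| project UserPrincipalName, FailedAttempts, Duration, SourceIPs  // Part 14: project
| order by FailedAttempts desc          // Part 16: order/sort
| take 20                               // Part 9: take/limit to the top results
```

Once a query like this returns the rows you expect in the Logs blade, Part 20 is essentially wrapping it in a scheduled analytics rule: pick the schedule and lookback so they match `lookback`, map `UserPrincipalName` and `SourceIPs` to the account and IP entities, and set the alert threshold in the rule rather than hard-coding it in the query if you want analysts to tune it without editing KQL.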
Check the book out here: https://amzn.to/39maJSX