\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{markwoan} \pdfinfo{ /Title (kql.pdf) /Creator (Cheatography) /Author (markwoan) /Subject (kql Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row 
colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{A3A3A3} \definecolor{LightBackground}{HTML}{F3F3F3} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{kql Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{markwoan} via \textcolor{DarkBackground}{\uline{cheatography.com/93412/cs/20629/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}markwoan \\ \uline{cheatography.com/markwoan} \\ \uline{\seqsplit{github}.com/woanware} \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 2nd October, 2019.\\ Page {\thepage} of \pageref{LastPage}. 
\end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt}
%\includegraphics[width=48px,height=48px]{dave.jpeg}
Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}}
\begin{document}
\raggedright
\raggedcolumns
% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Search}} \tn
% Row 0
\SetRowColor{LightBackground}
`Test | search "Fred"` & Searches all columns in the table "Test" for the value "Fred" \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
`Test | search "fred"` & Same as above, since {\bf{search}} is not case sensitive by default \tn
% Row Count 8 (+ 4)
% Row 2
\SetRowColor{LightBackground}
`Test | search \seqsplit{kind=case\_sensitive} "fred"` & Searches all columns in the table "Test" for the value "fred", now requiring a match on the case \tn
% Row Count 13 (+ 5)
% Row 3
\SetRowColor{white}
`search "fred"` & Searches across all tables for the value "Fred" \tn
% Row Count 16 (+ 3)
% Row 4
\SetRowColor{LightBackground}
`search in (Process, Autoruns) "Fred"` & Searches across the tables "Process", "Autoruns" for the value "Fred" \tn
% Row Count 20 (+ 4)
% Row 5
\SetRowColor{white}
`Processes | search \seqsplit{ProcName=="explorer.exe"}` & Searches the "Processes" table on the column named "ProcName" for a value of "explorer.exe" \tn
% Row Count 25 (+ 5)
% Row 6
\SetRowColor{LightBackground}
`Processes | search ProcName:"svchost"` & Searches the "Processes" table on the column named "ProcName" for a value containing "svchost" \tn
% Row Count 30 (+ 5)
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Search (cont)}} \tn % Row 7 \SetRowColor{LightBackground} `Processes | search "svchost.exe"` & Searches the "Processes" table for a value containing exactly "svchost.exe" \tn % Row Count 4 (+ 4) % Row 8 \SetRowColor{white} `Processes | search "net*"` & Searches the "Processes" table for a value that contains "net" \tn % Row Count 8 (+ 4) % Row 9 \SetRowColor{LightBackground} `Processes | search * startswith "net"` & Searches the "Processes" table for a value that starts with "net" \tn % Row Count 12 (+ 4) % Row 10 \SetRowColor{white} `Processes | search * endswith "net"` & Searches the "Processes" table for a value that ends with "net" \tn % Row Count 16 (+ 4) % Row 11 \SetRowColor{LightBackground} `Processes | search "Powershell.exe" and " -encodedCommand"` & Searches the "Processes" table for both "Powershell.exe" and "-encodedCommand" \tn % Row Count 20 (+ 4) % Row 12 \SetRowColor{white} `Processes | search * matches regex "{[}A-Z{]}:\textbackslash{}\textbackslash{}\textbackslash{}\textbackslash{}Program\textbackslash{}\textbackslash{}sFiles"` & Searches the "Processes" table for values that match the regex \tn % Row Count 24 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Search operator provides a multi-table/multi-column search experience} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Where}} \tn % Row 0 \SetRowColor{LightBackground} `Processes | where ProcName =="explorer.exe"` & Limits search to the "ProcName" column and a specific value \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} `Processes | where ProcName =="explorer.exe" and \seqsplit{ParentProcName=="Word}.exe"` & Limits search to the "ProcName" and "ParentProcName" columns and 
specific values for each \tn
% Row Count 8 (+ 5)
% Row 2
\SetRowColor{LightBackground}
`Processes | where ProcName =="explorer.exe" and \seqsplit{ParentProcName=="Word}.exe" and Host=="DESKTOP1"` & Additional "and" operators \tn
% Row Count 13 (+ 5)
% Row 3
\SetRowColor{white}
`Processes | where ProcName =="explorer.exe" and (Host=="DESKTOP1" or Host=="SERVER1")` & "or" operator logic \tn
% Row Count 18 (+ 5)
% Row 4
\SetRowColor{LightBackground}
`Processes | where ProcName =="explorer.exe" | where \seqsplit{ParentProcName=="Word}.exe"` & "where" operators stacked, so that each data set is reduced. Used when performing additional operations between each "where" \tn
% Row Count 25 (+ 7)
% Row 5
\SetRowColor{white}
`Processes | where * hasprefix "svchost"` & Has "svchost" at the start of a column value \tn
% Row Count 28 (+ 3)
% Row 6
\SetRowColor{LightBackground}
`Processes | where * hassuffix ".exe"` & Has ".exe" at the end of a column value \tn
% Row Count 30 (+ 2)
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Where (cont)}} \tn
% Row 7
\SetRowColor{LightBackground}
`Processes | where * contains "svchost"` & Has "svchost" somewhere in a column value \tn
% Row Count 3 (+ 3)
% Row 8
\SetRowColor{white}
`Processes | where CommandLine matches regex "{[}A-Z{]}:\textbackslash{}\textbackslash{}\textbackslash{}\textbackslash{}Program\textbackslash{}\textbackslash{}sFiles"` & Can use regex for the matching logic \tn
% Row Count 7 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Filters a table to the subset of rows that satisfy a predicate.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Take}} \tn
% Row 0
\SetRowColor{LightBackground}
`Processes | take 5` & Retrieves up to 5 rows from the "Processes" table; no particular order is guaranteed \tn
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
`Processes | where \seqsplit{ProcName=="Powershell}.exe" and Host=="DESKTOP1" | take 5` & Combines "where" and "and" operators to retrieve up to 5 of the matching rows from the "Processes" table \tn
% Row Count 8 (+ 5)
% Row 2
\SetRowColor{LightBackground}
`Processes | limit 5` & The "limit" operator has the same effect as "take" \tn
% Row Count 11 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Return up to the specified number of rows} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Count}} \tn
% Row 0
\SetRowColor{LightBackground}
`Proc | count` & Returns the count of rows within the "Proc" table \tn
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
`Proc | where \seqsplit{ProcName=="explorer.exe"} | count` & Returns the count of rows within the "Proc" table, limited by the "where" operator \tn
% Row Count 8 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Returns the number of records in the input record set} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Format DateTime}} \tn
% Row 0
\SetRowColor{LightBackground}
\seqsplit{`format\_datetime(datetime(2017-01-29} 09:00:05), 'yy-MM-dd {[}HH:mm:ss{]}')` & Returns timestamp as {\bf{17-01-29 {[}09:00:05{]}}} \tn
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
\seqsplit{`format\_datetime(datetime(2017-01-29} 09:00:05), 'yyyy-M-dd {[}H:mm:ss{]}')` & Returns timestamp as
{\bf{2017-1-29 {[}9:00:05{]}}} \tn % Row Count 9 (+ 4) % Row 2 \SetRowColor{LightBackground} \seqsplit{`format\_datetime(datetime(2017-01-29} 09:00:05), 'yy-MM-dd {[}hh:mm:ss tt{]}')` & Returns timestamp as {\bf{17-01-29 {[}09:00:05 AM{]}}} \tn % Row Count 13 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Formats a datetime parameter based on the format pattern parameter} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Between}} \tn % Row 0 \SetRowColor{LightBackground} `Process | where PID between (1 .. 1000)` & Returns the processes that have a PID between 1 and 1000 \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} `Procs | where TimeStarted between \seqsplit{(datetime("2019-10-01} 00:00:00") .. \seqsplit{datetime("2019-10-01} 12:00:00"))` & Returns the processes that started between the two timestamps \tn % Row Count 9 (+ 6) % Row 2 \SetRowColor{LightBackground} `Procs | where PID !between (1 .. 
1000)` & Returns the processes that are {\bf{not}} between 1 and 1000 \tn % Row Count 12 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Matches the input that is inside the inclusive range} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{7.2534 cm} x{10.0166 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Endof}} \tn % Row 0 \SetRowColor{LightBackground} `print \seqsplit{endofday(now())`} & Prints the end of day for today \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} `print endofday(now(), 1)` & Prints the end of day for tomorrow \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} `print endofday(now(), -1)` & Prints the end of day for yesterday \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} `print \seqsplit{endofweek(now())`} & Prints the end of the current week \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} `print endofweek(now(), 1)` & Prints the end of week for the next week \tn % Row Count 10 (+ 2) % Row 5 \SetRowColor{white} `print endofweek(now(), -1)` & Prints the end of the week for last week \tn % Row Count 12 (+ 2) % Row 6 \SetRowColor{LightBackground} `print \seqsplit{endofmonth(now())`} & Prints the end of the current month \tn % Row Count 14 (+ 2) % Row 7 \SetRowColor{white} `print \seqsplit{endofmonth(now()}, 1)` & Prints the end of the next month \tn % Row Count 16 (+ 2) % Row 8 \SetRowColor{LightBackground} `print \seqsplit{endofmonth(now()}, -1)` & Prints the end of the previous month \tn % Row Count 18 (+ 2) % Row 9 \SetRowColor{white} `print \seqsplit{endofyear(now())`} & Prints the end of the current year \tn % Row Count 20 (+ 2) % Row 10 \SetRowColor{LightBackground} `print endofyear(now(), 1)` & Prints the end of the next year \tn % Row Count 22 (+ 2) % Row 11 \SetRowColor{white} `print endofyear(now(), -1)` & Prints the end of the previous 
year \tn % Row Count 24 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Returns the end of the day, week, month, year containing the date, shifted by an offset, if provided.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{7.5988 cm} x{9.6712 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Startof}} \tn % Row 0 \SetRowColor{LightBackground} `print \seqsplit{startofday(now())`} & Prints the start of day for today \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} `print startofday(now(), 1)` & Prints the start of day for tomorrow \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} `print startofday(now(), -1)` & Prints the start of day for yesterday \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} `print \seqsplit{startofweek(now())`} & Prints the start of the current week \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} `print \seqsplit{startofweek(now()}, 1)` & Prints the start of week for the next week \tn % Row Count 10 (+ 2) % Row 5 \SetRowColor{white} `print \seqsplit{startofweek(now()}, -1)` & Prints the start of the week for last week \tn % Row Count 12 (+ 2) % Row 6 \SetRowColor{LightBackground} `print \seqsplit{startofmonth(now())`} & Prints the start of the current month \tn % Row Count 14 (+ 2) % Row 7 \SetRowColor{white} `print \seqsplit{startofmonth(now()}, 1)` & Prints the start of the next month \tn % Row Count 16 (+ 2) % Row 8 \SetRowColor{LightBackground} `print \seqsplit{startofmonth(now()}, -1)` & Prints the start of the previous month \tn % Row Count 18 (+ 2) % Row 9 \SetRowColor{white} `print \seqsplit{startofyear(now())`} & Prints the start of the current year \tn % Row Count 20 (+ 2) % Row 10 \SetRowColor{LightBackground} `print \seqsplit{startofyear(now()}, 1)` & Prints the start of the next year \tn % Row Count 22 (+ 2) % Row 11 \SetRowColor{white} 
`print \seqsplit{startofyear(now()}, -1)` & Prints the start of the previous year \tn
% Row Count 24 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Returns the start of the day, week, month, year containing the date, shifted by an offset, if provided.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Date/Time Calculations}} \tn
% Row 0
\SetRowColor{LightBackground}
`SecurityEvent | extend TimePast = (now() - TimeGenerated)` & Adds a new column (TimePast) with the duration of time since the event occurred \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
`Process | extend Duration= (EndTime - StartTime) | project PID, FullPath, StartTime , EndTime, Duration` & Adds new column (Duration), that calculates the duration between two timestamps (EndTime, StartTime) \tn
% Row Count 10 (+ 6)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Parse}} \tn
% Row 0
\SetRowColor{LightBackground}
`SecurityEvent | parse Fqbn with * "O=" user ", L=" location "," * | project user, location` & Parses the {\bf{Fqbn}} column into two new columns (user, location) from column string {\bf{O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\textbackslash{}MICROSOFT ® WINDOWS SCRIPT HOST\textbackslash{}CSCRIPT.EXE\textbackslash{}5.812.10240.16384}} \tn
% Row Count 11 (+ 11)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Evaluates a string expression and parses its value into one or more calculated columns.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635
cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Extract}} \tn
% Row 0
\SetRowColor{LightBackground}
`W3CIISLog | extend Domain = \seqsplit{extract("http://(.*)/"}, 1, FullUrl)` & Creates a new column (Domain), and uses a regex group to extract just the domain from a full URL. Note that the second parameter (1 in this instance), is used to specify which regex group is returned. A value of 0 will return the entire match. Note that "(.*)" is greedy, so a URL with further slashes in its path is captured up to its last slash rather than just the host \tn
% Row Count 13 (+ 13)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Get a match for a regular expression from a text string} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Sort/Order}} \tn
% Row 0
\SetRowColor{LightBackground}
`Procs | project ProcName, PID | sort by TimeStarted` & Sorts the data set by the column {\bf{TimeStarted}}. Defaults to {\bf{desc}} \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
`Procs | project ProcName, PID | sort by TimeStarted asc` & Sorts the data set by the column {\bf{TimeStarted}} in ascending order \tn
% Row Count 8 (+ 4)
% Row 2
\SetRowColor{LightBackground}
`Procs | project ProcName, PID | order by TimeStarted` & Orders the data set by the column {\bf{TimeStarted}} in ascending order.
Same functionality as {\bf{sort}} \tn % Row Count 13 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Sort the rows of the input table into order by one or more columns} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{5.8718 cm} x{11.3982 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Print}} \tn % Row 0 \SetRowColor{LightBackground} `print "We love KQL"` & Prints {\bf{We love KQL}} as the result set output \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} `print 10+5` & Prints {\bf{15}} as the result set output \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} `print 10\textbackslash{}5` & Prints {\bf{2}} as the result set output \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} `print Calc=5+15` & Prints {\bf{20}} as the result set output and names the column as {\bf{Calc}} \tn % Row Count 9 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Outputs single-row with one or more scalar expressions} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{5.181 cm} x{12.089 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Ago}} \tn % Row 0 \SetRowColor{LightBackground} `print ago(1s)` & Prints a timestamp in the past e.g. 1 second. Can use {\bf{d}} = days, {\bf{h}} = hours, {\bf{m}} = minutes, {\bf{s}} = seconds, {\bf{ms}} = milliseconds, {\bf{microsecond}} as is, and {\bf{tick}} = nanosecond \tn % Row Count 7 (+ 7) % Row 1 \SetRowColor{white} `print ago(2m)` & Prints a timestamp in the past e.g. 2 minutes \tn % Row Count 9 (+ 2) % Row 2 \SetRowColor{LightBackground} `print ago(3h)` & Prints a timestamp in the past e.g. 
3 hours \tn % Row Count 11 (+ 2) % Row 3 \SetRowColor{white} `print ago(4d)` & Prints a timestamp in the past e.g. 4 days \tn % Row Count 13 (+ 2) % Row 4 \SetRowColor{LightBackground} `print ago(-3d)` & Print a timestamp in the future e.g. today + 3 days \tn % Row Count 15 (+ 2) % Row 5 \SetRowColor{white} `print ago(-12h)` & Print a timestamp in the future e.g. today + 12 hours \tn % Row Count 17 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Subtracts the given timespan from the current UTC clock time} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{8.2896 cm} x{8.9804 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Top}} \tn % Row 0 \SetRowColor{LightBackground} `Procs | top 100 by ProcDuration` & Top returns N rows from the data set, using the {\bf{by}} clause to sort \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} `Procs | top 100 by ProcDuration asc` & Top returns N rows from the data set, using the {\bf{by}} clause to sort, and the {\bf{asc}} clause to sort in ascending values \tn % Row Count 11 (+ 7) \hhline{>{\arrayrulecolor{DarkBackground}}--} \SetRowColor{LightBackground} \mymulticolumn{2}{x{17.67cm}}{Returns the first N records sorted by the specified columns} \tn \hhline{>{\arrayrulecolor{DarkBackground}}--} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} } \SetRowColor{DarkBackground} \mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Distinct}} \tn % Row 0 \SetRowColor{LightBackground} `Procs | distinct ProcName` & Returns a uniqued list of {\bf{ProcName}} values \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} `Procs | where \seqsplit{ParentProcName=="Explorer}.exe" | distinct ProcName` & Using {\bf{distinct}} function to limit the results returned \tn % Row Count 7 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}--} 
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Produces a table with the distinct combination of the provided columns of the input table} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Project}} \tn
% Row 0
\SetRowColor{LightBackground}
`Procs | project PID, ProcName, Host` & Allows reduced column selection (PID, ProcName, Host) \tn
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
`Procs | extend FileSizeKb = FileSizeMB/1000 | project ProcName, FileSizeKb` & Used {\bf{extend}} function to add a new column ({\bf{FileSizeKb}}) using a field not required (FileSizeMB) in output \tn
% Row Count 9 (+ 6)
% Row 2
\SetRowColor{LightBackground}
`Procs | project FileSizeKb = FileSizeMB/1000, ProcName` & Used {\bf{project}} to add a new column using a field not required in output, without using {\bf{extend}} \tn
% Row Count 14 (+ 5)
% Row 3
\SetRowColor{white}
`Procs | project-away PID, ParentPID` & Show all columns apart from {\bf{PID}} and {\bf{ParentPID}} using the {\bf{project-away}} function \tn
% Row Count 19 (+ 5)
% Row 4
\SetRowColor{LightBackground}
`Procs | project-rename Computer=Host` & Rename {\bf{Host}} column to {\bf{Computer}} and display the rest of the columns \tn
% Row Count 23 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Select (project) the columns to include, rename or drop, and insert new computed columns \newline \newline Select (project-away) what columns in the input to exclude from the output \newline \newline Renames (project-rename) columns in the result output} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Extend}} \tn
% Row 0
\SetRowColor{LightBackground}
`Procs | extend FileSizeKb = FileSizeMB/1000` & Adds new {\bf{FileSizeKb}} column by dividing existing FileSizeMB column value \tn
% Row Count 4 (+ 4)
% Row 1
\SetRowColor{white}
`Procs | extend FileSizeKb = FileSizeMB/1000, FileSizeB = FileSizeMB/1000000` & Adds new {\bf{FileSizeKb}}, {\bf{FileSizeB}} columns by dividing existing FileSizeMB column value \tn
% Row Count 9 (+ 5)
% Row 2
\SetRowColor{LightBackground}
`Procs | extend FullPath = strcat(FilePath, "\textbackslash{}\textbackslash{}", FileName)` & Adds new {\bf{FullPath}} column by concatenating strings from two columns (strcat). The backslash is doubled because it is an escape character inside a KQL string literal \tn
% Row Count 13 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Create calculated columns and append them to the result set} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{17.67cm}{x{8.635 cm} x{8.635 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{17.67cm}}{\bf\textcolor{white}{Summarize}} \tn
% Row 0
\SetRowColor{LightBackground}
`Procs | summarize count() by ProcName` & Summarize {\bf{Procs}} table (like SQL group by) the row counts, by {\bf{ProcName}} \tn
% Row Count 5 (+ 5)
% Row 1
\SetRowColor{white}
`Procs | summarize count() by ProcName, Host` & Summarize {\bf{Procs}} table (like SQL group by) the row counts, by {\bf{ProcName}} and {\bf{Host}} \tn
% Row Count 10 (+ 5)
% Row 2
\SetRowColor{LightBackground}
`Procs | summarize ProcCount=count() by ProcName, Host` & Summarize {\bf{Procs}} table (like SQL group by) the row counts (as {\bf{ProcCount}}), by {\bf{ProcName}} and {\bf{Host}} \tn
% Row Count 16 (+ 6)
% Row 3
\SetRowColor{white}
`Procs | summarize Num=count(), \seqsplit{AvgTime=avg(ProcDuration)} by ProcName` & Summarize {\bf{Procs}} table (like SQL group by) the row counts (as {\bf{Num}}) and the average {\bf{ProcDuration}} (as {\bf{AvgTime}}), by {\bf{ProcName}} \tn
% Row Count 22 (+ 6)
% Row 4
\SetRowColor{LightBackground}
`Procs |
summarize Num=count() by ProcName, bin(TimeGenerated, 1d), Host` & Summarize {\bf{Procs}} table (like SQL group by) the row counts (as {\bf{Num}}), by each day (using the {\bf{bin}} function, which buckets values into fixed-size intervals, e.g.\ days or hours), {\bf{ProcName}} and {\bf{Host}} \tn
% Row Count 32 (+ 10)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{17.67cm}}{Summarize operator produces a table that aggregates the content of the input table} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}
\end{document}