Have a JSON headache in KQL? Try mv-expand or mv-apply
Explains how to handle JSON arrays in Kusto Query Language (KQL) using mv-expand and mv-apply, focusing on Azure AD Conditional Access policy data.
Matt Zorich is a cybersecurity and cloud security specialist who writes in-depth, practical articles on KQL, Microsoft Sentinel, Azure AD, and security analytics to help teams improve detection and security posture.
8 articles from this blog
Explains how to handle JSON arrays in Kusto Query Language (KQL) using mv-expand and mv-apply, focusing on Azure AD Conditional Access policy data.
A guide to creating data visualizations using KQL in Azure services like Sentinel and Log Analytics, with practical examples.
A security engineer shares key lessons and query patterns learned from a year-long #365daysofKQL challenge, focusing on threat hunting and log analysis.
Explains how to analyze and audit Azure AD Conditional Access policies using Microsoft Sentinel and KQL queries for security insights.
A technical guide comparing agent options (Log Analytics, Azure Monitor, Defender for Identity) for monitoring Active Directory logs in Microsoft Sentinel.
Using KQL queries to analyze Azure AD logs for better tenant management, covering users, service principals, and security.
Explains how to detect malware attacks using behavioral TTPs and kill chain analysis with Microsoft Defender and Sentinel, beyond just IOCs.
A guide to using KQL aggregation functions like count() and dcount() in Microsoft Sentinel/Log Analytics to summarize and analyze security alert data.