© 2026 CheatGrid™. All rights reserved.

Kusto Query Language (KQL) Cheat Sheet

Updated 2026-04-27

Kusto Query Language (KQL) is a read-only query language developed by Microsoft for analyzing large volumes of structured, semi-structured, and unstructured data. Named after oceanographer Jacques Cousteau, it powers Azure Data Explorer, Azure Monitor Logs, Microsoft Sentinel, Microsoft 365 Defender, and Application Insights. KQL is optimized for telemetry, metrics, logs, and time-series analysis, providing powerful operators for aggregation, filtering, visualization, and machine learning directly in the query layer. Unlike SQL, KQL uses a pipe-based syntax that flows data transformations left-to-right, making queries readable and composable. Understanding KQL's tabular operators, scalar functions, graph semantics, and query optimization patterns is essential for security analysts, data engineers, and cloud practitioners working with Microsoft's data analytics ecosystem.


What This Cheat Sheet Covers

This topic spans 26 focused tables and 214 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Basic Query Structure
  • Table 2: Filtering and Comparison
  • Table 3: Aggregation Functions
  • Table 4: Summarize Operator
  • Table 5: Conditional Scalar Functions
  • Table 6: String Functions
  • Table 7: Datetime Functions
  • Table 8: Join Operations
  • Table 9: Union and Set Operations
  • Table 10: Dynamic Arrays and JSON
  • Table 11: Window Functions
  • Table 12: Time Series Analysis
  • Table 13: Graph Semantics
  • Table 14: Advanced Operators
  • Table 15: Machine Learning Plugins
  • Table 16: Visualization
  • Table 17: Data Types
  • Table 18: Conversion Functions
  • Table 19: Mathematical Functions
  • Table 20: IP and Network Functions
  • Table 21: Geospatial Functions
  • Table 22: Cross-Database and Cross-Cluster Queries
  • Table 23: User-Defined Functions
  • Table 24: Query Optimization Techniques
  • Table 25: Common Use Cases
  • Table 26: Common Pitfalls and Gotchas

Table 1: Basic Query Structure

Each entry below gives the operator, an example, and its description.

table name
  Example: SecurityEvent
  Returns all records from a table — the starting point for every KQL query.

pipe |
  Example: SecurityEvent | where TimeGenerated > ago(1d)
  Chains operators together; data flows left-to-right through transformations.

where
  Example: T | where EventID == 4625
  Filters rows based on a boolean predicate; always apply early for performance.

project
  Example: T | project TimeGenerated, Account
  Selects specific columns to include; reduces output width and improves query speed.

project-away
  Example: T | project-away TenantId, _ResourceId
  Excludes specified columns from output; inverse of project — keeps all except the listed columns.

project-keep
  Example: T | project-keep Time*, Computer
  Keeps specified columns (supports wildcards); unlike project, preserves original column order.

project-rename
  Example: T | project-rename Device = Computer
  Renames columns without dropping or reordering any other columns.

project-reorder
  Example: T | project-reorder TimeGenerated, Computer, *
  Moves specified columns to the front; * fills in the remaining columns in original order.
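An added example, not taken from the cheat sheet, that chains all seven Table 1 operators into one failed-logon triage query. It assumes the Azure Monitor SecurityEvent table with the columns used in the rows above plus IpAddress, LogonType and TimeCollected; in another workspace, substitute your own column names.

```kql
// Added example: one query that exercises every Table 1 operator in the order
// a security analyst would chain them. Assumes the Azure Monitor SecurityEvent
// schema (TimeGenerated, TimeCollected, Computer, Account, EventID, IpAddress,
// LogonType, TenantId, _ResourceId); these column names are assumptions.
SecurityEvent                                       // table name: start from every row
| where TimeGenerated > ago(1d)                     // filter on time first so the engine prunes early
| where EventID == 4625                             // keep only failed logons
| project-away TenantId, _ResourceId                // drop identifiers the triage never needs
| project-rename Device = Computer                  // clearer name; no other column changes
| project-keep Time*, Device, Account, IpAddress, LogonType
    // wildcard keeps TimeGenerated and TimeCollected; original column order is preserved,
    // so Device/Account still sit wherever Computer/Account were in the source schema
| project-reorder Device, Account, *                // bring the triage keys to the front
    // '*' fills in the remaining kept columns in their original order

// Same result set with project instead of project-keep. project both selects and
// orders columns in one step, so the project-reorder above becomes unnecessary;
// use project when you already know the final column list, project-keep when you
// want wildcards or must not disturb the incoming order.
SecurityEvent
| where TimeGenerated > ago(1d) and EventID == 4625
| project-rename Device = Computer
| project Device, Account, TimeGenerated, TimeCollected, IpAddress, LogonType
```

Both forms keep the cheap time filter ahead of the column operators, which is the "apply where early" rule from the table in practice.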
