The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting

Morowczynski, Mark, Trent, Rod, Zorich, Matthew

  • 出版商: MicroSoft
  • 出版日期: 2024-05-24
  • 售價: $1,980
  • 貴賓價: 9.5$1,881
  • 語言: 英文
  • 頁數: 480
  • 裝訂: Quality Paper - also called trade paper
  • ISBN: 0138293384
  • ISBN-13: 9780138293383
  • 立即出貨

相關主題

商品描述

Turn the avalanche of raw data from Azure Data Explorer, Azure Monitor, Microsoft Sentinel, and other Microsoft data platforms into actionable intelligence with KQL (Kusto Query Language). Experts in information security and analysis guide you through what it takes to automate your approach to risk assessment and remediation, speeding up detection time while reducing manual work using KQL. This accessible and practical guide--designed for a broad range of people with varying experience in KQL--will quickly make KQL second nature for information security.

Solve real problems with Kusto Query Language-- and build your competitive advantage:

  • Learn the fundamentals of KQL--what it is and where it is used
  • Examine the anatomy of a KQL query
  • Understand why data summation and aggregation is important
  • See examples of data summation, including count, countif, and dcount
  • Learn the benefits of moving from raw data ingestion to a more automated approach for security operations
  • Unlock how to write efficient and effective queries
  • Work with advanced KQL operators, advanced data strings, and multivalued strings
  • Explore KQL for day-to-day admin tasks, performance, and troubleshooting
  • Use KQL across Azure, including app services and function apps
  • Delve into defending and threat hunting using KQL
  • Recognize indicators of compromise and anomaly detection
  • Learn to access and contribute to hunting queries via GitHub and workbooks via Microsoft Entra ID

商品描述(中文翻譯)

將 Azure Data Explorer、Azure Monitor、Microsoft Sentinel 和其他 Microsoft 數據平台的原始數據雪崩轉化為可操作的情報,並使用 KQL(Kusto 查詢語言)進行分析。信息安全和分析專家將指導您自動化風險評估和修復的方法,加快檢測時間,同時減少使用 KQL 的手動工作。這本易於理解且實用的指南適用於各種經驗水平的人,將迅速使 KQL 成為信息安全的第二天性。

使用 Kusto 查詢語言解決真實問題,並建立您的競爭優勢:
- 學習 KQL 的基礎知識,包括其定義和應用場景
- 深入了解 KQL 查詢的結構
- 理解數據總結和聚合的重要性
- 查看數據總結的示例,包括 count、countif 和 dcount
- 學習從原始數據摄取轉向更自動化的安全操作方法的好處
- 掌握撰寫高效和有效查詢的技巧
- 使用高級 KQL 運算符、高級數據字符串和多值字符串
- 探索在日常管理任務、性能和故障排除中使用 KQL 的方法
- 在 Azure 中使用 KQL,包括應用服務和功能應用
- 深入研究使用 KQL 進行防禦和威脅狩獵
- 識別威脅指標和異常檢測
- 學習通過 GitHub 訪問和貢獻狩獵查詢,以及通過 Microsoft Entra ID 使用工作簿。

作者簡介

Mark Morowczynski is a principal product manager on the Security Customer Experience Engineering (CxE) team at Microsoft. He spends most of his time working with customers on their deployments in the Identity and Access Management (IAM) and information security space. He's spoken at various industry events, including Black Hat, Defcon Blue Team Village, Blue Team Con, Microsoft Ignite, and several BSides and SANS Security Summits. He has a BS in computer science, an MS in computer information and network security, and an MBA from DePaul University. He also has a MS in Information Security Engineering from the SANS Technology Institute. He can be found online on Mastodon at @markmorow@infosec.exchange or his website at https: //markmorow.com.

Rod Trent is a senior program manager at Microsoft, focused on cybersecurity and AI. He has spoken at many conferences over the past 30-some years and has written several books, including Must Learn KQL: Essential Learning for the Cloud-focused Data Scientist, and thousands of articles. He is a husband, dad, and first-time grandfather. In his spare time (if such a thing does truly exist), you can regularly find him simultaneously watching Six Million Dollar Man episodes and writing KQL queries. Rod can be found on LinkedIn and X (formerly Twitter) at @rodtrent.

Matthew Zorich was born and raised in Australia and works for the Microsoft GHOST team, which provides threat-hunting oversight to many areas of Microsoft. Before that, he worked for the Microsoft Detection and Response Team (DART) and dealt with some of the most complex and largest-scale cybersecurity compromises on the planet. Before joining Microsoft as a full-time employee, he was a Microsoft MVP, ran a blog focused on Microsoft Sentinel, and contributed hundreds of open-source KQL queries to the community. He is a die-hard sports fan, especially the NBA and cricket.

作者簡介(中文翻譯)

Mark Morowczynski是微軟安全客戶體驗工程團隊的首席產品經理。他大部分時間都在與客戶合作,協助他們在身份和訪問管理(IAM)以及資訊安全領域進行部署。他曾在多個行業活動上發表演講,包括Black Hat、Defcon Blue Team Village、Blue Team Con、Microsoft Ignite以及幾個BSides和SANS Security Summit。他擁有計算機科學學士學位、計算機信息和網絡安全碩士學位,以及德保羅大學的工商管理碩士學位。他還在SANS Technology Institute獲得了信息安全工程碩士學位。您可以在Mastodon的@markmorow@infosec.exchange或他的網站https://markmorow.com上找到他。

Rod Trent是微軟的高級計劃經理,專注於網絡安全和人工智能。在過去的30多年裡,他在許多會議上發表過演講,並撰寫了幾本書,包括《Must Learn KQL: Essential Learning for the Cloud-focused Data Scientist》,還有數千篇文章。他是一位丈夫、父親和第一次當祖父的人。在他的空閒時間(如果真的存在的話),您可以經常看到他同時觀看《六百萬美元人》的劇集並撰寫KQL查詢。您可以在LinkedIn和X(前身為Twitter)上找到Rod,帳號是@rodtrent。

Matthew Zorich在澳大利亞出生和長大,目前在微軟的GHOST團隊工作,該團隊為微軟的多個領域提供威脅狩獵監督。在此之前,他曾在微軟的檢測和響應團隊(DART)工作,處理過一些全球範圍內最複雜和最大規模的網絡安全威脅。在成為微軟的全職員工之前,他是微軟的MVP,運營著一個專注於Microsoft Sentinel的博客,並向社區貢獻了數百個開源KQL查詢。他是一位狂熱的體育迷,尤其喜歡NBA和板球。