Glossary
KQL
Kusto Query Language — Microsoft's query language for telemetry data across Defender XDR, Sentinel, and Azure Monitor.
Kusto Query Language (KQL) is Microsoft's query language for telemetry data, used in Microsoft Defender XDR advanced hunting, Microsoft Sentinel, Azure Monitor Log Analytics, Azure Data Explorer and other Microsoft cloud services. Queries are read-only by design: KQL filters, shapes and aggregates data but never modifies it, and writes are handled by a separate set of management commands. It is optimised for fast queries over very large log datasets, with operators for filtering (where), column selection (project), aggregation (summarize), correlation across tables (join), time-series construction (make-series) and built-in anomaly-detection functions such as series_decompose_anomalies. SOC analysts use KQL daily for advanced hunting and for authoring detection rules. A query reads as a pipeline: a table name followed by a sequence of transformations separated by |, which for log scenarios is usually more readable than the equivalent SQL. Working fluently in KQL is the single most useful skill for Microsoft's security and observability stack.
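The two queries below are an added example written for this entry, not code from the original page or from Microsoft. Both are written against the Defender XDR advanced hunting schema (DeviceProcessEvents, DeviceInfo and IdentityLogonEvents are real tables there) and are meant to be run separately. The first shows the pipeline style from the paragraph above: where, extend, project, summarize and join chained together to hunt for Office applications launching encoded PowerShell. The second shows make-series feeding series_decompose_anomalies to flag failed-logon spikes per account. The time windows, the 1.5 anomaly threshold and the list of Office process names are arbitrary choices for the example.

```kql
// Added example, not from the original page. Two separate queries for
// Microsoft Defender XDR advanced hunting; run each on its own. Table and
// column names follow the advanced hunting schema; the 7d/14d windows, the
// 1.5 anomaly threshold and the process-name lists are arbitrary choices.

// Query 1: the hunting pipeline. Office applications spawning PowerShell with
// an encoded command line, the payload decoded, summarised per device and
// account, then joined to DeviceInfo for context.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
// cheap term filter first, then the precise (and more expensive) regex
| where ProcessCommandLine has_any ("-e", "-ec", "-enc", "-encodedcommand")
| extend EncodedBlob = extract(@"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
// -EncodedCommand is base64 over UTF-16LE; stripping the NUL bytes recovers ASCII payloads
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, DecodedCommand
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Samples = make_set(DecodedCommand, 5)
    by DeviceId, DeviceName, AccountName
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, OSPlatform, MachineGroup) by DeviceId
    | project DeviceId, OSPlatform, MachineGroup
  ) on DeviceId
| project-away DeviceId1
| order by Hits desc

// Query 2: time-series analysis. Hourly failed-logon counts per account over
// 14 days; series_decompose_anomalies flags hours that spike above the learned
// seasonal baseline (a burst of failures suggests spraying or brute force).
let lookback = 14d;
let bin_size = 1h;
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonFailed"
| make-series Failures = count() default = 0
    on Timestamp from ago(lookback) to now() step bin_size
    by AccountUpn
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Failures, 1.5, -1, 'linefit')
// make-series yields one row per account with array columns; expand back to rows
| mv-expand Timestamp to typeof(datetime), Failures to typeof(long),
            Anomalies to typeof(int), Score to typeof(double), Baseline to typeof(double)
| where Anomalies == 1          // 1 = above baseline, -1 = below, 0 = normal
| project Timestamp, AccountUpn, Failures, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```

Two habits worth copying from the first query: put the time filter and the cheap term operators (has_any, in~) before any regex so the engine can use its term index, and decode payloads in the query rather than eyeballing base64 in the results. The second query's make-series/mv-expand pair is the standard shape for any KQL baseline detection: build a regular series per entity, score it, then expand the arrays back into rows you can alert on.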