MustLearnKQL - The Extend Operator
A demonstration of how to use the KQL Extend operator and integrate it into your workflow.
Cliffnotes
- Used to create custom views of data to better inform risk
- Allows you to create custom columns in real time
- The custom data is not stored in the database; it is created on the fly
- Create calculated columns
Basic workflow
- What table is the data coming from?
- Use Extend to create a new column with a custom name
- Insert data in the new column for visualization purposes (not stored)
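The workflow above as a query; this is an added example, not taken from the video. The `SampleSignins` table and its rows are constructed, and the column names are assumptions modelled on a sign-in log, so the query runs without a workspace.

```kql
// Constructed sample rows standing in for a sign-in table (not real data).
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              ResultType:string, IPAddress:string, Location:string)
[
    datetime(2022-01-18 08:01:00), "alice@contoso.example", "0",     "203.0.113.10", "US",
    datetime(2022-01-18 08:03:00), "bob@contoso.example",   "50126", "198.51.100.7", "US",
    datetime(2022-01-18 08:04:00), "bob@contoso.example",   "50126", "198.51.100.7", "US",
    datetime(2022-01-18 08:09:00), "carol@contoso.example", "50053", "192.0.2.44",   "BR"
];
// Step 1: the table the data comes from.
SampleSignins
// Step 2: extend adds a column with a custom name. In this sample, "0" marks success.
| extend SigninOutcome = iff(ResultType == "0", "Success", "Failure")
// A calculated column derived from an existing string column.
| extend UserDomain = tostring(split(UserPrincipalName, "@")[1])
// A calculated column from date arithmetic: minutes after a fixed reference time.
| extend MinutesSinceStart = datetime_diff("minute", TimeGenerated, datetime(2022-01-18 08:00:00))
// A later extend can build on a column created by an earlier one.
| extend ReviewPriority = case(
    SigninOutcome == "Failure" and Location != "US", "High",
    SigninOutcome == "Failure", "Medium",
    "Low")
// Step 3: the new columns exist only in this result set; nothing is written back.
| project TimeGenerated, UserPrincipalName, SigninOutcome, UserDomain,
          MinutesSinceStart, ReviewPriority
```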
- Must Learn KQL Part 20: Your first analytics rule
  https://azurecloudai.blog/2022/02/17/must-learn-kql-part-20-building-your-first-microsoft-sentinel-analytics-rule/
- Must Learn KQL Part 19: The Join Operator
  https://azurecloudai.blog/2022/02/14/must-learn-kql-part-19-the-join-operator/
- Must Learn KQL Part 18: The Union Operator
  https://azurecloudai.blog/2022/02/07/must-learn-kql-part-18-the-union-operator/
- Must Learn KQL Part 17: The Let Statement
  https://azurecloudai.blog/2022/02/01/must-learn-kql-part-17-the-let-statement/
- Must Learn KQL Part 16: The Order/Sort and Top Operators
  https://azurecloudai.blog/2022/01/26/must-learn-kql-part-16-the-order-sort-and-top-operators/
- Must Learn KQL Part 15: The Distinct Operator
  https://azurecloudai.blog/2022/01/24/must-learn-kql-part-15-the-distinct-operator/
- Must Learn KQL Part 14: The Project Operator
  https://azurecloudai.blog/2022/01/20/must-learn-kql-part-14-the-project-operator/
- Must Learn KQL Part 13: The Extend Operator
  https://azurecloudai.blog/2022/01/18/must-learn-kql-part-13-the-extend-operator/
- Must Learn KQL Part 12: The Render Operator (with Bin and Time)
  https://azurecloudai.blog/2022/01/10/must-learn-kql-part-12-the-render-operator/
- Must Learn KQL Part 11: The Summarize Operator
  https://azurecloudai.blog/2022/01/05/must-learn-kql-part-11-the-summarize-operator/
- Must Learn KQL Part 10: The Count Operator
  https://azurecloudai.blog/2021/12/14/must-learn-kql-part-10-the-count-operator/
- Must Learn KQL Part 9: The Limit/Take Operators
  https://azurecloudai.blog/2021/12/13/must-learn-kql-part-9-the-limit-and-take-operators/
- Must Learn KQL Part 8: The Where Operator
  https://azurecloudai.blog/2021/12/08/must-learn-kql-part-8-the-where-operator/
- Must Learn KQL Part 7: Schema Talk
  https://azurecloudai.blog/2021/12/07/must-learn-kql-part-7-schema-talk/
- Must Learn KQL Part 6: Interface Intimacy
  https://azurecloudai.blog/2021/12/02/must-learn-kql-part-6-interface-intimacy/
- Must Learn KQL Part 5: Turn Search into Workflow (posted November 29, 2021)
  https://azurecloudai.blog/2021/11/29/must-learn-kql-part-5-turn-search-into-workflow/
- Must Learn KQL Part 4: Search for Fun and Profit (posted November 22, 2021)
  https://azurecloudai.blog/2021/11/22/must-learn-kql-part-4-search-for-fun-and-profit/
- Must Learn KQL Part 3: Workflow
  https://azurecloudai.blog/2021/11/19/must-learn-kql-part-3-workflow/
- Must Learn KQL Part 2: Just Above Sea Level
  https://azurecloudai.blog/2021/11/18/must-learn-kql-part-2-just-above-sea-level/
- Must Learn KQL Part 1: Tools and Resources
  https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/
Website: www.cyberautomate.io
Twitter: @cyberautomate
https://github.com/cyberautomate