Valid KQL Operators in Azure Sentinel

Valid KQL Operators

Question

Which of the following are valid KQL operators in Azure Sentinel?

Answers

Explanations


A. where

B. summarise

C. mv-expand

D. summarize

E. mv-contract

Correct Answers: A, C and D.

Options A, C and D are correct.

These operators (where, mv-expand and summarize) are used regularly in KQL.

Options B and E are incorrect.

The summarize operator is of limited use on its own: with only a by clause and no aggregation function, it behaves essentially like the distinct operator.

Reference:

Kusto Query Language (KQL) is the query language used in Azure Sentinel for searching, analyzing, and visualizing log data. It is similar to SQL in purpose, but has its own set of operators, which are chained together with the pipe (|) character.

Of the options provided, A, C and D are valid KQL operators in Azure Sentinel. Here is a brief explanation of each option:

A. where: The where operator filters rows that satisfy a condition, much like the WHERE clause in SQL. For example, you can use where to restrict events to a specific time range, a specific user, or rows containing a specific keyword.

D. summarize: The summarize operator aggregates rows by the values of one or more columns, much like the GROUP BY clause in SQL. For example, you can use summarize to count events per source, find the most frequent sources, or find the most common keywords.

C. mv-expand: The mv-expand operator expands a multi-valued (dynamic array or property bag) column into one row per element. It is useful for fields that hold several values, such as a list of IP addresses or a list of user agents. For example, you can use mv-expand to turn a list of IP addresses into a separate row for each IP address.
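As an added example (not part of the original question), the following query combines the three valid operators in one detection-style query. The sample sign-in rows are constructed inline with datatable, so it runs in any Kusto or Log Analytics query window; the column names mirror the SigninLogs table but the values are made up.

```kql
// Constructed sample data: a few sign-in events, each with a multi-valued IPAddresses column.
// ResultType "0" stands for a successful sign-in, any other value for a failure (constructed values).
let SampleSignins = datatable(TimeGenerated: datetime, UserPrincipalName: string, ResultType: string, IPAddresses: dynamic)
[
    datetime(2024-01-01 08:00:00), "alice@contoso.example", "0",     dynamic(["203.0.113.10"]),
    datetime(2024-01-01 08:05:00), "bob@contoso.example",   "50126", dynamic(["198.51.100.7", "198.51.100.8"]),
    datetime(2024-01-01 08:07:00), "bob@contoso.example",   "50126", dynamic(["198.51.100.7"]),
    datetime(2024-01-01 09:30:00), "carol@contoso.example", "50126", dynamic(["203.0.113.44"]),
    datetime(2024-01-01 09:31:00), "carol@contoso.example", "0",     dynamic(["203.0.113.44"])
];
SampleSignins
// where: keep only failed sign-ins inside the time window of interest
| where TimeGenerated between (datetime(2024-01-01 00:00:00) .. datetime(2024-01-02 00:00:00))
| where ResultType != "0"
// mv-expand: one row per IP address, so each address can be grouped on separately
| mv-expand IPAddress = IPAddresses to typeof(string)
// summarize: count failures per user and source IP, and record when they were first and last seen
| summarize Failures = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
// where again, now on the aggregated result: surface only repeated failures
| where Failures >= 2
| order by Failures desc
```

With the constructed rows above, the result is a single row for bob@contoso.example from 198.51.100.7 with Failures = 2; replacing the let statement with the real SigninLogs table runs the same logic over live data.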

B. summarise: Summarise is not a valid KQL operator in Azure Sentinel. The operator is spelled "summarize" with a "z".

E. mv-contract: The mv-contract operator is not a valid KQL operator in Azure Sentinel. There is no such operator in KQL.

In conclusion, the valid KQL operators in Azure Sentinel out of the options provided are Where, Summarize, and mv-expand.