Azure Sentinel Log Data Analysis and Threat Hunting | KQL Declaration Guide

KQL Declaration for Parsing External Info into a Virtual Table

Question

You are a SOC Analyst working at a company that is deploying Azure Sentinel.

You are responsible for performing log data analysis to search for malicious activity, display visualizations, and perform threat hunting.

To query log data, you use the Kusto Query Language (KQL).

Often fields in a table store structured and unstructured string data.

You write KQL statements to extract and manipulate data stored in these fields.

Which KQL declaration should you use to parse external information into a virtual table?

Answers

Explanations


Correct Answer: A.

Option A is correct.

Use the externaldata operator to create a virtual table from an external source.

Options B and D are incorrect.

These functions parse JSON data that has already been ingested into the workspace; they do not read external sources.

Option C is incorrect.

This function extracts a substring from a string field using a regular expression; it does not create a table.

The correct answer to the question is A. externaldata.

In Kusto Query Language (KQL), the externaldata operator returns a table whose schema you declare in the query and whose rows are read from one or more files held outside the workspace, typically in Azure Blob Storage, Azure Data Lake Storage, or a file reachable over HTTPS. The data is read at query time; nothing is ingested into Azure Sentinel, and the virtual table exists only for the duration of the query.

An externaldata declaration has three parts: the column list (the name and type of each column), the list of storage connection strings (the URIs of the files, optionally carrying a SAS token), and an optional with() clause for properties such as format (for example csv or json) and ignoreFirstRecord, which skips a header row. The result behaves like any other table, so you can bind it with a let statement and join it with Sentinel tables such as SigninLogs or CommonSecurityLog. This is the usual way to match ingested events against an externally maintained indicator list.
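The declaration described above, as an added example that is not part of the original page: a constructed indicator list is declared with externaldata and joined against the SigninLogs table to surface sign-ins from listed addresses. The URL, the CSV layout (a header row followed by IPAddress, ThreatType, Source columns) and the seven-day window are assumptions; substitute your own feed.

```kql
// Added example, not from the original page.
// Assumed feed layout (CSV with a header row):
//   IPAddress,ThreatType,Source
//   203.0.113.10,C2,constructed-feed
// The URL below is a placeholder; point it at a file you control.
let BlockedIPs = externaldata(IPAddress:string, ThreatType:string, Source:string)
[
    @"https://example.com/feeds/ioc-ips.csv"
]
with (format="csv", ignoreFirstRecord=true);   // ignoreFirstRecord skips the header row
SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(IPAddress)
// distinct guards against duplicate feed rows multiplying the join output
| join kind=inner (BlockedIPs | distinct IPAddress, ThreatType, Source) on IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, ThreatType, Source, ResultType, AppDisplayName
| order by TimeGenerated desc
```

Before putting a query like this in a scheduled analytics rule, keep three things in mind: the file is fetched on every run, so the query fails if the URL is unreachable; an anonymous HTTPS URL can be changed by whoever controls it, so prefer a storage account you own and authenticate with a SAS token; and a SAS token written into the connection string is visible to anyone who can read the saved query or rule definition.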

parse_json is a scalar function, not an operator: it takes a string that holds JSON and returns a dynamic value whose properties can then be addressed with dot or bracket notation. extract is a scalar function that returns the substring matched by a capture group of a regular expression. expand, which in KQL is the mv-expand operator, turns each element of a multi-value dynamic column into its own row. All three operate on data that is already in a table; none of them brings external data into the query.
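The three in-table functions contrasted above, shown together as an added example that is not from the original page. The Events table and its rows are constructed with datatable so the query runs in any workspace without depending on a real source table; the column names and the log message format are assumptions.

```kql
// Added example, not from the original page. All rows are constructed sample data.
let Events = datatable(TimeGenerated:datetime, RawJson:string, Message:string)
[
    datetime(2024-01-01 10:00:00), '{"user":"alice","ips":["10.0.0.5","203.0.113.7"],"result":"Success"}', 'Logon from host WS-01 user=alice',
    datetime(2024-01-01 10:05:00), '{"user":"bob","ips":["10.0.0.9"],"result":"Failure"}',                 'Logon from host SRV-02 user=bob'
];
Events
// parse_json: the JSON string becomes a dynamic value whose fields can be addressed
| extend Parsed = parse_json(RawJson)
| extend User = tostring(Parsed.user), Result = tostring(Parsed.result)
// extract: capture group 1 of the regex pulls the hostname out of free text
| extend Host = extract(@"host (\S+)", 1, Message)
// mv-expand: one output row per element of the ips array (3 rows from 2 inputs)
| mv-expand Ip = Parsed.ips to typeof(string)
| project TimeGenerated, User, Result, Host, Ip
```

None of these steps reads anything outside the workspace; they reshape data already in the table, which is why they cannot answer the question. Note also that parse_json returns dynamic, so the tostring casts are needed before the values can be compared with string columns in a join.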

Therefore, in this scenario, if you want to parse external information into a virtual table, you should use the externaldata operator.