Interrogate logs using basic Kusto Query Language KQL queries

In this guide, you’ll learn how to use Kusto Query Language (KQL) to analyze logs in Azure Log Analytics. Whether you’re preparing for the AZ-400 exam or managing production environments, mastering KQL lets you filter, aggregate, and visualize log data efficiently.

Accessing Azure Log Analytics

Sign in to the Azure portal.
In the search bar, type Log Analytics and select the service.

Choose your workspace and click Logs to launch the query interface.

The image shows a Microsoft Azure Log Analytics workspace interface with options for creating and managing queries. The query history section indicates no queries have been run yet.

All queries run from this Logs hub using KQL.

1. Filtering Security Log Data

Filtering is the foundation of any log investigation. Below are examples querying the SecurityEvent table.

Retrieve the last 24 hours of security events (limit to 10 records):

SecurityEvent
| where TimeGenerated > ago(1d)
| project TimeGenerated, Account, EventID, IpAddress, Computer
| take 10

Filter for failed logon attempts (EventID 4625) over the last 30 days:

SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4625
| project TimeGenerated, Account, EventID, IpAddress, Computer
| take 10

Understanding Event IDs

EventID 4625 indicates an account failed to log on. Use Microsoft’s official Event ID reference to explore other security events.

2. Summarizing Failed Logins by Account

To identify which accounts are targeted most frequently, aggregate and sort failed login counts:

SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4625
| summarize FailedLogins = count() by Account
| order by FailedLogins desc

Key KQL Functions

Function	Description	Example
ago()	Filters records by relative time	`where TimeGenerated > ago(7d)`
project	Selects specific columns	`project TimeGenerated, ResourceGroup`
summarize	Aggregates rows	`summarize count() by OperationName`
order by	Sorts the output	`order by count_ desc`

3. Querying Azure Resource Logs

Azure resource logs, including activity and diagnostic data, are stored in the AzureDiagnostics table.

Fetch the last 7 days of resource operations:

AzureDiagnostics
| where TimeGenerated > ago(7d)
| project TimeGenerated, Resource, ResourceGroup, OperationName, ResultType
| take 10

Filter to only failed operations:

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResultType == "Failed"
| project TimeGenerated, Resource, ResourceGroup, OperationName, ResultType
| take 10

4. Switching Between UI and KQL Modes

Azure Log Analytics now offers two query experiences:

Simple Mode: Drag-and-drop interface to select tables, apply filters, and set limits without writing code.
KQL Mode: Full control to write custom queries.

Toggle modes via More analytics settings in the Logs pane.

The image shows a Microsoft Azure Logs interface displaying a table of log entries with various columns like TimeGenerated, Id, Source, and ResultCode. A dropdown menu for adding filters and operators is open, with a cursor pointing to the "Add" button.

Once your query returns data, you can:

Copy a secure link to share the query
Export results to CSV (all rows or displayed columns)
Copy results to the clipboard

Warning

Be cautious when sharing or exporting sensitive log data. Always follow your organization’s data governance policies.

With these techniques, you can:

Filter and project security events
Aggregate and rank failed logins
Query Azure resource diagnostics
Navigate both UI-driven and code-driven analysis
Securely share or export log data

Links and References

Watch Video

Watch video content