Developer Cheat Sheets - Quick Reference for Professional Tools

where

Filter rows based on conditions

SecurityEvent | where EventID == 4624

Keywords: where, filter, condition, boolean

project

Select specific columns to display

SecurityEvent | project TimeGenerated, Account, Computer

Keywords: project, select, columns, fields

summarize

Aggregate data and calculate statistics

SecurityEvent | summarize count() by Account

Keywords: summarize, aggregate, count, group

take

Return first N rows

SecurityEvent | take 10

Keywords: take, limit, first, top

sort

Sort results by specified columns

SecurityEvent | sort by TimeGenerated desc

Keywords: sort, order, ascending, descending

extend

Add calculated columns to results

SecurityEvent | extend Hour = datetime_part('hour', TimeGenerated)

Keywords: extend, calculate, add, column

join

Combine data from multiple tables

SecurityEvent | join (Heartbeat) on Computer

Keywords: join, combine, merge, relate

union

Combine rows from multiple tables

union SecurityEvent, Syslog

Keywords: union, combine, merge, append

distinct

Return unique values

SecurityEvent | distinct Computer

Keywords: distinct, unique, deduplicate

count

Count number of rows

SecurityEvent | count

Keywords: count, total, number, rows

ago()

Reference time relative to now

SecurityEvent | where TimeGenerated > ago(1h)

Keywords: ago, time, relative, past

contains

Check if string contains substring

SecurityEvent | where Account contains "admin"

Keywords: contains, substring, search, text

startswith

Check if string starts with prefix

SecurityEvent | where Computer startswith "WEB"

Keywords: startswith, prefix, begins, starts

render

Visualize results as charts

SecurityEvent | summarize count() by bin(TimeGenerated, 1h) | render timechart

Keywords: render, chart, visualize, graph

bin()

Group values into time or numeric bins

SecurityEvent | summarize count() by bin(TimeGenerated, 1h)

Keywords: bin, group, bucket, interval

parse

Extract structured data from unstructured text using patterns

Syslog | parse Message with * "user=" user:string " " *

Keywords: parse, extract, pattern, structured

split

Split string into array based on delimiter

SecurityEvent | extend IPs = split(SrcIP, '.')

Keywords: split, array, delimiter, string

mv-expand

Expand multi-value fields into separate rows

Event | mv-expand Tags | where Tags == "critical"

Keywords: mv-expand, multivalue, expand, array

make-series

Create time series data with regular intervals

Perf | make-series avg(CounterValue) on TimeGenerated step 5m

Keywords: make-series, timeseries, intervals, regular

evaluate

Use advanced analytics functions and plugins

SecurityEvent | evaluate bag_unpack(AdditionalInfo)

Keywords: evaluate, analytics, functions, plugins

materialize

Cache subquery results for better performance

let cached = materialize(SecurityEvent | where TimeGenerated > ago(1h));

Keywords: materialize, cache, performance, subquery

range

Generate sequence of values for testing or calculations

range x from 1 to 10 step 1 | extend y = x * 2

Keywords: range, sequence, generate, testing

datatable

Create inline table with static data

datatable(Name:string, Age:int) ["John", 25, "Jane", 30]

Keywords: datatable, inline, static, create

toscalar

Convert single-value result to scalar for use in expressions

let threshold = toscalar(Perf | summarize avg(CounterValue));

Keywords: toscalar, scalar, convert, single

prev

Access previous row value in ordered results

Perf | sort by TimeGenerated | extend PrevValue = prev(CounterValue)

Keywords: prev, previous, row, ordered

row_cumsum

Calculate cumulative sum over ordered rows

Sales | sort by Date | extend RunningTotal = row_cumsum(Amount)

Keywords: row_cumsum, cumulative, sum, running

Microsoft KQL Cheat Sheet