kql-expert

Community

Master KQL for Sentinel & Azure Monitor.

Author: dstreefkerk
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill acts as an expert assistant for writing, optimizing, and validating Kusto Query Language (KQL) queries, ensuring efficient and accurate data analysis in Microsoft Sentinel and Azure Monitor.

Core Features & Use Cases

  • Query Optimization: Identifies and suggests improvements for slow or inefficient KQL queries.
  • Schema Validation: Validates KQL against M365 Defender and Sentinel table schemas.
  • Analytics Rule Development: Assists in creating compliant and effective detection rules.
  • ASIM Normalization: Guides on using ASIM parsers for source-agnostic querying.
  • SPL to KQL Migration: Converts Splunk queries to KQL.
  • Use Case: You have a complex KQL query that is timing out. Use this Skill to analyze it, identify performance bottlenecks, and provide an optimized version.

Quick Start

Use the kql-expert skill to optimize the following KQL query: "SecurityEvent | where TimeGenerated > ago(1h) | join IdentityInfo on Account | where EventID == 4625".

Dependency Matrix

Required Modules

None required

Components

scripts, references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below into Claude Code.

Please help me install this Skill:
Name: kql-expert
Download link: https://github.com/dstreefkerk/claude-skills/archive/main.zip#kql-expert

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
