SOC Tools · Detection Engineering

KQL Query Builder

Assemble valid KQL for Microsoft Sentinel (Log Analytics) or Defender XDR Advanced Hunting — stage by stage, with the right schema, the right time column, and type-aware operators. Builds queries; never runs them.

Client-side only: nothing leaves the browser.

Environment

1 Table: TableName
2 Time range: | where … > ago()
3 Filters: | where
  Consecutive OR rows are grouped in parentheses; AND starts a new where clause.
4 Columns: | extend · | project
  Project columns (empty = all columns)
5 Aggregate: | summarize … by
6 Sort & limit: | top · | order by · | take
Generated KQL
Saved queries (this browser only)