KQL reference

Written by

Updated at April 3, 2026

System tables
Expression operators in queries
- Set
- Let
Table operators
Where conditions
Functions
Aggregation functions for summarize

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

This section provides a reference for the Kusto Query Language (KQL) subset used in Yandex Cloud Detection and Response.

System tables

YCDR supports the following system tables:

Events: Normalized events in a database or stream.
EVENT_CLASS: Event class names defined in the classifier with the respective field filtering.

Expression operators in queries

Set

Use the set operator to define query parameters.

set rule_name = "SomeRuleName";
set window_step = 35m;
set runtime = "database";

Supported parameters:

Parameter	Type	Description
`rule_name`	string	Rule name to use for runs via an investigation
`window_step`	interval	Time shift for periodic runs via an investigation
`runtime`	string	Run type by `database`

Let

Use the let operator to create table variables.

let someTable = ATiamDetectLeakedCredential | limit 10;

Table operators

Where

The where operator filters data by a condition.

where at_iam_subject_name !contains "test"
where region != "" and 1 != 4 + 2 or x == y

Lookup

The lookup operator joins tables. Only left outer join is supported.

lookup (
    abc.quotas | project lookup_c_group, lookup_srv, limits_list
) on $left.service.service_id == $right.lookup_srv,
   $left.c_group == $right.lookup_c_group

Limitation: During enrichment, use project to specify the required external table fields.

Summarize

The summarize operator aggregates data.

summarize cnt = count(),
            uniq_subjects = dcount(at_iam_subject_id),
            last_event = max(time),
            first_event = min(time),
            sum_logon_type = sum(user_logon_type),
            avg_logon_type = avg(user_logon_type),
            p95_logon_type = percentile(user_logon_type, 95)
by region, bin(time, 1d)

Restrictions:

Default field names (e.g., count_ or etc.) are not supported; specify them explicitly.
List of aggregate functions is limited.

Extend

The extend operator adds calculated columns.

extend use = extract("user=(^ ]+)\s+ip=(?<ip>[0-9.]+)", 1, Message),
          a = 5, b = c

Mv-expand

The mv-expand operator expands arrays into individual rows.

mv-expand grant = grants

Limitation: Only kind = bag and single-column expansion are supported.

Project

The project operator selects and renames columns.

| project event_class = "Alert", time, foundHostid = hostid

Top and Sort

Use the top and sort operators to sort and limit the returned result.

sort by field desc
top 5 by anotherField

Limit

The limit operator limits the number of rows.

limit 10000

Where conditions

Logical operators

Operator	Description
`and`	Logical AND
`or`	Logical OR
`not`	Logical NOT
`()`	Condition grouping

not (ivan >= 1337 or lesha <= 1337)

Comparison operators

Operator	Description
`==`	Equals
`!=`	Not equals
`>`, `<`	Comparing numbers and time values
`>=`, `<=`	Inclusive comparison

Inclusion operators

Operator	Description
`between` / `!between`	Checks whether a value falls within a range.
`in` / `!in`	Checks whether a value belongs to a list.
`has_any` / `!has`	Checks for any of the specified words.
`contains` / `!contains`	Checks for the specified substring (case-insensitive).
`matches regex`	Checks for a match with a regular expression.

time between (ago(60m) .. now())
age in (18, 19, 20)
array.obj has_any ('tesla', 'bmw')
field contains "substring"
file_category@object matches regex "app\.compute\..*"

Functions

Type conversion functions

Function	Description
`tostring()`	Converts to a string.
`toint()`	Converts to an integer.
`todouble()` / `toreal()`	Converts to a non-integer.
`todatetime()`	Converts a string to date and time.
`parse_json()`	Parses a string into JSON

Extraction functions

Function	Description
`extract()`	Extracts a regular expression group from a string.
`external_table()`	Enables referencing an external table.

Time functions

Function	Description
`now()`	Returns the current time.
`ago(1h)`	Returns a time in the past.

Other functions

Function	Description
`isnull()` / `isnotnull()`	Checks for NULL values.
`bag_pack_columns()`	Creates a dynamic JSON object with fields from specified columns.
`case()`	Selects a value based on a condition.

case([predicate, valueIfTrue]+, defaultValue)

Aggregation functions for summarize

Function	Description
`count()`	Counts the total number of rows.
`count_distinct()`	Counts the number of unique values.
`avg()`	Calculates the average value.
`max()`	Returns the maximum value.
`min()`	Returns the minimum value.
`percentile()`	Returns the value for the specified percentile.
`sum()`	Sums up values.
`dcount()`	Counts the number of unique values.
`bin()`	Groups by time windows.

KQL reference

System tablesSystem tables

Expression operators in queriesExpression operators in queries

SetSet

LetLet

Table operatorsTable operators

WhereWhere

LookupLookup

SummarizeSummarize

ExtendExtend

Mv-expandMv-expand

ProjectProject

Top and SortTop and Sort

LimitLimit

Where conditionsWhere conditions

Logical operatorsLogical operators

Comparison operatorsComparison operators

Inclusion operatorsInclusion operators

FunctionsFunctions

Type conversion functionsType conversion functions

Extraction functionsExtraction functions

Time functionsTime functions

Other functionsOther functions

Aggregation functions for summarizeAggregation functions for summarize

Was the article helpful?