Skip to content

KustoCon 2024

The first inaugural KustoCon was hosted on November 8th, 2024. I have been working with KQL for many years and had been wanting to take my skills to the next level for some time. I just happened to see an announcement pertaining to this event a day before it was going to be hosted and felt quite fortunate to have seen that announcement!

Update

They added recordings for all the sessions! YouTube Playlist here!

What I learned at KustoCon

I work primarily with security products, mainly Sentinel and Defender XDR. On occasion while searching to solutions to a problem I run across functions. I try to use them and unfortunately they show the dreaded red squiggly line error with a message that the function is unavailable...

The function actually works if you hit run though! Apparently the syntax validation for the different KQL editors is not all updated to the latest and greatest you may see in Data Explorer. I am most excited to start working with these functions but I am sure others will be of use.

I also discovered there is a great project to improve your Kusto skills with a story called the Kusto Detection Agency. You are presented a number of cases in which you must figure out how to get the answer by building a KQL query. I have only worked through part of season 1 so far but it does seem more geared to people with a base foundation of KQL.

Best presenter of the show

Henning Rauch, aka Professor Smoke of the Kusto Detection Agency had an incredible presentation I found truly compelling. I have been to a SQL conference or two, and they are usually a snooze fest, but I found Henning's presentation to have the right mix of demonstration, history, and confidence to truly stick with me. I believe he will be a wealth of knowledge for KQL in the coming years!

Would I attend next year?

I would absolutely attend next year, I was only able to attend three sessions with the presentation on in the background due to discovering it on too short notice to clear my schedule. I actually really wanted to attend some more security focused sessions in the afternoon the most, but hopefully recordings will become available at some point.