Advanced Query allows you to query all of your telemetry data ingested into Samurai XDR using Microsoft's Kusto Query Language (KQL). You can use KQL to perform simple exploration of your data through to sophisticated threat hunting in search of security anomalies and evasive cyber security threats.
In this article we provide an overview of each element of the interface within the Samurai XDR application and its's usage to enable you to maximize your query results.
Navigate to the Advanced Query Interface
- Login to the Samurai XDR application (you will be provided with a secure web link on sign up)
- Click Advanced Query located on the main menu
Figure 1: Advanced Query interface
Advanced Query Panels
Tips Panel
The Tips panel provides some example queries to get you started and a link to Microsoft's Kusto Query Language documentation. You can choose to hide this panel (refer to Advanced Query Interface Options) as you become comfortable with writing queries.
Figure 2: Tips panel
Query Panel
The Query panel is where you write KQL queries. As you construct a query the interface auto-completes, suggesting operators or schema and usage instructions.
Figure 3: Query panel auto-complete example
Click KQL quick reference for a list of operators/functions and their descriptions.
Once you have completed writing your query click Run Query
Figure 4: Run Query
Time Period
Any query you run is based on a time period. Select a relevant time period when constructing a query to display results based on this time period.
If you use a timestamp operator within a query, the Time Period will be overridden and be viewed as 'Set in Query'.
Figure 5: Time period
Dataset
Select from the following datasets in the datalake: Alerts, Events. A tick box will allow you to select either or both when running a query.
Figure 5.1: Dataset
Fields Panel
The Fields panel displays all fields available based on the query. By default we query the events table which displays all fields available from your telemetry, this is divided into Favorite Fields and Other Fields.
Apply a filter to the fields by typing in the Filter window.
Each Field displays a count which represents the hits within the entirety of the query result.
Figure 6: Fields and count
By selecting a Field you can expand on the values within that field. For example, the graphic below highlights the 'dest' field which displays all values with a Count and percentage of total
Figure 7: Field selection showing values
Samurai XDR has default Favorite Fields, however you can update your Favorite Fields by selecting the Field and either select or deselect as a favorite by clicking 
.
Samurai XDR prioritizes processing of Favorite Fields over Other Fields to optimize results and improve efficiency. Therefore activating 'Favorite' on a field will result in the data collection and count being prioritized and returned faster. Conversely, deactivating Favorite on Fields may also increase overall performance of the Favorite section.
Figure 8: Field expansion and Favorites
To simplify query building you have the ability to select one or more values when you expand the field using the "+ - " symbols, this appends the value to include (==) or exclude (!=) from the query.
Figure 9: Add value to query
When you run a query, Samurai XDR prioritizes the fields marked as Favorite to optimize the result and improve efficiency.
Results Overview Panel
Query results are presented in a graphical overview, this may allow you to visually identify patterns or deviations in the results. The graph takes into consideration selected time-period, number of results matching the query and is presented with date/timestamp and total for each bar in the graph. Hovering over any bar in the graph will display the date/timestamp and total results.
Figure 10: Graphical result overview
Due to the way we process your telemetry, if your query includes the current time period there is a slight delay in event data displayed in your results.
The graph is also interactive, by clicking on any bar in the graph or by left click selection and highlighting multiple bars, the Fields and Results Panel are adjusted to display data in the selected time-period. You can also zoom in to specific results by selecting Zoom to Selection.
Figure 11: Single bar chart selection
If you Zoom to Selection you can also quickly step back through previous 'zooms' by clicking Go Back and selecting the relevant time period from the historical time periods captured.
Figure 12: Go back
Additionally you can Zoom out from any result set to view a larger time-period in relation to the active result. The Zoom out increment is based on the time period between the first result and last result and added to the 'from' and 'to' time.
For example: First result at 13:00 and Last result at 14:00, is a 1 hour time difference. If you Zoom out this adjusts the time period 1 hour, therefore , 13:00, updates to 12:00 and 14:00 adjusts to15:00. Increasing the viewed time-period from 1 hour, to 3 hours. The graphic below depicts the Zoom out example further.
Figure 13: Example Go Back history
Tailor the level of detail in your chart diagram using the dynamic Interval adjustment feature. Easily toggle the time-interval for each bar, empowering you to customize the granularity of your visual data representation. Whether you prefer a high-level overview or a more detailed analysis
Figure 14: Results Interval
Results Panel
Individual events are displayed within the results panel which will display up to 2000 results. Within the panel there are various options to search, sort and display specific fields.
Figure 15: Results panel
To optimize user experience and performance Samurai XDR limits the results panel to a maximum of 2000 results. 2000 results could be a subset of a much larger result set based on your query, in these cases we recommend refining your query by adjusting the time period or adding specific filters - after all you would not want to review results which could potentially be in the 10's or 100's of thousands!
Search
Enter your criteria within the Search field to view specifics from your Query result.
Select/hide columns
Click on more options within the panel (
) and select which column Fields you want to display.
Figure 16: Results options
Display results in rows of 15-100
Click on Rows per page and select from 15, 30, 50 (default), 100
Filter and sort column
Highlight the column Field heading and sort or select specific values.
Expand the Result
You can display event data in a vertical view by selecting expand (
).
Filter / Copy based on value
Right click any value in your result will allow you to filter on the value or copy to clipboard.
Figure 17: Value copy and filter
Hide Empty
Using the toggle allows you to auto-hide columns with no value
Figure 18: Hide Empty
Export to CSV
You have the ability to export the results displayed on screen to CSV. This functionality takes into consideration result selections and active filters making it very easy to export specific results.
Figure 19: Export to CSV
Advanced Query Interface Options
Within the interface you can resize any of the panels (e.g Tips, Fields, Results, Query) to optimize your view, this is useful when viewing your query results. Simply click and drag the panel to resize.
The interface has a number of Options available which are outlined in Table 1 below:
Figure 20: Advanced query filter options
| Option | Description |
| Clear Filters | Remove all filters you added to your query from the Fields panel. |
| Clear Query | Remove all queries from the Query panel |
| Hide Available Fields | Hide the Fields panel. If hidden you can select Show Available Fields. |
| Hide Tips | Hide or Show the Tips Panel |
Table 1: Options
What's Next?
If you are new to KQL please refer to Constructing an Advanced Query or for comprehensive documentation refer to Microsoft KQL documentation.