KQL Playground

A working KQL engine in your browser. Type queries against pre-loaded sample tables: the same Sentinel-shaped data my Invoke-KqlPS PowerShell module uses for offline practice. A hand-written lexer and parser translate each KQL query into SQLite SQL, which then executes in sql.js (SQLite compiled to WebAssembly). No backend, no signup, no telemetry: nothing you type leaves the page.

The Expanded dataset is built by a PowerShell pipeline whose design borrows from Sean Cruikshank’s Security-Log-Generator: weighted field selection, a sine-wave volume curve and a tiered filename taxonomy (legit / doppelgänger / double-extension / obvious-malicious). This site adapts those concepts in its own PowerShell implementation and emits Sentinel/Defender-shaped CSVs. Each table has its own generator, which keeps the small-set storyline rows verbatim and writes no noise into the most recent hour, so practice questions have deterministic answers.
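The generator design described above, as an added example written for this page in JavaScript rather than the site's own PowerShell pipeline: a seeded PRNG for reproducibility, weighted field selection, a sine-wave hourly volume curve, a tiered filename taxonomy, and a window that leaves the newest hour free of noise. The weights, filenames, accounts, the fixed "now" and the row shape are constructed for the demo and do not come from the site's tables.

```javascript
// Added example, not the site's PowerShell pipeline: the noise-generation ideas
// described above (weighted field selection, a sine-wave volume curve, a tiered
// filename taxonomy, and the most recent hour held free of noise) in JavaScript.
// The weights, names, accounts and row shape below are constructed for this demo.

// Seeded PRNG (mulberry32) so one seed always reproduces the same dataset.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Weighted selection: each candidate carries a relative weight.
function weightedPick(rng, candidates) {
  const total = candidates.reduce((sum, c) => sum + c.weight, 0);
  let r = rng() * total;
  for (const c of candidates) { r -= c.weight; if (r < 0) return c; }
  return candidates[candidates.length - 1];  // guards against floating-point round-off
}

// Tiered filename taxonomy: mostly legitimate, with a thin tail of lookalikes,
// double extensions and names that should light up any analyst's screen.
const FILENAMES = [
  { tier: 'legit', name: 'svchost.exe', weight: 60 },
  { tier: 'legit', name: 'powershell.exe', weight: 25 },
  { tier: 'doppelganger', name: 'svch0st.exe', weight: 8 },
  { tier: 'double-extension', name: 'invoice.pdf.exe', weight: 5 },
  { tier: 'obvious-malicious', name: 'mimikatz.exe', weight: 2 },
];
const ACCOUNTS = [
  { name: 'CONTOSO\\svc_backup', weight: 50 },
  { name: 'CONTOSO\\jdoe', weight: 40 },
  { name: 'CONTOSO\\Administrator', weight: 10 },
];

// Sine-wave volume curve: rows per hour peak at midday (hour 12) and bottom out at midnight.
function hourlyVolume(hourOfDay, base = 20, amplitude = 15) {
  return Math.max(1, Math.round(base + amplitude * Math.sin((2 * Math.PI * (hourOfDay - 6)) / 24)));
}

// Noise rows for the window [now - hours, now - quietHours). The newest hour gets
// no noise at all, so storyline rows placed there are all that ago(1h) can return.
function generateNoise({ seed, now, hours = 24, quietHours = 1 }) {
  const rng = mulberry32(seed), rows = [], HOUR = 3600 * 1000;
  for (let h = hours; h > quietHours; h--) {
    const bucketStart = now - h * HOUR;
    const count = hourlyVolume(new Date(bucketStart).getUTCHours());
    for (let i = 0; i < count; i++) {
      const file = weightedPick(rng, FILENAMES);
      rows.push({
        TimeGenerated: new Date(bucketStart + Math.floor(rng() * HOUR)).toISOString(),
        Account: weightedPick(rng, ACCOUNTS).name,
        FileName: file.name,
        Tier: file.tier,  // kept so the distribution can be checked; a real table would not carry it
      });
    }
  }
  return rows;
}

// Quick distribution check: how many rows landed in each tier.
function countByTier(rows) {
  return rows.reduce((acc, r) => ({ ...acc, [r.Tier]: (acc[r.Tier] || 0) + 1 }), {});
}

const NOW = Date.UTC(2024, 0, 15, 12, 0, 0);  // constructed "now" so the run is reproducible
const rows = generateNoise({ seed: 42, now: NOW });
console.log(rows.length, 'noise rows;', countByTier(rows));
```

Because every bucket ends at or before `now - 1h`, a practice question such as "which account failed logon in the last hour?" sees only the hand-placed storyline rows, whichever seed produced the noise.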

What's supported

Pragmatic subset - the most common ~80% of real SOC queries.

Operators
where, project, project-keep, project-away, extend, summarize ... by, count, top N by, take, limit, distinct, order/sort by, let (scalar)
Predicates
==, !=, <, >, <=, >=, contains, !contains, contains_cs, startswith, endswith, has, !has, in (...), !in (...), between (a..b), and, or, not
Functions
ago, now, datetime, bin, tolower, toupper, strlen, strcat, substring, isempty, isnotempty, isnull, isnotnull, iff, tostring, toint, tolong, toreal, todatetime, count, dcount, sum, avg, min, max, countif, sumif
Tables
16 Sentinel-shaped sample tables. See the sidebar.
Not yet
join, union, parse, mv-expand, render, materialize and the regex matchers (matches regex). The engine throws a clear error if a query uses one of them.
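To make the translation approach concrete (the engine description above and the supported-operator list), here is an added example written for this page: a miniature KQL-to-SQLite translator with a hand-written lexer and recursive-descent parser. It is not the playground's engine and covers only a slice of the supported subset (where, project, summarize ... by, order/sort by, top N by, take/limit, the six comparison operators, contains, and/or/not, ago()). Table and column names in the calls are placeholders, and it assumes datetime columns are stored as SQLite `'YYYY-MM-DD HH:MM:SS'` text so that `ago()` comparisons work.

```javascript
// Added example, not the playground's own engine: a miniature KQL -> SQLite SQL
// translator in the lexer/parser style the page describes. Covers where, project,
// summarize ... by, order/sort by, top N by, take/limit, the comparison operators,
// contains, and/or/not and ago(); anything else throws, as the real engine does.
// Assumption: datetime columns hold SQLite 'YYYY-MM-DD HH:MM:SS' text.
const CMP_OPS = { '==': '=', '!=': '<>', '<': '<', '>': '>', '<=': '<=', '>=': '>=' };
const UNITS = { s: 'seconds', m: 'minutes', h: 'hours', d: 'days' };

// Lexer: pipe, string literal, number or timespan (1h, 30m, 7d), identifier, operator.
function tokenize(src) {
  const re = /\s*(?:(\|)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|(\d+(?:\.\d+)?)([smhd])?(?![A-Za-z0-9_])|([A-Za-z_][A-Za-z0-9_]*)|(==|!=|<=|>=|<|>|\(|\)|,))/y;
  const toks = []; src = src.trim();
  while (re.lastIndex < src.length) {
    const at = re.lastIndex, m = re.exec(src);
    if (!m) throw new Error(`Cannot tokenize near offset ${at}: ${src.slice(at, at + 12)}`);
    if (m[1]) toks.push({ t: 'pipe' });
    else if (m[2]) toks.push({ t: 'str', v: m[2].slice(1, -1).replace(/\\(.)/g, '$1') });
    else if (m[3] !== undefined) toks.push(m[4] ? { t: 'span', n: m[3], unit: m[4] } : { t: 'num', v: m[3] });
    else if (m[5]) toks.push({ t: 'id', v: m[5] });
    else toks.push({ t: 'op', v: m[6] });
  }
  return toks;
}

// Quoting is the security-relevant step: string values get single-quote doubling and
// identifiers are validated then double-quoted, so "x' OR 1=1 --" reaches SQLite as data.
const sqlStr = (s) => `'${s.replace(/'/g, "''")}'`;
function sqlId(name) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) throw new Error(`Bad identifier: ${name}`);
  return `"${name}"`;
}

class Parser {
  constructor(toks) { this.toks = toks; this.i = 0; }
  peek() { return this.toks[this.i]; }
  next() { return this.toks[this.i++]; }
  is(t, v) { const k = this.peek(); return !!k && k.t === t && (t === 'id' ? k.v.toLowerCase() : k.v) === v; }
  expect(t, v) { if (!this.is(t, v)) throw new Error(`Expected '${v}'`); return this.next(); }
  ident() { const k = this.next(); if (!k || k.t !== 'id') throw new Error('Expected identifier'); return k.v; }
  number() { const k = this.next(); if (!k || k.t !== 'num') throw new Error('Expected number'); return k.v; }
  idList() { const out = []; do { out.push(sqlId(this.ident())); } while (this.is('op', ',') && this.next()); return out; }
  // Boolean expressions, lowest precedence first: or < and < not < comparison.
  expr() { let l = this.andExpr(); while (this.is('id', 'or')) { this.next(); l = `(${l} OR ${this.andExpr()})`; } return l; }
  andExpr() { let l = this.notExpr(); while (this.is('id', 'and')) { this.next(); l = `(${l} AND ${this.notExpr()})`; } return l; }
  notExpr() { if (this.is('id', 'not')) { this.next(); return `NOT ${this.notExpr()}`; } return this.cmp(); }
  cmp() {
    const l = this.term(), k = this.peek();
    if (k && k.t === 'op' && CMP_OPS[k.v]) { this.next(); return `${l} ${CMP_OPS[k.v]} ${this.term()}`; }
    if (this.is('id', 'contains')) { this.next(); return `instr(lower(${l}), lower(${this.term()})) > 0`; } // KQL contains is case-insensitive
    return l;
  }
  term() {
    const k = this.next();
    if (k && k.t === 'str') return sqlStr(k.v);
    if (k && k.t === 'num') return k.v;
    if (k && k.t === 'op' && k.v === '(') { const e = this.expr(); this.expect('op', ')'); return `(${e})`; }
    if (k && k.t === 'id') return this.is('op', '(') ? this.call(k.v.toLowerCase()) : sqlId(k.v);
    throw new Error(`Unexpected ${k ? JSON.stringify(k) : 'end of query'}`);
  }
  call(fn) {                                   // ago(1h) -> datetime('now', '-1 hours')
    this.expect('op', '('); if (fn !== 'ago') throw new Error(`Unsupported function: ${fn}`);
    const s = this.next();
    if (!s || s.t !== 'span') throw new Error('ago() takes a timespan literal such as 1h or 7d');
    this.expect('op', ')');
    return `datetime('now', '-${s.n} ${UNITS[s.unit]}')`;
  }
  summarize(sql) {                             // summarize count() | dcount(col) [, ...] [by col, ...]
    const aggs = [];
    do {
      const fn = this.ident().toLowerCase(); this.expect('op', '(');
      const arg = this.is('op', ')') ? null : this.ident(); this.expect('op', ')');
      if (fn === 'count' && !arg) aggs.push(`COUNT(*) AS ${sqlId('count_')}`);
      else if (fn === 'dcount' && arg) aggs.push(`COUNT(DISTINCT ${sqlId(arg)}) AS ${sqlId('dcount_' + arg)}`);
      else throw new Error(`Unsupported aggregate: ${fn}`);
    } while (this.is('op', ',') && this.next());
    const by = this.is('id', 'by') ? (this.next(), this.idList()) : [];
    const select = `SELECT ${[...by, ...aggs].join(', ')} FROM (${sql})`;
    return by.length ? `${select} GROUP BY ${by.join(', ')}` : select;
  }
  orderList() {                                // KQL sorts descending unless asc is given
    const out = [];
    do {
      out.push(`${sqlId(this.ident())} ${this.is('id', 'asc') || this.is('id', 'desc') ? this.next().v.toUpperCase() : 'DESC'}`);
    } while (this.is('op', ',') && this.next());
    return out.join(', ');
  }
}

// Each tabular operator wraps the SQL built so far in a subquery, so operator order
// is preserved exactly (a where after summarize filters the aggregate, not the rows).
function translate(kql) {
  const p = new Parser(tokenize(kql));
  let sql = `SELECT * FROM ${sqlId(p.ident())}`;
  while (p.peek()) {
    if (p.next().t !== 'pipe') throw new Error("Expected '|' between operators");
    const op = p.ident().toLowerCase();
    if (op === 'where') sql = `SELECT * FROM (${sql}) WHERE ${p.expr()}`;
    else if (op === 'project') sql = `SELECT ${p.idList().join(', ')} FROM (${sql})`;
    else if (op === 'summarize') sql = p.summarize(sql);
    else if (op === 'order' || op === 'sort') { p.expect('id', 'by'); sql = `SELECT * FROM (${sql}) ORDER BY ${p.orderList()}`; }
    else if (op === 'top') { const n = p.number(); p.expect('id', 'by'); sql = `SELECT * FROM (${sql}) ORDER BY ${p.orderList()} LIMIT ${n}`; }
    else if (op === 'take' || op === 'limit') sql = `SELECT * FROM (${sql}) LIMIT ${p.number()}`;
    else throw new Error(`Unsupported operator: ${op}`);
  }
  return sql;
}

console.log(translate('SecurityEvent | where TimeGenerated > ago(1h) and EventID == 4625 | summarize count() by Account | top 3 by count_'));
```

Two design points worth noticing. First, the subquery-per-operator shape is deliberate: flattening a pipeline into one SELECT silently mis-translates `where` after `summarize` (it would need HAVING), whereas nesting keeps KQL's left-to-right semantics for free. Second, even with no server and no shared database, the quoting rules matter, because the engine also runs on whatever string a user pastes in; doubling single quotes in literals and validating identifiers is what keeps a literal like `"x' OR 1=1 --"` from becoming part of the SQL.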