1.6 Module Summary

Module 1 Summary

What you learned

The tabular model — every KQL input and output is a table. A count is a table. A summarize is a table. An empty result is a table. Understanding this means you can predict the output shape of any operator chain.

The query pipeline — operators execute sequentially, top to bottom. Each operator consumes the previous operator's table and produces a new table. Operator order affects both results and performance. Filter early to reduce data volume before expensive operations.

Data types — string, datetime, dynamic, bool, int, long, real, timespan, guid. The type determines which operators work on a column. The most common source of incorrect results is type mismatch — comparing a string column to an integer literal.

Type conversion — every to* function returns null on failure. After conversion, check for nulls. Use coalesce() to provide defaults. Use parse_json() to convert string-encoded JSON into queryable dynamic objects.

Null handling — null fails all comparisons, including !=. Any where clause silently excludes rows with null values in the compared column. In security investigations, adversary activity can hide in null fields. Always account for null rates in critical columns.

Key rules from this module

1. Always check column types with getschema before writing comparisons
2. Place where filters as early as possible in the pipeline
3. After type conversion, verify with isnotnull() or isnotempty()
4. When filtering for "not X," always include nulls: where Field != "X" or isempty(Field)
5. Use coalesce() to replace null with meaningful defaults

Practical application

Before proceeding to Module 2, verify your understanding by running these three diagnostic queries:

Query 1: Schema awareness

SigninLogs
| getschema
| where DataType == "System.Object"  // dynamic columns
| project ColumnName

You should be able to identify what data each dynamic column contains without looking it up.

Query 2: Type safety

SigninLogs
| where TimeGenerated > ago(1h)
| take 100
| extend ResultAsInt = toint(ResultType)
| summarize 
    Converted = countif(isnotnull(ResultAsInt)),
    Failed = countif(isnull(ResultAsInt))

If Failed is greater than zero, you have data where toint(ResultType) fails — the exact scenario this module teaches you to handle.

Query 3: Null audit

SigninLogs
| where TimeGenerated > ago(24h)
| summarize 
    Total = count(),
    NullIP = countif(isempty(IPAddress)),
    NullLocation = countif(isempty(tostring(LocationDetails.countryOrRegion))),
    NullUA = countif(isempty(UserAgent))
| extend 
    PctNullIP = round(100.0 * NullIP / Total, 1),
    PctNullLoc = round(100.0 * NullLocation / Total, 1),
    PctNullUA = round(100.0 * NullUA / Total, 1)

Record these null percentages. Every investigation query and detection rule you write against SigninLogs should account for these null rates.