KQL Playground


A working KQL engine in your browser. Type queries against pre-loaded sample tables — the same Sentinel-shaped data my Invoke-KqlPS PowerShell module uses for offline practice. It translates KQL to SQLite SQL with a hand-written lexer/parser and executes the result against sql.js (WASM SQLite). No backend, no signup, no telemetry.


What's supported

Pragmatic subset — the most common ~80% of real SOC queries. Full faithful parity with the PowerShell module is on the roadmap.

Operators
where, project, project-keep, project-away, extend, summarize ... by, count, top N by, take, limit, distinct, order/sort by, let (scalar)
Predicates
==, !=, <, >, <=, >=, contains, !contains, contains_cs, startswith, endswith, has, !has, in (...), !in (...), between (a..b), and, or, not
Functions
ago, now, datetime, bin, tolower, toupper, strlen, strcat, substring, isempty, isnotempty, isnull, isnotnull, iff, tostring, toint, tolong, toreal, todatetime, count, dcount, sum, avg, min, max, countif, sumif
Tables
16 Sentinel-shaped sample tables (DeviceLogonEvents, DeviceProcessEvents, SigninLogs, SecurityEvent, etc.). See the sidebar.
Not yet
join, union, parse, mv-expand, render, materialize, regex matchers (=~, matches regex), advanced time-series operators. The engine throws a clear error if you hit one.
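To make the translate-then-execute pipeline concrete, here is a toy KQL-to-SQLite translator for a slice of the supported subset (where, project, summarize count() by, take/limit) that rejects anything else with an error. This is an added example, not the playground's or Invoke-KqlPS's code; the operator mappings, the `count_` alias, the `ago()` to `datetime()` rewrite and the sample queries are my own assumptions.

```javascript
// Toy KQL -> SQLite translator (added illustration, not the playground's own code).
// Subset: where, project, summarize count() by, take/limit. The operator mappings,
// the count_ alias and the ago() rewrite are my own assumptions about the dialect.
const LIKE = { contains: "'%' || V || '%'", startswith: "V || '%'", endswith: "'%' || V" };

function translateValue(v) {
  v = v.trim();
  // ago(1d) -> datetime('now','-1 day'); assumes time columns hold ISO-8601 text.
  const ago = v.match(/^ago\((\d+)([dhm])\)$/);
  if (ago) return `datetime('now','-${ago[1]} ${{ d: 'day', h: 'hour', m: 'minute' }[ago[2]]}')`;
  const str = v.match(/^"(.*)"$/) || v.match(/^'(.*)'$/);
  if (str) return `'${str[1].replace(/'/g, "''")}'`; // SQL single-quote escaping
  if (/^-?\d+(\.\d+)?$/.test(v)) return v;
  throw new Error(`unsupported value: ${v}`);
}
function translatePredicate(pred) {
  // Split on top-level and/or (no parentheses in this subset).
  return pred.split(/\s+(and|or)\s+/i).map((part) => {
    if (/^(and|or)$/i.test(part)) return part.toUpperCase();
    const m = part.match(/^(\w+)\s*(==|!=|>=|<=|>|<|contains|startswith|endswith)\s*(.+)$/i);
    if (!m) throw new Error(`unsupported predicate: ${part}`);
    const [, field, op, raw] = m, v = translateValue(raw), o = op.toLowerCase();
    // KQL string predicates are case-insensitive, as is SQLite LIKE for ASCII; caveat: '%'/'_' in the literal act as wildcards.
    if (LIKE[o]) return `${field} LIKE ${LIKE[o].replace('V', () => v)}`;
    return `${field} ${{ '==': '=', '!=': '<>' }[o] || o} ${v}`;
  }).join(' ');
}
function kqlToSql(query) {
  // Stages split on '|'; a string literal containing '|' is outside this subset.
  const [table, ...stages] = query.split('|').map((s) => s.trim()).filter(Boolean);
  if (!/^[A-Za-z_]\w*$/.test(table)) throw new Error(`bad table name: ${table}`);
  let columns = '*', groupBy = null, limit = null; const where = [];
  for (const stage of stages) {
    const [, op, rest = ''] = stage.match(/^(\S+)(?:\s+([\s\S]*))?$/), o = op.toLowerCase();
    if (groupBy && o !== 'take' && o !== 'limit') throw new Error(`${op} after summarize unsupported`);
    if (o === 'where') where.push(`(${translatePredicate(rest)})`);
    else if (o === 'project') columns = rest.split(',').map((c) => c.trim()).join(', ');
    else if (o === 'take' || o === 'limit') limit = parseInt(rest, 10);
    else if (o === 'summarize') {
      const m = rest.match(/^count\(\)\s+by\s+(\w+)$/i);
      if (!m) throw new Error(`unsupported summarize: ${rest}`);
      groupBy = m[1]; columns = `${m[1]}, COUNT(*) AS count_`;
    } else throw new Error(`operator not supported: ${op}`); // join, union, parse, ...
  }
  let sql = `SELECT ${columns} FROM ${table}`;
  if (where.length) sql += ` WHERE ${where.join(' AND ')}`;
  if (groupBy) sql += ` GROUP BY ${groupBy}`;
  return limit === null ? sql : `${sql} LIMIT ${limit}`;
}
```

The emitted SQL can be handed straight to sql.js's `db.exec`; a `join` or `mv-expand` stage surfaces as an error before anything reaches the database, mirroring the behaviour described above.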