My Games
Account 🔐
Sign Up
Login
Global Leaderboard
Case Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
has
Has
Definition
The `has` operator in Kusto Query Language (KQL) checks if a string contains a specific whole term. It’s case-insensitive and only matches complete tokens, not partial words. This makes it useful when you want precise matches without catching similar-but-not-identical words. Basic syntax: ```kusto ColumnName has "term" ``` If a column contains `The quick brown fox`, then: * `has "quick"` → true * `has "Quick"` → true (case-insensitive) * `has "qui"` → false (not a whole word) * `has "foxes"` → false (different word) Example – searching logs for a keyword: ```kusto SecurityEvent | where EventData has "failed" ``` This matches events where the word “failed” appears in `EventData`. It won’t match “failure” or “unfailed.” Example – matching hostnames: ```kusto DnsEvents | where DomainName has "example" ``` Matches domains like `www.example.com` or `example.net` but not `exemplar.com`. **Comparing `has` with `contains`:** In KQL, both `has` and `contains` check if a string includes something you’re looking for, but they behave very differently — and choosing the wrong one can mean missing data or getting a bunch of false positives. `has` looks for **whole terms**. It splits the text into tokens (words separated by spaces, punctuation, etc.) and matches only if your search term is a complete token. It’s case-insensitive by default. Example: If the text is `"failed login attempt"` * `has "login"` → true (it’s a whole word) * `has "log"` → false (it’s only part of the word “login”) `contains` looks for **any substring match**. It doesn’t care if your term is part of another word or token. It’s also case-insensitive by default. Example: If the text is `"failed login attempt"` * `contains "log"` → true (matches inside “login”) * `contains "LOGIN"` → true (case-insensitive) Why this matters in investigations: If you’re looking for the username `"tom"`, * `has "tom"` will match `tom logged in` but not `tommy logged in` * `contains "tom"` will match both `tom` and `tommy` When to use `has`: * You need precision — matching a full token only * You want to avoid matching parts of unrelated words When to use `contains`: * You want flexibility — matching even if the term appears inside another word * You’re searching free-form text where partial matches are valuable Example comparison in KQL: ```kusto print str = "ant bat cat battle" | extend has_bat = str has "bat" | extend contains_bat = str contains "bat" ``` * `has_bat` → true for `"ant bat cat battle"` because “bat” appears as a whole word * `contains_bat` → true as well, but it would also be true if the only match was “battle” Further reading and references: * Microsoft Docs: [https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/has-operator](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/has-operator) * Practical KQL matching guide: [https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators) * Kusto string matching deep dive with examples: [https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/string-matching-in-kql/](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/string-matching-in-kql/)
Explore More Terms
Exploitation
Security-Alerts
Discovery_command
Incident
Threat Hunting
.png)
