Pipe

Kusto

Definition

In Kusto Query Language (KQL), a **pipe** (`|`) is used to chain query commands together, passing the results of one operation as the input to the next.

Think of it like an assembly line: each stage takes whatever comes down the conveyor belt, works on it, and passes it along to the next stage.

Basic example:

```sql
SecurityEvent
| where EventID == 4625
| summarize count() by Account
| sort by count_ desc
```

Step-by-step:

1. `SecurityEvent` → Start with the table.
2. `where EventID == 4625` → Filter only failed logon events.
3. `summarize count() by Account` → Count failed logons per account.
4. `sort by count_ desc` → Sort results from highest to lowest count.

Why it’s useful:

* Keeps queries readable and modular — you can add, remove, or rearrange stages without rewriting everything.
* Encourages logical flow, where each step builds on the previous one.
* Makes it easy to debug — run the query up to a certain pipe to see intermediate results.

In investigations, pipes are essential when you need to:

* Filter → aggregate → sort data in sequence.
* Build queries that are easy to share and explain to teammates.
* Apply multiple transformations to a dataset without creating temporary tables.

Real-world example in threat hunting:

```kusto
SigninLogs
| where ResultType != 0
| where IPAddress in (externaldata(badIPs:string)["https://example.com/bad-ips.csv"])
| summarize count() by IPAddress
| sort by count_ desc
```

Here, the pipe flows from filtering → cross-referencing with bad IPs → counting → sorting, giving a clear trail of logic.

Pipe

Definition

Explore More Terms