A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect. IRQL encapsulates query logic in repeatable chunks, hides cluster/database locations and join keys, and projects disparate source schemas into a single, predictable schema. In addition, it represents query logic as their semantic intent via function naming. These functions were created by Saar Ron, John Lambert, and Diana Damenova.

These functions were authored alongside the Lift to Graph functions (Lift_To_Graph, Graph_Render_View, Graph_Fold_By_Property) and are designed to compose with them. Many of the IRQL primitives have a tabular form and a graph-lifted form, so the same logic drives both relational hunts and visual graph investigations.

KQL is a phenomenal tool for analyzing large quantities of data, but queries can get verbose quickly:

A set of Kusto (KQL) functions that transform tabular query results into graph structures — nodes and edges — for visual exploration in Kusto Explorer. Designed for lifting cybersecurity activity logs into graphs to aid in threat hunting and incident investigations. These set of functions were created by Saar Ron, John Lambert, and Diana Damenova.

Security logs are inherently relational: IPs connect to domains, users authenticate to devices, processes spawn other processes. Tabular views flatten these relationships, making it harder to spot patterns. These functions let you take any Kusto query result and, with a simple JSON mapping, project it into a graph you can explore visually with make-graph in the Kusto Explorer desktop app.