Learn KQL – Logical Operators
A logical operator is a symbol or word used to connect two or more expressions such that the value of the compound expression produced depends only on that of the original expressions and on the meaning of the operator.
In KQL, the common logical operators are or, and, and the equality and inequality comparisons.
Tip: Because of how the Boolean null value bool(null) behaves, two Boolean null values are neither equal nor non-equal (in other words, bool(null) == bool(null) and bool(null) != bool(null) both yield the value false).
The Logical (binary) Operators
The following logical operators are used in KQL.
Operator name | Syntax | Meaning
---|---|---
Logical and | and | Yields true if both operands are true.
Logical or | or | Yields true if one of the operands is true, regardless of the other operand.
The “and” operator requires both filter conditions to be true for a row to be returned. For example, when two values must both match in the same record, combine the two comparisons with “and”.
The following query returns rows from AzureActivity where both the ResourceGroup and the ActivityStatusValue have the required values.
AzureActivity
| where ResourceGroup == "LAB1" and ActivityStatusValue == "Accept"
The “or” operator matches any of several values and returns a row as soon as one of the filter conditions is true.
SecurityEvent
| where EventID == 4776
or EventID == 4768
or EventID == 4769
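Combining the two operators in a single where clause, as an added example that is not from the original post. The rows are constructed inline with datatable so the query runs without a workspace; the column names (EventID, Account, Computer, Status) are assumed to mirror the SecurityEvent table, and the Status values are constructed sample codes.

```kql
// Added example: constructed sample rows shaped like SecurityEvent (assumed column names).
let SampleEvents = datatable(TimeGenerated: datetime, EventID: int, Account: string, Computer: string, Status: string)
[
    datetime(2024-01-01 10:00:00), 4776, "LAB\\alice", "DC01", "0x0",        // NTLM validation succeeded
    datetime(2024-01-01 10:01:00), 4776, "LAB\\bob",   "DC01", "0xC000006A", // NTLM validation failed (sample code)
    datetime(2024-01-01 10:02:00), 4768, "LAB\\bob",   "DC01", "0x18",       // Kerberos TGT request failed (sample code)
    datetime(2024-01-01 10:03:00), 4769, "LAB\\alice", "DC01", "0x0",        // Kerberos service ticket issued
    datetime(2024-01-01 10:04:00), 4624, "LAB\\carol", "WS01", "0x0"         // logon event, outside the filter
];
SampleEvents
// The "or" filter from the post, grouped in parentheses so the intent is explicit
// rather than relying on operator precedence; EventID in (4776, 4768, 4769) is the equivalent shorthand.
| where (EventID == 4776 or EventID == 4768 or EventID == 4769)
// "and" narrows the result further: only rows where the status is not success remain.
    and Status != "0x0"
| project TimeGenerated, EventID, Account, Computer, Status
// Returns the two failed rows for LAB\bob (EventID 4776 and 4768); the 4624 row and the
// successful 4776/4769 rows are excluded because one side of the "and" is false for each.
```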
Tip: These logical operators are sometimes referred to as Boolean operators, and sometimes as binary operators. The names are all synonyms.