explainx.aijoin newsletter3.01k
databasesanalytics-data

KQL (Azure Data Explorer)

by 4r9un

Enhance cybersecurity analytics with KQL for Azure Data Explorer—enabling natural language queries, schema discovery, an

Integrates with Azure Data Explorer to provide intelligent KQL query execution with natural language translation, schema discovery, and error correction for cybersecurity analytics and threat hunting workflows.

github stars

20

GitHubnpm
Natural language to KQL translationBuilt-in error correctionSchema discovery and caching

best for

  • / Cybersecurity analysts doing threat hunting
  • / Security teams analyzing log data
  • / Developers working with Azure Data Explorer
  • / SOC analysts investigating incidents

capabilities

  • / Convert natural language to KQL queries
  • / Execute KQL queries on Azure Data Explorer
  • / Discover database schemas automatically
  • / Correct KQL syntax errors
  • / Cache query results intelligently
  • / Browse Azure Data Explorer clusters

what it does

Converts natural language questions into KQL queries and executes them against Azure Data Explorer for cybersecurity analytics and threat hunting.

about

KQL (Azure Data Explorer) is a community-built MCP server published by 4r9un that provides AI assistants with tools and capabilities via the Model Context Protocol. Enhance cybersecurity analytics with KQL for Azure Data Explorer—enabling natural language queries, schema discovery, an It is categorized under databases, analytics data.

how to install

You can install KQL (Azure Data Explorer) in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

license

MIT

KQL (Azure Data Explorer) is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

MCP KQL Server

mcp-name: io.github.4R9UN/mcp-kql-server

MseeP.ai Security Assessment Badge

AI-Powered KQL Query Execution with Natural Language to KQL (NL2KQL) Conversion and Execution

A Model Context Protocol (MCP) server that transforms natural language questions into optimized KQL queries with intelligent schema discovery, AI-powered caching, and seamless Azure Data Explorer integration. Simply ask questions in plain English and get instant, accurate KQL queries with context-aware results.

Latest Version: v2.1.0 - Now with schema-only NL2KQL and auto-update detection!

<!-- Badges Section -->

Verified on MseeP MCP Registry PyPI version Python

CI/CD Pipeline codecov Security Rating Code Quality

FastMCP Azure Data Explorer MCP Protocol Maintenance MCP Badge

🎬 Demo

Watch a quick demo of the MCP KQL Server in action:

MCP KQL Server Demo

🆕 What's New in v2.1.0

  • 🎯 Schema-Only NL2KQL: Natural Language to KQL now uses ONLY data from schema memory - no hardcoded values
  • 🔄 Auto-Update Detection: Checks PyPI for new versions at startup with optional auto-install
  • 📋 Clean Logs: Removed Unicode characters for better terminal compatibility
  • ✅ Improved Accuracy: Better column validation against discovered schema

See RELEASE_NOTES.md for full details.

🚀 Features

  • execute_kql_query:

    • Natural Language to KQL: Generate KQL queries from natural language descriptions.
    • Direct KQL Execution: Execute raw KQL queries.
    • Multiple Output Formats: Supports JSON, CSV, and table formats.
    • Live Schema Validation: Ensures query accuracy by using live schema discovery.

  • schema_memory:

    • Schema Discovery: Discover and cache schemas for tables.
    • Database Exploration: List all tables within a database.
    • AI Context: Get AI-driven context for tables.
    • Analysis Reports: Generate reports with visualizations.
    • Cache Management: Clear or refresh the schema cache.
    • Memory Statistics: Get statistics about the memory usage.

📊 MCP Tools Execution Flow

graph TD
    A[👤 User Submits KQL Query] --> B{🔍 Query Validation}
    B -->|❌ Invalid| C[📝 Syntax Error Response]
    B -->|✅ Valid| D[🧠 Load Schema Context]
    
    D --> E{💾 Schema Cache Available?}
    E -->|✅ Yes| F[⚡ Load from Memory]
    E -->|❌ No| G[🔍 Discover Schema]
    
    F --> H[🎯 Execute Query]
    G --> I[💾 Cache Schema + AI Context]
    I --> H
    
    H --> J{🎯 Query Success?}
    J -->|❌ Error| K[🚨 Enhanced Error Message]
    J -->|✅ Success| L[📊 Process Results]
    
    L --> M[🎨 Generate Visualization]
    M --> N[📤 Return Results + Context]
    
    K --> O[💡 AI Suggestions]
    O --> N
    
    style A fill:#4a90e2,stroke:#2c5282,stroke-width:2px,color:#ffffff
    style B fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
    style C fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:#ffffff
    style D fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
    style E fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
    style F fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
    style G fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
    style H fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
    style I fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
    style J fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
    style K fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:#ffffff
    style L fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
    style M fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
    style N fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
    style O fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff

Schema Memory Discovery Flow

The kql_schema_memory functionality is now seamlessly integrated into the kql_execute tool. When you run a query, the server automatically discovers and caches the schema for any tables it hasn't seen before. This on-demand process ensures you always have the context you need without any manual steps.

graph TD
    A[👤 User Requests Schema Discovery] --> B[🔗 Connect to Cluster]
    B --> C[📂 Enumerate Databases]
    C --> D[📋 Discover Tables]
    
    D --> E[🔍 Get Table Schemas]
    E --> F[🤖 AI Analysis]
    F --> G[📝 Generate Descriptions]
    
    G --> H[💾 Store in Memory]
    H --> I[📊 Update Statistics]
    I --> J[✅ Return Summary]
    
    style A fill:#4a90e2,stroke:#2c5282,stroke-width:2px,color:#ffffff
    style B fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
    style C fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
    style D fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
    style E fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
    style F fill:#e67e22,stroke:#bf6516,stroke-width:2px,color:#ffffff
    style G fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
    style H fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
    style I fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
    style J fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff

📋 Prerequisites

  • Python 3.10 or higher
  • Azure CLI installed and authenticated (az login)
  • Access to Azure Data Explorer cluster(s)

🚀 One-Command Installation

Quick Install (Recommended)

From Source

git clone https://github.com/4R9UN/mcp-kql-server.git && cd mcp-kql-server && pip install -e .

Alternative Installation Methods

pip install mcp-kql-server

That's it! The server automatically:

  • ✅ Sets up memory directories in %APPDATA%\KQL_MCP (Windows) or ~/.local/share/KQL_MCP (Linux/Mac)
  • ✅ Configures optimal defaults for production use
  • ✅ Suppresses verbose Azure SDK logs
  • ✅ No environment variables required

📱 MCP Client Configuration

Claude Desktop

Add to your Claude Desktop MCP settings file (mcp_settings.json):

Location:

  • Windows: %APPDATA%\Claude\mcp_settings.json
  • macOS: ~/Library/Application Support/Claude/mcp_settings.json
  • Linux: ~/.config/Claude/mcp_settings.json
{
  "mcpServers": {
    "mcp-kql-server": {
      "command": "python",
      "args": ["-m", "mcp_kql_server"],
      "env": {}
    }
  }
}

VSCode (with MCP Extension)

Add to your VSCode MCP configuration:

Settings.json location:

  • Windows: %APPDATA%\Code\User\mcp.json
  • macOS: ~/Library/Application Support/Code/User/mcp.json
  • Linux: ~/.config/Code/User/mcp.json
{
 "MCP-kql-server": {
			"command": "python",
			"args": [
				"-m",
				"mcp_kql_server"
			],
			"type": "stdio"
		}
}

Roo-code Or Cline (VS-code Extentions)

Ask or Add to your Roo-code Or Cline MCP settings:

MCP Settings location:

  • All platforms: Through Roo-code extension settings or mcp_settings.json
{
   "MCP-kql-server": {
      "command": "python",
      "args": [
        "-m",
        "mcp_kql_server"
      ],
      "type": "stdio",
      "alwaysAllow": [
      ]
    },
}

Generic MCP Client

For any MCP-compatible application:

# Command to run the server
python -m mcp_kql_server

# Server provides these tools:
# - kql_execute: Execute KQL queries with AI context
# - kql_schema_memory: Discover and cache cluster schemas

🔧 Quick Start

1. Authenticate with Azure (One-time setup)

az login

2. Start the MCP Server (Zero configuration)

python -m mcp_kql_server

The server starts immediately with:

  • 📁 Auto-created memory path: %APPDATA%\KQL_MCP\cluster_memory
  • 🔧 Optimized defaults: No configuration files needed
  • 🔐 Secure setup: Uses your existing Azure CLI credentials

3. Use via MCP Client

The server provides two main tools:

kql_execute - Execute KQL Queries with AI Context

kql_schema_memory - Discover and Cache Cluster Schemas

💡 Usage Examples

Basic Query Execution

Ask your MCP client (like Claude):

"Execute th