KQL (Azure Data Explorer)▌
by 4r9un
Enhance cybersecurity analytics with KQL for Azure Data Explorer—enabling natural language queries, schema discovery, an
Integrates with Azure Data Explorer to provide intelligent KQL query execution with natural language translation, schema discovery, and error correction for cybersecurity analytics and threat hunting workflows.
Both formats append explainx.ai attribution and the canonical URL for this MCP server listing.
best for
- / Cybersecurity analysts doing threat hunting
- / Security teams analyzing log data
- / Developers working with Azure Data Explorer
- / SOC analysts investigating incidents
capabilities
- / Convert natural language to KQL queries
- / Execute KQL queries on Azure Data Explorer
- / Discover database schemas automatically
- / Correct KQL syntax errors
- / Cache query results intelligently
- / Browse Azure Data Explorer clusters
what it does
Converts natural language questions into KQL queries and executes them against Azure Data Explorer for cybersecurity analytics and threat hunting.
about
KQL (Azure Data Explorer) is a community-built MCP server published by 4r9un that provides AI assistants with tools and capabilities via the Model Context Protocol. Enhance cybersecurity analytics with KQL for Azure Data Explorer—enabling natural language queries, schema discovery, an It is categorized under databases, analytics data.
how to install
You can install KQL (Azure Data Explorer) in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
license
MIT
KQL (Azure Data Explorer) is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
readme
MCP KQL Server
mcp-name: io.github.4R9UN/mcp-kql-server
AI-Powered KQL Query Execution with Natural Language to KQL (NL2KQL) Conversion and Execution
A Model Context Protocol (MCP) server that transforms natural language questions into optimized KQL queries with intelligent schema discovery, AI-powered caching, and seamless Azure Data Explorer integration. Simply ask questions in plain English and get instant, accurate KQL queries with context-aware results.
Latest Version: v2.1.0 - Now with schema-only NL2KQL and auto-update detection!
<!-- Badges Section -->
🎬 Demo
Watch a quick demo of the MCP KQL Server in action:
🆕 What's New in v2.1.0
- 🎯 Schema-Only NL2KQL: Natural Language to KQL now uses ONLY data from schema memory - no hardcoded values
- 🔄 Auto-Update Detection: Checks PyPI for new versions at startup with optional auto-install
- 📋 Clean Logs: Removed Unicode characters for better terminal compatibility
- ✅ Improved Accuracy: Better column validation against discovered schema
See RELEASE_NOTES.md for full details.
🚀 Features
-
execute_kql_query:- Natural Language to KQL: Generate KQL queries from natural language descriptions.
- Direct KQL Execution: Execute raw KQL queries.
- Multiple Output Formats: Supports JSON, CSV, and table formats.
- Live Schema Validation: Ensures query accuracy by using live schema discovery.
-
schema_memory:- Schema Discovery: Discover and cache schemas for tables.
- Database Exploration: List all tables within a database.
- AI Context: Get AI-driven context for tables.
- Analysis Reports: Generate reports with visualizations.
- Cache Management: Clear or refresh the schema cache.
- Memory Statistics: Get statistics about the memory usage.
📊 MCP Tools Execution Flow
graph TD
A[👤 User Submits KQL Query] --> B{🔍 Query Validation}
B -->|❌ Invalid| C[📝 Syntax Error Response]
B -->|✅ Valid| D[🧠 Load Schema Context]
D --> E{💾 Schema Cache Available?}
E -->|✅ Yes| F[⚡ Load from Memory]
E -->|❌ No| G[🔍 Discover Schema]
F --> H[🎯 Execute Query]
G --> I[💾 Cache Schema + AI Context]
I --> H
H --> J{🎯 Query Success?}
J -->|❌ Error| K[🚨 Enhanced Error Message]
J -->|✅ Success| L[📊 Process Results]
L --> M[🎨 Generate Visualization]
M --> N[📤 Return Results + Context]
K --> O[💡 AI Suggestions]
O --> N
style A fill:#4a90e2,stroke:#2c5282,stroke-width:2px,color:#ffffff
style B fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
style C fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:#ffffff
style D fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
style E fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
style F fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
style G fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
style H fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
style I fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
style J fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
style K fill:#e74c3c,stroke:#c0392b,stroke-width:2px,color:#ffffff
style L fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
style M fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
style N fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
style O fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
Schema Memory Discovery Flow
The kql_schema_memory functionality is now seamlessly integrated into the kql_execute tool. When you run a query, the server automatically discovers and caches the schema for any tables it hasn't seen before. This on-demand process ensures you always have the context you need without any manual steps.
graph TD
A[👤 User Requests Schema Discovery] --> B[🔗 Connect to Cluster]
B --> C[📂 Enumerate Databases]
C --> D[📋 Discover Tables]
D --> E[🔍 Get Table Schemas]
E --> F[🤖 AI Analysis]
F --> G[📝 Generate Descriptions]
G --> H[💾 Store in Memory]
H --> I[📊 Update Statistics]
I --> J[✅ Return Summary]
style A fill:#4a90e2,stroke:#2c5282,stroke-width:2px,color:#ffffff
style B fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
style C fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
style D fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
style E fill:#7c7c7c,stroke:#4a4a4a,stroke-width:2px,color:#ffffff
style F fill:#e67e22,stroke:#bf6516,stroke-width:2px,color:#ffffff
style G fill:#8e44ad,stroke:#6a1b99,stroke-width:2px,color:#ffffff
style H fill:#f39c12,stroke:#d68910,stroke-width:2px,color:#ffffff
style I fill:#2980b9,stroke:#1f618d,stroke-width:2px,color:#ffffff
style J fill:#27ae60,stroke:#1e8449,stroke-width:2px,color:#ffffff
📋 Prerequisites
- Python 3.10 or higher
- Azure CLI installed and authenticated (
az login) - Access to Azure Data Explorer cluster(s)
🚀 One-Command Installation
Quick Install (Recommended)
From Source
git clone https://github.com/4R9UN/mcp-kql-server.git && cd mcp-kql-server && pip install -e .
Alternative Installation Methods
pip install mcp-kql-server
That's it! The server automatically:
- ✅ Sets up memory directories in
%APPDATA%\KQL_MCP(Windows) or~/.local/share/KQL_MCP(Linux/Mac) - ✅ Configures optimal defaults for production use
- ✅ Suppresses verbose Azure SDK logs
- ✅ No environment variables required
📱 MCP Client Configuration
Claude Desktop
Add to your Claude Desktop MCP settings file (mcp_settings.json):
Location:
- Windows:
%APPDATA%\Claude\mcp_settings.json - macOS:
~/Library/Application Support/Claude/mcp_settings.json - Linux:
~/.config/Claude/mcp_settings.json
{
"mcpServers": {
"mcp-kql-server": {
"command": "python",
"args": ["-m", "mcp_kql_server"],
"env": {}
}
}
}
VSCode (with MCP Extension)
Add to your VSCode MCP configuration:
Settings.json location:
- Windows:
%APPDATA%\Code\User\mcp.json - macOS:
~/Library/Application Support/Code/User/mcp.json - Linux:
~/.config/Code/User/mcp.json
{
"MCP-kql-server": {
"command": "python",
"args": [
"-m",
"mcp_kql_server"
],
"type": "stdio"
}
}
Roo-code Or Cline (VS-code Extentions)
Ask or Add to your Roo-code Or Cline MCP settings:
MCP Settings location:
- All platforms: Through Roo-code extension settings or
mcp_settings.json
{
"MCP-kql-server": {
"command": "python",
"args": [
"-m",
"mcp_kql_server"
],
"type": "stdio",
"alwaysAllow": [
]
},
}
Generic MCP Client
For any MCP-compatible application:
# Command to run the server
python -m mcp_kql_server
# Server provides these tools:
# - kql_execute: Execute KQL queries with AI context
# - kql_schema_memory: Discover and cache cluster schemas
🔧 Quick Start
1. Authenticate with Azure (One-time setup)
az login
2. Start the MCP Server (Zero configuration)
python -m mcp_kql_server
The server starts immediately with:
- 📁 Auto-created memory path:
%APPDATA%\KQL_MCP\cluster_memory - 🔧 Optimized defaults: No configuration files needed
- 🔐 Secure setup: Uses your existing Azure CLI credentials
3. Use via MCP Client
The server provides two main tools:
kql_execute- Execute KQL Queries with AI Context
kql_schema_memory- Discover and Cache Cluster Schemas
💡 Usage Examples
Basic Query Execution
Ask your MCP client (like Claude):
"Execute th
FAQ
- What is the KQL (Azure Data Explorer) MCP server?
- KQL (Azure Data Explorer) is a Model Context Protocol (MCP) server profile on explainx.ai. MCP lets AI hosts (e.g. Claude Desktop, Cursor) call tools and resources through a standard interface; this page summarizes categories, install hints, and community ratings.
- How do MCP servers relate to agent skills?
- Skills are reusable instruction packages (often SKILL.md); MCP servers expose live capabilities. Teams frequently combine both—skills for workflows, MCP for APIs and data. See explainx.ai/skills and explainx.ai/mcp-servers for parallel directories.
- How are reviews shown for KQL (Azure Data Explorer)?
- This profile displays 47 aggregated ratings (sample rows for discoverability plus signed-in user reviews). Average score is about 4.6 out of 5—verify behavior in your own environment before production use.
Use Cases▌
Direct Database Queries from AI
Enable Claude to query your database directly using natural language
Example
Ask 'Show me top 10 customers by revenue this month' and get SQL results instantly
Eliminate manual SQL writing for ad-hoc queries, get insights 10x faster
Data Analysis & Reporting
Generate complex reports and analytics without leaving conversation
Example
Analyze sales trends, cohort retention, user behavior patterns conversationally
Democratize data access—non-technical team members can query databases
Schema Exploration
Understand database structure, relationships, and data models
Example
'Explain the user_orders table schema and its relationships'
Onboard engineers faster, explore unfamiliar databases efficiently
Data Validation & Quality Checks
Run data quality queries to catch anomalies and inconsistencies
Example
Find duplicate records, missing values, orphaned foreign keys automatically
Maintain data integrity with less manual SQL work
Implementation Guide▌
Prerequisites
- ›Claude Desktop 0.7.0+ or Cursor with MCP support
- ›Database credentials (read-only recommended for safety)
- ›Network access from Claude client to database
- ›Understanding of database security and access control
Time Estimate
15-30 minutes including configuration and testing
Installation Steps
- 1.Install MCP server: npm install -g @modelcontextprotocol/server-[name]
- 2.Configure database connection in Claude Desktop config (~/.claude/mcp.json)
- 3.Provide connection string: host, port, database, username, password
- 4.Restart Claude Desktop to load MCP server
- 5.Test connection: 'List all tables in database'
- 6.Run simple query: 'Show me 5 rows from users table'
- 7.Verify results and permissions are correct
- 8.Document query patterns for team use
Troubleshooting
- ⚠Connection refused: Check database is running and network accessible
- ⚠Authentication failed: Verify credentials, check user permissions
- ⚠Claude can't see tables: Grant appropriate read permissions to database user
- ⚠Slow queries: Add indexes, limit result set size, use read replicas
- ⚠MCP server not loading: Check config syntax, restart Claude Desktop
Best Practices▌
✓ Do
- +Use read-only database credentials to prevent accidental writes
- +Connect to read replica, not production primary database
- +Set query timeout limits to prevent long-running queries
- +Document database schema and common queries for AI context
- +Monitor query performance and optimize slow queries
- +Use connection pooling for better performance
- +Test with non-production data first
✗ Don't
- −Don't use production write credentials—risk of data corruption
- −Don't query production database during peak traffic hours
- −Don't expose sensitive PII without proper access controls
- −Don't skip query result validation—AI can misinterpret schema
- −Don't allow unlimited result set sizes—set LIMIT clauses
- −Don't share database credentials in plain text config files
💡 Pro Tips
- ★Create database views for common queries to simplify AI access
- ★Add schema comments/descriptions so AI understands column meanings
- ★Use semantic table/column names ('customer_lifetime_value' not 'clv')
- ★Set up query logging to audit what Claude is querying
- ★Create saved query templates for recurring analysis
- ★Combine with data visualization tools for better insights
Technical Details▌
Architecture
MCP server acts as bridge between Claude and database, translating natural language to SQL queries and returning results in structured format.
Protocols
- Model Context Protocol (MCP)
- Database-specific protocols (PostgreSQL, MySQL, MongoDB)
Compatibility
- PostgreSQL
- MySQL
- SQLite
- MongoDB
- Redis
When to Use This▌
✓ Use When
Use for ad-hoc data queries, exploratory analysis, report generation, schema exploration, and democratizing data access. Best for read-heavy analytics workloads.
✗ Avoid When
Avoid for production write operations, mission-critical transactions, real-time OLTP workloads, or when database contains sensitive PII without proper access controls. Use read replicas, not primary.
Integration▌
- →Read replica connection for analytics queries
- →Database view layer to abstract complex joins
- →Query result caching for repeated questions
- →Audit logging of all AI-generated queries
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
List & Promote Your MCP Server
Share your MCP server with the developer community
Ratings
4.6★★★★★47 reviews- ★★★★★Carlos Li· Dec 28, 2024
KQL (Azure Data Explorer) has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
- ★★★★★Chaitanya Patil· Dec 20, 2024
Strong directory entry: KQL (Azure Data Explorer) surfaces stars and publisher context so we could sanity-check maintenance before adopting.
- ★★★★★Kwame Chawla· Dec 20, 2024
Useful MCP listing: KQL (Azure Data Explorer) is the kind of server we cite when onboarding engineers to host + tool permissions.
- ★★★★★Evelyn Sanchez· Dec 8, 2024
I recommend KQL (Azure Data Explorer) for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
- ★★★★★Aarav Lopez· Dec 4, 2024
KQL (Azure Data Explorer) is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
- ★★★★★Daniel Park· Dec 4, 2024
KQL (Azure Data Explorer) reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
- ★★★★★Kiara Rao· Nov 27, 2024
We evaluated KQL (Azure Data Explorer) against two servers with overlapping tools; this profile had the clearer scope statement.
- ★★★★★Aanya Gill· Nov 23, 2024
Useful MCP listing: KQL (Azure Data Explorer) is the kind of server we cite when onboarding engineers to host + tool permissions.
- ★★★★★Piyush G· Nov 11, 2024
KQL (Azure Data Explorer) is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
- ★★★★★Yuki Ramirez· Nov 11, 2024
KQL (Azure Data Explorer) is a well-scoped MCP server in the explainx.ai directory — install snippets and categories matched our Claude Code setup.
showing 1-10 of 47