Agent Foskett Academy • Lesson 31 • Converting Values with tostring()

Converting Values with tostring()

Microsoft security telemetry often contains values that are stored as dynamic data, numbers, arrays or nested fields.
Before those values can be searched, compared, projected or explained clearly, defenders often need to convert them into readable text.

This is where tostring() becomes useful. It allows analysts to convert a value into a string so it can be used cleanly inside an investigation query.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL tostring() function to convert evidence, work with dynamic fields and make Microsoft Defender XDR and Microsoft Sentinel results easier to understand.

Agent Foskett Academy lesson explaining how to use tostring in KQL investigations
Lesson overview

Learn how tostring() helps defenders convert values into readable text for cleaner KQL investigation results.

Understand tostring()
Convert dynamic evidence
Search values cleanly
🎯 tostring() helps turn complex evidence into readable investigation text.
Use it when dynamic values, split results or extracted fields need to be searched, projected or explained clearly.
Review Lesson 30 →

Why tostring() matters

The iff() function evaluates a condition and returns one value when the condition is true and another value when the condition is false.

This makes it ideal for simple investigation labels where you do not need many categories.

If case() is useful for several possible labels, iff() is useful when the question is simple and direct.
Create simple labelsTurn a true-or-false condition into a readable evidence field that analysts can review quickly.
Flag suspicious activityMark events as suspicious, normal, needs review or already handled based on one clear condition.
Reduce investigation noiseMake large result sets easier to triage by adding simple decision fields to the output.

Investigation scenario

Agent Foskett is reviewing Defender XDR and Sentinel telemetry after a phishing alert, several failed sign-ins and suspicious PowerShell activity were reported.

The analyst does not need a complex scoring model yet. They need simple labels that answer clear investigation questions.

By using iff() with extend, each row can be marked with a useful true-or-false style label before the evidence is reviewed.

Step 1 — Convert a sender domain from an email address

Start by creating a simple label that separates delivered emails from emails that were already handled by protection.
iff-flag-delivered-emails.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
EmailEvents
| where Timestamp > ago(7d)
| extend SenderDomain = tostring(split(SenderFromAddress, "@")[1])
| project Timestamp, SenderFromAddress, SenderDomain, RecipientEmailAddress, Subject, DeliveryAction
| order by Timestamp desc

Step 2 — Convert dynamic identity evidence

Use iff() to create a readable sign-in status from the raw result value in Sentinel sign-in telemetry.
tostring-dynamic-identity-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
SigninLogs
| where TimeGenerated > ago(7d)
| extend LocationText = tostring(Location)
| project TimeGenerated, UserPrincipalName, IPAddress, LocationText, ResultType, ConditionalAccessStatus
| order by TimeGenerated desc

Step 3 — Convert extracted command-line evidence

tostring() is useful when extracted evidence needs to be treated as text in later query steps.
tostring-commandline-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend CommandText = tostring(ProcessCommandLine)
| where CommandText has_any ("EncodedCommand", "DownloadString", "Invoke-WebRequest")
| project Timestamp, DeviceName, AccountName, FileName, CommandText
| order by Timestamp desc

How tostring() works

The tostring() function takes a value and returns it as text.

Once the value is text, defenders can search it, compare it, display it and reuse it in later parts of the investigation query.
Original valueThe field or expression you want to convert, such as a dynamic property, split result or parsed value.
Converted textThe readable string value returned by tostring(), ready for search, projection or comparison.
Cleaner outputThe converted field can be shown clearly in results and reused in later query steps.

Step 4 — Convert before filtering suspicious values

Use tostring() before filtering when evidence comes from a converted or derived value.
tostring-filter-converted-values.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| extend SenderDomain = tostring(split(SenderFromAddress, "@")[1])
| where SenderDomain has_any ("login", "verify", "secure", "account")
| project Timestamp, SenderFromAddress, SenderDomain, RecipientEmailAddress, Subject, DeliveryAction
| order by Timestamp desc

tostring() compared with raw values

Use tostring() for text logicChoose tostring() when you need to search, compare or display a value as readable text.
Keep raw values when suitableIf the field is already clean text, you may not need to convert it before filtering or projecting it.
Convert at the right pointCreate converted fields with extend before using them in later where, project or summarize steps.

Common investigation uses

Email triageConvert sender domains, authentication details and extracted values into text for easier review.
Identity investigationsConvert dynamic sign-in properties, location values and risk details into readable investigation fields.
Endpoint huntingConvert command-line evidence, extracted paths and parsed values into text before filtering.

Common mistakes

Converting everything unnecessarilyUse tostring() when it helps the investigation. Do not add conversions that make the query harder to read.
Forgetting dynamic fieldsSome nested values need conversion before string operators behave the way you expect.
Converting too lateIf a later filter depends on the converted field, create it before the where clause that uses it.

What you learned

tostring() converts valuesYou learned how to turn dynamic, extracted or split values into readable text.
Converted fields are easier to searchYou learned how converted text fields can be filtered with has, contains, startswith and endswith.
Cleaner evidence improves investigationsYou learned how tostring() makes query output easier to explain and reuse.
Next lesson: Converting Values with toint()
Now that you can convert values into text, the next step is learning how to convert values into numbers for counts, comparisons and thresholds.
Back to Academy →

Related Agent Foskett Academy lessons

Adding Conditional Logic with iff() Review how defenders create simple true-or-false labels before converting evidence values.
Classifying Evidence with case() Review how defenders classify evidence before converting and cleaning investigation fields.

Continue learning with Using has_any to Find Suspicious Text, KQL Threat Hunting Guide and Microsoft Security.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Adding Conditional Logic with iff()

Agent Foskett Academy Lesson 30 teaches defenders how to use the KQL iff() function to create simple true-or-false investigation labels and triage Microsoft security telemetry.

Learn KQL iff() for Microsoft Defender XDR and Sentinel

This lesson explains how iff() supports Microsoft Defender XDR and Microsoft Sentinel investigations by creating readable flags for emails, sign-ins, endpoint commands and other security evidence.