Construct KQL statements for Microsoft Sentinel

Module
10 Units

Intermediate

Security Operations Analyst

Microsoft Defender XDR

Azure Data Explorer

Azure Log Analytics

Microsoft Sentinel

Kusto Query Language (KQL) is the query language used to perform analysis on data to create analytics, workbooks, and perform hunting in Microsoft Sentinel. Learn how basic KQL statement structure provides the foundation to build more complex statements.

Learning objectives

Upon completion of this module, the learner is able to:

Construct KQL statements
Search log files for security events using KQL
Filter searches based on event time, severity, domain, and other relevant data using KQL

Prerequisites

None

Introduction min
Understand the Kusto Query Language statement structure min
Use the search operator min
Use the where operator min
Use the let statement min
Use the extend operator min
Use the order by operator min
Use the project operators min
Knowledge check min
Summary and resources min