Welcome to KQL for Microsoft Sentinel.
KQL is a simple query language used across multiple products like
Azure Log Analytics
Microsoft Sentinel
Azure Resource Graph
to read & write structured & unstructured data.
Course Structure
In this course we will focus on leveraging KQL for Microsoft Sentinel.
This will walk you though a basic understanding of KQL
Each section has subsections for easy understanding of the topics.
A quick start happens with searching a particular phrase -> projecting the necessary columns -> extending the additional columns needed.
Now, to get a quick result we do distinct to find unique values -> use count -> get the top for display a limited set of result.
To Filter better result Apply where condition -> Apply TimeGeneated filter
Leverage the joins by learning about different kinds of joins
Summarize for perspective by Summarize -> make_list -> make_set
Once done save & reuse by saving as query or function.
Apply the visual for better visibility.
Start building you use case now with an example.
Outcome at completion
After you successfully complete this course you will be able to build your own KQL query from scratch to end.
Whom is this course for
Either you are new to Microsoft Sentinel , Log Analytics or KQL or you are already working in SOC on a regular basis, this course is for you.