Learn KQL for Microsoft Sentinel

Welcome to KQL for Microsoft Sentinel.

KQL is a simple query language used across multiple products like

Azure Log Analytics

Microsoft Sentinel

Azure Resource Graph

to read & write structured & unstructured data.

Course Structure

In this course we will focus on leveraging KQL for Microsoft Sentinel.

This will walk you though a basic understanding of KQL

• Quick Start

• Go for a quick result

• Filter for better results

• Leverage the joins

• Summarize for perspective

• Save & Reuse

• Apply the visual

• Build the use case

Each section has subsections for easy understanding of the topics.

A quick start happens with  searching a particular phrase -> projecting  the necessary columns -> extending the additional columns needed.

Now, to get a quick result we do distinct to find unique values -> use count -> get the top for display a limited set of result.

To Filter better result Apply where condition -> Apply TimeGeneated filter

Leverage the joins by learning about different kinds of joins

Summarize for perspective by Summarize -> make_list -> make_set

Once done save & reuse by saving as query or function.

Apply the visual for better visibility.

Start building you use case now with an example.

Outcome at completion

After you successfully complete this course you will be able to build your own KQL query from scratch to end.

Whom is this course for

Either you are new to Microsoft Sentinel , Log Analytics or KQL or you are already working in SOC on a regular basis, this course is for you.