Skills Track

For Security Engineers, Detection Engineers, and Threat Hunters Who Use KQL Daily

Aligned to MITRE ATT&CK | Sigma rules | Microsoft KQL reference

KQL for Security Operations

Write the queries that power your detections, hunts, and investigations.

Learn KQL from fundamentals through production detection engineering. Master filtering, aggregation, joins, string parsing, time-series analysis, anomaly detection, and performance optimization — every concept taught with security log examples from Sentinel and Defender XDR. Write detection rules, build threat hunting queries, create operational dashboards, and develop the query fluency that makes you effective in any investigation.

What you'll deploy
68 production-grade KQL queries from fundamentals through advanced joins
Reusable query library for SigninLogs, AuditLogs, DeviceEvents, and EmailEvents
Multi-table join patterns for cross-workload investigation and detection
Time-series and anomaly detection queries for behavioral threat hunting

Mastering KQL: 14 modules

SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| summarize LoginCount = count(), DistinctIPs = dcount(IPAddress), Countries = make_set(Location) by UserPrincipalName
| join kind=leftouter (IdentityInfo | summarize ... ) on UserPrincipalName
| where DistinctIPs > 5
| sort by DistinctIPs desc

filter → aggregate → correlate → detect → hunt

What you'll be able to do

Write production KQL queries for detection, hunting, and investigation
Master aggregation, joins, time-series analysis, and anomaly detection
Build threat hunting queries that find attacker activity in security logs
Create Sentinel workbooks and operational dashboards
Optimize query performance for large-scale security data
Premium tier | 14 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“I copy KQL from blog posts and hope it works.” You paste queries into Advanced Hunting, change the time range, and pray. When it returns zero results, you don’t know whether the threat isn’t there or the query is wrong. This course builds the fluency to write queries from scratch and debug them when they fail.

“I need to write detection rules but I can’t get past basic where clauses.” Your Sentinel analytics rules use simple filters. They fire too often or miss too much because you don’t know how to use summarize with time windows, arg_max for deduplication, or series_decompose for anomaly scoring. This course teaches the patterns that production detection rules require.

“I’m moving to Sentinel from Splunk or Elastic and I need to translate my skills.” You know SPL or EQL. You can detect threats in your current SIEM. But KQL has a different data model, different join semantics, and different performance characteristics. This course teaches KQL with the security context you already have.

“My queries time out on large datasets and I don’t know why.” You wrote a join across DeviceProcessEvents and DeviceNetworkEvents and Sentinel killed it at 10 minutes. You don’t know whether the join type, the time window, or the lack of materialize caused the timeout. This course teaches query optimization from the engine level up.

“I want to build threat hunting queries but I don’t know what patterns to look for.” Threat hunting isn’t running pre-built queries. It’s asking questions and writing the KQL to answer them. This course builds the query vocabulary — time-series decomposition, behavioral baselines, graph traversal — that powers hypothesis-driven hunts.

“KQL is the prerequisite for every advanced course and I keep hitting walls.” Detection engineering needs joins and materialized views. Threat hunting needs time-series and anomaly detection. Incident response needs cross-table correlation. This course builds the foundation that every other Microsoft security discipline requires.

Whatever your background — if the subject interests you and you’re willing to put in the work, this course is for you.

Before and after this course

Before

You copy a KQL query from a Microsoft blog, paste it into Advanced Hunting, and get zero results. You don’t know whether the table name changed, the field was renamed, the time range is wrong, or the threat simply isn’t present in your environment.

Your detection rules use simple where clauses with static thresholds. They fire 200 times on Monday morning and zero times on Friday. You can’t write the time-series analysis that would baseline normal and alert on deviation.

An incident requires correlating sign-in data with email activity and endpoint telemetry. You run three separate queries and manually match timestamps in a spreadsheet because you don’t know how to join tables.

Your threat hunting is running community queries from GitHub. When they return nothing, you report “no findings” because you can’t modify the query to fit your environment or write a new one from a hypothesis.

After

You write KQL from scratch. When a query returns zero results, you troubleshoot it: check the table schema, validate field names, test each pipe stage independently. You diagnose the query, not guess.

Your detection rules use make-series with series_decompose_anomalies to baseline behavior and fire on statistical deviation. Monday morning login spikes don’t trigger alerts. Actual anomalies do.

You write a single query that joins SigninLogs, EmailEvents, and DeviceProcessEvents on timestamp and user identity. The cross-workload timeline builds itself. No spreadsheet required.

You form a hypothesis, choose the data source, write the query, interpret the results, and pivot. When the community query doesn’t fit, you rewrite it. When no query exists, you build one from the table schema.
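A worked example of the baseline-and-deviate pattern described in the "After" section above, added here as an illustration and not one of the course's own queries. It assumes a Sentinel workspace with the SigninLogs table; the 14-day lookback, the 1-hour bin and the 2.5 anomaly threshold are assumptions to tune per environment.

```kql
// Added example (not course material): hourly successful sign-in counts per user,
// decomposed into baseline + seasonality, with anomalies scored against the residual.
let lookback = 14d;          // history needed for the seasonal baseline (assumption)
let binSize = 1h;
let threshold = 2.5;         // anomaly score cutoff; 1.5 is the function default (assumption)
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0                              // successful sign-ins only
| make-series SigninCount = count() default = 0
    on TimeGenerated from ago(lookback) to now() step binSize
    by UserPrincipalName
// Returns three parallel arrays: flag (-1/0/1), score, and the fitted baseline.
// Seasonality = -1 lets the engine autodetect the period; 'linefit' models the trend.
| extend (AnomalyFlag, AnomalyScore, Baseline) =
    series_decompose_anomalies(SigninCount, threshold, -1, 'linefit')
// Unpack the arrays into one row per user per hour.
| mv-expand TimeGenerated to typeof(datetime), SigninCount to typeof(long),
    AnomalyFlag to typeof(int), AnomalyScore to typeof(double), Baseline to typeof(double)
| where AnomalyFlag == 1                             // positive spikes only; -1 marks dips
| where TimeGenerated > ago(1d)                      // alert only on the most recent day
| project TimeGenerated, UserPrincipalName, SigninCount,
    Baseline = round(Baseline, 1), AnomalyScore = round(AnomalyScore, 2)
| order by AnomalyScore desc
```

With hourly bins, 14 days is enough history for the daily cycle to be detected. To absorb a weekly pattern such as the Monday-morning spike, extend the lookback so several weekly periods are present; otherwise the first Monday in the window is scored against a baseline that has never seen one.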

How the course works

Four phases build from single-table queries through production detection engineering. Each phase adds capability on the previous:

Phase 1
Foundations

How KQL processes data, filtering with where, shaping with project and extend, aggregation with summarize, and statistical analysis. Single-table queries that answer specific security questions.

Phase 2
Correlation

Multi-table joins, union, materialize, string parsing with parse and extract, regex patterns, and advanced filtering. Cross-workload queries that correlate identity, email, and endpoint data.

Phase 3
Advanced Analysis

Time-series with make-series, anomaly detection with series_decompose, graph and relationship analysis, behavioral baselines. Queries that find what you didn’t know to look for.

Phase 4
Production

Performance optimization, detection rule engineering, threat hunting methodology, workbooks and dashboards, and the capstone hunting lab. Queries that run reliably at scale in production Sentinel.
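The time-bounded join pattern that the Correlation and Production phases refer to, added here as an illustration rather than a query from the course. It assumes the Defender XDR DeviceProcessEvents and DeviceNetworkEvents tables as they appear in Sentinel; the process list and the 5-minute window are assumptions.

```kql
// Added example (not course material): correlate launches of script hosts with
// the outbound connections those processes make within a short window.
let lookback = 1d;
let joinWindow = 5m;                                  // assumption: tune to your telemetry latency
let scriptHosts = dynamic(["powershell.exe", "mshta.exe", "rundll32.exe"]);   // assumption
// The small, pre-filtered side goes on the LEFT of the join, and both sides are
// projected down to the columns used, so the engine shuffles less data.
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where FileName in~ (scriptHosts)
| project DeviceId, ProcId = ProcessId, ProcStart = TimeGenerated,
    AccountUpn, FileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)             // same bound on the right: never join an unbounded table
    | where RemoteIPType == "Public"
    | project DeviceId, ProcId = InitiatingProcessId, NetTime = TimeGenerated,
        RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, ProcId
// PIDs are reused, so the key match alone is not enough: keep only connections
// that start after this launch and inside the window.
| where NetTime between (ProcStart .. (ProcStart + joinWindow))
| project NetTime, AccountUpn, DeviceId, FileName, ProcessCommandLine,
    RemoteIP, RemotePort, RemoteUrl
| order by NetTime asc
```

materialize() is not used here because the left side is referenced once; it pays off when a let-bound result feeds two branches (for example the join above and a separate summarize of the same process set), where it stops the engine from recomputing the filter for each use.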

What the content looks like

This is a real query from the join and correlation module. An analyst investigating a compromised account needs to see sign-in activity, mailbox rule changes, and endpoint process execution in a single timeline — three tables, one query:

KQL — From Module 4: Cross-Workload Incident Correlation
// Cross-workload timeline: identity + email + endpoint for one user
let targetUser = "t.ashworth@northgate.com";
let window = 24h;
union
    (SigninLogs
    | where TimeGenerated > ago(window)
    | where UserPrincipalName =~ targetUser          // =~ : UPN casing differs between sources
    | project TimeGenerated, Source = "Identity",
        Action = strcat("Sign-in from ", IPAddress),
        Detail = ConditionalAccessStatus),
    (CloudAppEvents
    | where TimeGenerated > ago(window)
    | where AccountId =~ targetUser                  // AccountId carries the UPN; AccountObjectId is the Entra object GUID and never matches a UPN
    | where ActionType == "New-InboxRule"
    | project TimeGenerated, Source = "Email",
        Action = "Inbox rule created",
        Detail = tostring(RawEventData.Parameters)), // rule name, conditions and actions as raw JSON
    (DeviceProcessEvents
    | where TimeGenerated > ago(window)
    | where AccountUpn =~ targetUser
    | where FileName in~ ("powershell.exe", "cmd.exe")
    | project TimeGenerated, Source = "Endpoint",
        Action = strcat(FileName, " launched"),
        Detail = ProcessCommandLine)
| sort by TimeGenerated asc

One query, three data sources, one timeline. The sign-in at 09:14 from a new IP, the inbox rule created at 09:17, and the PowerShell execution at 09:22 tell the full story. Every module teaches at this level — real security scenarios where the query technique solves a problem you recognize from your own investigations.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Complete course. 14 modules from KQL fundamentals through production detection engineering, threat hunting, and the capstone hunting lab.

This course is actively maintained. Content is updated as the KQL language and Microsoft security data model evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 of 100 points. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.