Module Summary

2-3 hours · Module 0 · Free

What you learned in this module

Section 0.1 — Three Questions You Cannot Answer Without KQL. You worked through three investigation scenarios that exposed the portal's limits: a historical scope query searching j.morrison's full sign-in history for a Tor exit node IP, a cross-table correlation joining a compromised sign-in to inbox rule creation, and a statistical baseline using percentile() to determine whether s.chen's file download volume was anomalous. These three question categories — historical scope, cross-table correlation, and statistical baseline — are the recurring structure behind every investigation where the portal cannot express the question. You saw the raw SigninLogs record for the Tor sign-in and identified the singleFactorAuthentication pattern characteristic of AiTM token replay.
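The three question categories above, as one added KQL example (not course material). The three queries are independent; run each on its own. The user principal names, the IP address and the thresholds are placeholders assumed here, not values from the course, and the second query assumes the OfficeActivity `UserId` matches the SigninLogs `UserPrincipalName` once both are lower-cased.

```kql
// 1. Historical scope: every sign-in by one user from one IP across the retention window.
let target_user = "j.morrison@northgate.example";   // placeholder UPN
let suspect_ip  = "198.51.100.23";                   // placeholder for the Tor exit node IP
SigninLogs
| where TimeGenerated > ago(90d)                     // explicit window; do not rely on the portal time picker
| where UserPrincipalName =~ target_user             // =~ is case-insensitive, == is not
| where IPAddress == suspect_ip
| project TimeGenerated, AppDisplayName, ResultType, AuthenticationRequirement,
          ConditionalAccessStatus, UserAgent
| sort by TimeGenerated asc

// 2. Cross-table correlation: successful single-factor sign-ins from the suspect IP,
//    joined to inbox-rule creation by the same account within the following 24 hours.
let suspect_ip = "198.51.100.23";                    // placeholder
SigninLogs
| where TimeGenerated > ago(30d)
| where IPAddress == suspect_ip and ResultType == "0"              // "0" = success; ResultType is a string
| where AuthenticationRequirement == "singleFactorAuthentication"  // the AiTM replay pattern from 0.1
| project SignInTime = TimeGenerated, User = tolower(UserPrincipalName)
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(30d)
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | project RuleTime = TimeGenerated, User = tolower(UserId), Operation, ClientIP, Parameters
  ) on User
| where RuleTime between (SignInTime .. SignInTime + 24h)         // rule created after the sign-in, not before
| project User, SignInTime, RuleTime, Operation, ClientIP, Parameters

// 3. Statistical baseline: one user's daily download volume against organisation-wide percentiles.
let lookback = 30d;
let target_user = "s.chen@northgate.example";        // placeholder UPN
let daily =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload in ("SharePoint", "OneDrive") and Operation == "FileDownloaded"
    | summarize Downloads = count() by User = tolower(UserId), Day = bin(TimeGenerated, 1d);
let org_p95 = toscalar(daily | summarize percentile(Downloads, 95));
let org_p99 = toscalar(daily | summarize percentile(Downloads, 99));
daily
| where User == tolower(target_user)
| summarize AvgDay = avg(Downloads), PeakDay = max(Downloads) by User
| extend OrgP95 = org_p95, OrgP99 = org_p99, AboveP99 = PeakDay > org_p99
```

Two caveats worth keeping in mind when you reuse the third query: the `daily` set only contains user-days on which at least one download happened, so days of zero activity never enter the percentile and the baseline is biased upward; and the baseline is the whole organisation, so a heavy but legitimate role (a document controller, say) will sit above the 99th percentile every week. A per-user baseline, which Phase 3 covers, answers "is this unusual for s.chen" rather than "is this unusual for anyone".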

Section 0.2 — The Microsoft Security Data Model. You mapped the two query surfaces — Sentinel Log Analytics and Defender XDR Advanced Hunting — and learned where they overlap and diverge. You traced telemetry from six product families through the ingestion pipeline to queryable rows, understood ingestion latency and its impact on detection rule scheduling, and discovered the difference between analytics-tier and data lake-tier storage. You ran the Usage table discovery query to see which tables in Northgate Engineering's workspace were actively ingesting data and how to interpret volume, recency, and connector health from the results.
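The Usage discovery query from this section, extended as an added example (not course material) so that it also reports tables that should be ingesting but are not. The Usage table only contains rows for tables that actually received data, so a silent connector is invisible unless you start from a list of what you expect; that list and the "stale" and "intermittent" thresholds are assumptions to tune for your workspace.

```kql
// Expected tables for this workspace: an assumption, edit to match your connectors.
let expected = datatable(DataType:string)
    ["SigninLogs", "AuditLogs", "AADNonInteractiveUserSignInLogs", "OfficeActivity",
     "DeviceProcessEvents", "DeviceFileEvents", "DeviceNetworkEvents",
     "CommonSecurityLog", "SecurityAlert"];
expected
| join kind=leftouter (
    Usage
    | where TimeGenerated > ago(7d)
    | summarize VolumeGB   = round(sum(Quantity) / 1024, 2),   // Usage.Quantity is reported in MB
                LastSeen   = max(TimeGenerated),               // hourly granularity: Usage rows are aggregates
                ActiveDays = dcount(bin(TimeGenerated, 1d))    // how many of the last 7 days had any data
      by DataType
  ) on DataType
| extend HoursSinceLast = datetime_diff("hour", now(), LastSeen)
| extend Health = case(
    isnull(LastSeen),    "silent",        // expected but absent from Usage: connector or ingestion broken
    HoursSinceLast > 24, "stale",         // 24h and 7d are assumed thresholds
    ActiveDays < 7,      "intermittent",
                         "healthy")
| project DataType, VolumeGB, LastSeen, HoursSinceLast, ActiveDays, Health
| sort by Health asc, VolumeGB desc
```

To see everything the workspace is ingesting rather than only the expected list, drop the `expected` datatable and the join and run the inner Usage query by itself, adding `Solution` and `IsBillable` to the `by` clause to separate free tables (such as SecurityAlert) from billed ones.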

Section 0.3 — The Eight Tables You Will Query Every Day. You profiled the eight core tables: SigninLogs for authentication events, DeviceProcessEvents for endpoint execution chains, OfficeActivity for mailbox and collaboration operations, AuditLogs for directory changes, DeviceFileEvents for file operations, DeviceNetworkEvents for endpoint connections, CommonSecurityLog for perimeter telemetry, and SecurityAlert for detection product alerts. You read raw records from SigninLogs and DeviceProcessEvents to identify investigation-relevant fields, and used getschema to discover the full column inventory for any unfamiliar table. You also learned the ninth table — AADNonInteractiveUserSignInLogs — where AiTM token replay evidence appears.
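An added example (not course material) for the two discovery techniques in this section: `getschema` for a column inventory, and a `union` across the interactive and non-interactive sign-in tables so that a token replay in AADNonInteractiveUserSignInLogs shows up next to the user's interactive sign-ins. The two queries run separately; the UPN is a placeholder.

```kql
// Query A: column inventory for a table you have not profiled yet.
AADNonInteractiveUserSignInLogs
| getschema
| project ColumnName, ColumnType

// Query B: one user's successful sign-ins across both sign-in tables, grouped by source IP
//          and by whether the sign-in satisfied MFA. Token replay typically appears in the
//          non-interactive table because the attacker presents a token rather than credentials.
let target_user = "j.morrison@northgate.example";   // placeholder UPN
union withsource=SourceTable SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ target_user
| where ResultType == "0"                           // successes only; ResultType is a string in both tables
| summarize SignIns   = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Apps      = make_set(AppDisplayName, 10)
    by SourceTable, IPAddress, AuthenticationRequirement
| sort by SourceTable asc, SignIns desc
```

Read query B's output as a list of (table, IP, MFA state) tuples: an IP that appears only in the non-interactive table, with `singleFactorAuthentication`, and that never appears in the interactive table for the same user is the footprint to chase.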

Section 0.4 — Your First Security Query. You wrote a five-line KQL query that investigated a credential spray against Northgate Engineering. You learned the pipeline data-flow model — how each pipe operator accepts, transforms, and emits a tabular dataset. You used the four foundational operators (where, project, sort by, and table reference), interpreted CLI output showing failed authentication counts grouped by user and IP, and adapted the same four-operator pattern to DeviceProcessEvents and OfficeActivity. You learned the has versus contains performance distinction (has matches a whole indexed term and is fast; contains scans for a substring, is slower, and matches more than you meant) and the four common first-query mistakes: case sensitivity, missing time filters, wrong column names, and unquoted string comparisons.
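The four-operator pattern and the four first-query mistakes, as an added example (not course material). Each of the three queries runs on its own; the comments mark where each mistake would bite. The 24-hour window and the ten-account threshold are assumptions, not values from the course.

```kql
// Query 1: the four operators. Table reference, where, project, sort by.
SigninLogs                                           // table names are case-sensitive: signinlogs fails
| where TimeGenerated > ago(24h)                     // mistake 2: always bound the time range yourself
| where ResultType == "50126"                        // mistake 4: ResultType is a string, so quote it
                                                     // (50126 = invalid username or password)
| where ResultDescription has "password"             // has = whole indexed term; contains = substring scan
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, ResultDescription, AppDisplayName
| sort by TimeGenerated desc                         // mistake 3: a misspelled column here fails at parse time

// Query 2: the same filter with summarize (the Phase 1 aggregation operator) to surface the
//          spray shape: one IP, many accounts, few attempts each.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "50126"
| summarize Failures = count() by UserPrincipalName, IPAddress
| summarize TargetedAccounts = dcount(UserPrincipalName),
            TotalFailures    = sum(Failures),
            MaxPerAccount    = max(Failures)
    by IPAddress
| where TargetedAccounts >= 10                       // assumed threshold
| sort by TargetedAccounts desc

// Query 3: the pattern adapted to DeviceProcessEvents, with has versus contains side by side.
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "powershell.exe"                 // mistake 1: == "PowerShell.exe" silently matches nothing
| where ProcessCommandLine has "EncodedCommand"      // whole-term match, uses the term index
// | where ProcessCommandLine contains "enc"          // substring match: slower and also hits "encoding", "license"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| sort by TimeGenerated desc
```

One practical consequence of the term semantics: `has "EncodedCommand"` will not match the abbreviated `-enc` or `-ec` forms, because those are different terms. Cover them explicitly with `has_any ("EncodedCommand", "enc", "ec")` rather than falling back to `contains`, which trades the index for a scan of every row in the window.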

Section 0.5 — What This Course Builds. You mapped the full progression: Phase 1 (Foundation) gives you filtering and aggregation, Phase 2 (Correlation) gives you joins and string parsing for cross-table investigation, Phase 3 (Analysis) gives you time-series baselines and anomaly detection, and Phase 4 (Mastery) applies everything to detection engineering, threat hunting, and operational reporting. You learned how Security Copilot generates approximately correct KQL that requires a human who can read, validate, and fix it — the skill this course builds.

Section 0.6 — Setting Up Your Lab Environment. You chose a lab path (production workspace, Log Analytics demo at aka.ms/LADemo, or M365 developer tenant), ran the verification query against SigninLogs to confirm your environment has data, oriented yourself in the query editor (IntelliSense, time range selector, table browser), and started your query library. You learned that the Azure portal Sentinel experience is being retired in favor of the unified Defender portal, and that the KQL syntax is identical in both environments.

What's next

Module 1 — How KQL Processes Data. You move from using operators to understanding how the Kusto engine evaluates them. The tabular expression model, the execution order of pipe operators, the role of the query plan, and the internal mechanics that determine whether a query finishes in milliseconds or times out after ten minutes. Understanding the engine is what separates an analyst who writes correct queries from one who writes efficient queries, and efficiency determines whether your detection rules can run on a production schedule.
