
KQL for Detection and Threat Hunting

Master KQL for Detection and Threat Hunting

Write powerful, efficient KQL queries that turn massive amounts of security data into fast, actionable insights. Master Kusto Query Language to hunt threats, build high-fidelity detections, investigate incidents, and automate response; all inside Microsoft Sentinel, Defender XDR, and Log Analytics.


What you'll be able to do

Write advanced, high-performance KQL queries for threat hunting, detection engineering, and incident response
Optimise KQL queries to run efficiently at enterprise scale with millions of records
Build custom detection rules, analytics rules, and scheduled queries in Microsoft Sentinel
Perform fast, effective threat hunting across Microsoft 365, Entra ID, endpoints, cloud, and security logs
Analyse and correlate data from multiple sources to reconstruct attacker activity and timelines
Create reusable KQL functions, workbooks, and automated playbooks that improve daily SOC operations
SEC201 | Premium tier | 14 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 5 free preview lessons - no account needed | Updated June 2026
Course Agenda View all 16 modules

Course overview

The KQL for Detection and Threat Hunting course is the core training track for Security Engineers, Detection Engineers, and Threat Hunters who use KQL daily. You'll gain hands-on expertise to:

Write advanced KQL queries for threat hunting, detection engineering, and incident investigation
Optimise queries for speed and efficiency at enterprise scale
Build custom detections, analytics rules, and automated playbooks in Microsoft Sentinel
Analyse data across Microsoft 365, Entra ID, endpoints, cloud workloads, and security logs

By the end, you'll have the confidence and fluency to use KQL as a powerful daily tool — dramatically improving your threat detection, hunting speed, and security operations effectiveness.

Who this course is for

You're a Security Engineer, Detection Engineer, or Threat Hunter who uses KQL daily and wants to move from functional to expert level. This course is built for you if you want to:

Write cleaner, faster, and more powerful KQL queries with confidence
Master advanced KQL techniques specifically for security operations and detection engineering
Build high-fidelity detections and hunting queries that actually find real threats
Reduce query runtime and improve your overall efficiency in Microsoft Sentinel and Defender XDR

In short: if you're ready to become the go-to KQL expert on your team and significantly level up your threat detection and hunting capabilities, this course is for you.

What you'll learn

By the end of this KQL for Detection and Threat Hunting course you will be able to:

Master KQL fundamentals and advanced operators for security use cases
Write efficient queries for threat hunting, anomaly detection, and incident investigation
Build and optimise custom detection and analytics rules in Microsoft Sentinel
Analyse and correlate logs across identities, endpoints, email, cloud, and network data
Use advanced KQL features including joins, summarization, time-series analysis, and functions
Create reusable KQL libraries, workbooks, and automation that scale with your organisation

Key course takeaways

Become highly proficient in writing production-grade KQL for real security operations
Build and maintain high-fidelity detections and hunting queries that actually work
Dramatically improve query speed and efficiency at enterprise scale
Develop reusable KQL assets that make you and your team significantly more effective
Master threat hunting and incident investigation using KQL across the Microsoft security stack
Transform from a KQL user into a true KQL power user and detection engineering asset

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches KQL from first principles. Familiarity with any query language (SQL, SPL, EQL) will help you move faster, but is not required. Every operator and function is explained at first use with security log examples.

What are the device requirements?

A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) or a Sentinel workspace for hands-on query execution. The course walks you through setup in Module 0.

How will the course benefit your career?

KQL is the query language that powers Microsoft Sentinel, Defender XDR, and Log Analytics. Every detection rule, hunting query, investigation pivot, and operational dashboard runs on KQL. This course gives you the fluency to write queries from scratch, debug them when they fail, and optimise them for production scale.

KQL proficiency is a prerequisite for detection engineering, threat hunting, and advanced security operations roles across the Microsoft ecosystem.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy queries, detection rules, and workbooks in your production environment. You may not redistribute course content or share account credentials.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.1  |  Last updated: June 2026

June 2026 — v1.1: Course renamed to KQL for Detection and Threat Hunting.

June 2026 — v1.0: Course page restructured. 14 modules from KQL fundamentals through production detection engineering, threat hunting, and the capstone hunting lab.

This course is actively maintained. Content is updated as the KQL language and Microsoft security data model evolve.

Course assessment

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes
3 phases
100 points
1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.