KQL Basic

Level: Beginner | Duration: 1 day | Tags: Detection Engineering, Incident Response, KQL Training Program, Microsoft Defender XDR, Microsoft Sentinel, Threat Hunting

Description

This one-day beginner training provides a practical introduction to Kusto Query Language (KQL) within the Microsoft Security ecosystem. Participants learn how to explore, filter, aggregate, and correlate security data in Microsoft Sentinel and Microsoft Defender XDR. The training combines theory with hands-on labs, realistic demos, and guided exercises in a dedicated training environment.

By the end of the day, students are able to write effective basic queries for threat hunting, incident investigation, and security analysis. The course is delivered by experienced instructors and focuses on real-world use cases relevant to security analysts and incident responders.

Prerequisites

No prior KQL experience is required. Basic familiarity with cybersecurity concepts and Microsoft security tools (such as Sentinel or Defender XDR) is helpful but not mandatory.

Participants should be comfortable working with a laptop in a cloud-based training environment.

What You Will Learn

After completing this training, participants will be able to:
- Understand the structure of Microsoft security log data
- Identify and use key KQL tables and fields
- Write basic KQL queries using filters and time ranges
- Aggregate data using summarize functions
- Create simple visualizations
- Perform basic joins for data enrichment
- Parse and extract fields from structured and semi-structured data
- Investigate incidents using KQL queries

Participants will have a solid foundation for further development in Intermediate and Advanced KQL training.

Course Summary
  • Level: Beginner
  • Duration: 1 day
  • Learning Hours: 13.6 hours
  • Certificate: Awarded on completion

Curriculum
Day 1: KQL Basic

Instructor-led practical training day with guided demonstrations, hands-on KQL work, operational discussion, and end-of-day checkpoint.

  • Introduction to KQL in Microsoft Security
    Understand where KQL fits in daily SOC operations: Advanced Hunting in Defender XDR, Logs and analytics rules in Sentinel.
  • Understanding tables, schemas, and event types
    Build confidence navigating high-value Defender and Sentinel tables (for example the Email*, Device* and SigninLogs tables) and the columns that make them joinable.
  • Searching and filtering effectively
    Use where clauses and explicit time scoping so queries stay narrow, fast and reproducible during an investigation.
  • Aggregation and summarization
    Use summarize patterns (count, dcount, make_set, min/max, bin) for triage and anomaly discovery.
  • Visualizing query results with render
    Use lightweight visualizations such as timecharts to spot campaign bursts and trends quickly.
  • Joining datasets for investigation context
    Perform practical joins on shared keys (message IDs, file hashes, device names) that keep the original event fields so results stay traceable to evidence.
  • Parsing and extraction for semi-structured fields
    Extract reliable fields from dynamic (JSON) columns and text-rich telemetry such as command lines.
  • Guided phishing investigation capstone
    Run a full investigation chain from phishing email to attachment hash to endpoint execution evidence.
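The capstone chain above, as an added example that is not part of the course material: three Advanced Hunting queries, to be run one at a time in Microsoft Defender XDR (each query carries its own let statements because a query can return only one result set). Table and column names (EmailEvents, EmailAttachmentInfo, DeviceFileEvents, DeviceProcessEvents and their fields) follow the Defender XDR Advanced Hunting schema; the sender domain, the lookback window, the one-hour execution window and the script-name regex are assumptions chosen for the demo, not values from any real case.

```kql
// Query A: triage. Scope by time first, then filter, parse the JSON
// authentication results, and summarize per sender.
let lookback = 7d;                                   // assumed window
let suspectSenderDomain = "example-invoices.com";    // constructed value for the demo
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromDomain =~ suspectSenderDomain
| where DeliveryAction == "Delivered"                // only mail that reached a mailbox
| extend Auth = parse_json(AuthenticationDetails)    // dynamic column: SPF/DKIM/DMARC verdicts
| extend Spf = tostring(Auth.SPF), Dmarc = tostring(Auth.DMARC)
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Subjects = make_set(Subject, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by SenderFromAddress, Spf, Dmarc
| order by Recipients desc

// Query B: delivery volume per hour as a timechart to spot the campaign burst.
let lookback = 7d;
let suspectSenderDomain = "example-invoices.com";
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromDomain =~ suspectSenderDomain
| summarize Messages = count() by bin(Timestamp, 1h)
| render timechart

// Query C: the investigation chain. Email -> attachment hash -> file on
// endpoint -> process that ran it. Joins keep the original fields so every
// row can be traced back to the source events.
let lookback = 7d;
let suspectSenderDomain = "example-invoices.com";
let suspectMail = EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain =~ suspectSenderDomain
    | where DeliveryAction == "Delivered"
    | project MailSeen = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject;
// Tie each message to its attachment(s) via the shared NetworkMessageId.
let suspectAttachments = suspectMail
    | join kind=inner (
        EmailAttachmentInfo
        | where Timestamp > ago(lookback)
        | project NetworkMessageId, FileName, FileType, SHA256
      ) on NetworkMessageId
    | where isnotempty(SHA256);
// Pivot from the attachment hash to endpoint file-creation events.
let droppedFiles = suspectAttachments
    | join kind=inner (
        DeviceFileEvents
        | where Timestamp > ago(lookback)
        | where ActionType in ("FileCreated", "FileModified")
        | project FileSeen = Timestamp, DeviceName, FolderPath, SHA256,
                  DropperProcess = InitiatingProcessFileName
      ) on SHA256;
// Look for a process on the same device, within the assumed one-hour window,
// whose command line references the attachment, and pull out any script name.
droppedFiles
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project ProcessSeen = Timestamp, DeviceName, ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName, AccountName
  ) on DeviceName
| where ProcessSeen between (FileSeen .. (FileSeen + 1h))
| where ProcessCommandLine has FileName
// Regex is an assumption: first token ending in a common script extension.
| extend ScriptName = extract(@"([^\\\s""]+\.(?:vbs|js|ps1|hta))", 1, ProcessCommandLine)
| project RecipientEmailAddress, Subject, FileName, FileType, SHA256,
          DeviceName, FolderPath, DropperProcess, FileSeen,
          ProcessSeen, ParentProcess, ProcessCommandLine, ScriptName, AccountName
| order by ProcessSeen asc
```

Query C deliberately narrows by time at every table before joining, which is the discipline the filtering module teaches: an unscoped join against DeviceProcessEvents is the most common reason a beginner's hunting query times out. The SHA256 pivot is the weak link if the attachment is an archive, since the file that lands on disk is the extracted payload; in that case join on FileName from EmailAttachmentInfo to DeviceFileEvents instead and treat the match as lower confidence.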
