KQL Intermediate

Level: Intermediate · Duration: 1 day · Subjects: Detection Engineering, Incident Response, KQL Training Program, Microsoft Defender XDR, Microsoft Sentinel, Threat Hunting

Description

This intermediate-level training builds on the fundamentals of Kusto Query Language (KQL) and focuses on applying KQL to real-world security operations.

Participants learn how to combine multiple data sources, enrich datasets, and design triage and detection queries for Microsoft Sentinel and Microsoft Defender XDR that hold up in production.

The course combines hands-on labs, practical exercises, and realistic incident scenarios. Students also learn how to use KQL in Workbooks and in automation workflows.

By the end of the day, participants can write more complex queries and use KQL as an integral part of their daily security operations.

Prerequisites

Completion of the KQL Beginner Training, or equivalent hands-on experience with basic KQL queries.

Participants should be comfortable with filtering (where), aggregation (summarize), and basic joins.

Working knowledge of Microsoft Sentinel or Microsoft Defender XDR is recommended.

What You Will Learn

After completing this training, participants will be able to:
- Combine multiple datasets using join and lookup
- Use intermediate KQL operators and functions such as mv-expand, case, and parse_json
- Build basic dashboards using Workbooks
- Feed KQL results into automation workflows (for example, analytics rules that trigger playbooks)
- Design triage queries whose output supports a clear analyst decision
- Perform basic baselining and anomaly detection
- Enrich query results from external data sources
- Apply best practices for detection query performance and stability

Participants will be able to write maintainable, scalable KQL queries for operational use.

Course Summary
  • Level: Intermediate
  • Duration: 1 day
  • Learning Hours: 13.6 hours
  • Certificate: Awarded on completion

Subjects
Detection Engineering, Incident Response, KQL Training Program, Microsoft Defender XDR, Microsoft Sentinel, Threat Hunting

Curriculum
Day 1: KQL Intermediate

Instructor-led practical training day with guided demonstrations, hands-on KQL work, discussion of operational use, and an end-of-day checkpoint.

  • From basic to operational KQL
    Shift from syntax fluency to queries designed for triage: scoped time windows, explicit projections, and outputs an analyst can act on.
  • Joining datasets with lookup and enrichment patterns
    Use controlled join patterns (join kinds, lookup, time-bounded matching) for multi-source triage workflows.
  • Dynamic fields with mv-expand, case, and parse_json
    Normalize nested JSON telemetry into flat, analyst-friendly columns.
  • Triage-focused query design
    Build outputs that drive clear analyst decisions and improve escalation quality.
  • Using KQL in Workbooks for security operations
    Design workbook views that support day-to-day SOC operations and escalation.
  • KQL-driven automation workflows
    Use query outputs to trigger playbooks and response tasks, with safeguards against acting on noisy or untested results.
  • Baselines, anomalies, and external enrichment
    Compare activity against practical baselines and enrich results with external data to reduce false positives.
  • Phishing-click and process-hierarchy capstone lab
    An end-to-end triage workflow combining URL-click evidence, parent-child process analysis, and analyst decisions.
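The following query is an added illustration of the kind of triage logic the capstone lab works toward; it is not course material and not code from the training provider. It assumes the Microsoft Defender XDR advanced hunting tables UrlClickEvents and DeviceProcessEvents with their documented columns. The time windows, the process-name lists, the command-line indicators, and the knownGood table are illustrative choices made for this example. It demonstrates a time-bounded join, parse_url for domain extraction, a datatable standing in for external enrichment, case() for severity ranking, and a summarize that yields one decision-ready row per user and device; mv-expand and parse_json are not shown here.

```kql
// Added example, not course material: phishing-click to process-hierarchy triage.
// Assumes the Defender XDR tables UrlClickEvents and DeviceProcessEvents.
// Thresholds, process lists and the knownGood table are illustrative assumptions.
let lookback = 7d;               // how far back to look for clicks and processes
let window   = 30m;              // a process must start within this long after the click
// Stand-in for external enrichment: a constructed allow-list of domains to exclude.
// In production this would typically come from externaldata() or a watchlist.
let knownGood = datatable(Domain:string) ["contoso.com", "sharepoint.com", "microsoft.com"];
let officeParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
// Step 1: clicks that actually reached the destination (allowed, or a warning clicked through),
// excluding domains on the allow-list.
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | extend Domain = tostring(parse_url(Url).Host)
    | where Domain !in (knownGood)
    | project ClickTime = Timestamp, AccountUpn, Url, Domain, ClickAction = ActionType;
// Step 2: script hosts and LOLBins launched under any account, with their parent chain.
let procs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (scriptHosts)
    | project ProcTime = Timestamp, AccountUpn, DeviceName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessParentFileName;
// Step 3: pair each click with processes of the same user that started shortly after it.
clicks
| join kind=inner procs on AccountUpn
| where ProcTime between (ClickTime .. (ClickTime + window))
// Step 4: rank each pairing with case() so the output states a decision, not just a match.
| extend Rank = case(
    InitiatingProcessFileName in~ (officeParents)
        and ProcessCommandLine has_any ("-enc", "EncodedCommand", "DownloadString", "IEX", "FromBase64String"), 3,
    InitiatingProcessFileName in~ (officeParents), 2,
    1)
// Step 5: one row per user and device carrying the evidence an analyst needs to escalate.
| summarize FirstClick = min(ClickTime),
            FirstProcess = min(ProcTime),
            Urls = make_set(Url, 5),
            Chains = make_set(strcat(InitiatingProcessParentFileName, " > ",
                                     InitiatingProcessFileName, " > ", FileName), 10),
            Commands = make_set(ProcessCommandLine, 5),
            Rank = max(Rank)
          by AccountUpn, DeviceName
| extend Severity = case(Rank == 3, "High", Rank == 2, "Medium", "Low"),
         SecondsToFirstProcess = datetime_diff("second", FirstProcess, FirstClick)
| order by Rank desc, SecondsToFirstProcess asc
| project-away Rank
```

The join is deliberately bounded twice: both sides are first restricted to the same lookback so the engine does not scan the full tables, and the match is then narrowed to processes that started inside the click window, which is what keeps a user-level join from exploding into unrelated activity. Ranking is done on an integer and only mapped to a label after the summarize, because max() over the strings "High", "Low" and "Medium" would sort lexicographically and pick the wrong one.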
