MEAPSA

Construct KQL statements for Microsoft Sentinel

KQL is the query language used to perform analysis on data to create analytics, workbooks, and perform hunting in Microsoft Sentinel. Learn how basic KQL statement structure provides the foundation to build more complex statements.

Security Operations Analyst

Azure

Data Explorer

Log Analytics

Microsoft Sentinel

Module Objectives

Upon completion of this module, the learner will be able to:

Construct KQL statements
Search log files for security events using KQL
Filter searches based on event time, severity, domain, and other relevant data using KQL

Units

Introduction min
Understand the Kusto Query Language statement structure min
Use the search operator min
Use the where operator min
Use the let statement min
Use the extend operator min
Use the order by operator min
Use the project operators min
Knowledge check min
Summary and resources min

Prerequisites

none