One of the first skills to acquire when learning a SIEM is its query language.
Microsoft Sentinel (and many of Microsoft’s tools) use KQL – Kusto Query Language.
If you want to learn more about what KQL is, go here.
This blog is simply a super quick reference for getting started.
- Step #1: Open the lab link below
- Step #2: Watch the 3 tutorials listed below
- Step #3: Practice! 3 KQL challenges are provided. One possible solution to these challenges will be provided on another blog page.
Azure Sentinel webinar: Learn the KQL you need for Azure Sentinel (Part 1 of 3)
Azure Sentinel webinar: KQL part 2 of 3 – KQL hands-on lab exercises
Azure Sentinel webinar: KQL part 3 of 3 – Optimizing Azure Sentinel KQL queries performance
KQL Query Challenges
Challenge #1: Create a query that uses a watchlist
Challenge #2: Create a timechart based query
Challenge #3: Use mv-expand to view the Entities fields
Bonus challenge: Use GeoIP to map to country