This advanced training is designed for experienced KQL users who want to specialize in advanced threat detection, hunting, and analytics.
Participants learn how to build complex detection logic, perform time-series analysis, and design scalable hunting and detection frameworks.
The course focuses on expert-level use of KQL within Microsoft Sentinel and Microsoft Defender XDR, including advanced workbooks, automation scenarios, and detection engineering best practices.
Through an intensive hands-on end-to-end attack scenario, participants apply all learned techniques in a realistic investigation and response workflow.
By the end of the day, participants operate KQL at an expert level and can design advanced detection and hunting solutions.
Participants should have completed the KQL Intermediate Training or have extensive hands-on experience with KQL.
Participants should be comfortable building complex queries, using multiple joins, and working with workbooks and detection rules.
Experience in threat hunting, SOC operations, or detection engineering is strongly recommended.
After completing this training, participants will be able to:
Build sequential and behavioral detections using advanced KQL techniques
Apply time-series analysis and anomaly detection functions
Use advanced operators, windowing, and text analysis functions
Design interactive and parameterized workbooks
Build scalable automation workflows for incident response
Apply detection engineering best practices including versioning and tuning
Develop reusable KQL functions and query libraries
Map detections to MITRE ATT&CK techniques
Conduct advanced threat hunting campaigns
Participants will be capable of designing enterprise-grade detection and hunting solutions.