KQL Beginner Training - 2026 Edition

Beginner 1 day

Description

This one-day beginner training provides a practical introduction to Kusto Query Language (KQL) within the Microsoft Security ecosystem. Participants learn how to explore, filter, aggregate, and correlate security data in Microsoft Sentinel and Microsoft Defender XDR. The training combines theory with hands-on labs, realistic demos, and guided exercises in a dedicated training environment. By the end of the day, students are able to write effective basic queries for threat hunting, incident investigation, and security analysis. The course is delivered by experienced instructors and focuses on real-world use cases relevant to security analysts and incident responders.

Prerequisites

No prior KQL experience is required. Basic familiarity with cybersecurity concepts and Microsoft security tools (such as Sentinel or Defender XDR) is helpful but not mandatory. Participants should be comfortable working with a laptop in a cloud-based training environment.

What You Will Learn

After completing this training, participants will be able to:

  • Understand the structure of Microsoft security log data
  • Identify and use key KQL tables and fields
  • Write basic KQL queries using filters and time ranges
  • Aggregate data using summarize functions
  • Create simple visualizations
  • Perform basic joins for data enrichment
  • Parse and extract fields from structured and semi-structured data
  • Investigate incidents using KQL queries

Participants will have a solid foundation for further development in Intermediate and Advanced KQL training.

Course Summary
  • Level: Beginner
  • Duration: 1 day
  • From: €700 per student (excl. VAT)

Curriculum
Day 1: Demo Day
