This intermediate-level training builds on the fundamentals of Kusto Query Language (KQL) and focuses on applying KQL in real-world security operations.
Participants learn how to combine multiple data sources, enrich datasets, and design effective triage and detection queries for Microsoft Sentinel and Microsoft Defender XDR.
The course includes hands-on labs, practical exercises, and realistic incident scenarios. Students also learn how to use KQL in workbooks and automation workflows.
By the end of the day, participants are able to create more complex queries and use KQL as an integral part of their daily security operations.
Prerequisites: completion of the KQL Beginner Training, or equivalent practical experience with basic KQL queries.
Participants should be familiar with filtering, aggregation, and basic joins.
Basic knowledge of Microsoft Sentinel or Defender XDR is recommended.
After completing this training, participants will be able to:
Combine multiple datasets using joins and lookups
Use intermediate KQL operators and functions such as mv-expand, case, and parse_json
Build basic dashboards using Workbooks
Integrate KQL results into automation workflows
Design effective triage queries for security incidents
Perform basic anomaly detection and baselining
Use external data sources for enrichment
Apply best practices for detection query performance and stability
Participants will be able to create maintainable and scalable KQL queries for operational use.