A course designed to refresh your KQL learning and help you to boost your application for Sentinel
What you will learn
Learn KQL basics for Microsoft Sentinel
Know the most used operators
Learn to build your first query
Learn to evaluate your KQL results
Description
Welcome to KQL for Microsoft Sentinel.
KQL is a simple query language used across multiple products like
Azure Log Analytics
Microsoft Sentinel
Azure Resource Graph
to read & write structured & unstructured data.
Course Structure
In this course we will focus on leveraging KQLÂ for Microsoft Sentinel.
This will walk you though a basic understanding of KQL
- Quick Start
- Go for a quick result
- Filter for better results
- Leverage the joins
- Summarize for perspective
- Save & Reuse
- Apply the visual
- Build the use case
Each section has subsections for easy understanding of the topics.
A quick start happens with searching a particular phrase -> projecting the necessary columns -> extending the additional columns needed.
Now, to get a quick result we do distinct to find unique values -> use count -> get the top for display a limited set of result.
To Filter better result Apply where condition ->Â Apply TimeGeneated filter
Leverage the joins by learning about different kinds of joins
Summarize for perspective by Summarize ->Â make_list ->Â make_set
Once done save &Â reuse by saving as query or function.
Apply the visual for better visibility.
Start building you use case now with an example.
Outcome at completion
After you successfully complete this course you will be able to build your own KQLÂ query from scratch to end.
Whom is this course for
Either you are new to Microsoft Sentinel , Log Analytics or KQL or you are already working in SOCÂ on a regular basis, this course is for you.
Content
