[Free] Learn Kql For Microsoft Sentinel
A course designed to refresh your KQL learning and help you to boost your application for Sentinel – Free Course
What you’ll learn
- Learn KQL basics for Microsoft Sentinel
- Know the most used operators
- Learn to build your first query
- Learn to evaluate your KQL results
Requirements
- Familiarity of KQL for Microsoft Sentinel
Description
Welcome to KQL for Microsoft Sentinel.
KQL is a simple query language used across multiple products like
Azure Log AnalyticsMicrosoft Sentinel
Azure Resource Graph
to read & write structured & unstructured data.
Course Structure
In this course we will focus on leveraging KQLfor Microsoft Sentinel.
This will walk you though a basic understanding of KQL
-
Quick Start
-
Go for a quick result
-
Filter for better results
-
Leverage the joins
-
Summarize for perspective
-
Save & Reuse
-
Apply the visual
-
Build the use case
Each section has subsections for easy understanding of the topics.
A quick start happens with searching a particular phrase ->projecting the necessary columns ->extending the additional columns needed.
Now, to get a quick result we do distinct to find unique values -> use count -> get the top for display a limited set of result.
To Filter better result Apply where condition ->Apply TimeGeneated filter
Leverage the joins by learning about different kinds of joins
Summarize for perspective by Summarize ->make_list ->make_set
Once done save &reuse by saving as query or function.
Apply the visual for better visibility.
Start building you use case now with an example.
Outcome at completion
After you successfully complete this course you will be able to build your own KQLquery from scratch to end.
Whom is this course for
Either you are new to Microsoft Sentinel , Log Analytics or KQL or you are already working in SOCon a regular basis, this course is for you.
Author(s): Samik Roy
