This room is a continuation of the KQL (Kusto): Basic Queries room. Here we discuss advanced queries and, as before, run as many queries as possible so that you become familiar with the different operators and functions used for threat analysis. Basic queries provide a good foundation for security analysis in Microsoft Sentinel, but in-depth threat hunting and incident investigation require advanced knowledge.
Prerequisites
- It is strongly recommended to have finished the MS Sentinel module
- Having completed the KQL (Kusto): Introduction room
- Having completed the KQL (Kusto): Basic Queries room
Learning Objectives
- How to use the join operator
- How to use the union operator
- How to use the project operator
- How to use the extend operator
- How to create parsers and use the parse operator
The KQL (Kusto): Advanced Queries room is only available for premium users.