Sign In
Skills Track

For security engineers, detection engineers, and threat hunters who use KQL daily

Aligned to MITRE ATT&CKSigma rulesMicrosoft KQL reference

Mastering KQL for Cybersecurity

Write the queries that power your detections, hunts, and investigations.

Learn KQL from fundamentals through production detection engineering. Master filtering, aggregation, joins, string parsing, time-series analysis, anomaly detection, and performance optimization — every concept taught with security log examples from Sentinel and Defender XDR. Write detection rules, build threat hunting queries, create operational dashboards, and develop the query fluency that makes you effective in any investigation.

Start Free — No Account Needed Need KQL Basics First?
Content last updated: May 2026

Text-based · Persistent labs on your own hardware · 2 free modules available now · 30 CPE credits · Content last updated: May 2026

What you'll deploy
68 production-grade KQL exercises from fundamentals to advanced joins
Reusable query library covering SigninLogs, AuditLogs, DeviceEvents, and EmailEvents
Multi-table join patterns for cross-workload investigation
Rendering and visualization techniques for SOC dashboards
Performance optimization patterns for queries that run in production
Template hunting queries adaptable to any M365 investigation
MASTERING KQL — 14 MODULES SigninLogs | where TimeGenerated > ago(24h) | where ResultType == 0 | summarize LoginCount = count(), DistinctIPs = dcount(IPAddress), Countries = make_set(Location) by UserPrincipalName | join kind=leftouter ( IdentityInfo | summarize ... ) on UserPrincipalName | where DistinctIPs > 5 | sort by DistinctIPs desc filter → aggregate → correlate → detect → hunt
View Pricing Take End of Course Exam → 36 CPE Credits

What you'll be able to do

Write production KQL queries for detection, hunting, and investigation
Master aggregation, joins, time-series analysis, and anomaly detection
Build threat hunting queries that find attacker activity in security logs
Create Sentinel workbooks and operational dashboards
Optimize query performance for large-scale security data

Security-first KQL

Every concept is taught with security log examples. Every exercise uses real investigation and detection scenarios. You learn operators by using them to find attacker activity, detect anomalies, and build production detection rules — not by reading abstract syntax documentation.

Who this course is for

Security analysts who write KQL daily and want to go deeper — understanding why queries behave the way they do, writing more efficient queries, and using advanced operators they have not explored.

Detection engineers who build analytics rules in Sentinel and want more sophisticated detection logic — time-series baselines, correlated multi-condition rules, and performance-optimized queries.

Threat hunters who need advanced query techniques — behavioral analysis, peer group comparison, retroactive IOC sweeps, and attack path reconstruction.

Anyone with a genuine interest in KQL and security data analysis. Whatever your background — whether you're transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you're willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

From queries to production detection

The course progression: learn how KQL processes data (Phase 1), master every operator through security scenarios (Phase 2), apply advanced patterns for anomaly detection and graph analysis (Phase 3), then build production detection rules, hunting queries, and operational dashboards (Phase 4). The capstone module requires every skill from the course applied to three complete investigation scenarios.

What this produces

Production-grade KQL queries for investigation, hunting, detection, and reporting across Sentinel and Defender XDR. The query library and writing fluency that underpins every senior role in the Microsoft security stack — the skill that underpins every senior role in the Microsoft security stack.

What you will be able to do

1. Write KQL queries for any investigation scenario — construct, debug, and optimize queries you have never seen before.

2. Build production analytics rules in Sentinel — multi-condition detection logic with entity mapping, time-windowing, and performance optimization.

3. Hunt with advanced KQL patterns — time-series anomaly detection, peer group analysis, graph-based relationship mapping, and retroactive IOC sweeps.

4. Optimize query performance for production-scale environments — understanding the execution engine, partition pruning, and query cost reduction.

5. Build reusable query libraries with user-defined functions, parameterized templates, and modular detection components.

Course at a glance

Modules: 14 across 4 phases

Estimated duration: 20–30 hours (self-paced)

Format: Written content — annotated KQL queries with security log examples, exercises, knowledge checks

Free content: Modules 0–1 — no account required

Paid content: Modules 2–13 — Premium or Team subscription

Typical pace: ~5-10 weeks at 5 hrs/week

Hands-on labs: 6 interactive (browse all →)

MITRE ATT&CK coverage: 32 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Technical requirements

M365 environment: Access to a tenant with Sentinel or Defender XDR advanced hunting. An M365 Developer Tenant (free from developer.microsoft.com) with sample data packs is recommended.

Prerequisite KQL: Working familiarity with basic operators (where, project, summarize, extend). The M365 Security Operations course covers this foundation.

How to get the most from this course

Recommended pace: 1–2 modules per week, 20–30 hours total.

Phases 1–2 are sequential. They build the operator foundation. Phase 3 advanced patterns and Phase 4 mastery modules can be prioritized based on your needs.

Run every query. KQL fluency comes from writing queries, not reading about them. Execute every code block in your own environment.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Course Syllabus

Four phases. Modules 0–1 are free — no account required.

Free Phase 1 — Anatomy of KQL

00
Course Introduction — What this course builds, who it is for, prerequisites, lab setup, and how to assess your starting level.
 01
How KQL Processes Data — The tabular data model, the query pipeline, every data type, type conversion, and null handling. How KQL thinks about data.

Phase 2 — Core Techniques

02
Filtering and Shaping Data — Every where operator, string comparison, datetime filtering, extend patterns, and the project family. The operators in every query, understood at depth.
 03
Aggregation and Statistical Analysis — Every summarize function, time-based grouping with bin, set and list aggregations, ordering, and pivot patterns.
 04
Joining and Correlating Data — All 8 join flavours with the innerunique trap, 5 performance rules, union with schema normalization, lookup enrichment pipelines, 7 cross-table investigation patterns (AiTM, phishing chain, lateral movement, token replay), and materialize/let for progressive investigation.
 05
String Parsing and Data Extraction — parse, extract, regex, parse_json, string functions, URL and email decomposition for phishing analysis, base64 decoding, and building reusable log parsers for CEF, Syslog, and custom formats.
 06
Advanced Filtering and Pattern Matching — mv-expand and mv-apply for dynamic arrays, advanced regex for obfuscation detection, let statements and saved functions, externaldata, IP range functions and CIDR matching, and watchlist-driven detection patterns.

Phase 3 — Advanced Patterns

07
Time-Series Analysis and Anomaly Detection — make-series fundamentals, series_decompose for trend and seasonal analysis, series_decompose_anomalies for automated detection, baseline comparison with peer groups, rate-of-change and jitter analysis for C2 beaconing, and building production anomaly rules.
 08
Graph and Relationship Analysis — Entity relationship modeling, AiTM and ransomware attack path reconstruction, recursive multi-hop queries with scope explosion mitigation, cross-table identity mapping, network graph patterns (beaconing, fan-out, exfiltration ratio), and process tree reconstruction.
 09
Performance Optimization and Scale — Query engine execution pipeline, 10 common anti-patterns with before/after, partition pruning and term indexing deep dive, materialised views and stored function library, shuffle and broadcast join hints, time-series entity pre-filtering, and production query health monitoring.

Phase 4 — Mastery

10
Detection Rule Engineering with KQL — Four-stage investigation-to-detection conversion, scheduled vs NRT rule design, entity mapping with custom properties, six-step threshold tuning methodology, multi-condition correlated detection with temporal and entity correlation, and testing with regression frameworks.
 11
Threat Hunting with KQL — The course's flagship module. Hypothesis-driven methodology with decision trees, MITRE ATT&CK-aligned hunting across 7 techniques, UEBA composite risk scoring, retroactive IOC sweeps, hunt management and ROI measurement, detection-as-code integration, and a 4-exercise mini capstone covering dormant admin abuse, OAuth consent phishing, slow data exfiltration, and lateral movement detection.
 12
Workbooks, Dashboards, and Reporting — Workbook architecture and visualisation selection, cascading parameters and master-detail interaction, SOC operations dashboard with SLA tracking, executive board deck design, detection health monitoring (silent failure detection, MITRE coverage gaps), and automated report generation with Logic Apps.
 13
Capstone — The Hunting Lab — Three complete investigation scenarios requiring every skill from the course: credential spray to BEC (8 investigation questions), ransomware kill chain reconstruction (8 questions), and cloud data exfiltration (8 questions). Reference solutions provided. Self-assessment rubric across 8 criteria.

What you get that you will not find elsewhere

This is not a syntax reference. Syntax references teach operators. This course teaches KQL as a working language for security operations — investigation queries, detection rules, hunting hypotheses, and operational dashboards.

Security-first query design. Every query is built against security data tables — SigninLogs, SecurityEvent, DeviceProcessEvents, EmailEvents. You learn KQL in the context you will use it.

Progressive complexity. From basic filters through multi-table joins, time-series analysis, and advanced anomaly detection. Each module builds on the last.

Where this course fits

KQL is the foundation for everything else in the Microsoft security stack. Detection Engineering, Threat Hunting, Practical IR, and M365 Security Operations all assume KQL fluency. This course builds it.

Recommended learning path: KQL → DE → PT → IR → TH. A learner can start at any course.

The outcome

You start copying queries from documentation. You finish writing your own.

KQL as a working language — not a search bar, but a fluent tool for investigation, detection, hunting, and reporting.

Security-context fluency — queries built against real security data tables, not generic examples.

Production-grade queries — optimized for performance, maintainable, and ready to deploy as analytics rules.

Prerequisites

Required: 1+ years working with log data in a security or IT operations role. Basic KQL familiarity — you can write queries using where, project, summarize, and extend. Access to Sentinel or Defender XDR Advanced Hunting.

Recommended: Experience investigating security alerts where you needed to query log data to answer specific questions.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, queries, detection rules, templates, and frameworks from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

No legal advice: Compliance and regulatory content in this course is educational, not legal advice. Consult qualified legal counsel for obligations in your jurisdiction.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Complete course. KQL for security operations across investigation, detection engineering, and threat hunting.

This course is actively maintained. Content is updated as the security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
1scenario
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.