KQL Training for Security Professionals — Mastering KQL for Cybersecurity
134,000 words. 731 production queries. 79 hands-on exercises. The complete KQL course for SOC analysts, detection engineers, and threat hunters.
14 modules from fundamentals to production mastery
Mastering KQL for Cybersecurity is a 14-module deep-dive into the Kusto Query Language for security operations. Every module teaches with real security log tables — SigninLogs, DeviceProcessEvents, OfficeActivity, AuditLogs, EmailEvents — not generic sample data. Every query is production-grade and annotated line by line.
Phase 1 — Anatomy of KQL (free, no account required)
Module 0: Course Introduction — Lab setup, prerequisite assessment, and the demo workspace quick-start that gets you running queries in 30 seconds.
Module 1: How KQL Processes Data (11,666 words) — The tabular data model, the query pipeline, every data type, type conversion, null handling, and the mental model that makes every subsequent module predictable.
Module 2: Filtering and Shaping Data (10,688 words) — Every where operator variant, string comparison (has vs contains and why it matters), datetime filtering, extend patterns, and the project family. The operators in every query, understood at depth.
Module 3: Aggregation and Statistical Analysis (10,063 words) — Every summarize aggregation function, time-based grouping with bin, set and list operations, array_length for threshold detection, ordering with top and sort, and pivot patterns for compliance reporting.
Phase 2 — Intermediate Techniques (paid)
Module 4: Joining and Correlating Data (12,758 words) — All 8 join flavours with the innerunique trap, 5 performance rules, union with schema normalisation, lookup enrichment pipelines, 7 cross-table investigation patterns (AiTM chain, phishing, lateral movement, admin compromise, token replay, supply chain, normalised timeline), and materialize/let for progressive investigation.
Module 5: String Parsing and Data Extraction (10,005 words) — parse operator with multi-stage parsing, extract/extract_all with regex, parse_json for nested dynamic data, string functions (split, replace, base64_decode_tostring for payload analysis), URL and email decomposition for phishing detection, and building reusable log parsers for CEF, Syslog, and ASIM.
Module 6: Advanced Filtering and Pattern Matching (10,000 words) — mv-expand and mv-apply for conditional access policy analysis, advanced regex for obfuscation detection, let statements and saved function libraries, externaldata from GitHub and Azure Blob, IP range functions with CIDR matching, and watchlist-driven detection with tiered risk scoring.
Phase 3 — Advanced Patterns (paid)
Module 7: Time-Series Analysis and Anomaly Detection (10,061 words) — make-series fundamentals with step selection, series_decompose for trend/seasonal/residual separation, series_decompose_anomalies for automated detection with sensitivity tuning, baseline comparison with peer groups and first-seen patterns, rate-of-change detection for credential attack phase transitions, and jitter analysis for C2 beaconing identification.
Module 8: Graph and Relationship Analysis (10,078 words) — Entity relationship modelling, AiTM and ransomware kill chain attack path reconstruction, recursive multi-hop investigation queries with scope explosion mitigation, cross-table identity mapping for hybrid environments, network graph patterns (beaconing, fan-out, fan-in, exfiltration ratio, DNS query analysis), and process tree reconstruction with suspicious parent-child detection.
Module 9: Performance Optimisation and Scale (10,011 words) — Query engine execution pipeline, 10 common anti-patterns with before/after examples and measured improvement, partition pruning and term indexing deep dive, materialised views and stored function library with versioning, shuffle and broadcast join hints for large-scale queries, time-series entity pre-filtering, and production query health monitoring with SentinelHealth.
Phase 4 — Production Mastery (paid)
Module 10: Detection Rule Engineering (10,018 words) — Four-stage investigation-to-detection conversion, scheduled vs NRT rule design with complete NRT restriction list, entity mapping with custom properties, six-step threshold tuning methodology, multi-condition correlated detection with temporal and entity correlation, and detection rule testing with regression frameworks and dry-run deployment.
Module 11: Threat Hunting with KQL (12,895 words) — The course’s flagship module. Hypothesis-driven methodology with decision trees and evolution tracking, MITRE ATT&CK-aligned hunting across 7 techniques with production queries, UEBA composite risk scoring across 4 behavioural dimensions, retroactive IOC sweeps with automated batch processing, hunt management with ROI measurement, detection-as-code integration with 5-step hunting-to-detection conversion, and a 4-exercise mini capstone covering dormant admin abuse, OAuth consent phishing, slow data exfiltration, and lateral movement detection.
Module 12: Workbooks, Dashboards, and Reporting (10,031 words) — Workbook architecture and visualisation selection guide, cascading parameters and master-detail interaction for investigation dashboards, SOC operations dashboard with SLA tracking and alert fatigue metrics, executive board deck design with business language translation, detection health monitoring (silent failure detection, MITRE coverage gaps, automated tuning recommendations), and automated report generation with Logic Apps.
Module 13: Capstone — The Hunting Lab — Three complete investigation scenarios that test every skill from the course: credential spray to business email compromise (8 investigation questions), ransomware kill chain reconstruction (8 questions), and cloud data exfiltration (8 questions). Reference solutions provided. Self-assessment rubric across 8 criteria with scoring guide.
Who this course is for
SOC analysts who write KQL daily for investigation and triage but want to go deeper — understanding why queries behave the way they do, writing more efficient queries, and using advanced operators they have not explored.
Detection engineers who build analytics rules in Sentinel and want to write more sophisticated detection logic — time-series baselines, correlated multi-condition rules, and performance-optimised queries that scale to millions of events.
Threat hunters who need advanced query techniques for proactive hunting — behavioural analysis, peer group comparison, retroactive IOC sweeps, and attack path reconstruction across identity, endpoint, and network telemetry.
Prerequisite: Working familiarity with basic KQL — you can write queries using where, project, summarize, extend, and basic joins. If you are not there yet, start with the KQL fundamentals module in our M365 Security Operations course (free).
What makes this different
Written-first, not video. Every module is text with annotated KQL queries, line-by-line explanation, try-it exercises, and knowledge checks. Text is searchable, referenceable during live incidents, and faster to learn from than watching someone type.
Every query uses real security tables. No generic StormEvents demos. Every example queries SigninLogs, DeviceProcessEvents, OfficeActivity, AuditLogs, EmailEvents, or SecurityAlert — the tables you work with at your job.
Reference-grade depth. Module 4 alone is 12,758 words covering every join flavour, performance implications, and 7 complete cross-table investigation patterns. Module 11 is 12,895 words with a full hunting methodology and 4-exercise mini capstone. This is not a surface overview — it is the reference you keep open during investigations.
Part of a broader platform. Your subscription includes access to 4 other courses — M365 Security Operations, SOC Operations, Claude for Security Professionals, and the Field Guide. KQL is one skill in a complete security operations education.
Start free, upgrade when ready. Phase 1 (Modules 0-3, 45,000+ words) is completely free with no account required. Read the content, run the queries in the demo workspace, and decide if the depth is worth subscribing for.