Sign In

K0.1 Three Questions You Cannot Answer Without KQL

1.5-2 hours · Module 0 · Free
Operational Objective
The Portal Ceiling: The Sentinel and Defender XDR portals provide point-and-click investigation tools that handle 70-80% of routine triage. But every SOC analyst hits a moment where the portal cannot answer the question. The investigation stalls — not because the data does not exist, but because the portal interface cannot express the query the analyst needs. KQL breaks through this ceiling. This subsection presents three real security scenarios from Northgate Engineering where the investigation required a query that no portal view, no workbook, and no template rule could provide.
Deliverable: Understanding of the three categories of security questions that require KQL: historical scope, cross-table correlation, and statistical baseline comparison.
Estimated completion: 20 minutes

Question 1: historical scope — “Has this ever happened before?”

Rachel receives a DE4-002 alert: j.morrison authenticated from 185.220.101.42, a Tor exit node. The immediate question is not “is this bad?” — the Tor exit node makes that obvious. The investigation question is: has j.morrison EVER authenticated from this IP before? If yes: this might be a recurring VPN or proxy pattern. If no: this is definitively a new, anomalous event.

The Sentinel portal shows j.morrison’s recent sign-ins — the last 30 days in the default investigation view. But “ever” means the full retention period: 90 days, 180 days, or 2 years depending on the workspace configuration. The portal does not provide a “search all history for this specific IP” button.

1
2
3
4
5
6
7
8

// QUESTION 1: Has j.morrison ever authenticated from this IP?
SigninLogs
| where UserPrincipalName == "j.morrison@northgateeng.com"
| where IPAddress == "185.220.101.42"
| where TimeGenerated > ago(90d)
| project TimeGenerated, IPAddress, ResultType, AppDisplayName, DeviceDetail
// Result: 0 rows = NEVER. This is definitively anomalous.
// Result: N rows = show WHEN and FROM WHAT APP. Pattern or one-off?

This query runs in 12 seconds across 90 days of SigninLogs. The answer is binary and definitive. No portal clicking, no scrolling through pages, no ambiguity. The query answers the question the investigation demands.

Why the portal cannot do this: The portal’s sign-in investigation view filters by USER and shows recent events. It does not provide a combined USER + IP + FULL HISTORY filter. The workbook “Sign-in Analysis” shows aggregated IP statistics but not per-user IP history. Only a direct query against the raw SigninLogs table answers: “Has THIS user EVER authenticated from THIS IP?”

THREE QUESTION CATEGORIES — WHAT KQL UNLOCKSHISTORICAL SCOPE"Has this EVER happened before?"Full-retention searches the portal cannot expressCROSS-TABLE CORRELATION"Did event A cause event B?"Joining data across authentication + email + endpointSTATISTICAL BASELINE"Is this NORMAL for this user?"Percentile analysis, anomaly scoring, trend detection

Figure K0.1 — Three categories of security questions that require KQL. Each category represents a ceiling the portal UI cannot breach.

Question 2: cross-table correlation — “Did event A cause event B?”

NE’s SOC receives two alerts within 40 minutes: DE4-002 (AiTM token theft for j.morrison at 08:14) and DE5-001 (inbox rule creation by j.morrison at 08:47). Individually, each alert has an investigation path. But the CRITICAL question is: are these two events part of the same attack?

The Sentinel incident queue may group them — if the alert grouping rules are configured to correlate by entity. But if they are separate incidents, the analyst must manually determine whether the AiTM token theft LED TO the inbox rule creation. This requires joining two different data sources: SigninLogs (where the token theft occurred) and OfficeActivity (where the inbox rule was created).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

// QUESTION 2: Did the AiTM token theft lead to the inbox rule?
let aitm_sessions = SigninLogs
    | where UserPrincipalName == "j.morrison@northgateeng.com"
    | where TimeGenerated between (datetime(2026-02-27T08:00) .. datetime(2026-02-27T09:00))
    | where IPAddress == "185.220.101.42"
    | distinct CorrelationId, IPAddress;
OfficeActivity
| where UserId == "j.morrison@northgateeng.com"
| where TimeGenerated between (datetime(2026-02-27T08:00) .. datetime(2026-02-27T09:00))
| where Operation == "New-InboxRule"
| extend ClientIP_clean = tostring(split(ClientIP, ":")[0])
| join kind=inner aitm_sessions on $left.ClientIP_clean == $right.IPAddress
// Result: If the inbox rule was created from the SAME IP as the AiTM session,
// the two events are causally connected. Same attacker, same session.

This query proves CAUSATION, not just correlation. The inbox rule was created from the same IP address as the stolen token — the attacker used the stolen session to create the persistence mechanism. Without this cross-table join, the analyst has two separate alerts and a SUSPICION of connection. With the query, the analyst has PROOF.

Why the portal cannot do this: The Sentinel investigation graph shows entities connected to a single incident. It does not perform cross-incident, cross-table joins. The analyst cannot ask: “show me all OfficeActivity from the same IP as this SigninLogs event” through the portal UI. Only a KQL join connects data across tables.

Question 3: statistical baseline — “Is this normal for this user?”

s.chen downloaded 52 .dwg files from SharePoint in 28 minutes. DE7-002 fires (threshold: 50 files in 30 minutes). Is this an attack or a legitimate project? The alert does not answer the question. The investigation question is: what is s.chen’s NORMAL download volume?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

// QUESTION 3: What is s.chen's normal download volume?
OfficeActivity
| where UserId == "s.chen@northgateeng.com"
| where Operation == "FileDownloaded"
| where TimeGenerated > ago(90d)
| summarize DailyDownloads = count() by bin(TimeGenerated, 1d)
| summarize
    AvgDaily = round(avg(DailyDownloads), 1),
    P50 = percentile(DailyDownloads, 50),
    P90 = percentile(DailyDownloads, 90),
    P99 = percentile(DailyDownloads, 99),
    MaxDaily = max(DailyDownloads)
// Result: Avg=18, P50=15, P90=35, P99=48, Max=55
// s.chen's 52 downloads today exceeds P99 (48) but is below the
// historical max (55). This is unusual but has happened before.
// Classification: BTP (benign true positive)  project-related spike.

The percentile analysis transforms a binary alert (“above threshold / below threshold”) into a CONTEXTUAL assessment (“this is at the 99th percentile of this user’s historical pattern”). The analyst now knows: 52 downloads is unusual for s.chen but not unprecedented — it happened once before (the 55-download day, likely a previous project deadline). Without this query, the analyst classifies based on gut feel. With it, the analyst classifies based on data.

Why the portal cannot do this: The Sentinel portal shows OfficeActivity events but does not calculate per-user percentile baselines. No workbook provides “show me this user’s download volume compared to their own historical pattern.” Only a KQL summarize with percentile() answers this question.

The pattern: KQL answers questions the portal cannot express

These three questions represent three categories that recur throughout security operations:

Historical scope (Question 1): “Has this entity appeared in our data before, and when?” — requires full-retention searches filtered to specific field combinations that the portal does not support.

Cross-table correlation (Question 2): “Did event A in Table X cause event B in Table Y?” — requires joins between tables that the portal treats as separate data sources.

Statistical baseline (Question 3): “Is this volume/frequency/pattern normal for this entity?” — requires aggregation, percentile calculation, and comparison that the portal’s pre-built views cannot express.

Every module in this course teaches KQL operators that answer these three question categories. By KQ13, the learner can answer ANY security question their investigation demands — not just the questions the portal designers anticipated.

Compliance Myth: "The Sentinel portal provides everything analysts need"

The myth: Microsoft invested billions in the Sentinel and Defender XDR portal UIs. They are designed for security analysts. If the portal cannot answer a question, the question probably does not need answering.

The reality: The portal is designed for the 80% of routine triage that follows predictable patterns. The remaining 20% — the investigations that determine whether an alert is a sophisticated attack or a benign anomaly — requires questions that portal designers could not anticipate. Every environment is different. Every investigation has unique questions. KQL is the tool that answers the questions your specific investigation demands, not the generic questions the portal was designed to handle. The portal is the starting point. KQL is where the real investigation happens.

Try it yourself

Exercise: Identify a question your portal cannot answer

Think about your last 3 security investigations. For each: was there a moment where you wanted to know something specific but the portal could not show you? Write that question down. By the end of this course, you will be able to write the KQL query that answers it.

Check your understanding

An analyst receives an alert for "unusual sign-in from new country" for a user. The portal shows the sign-in occurred from Brazil. The analyst needs to determine: (a) has ANY NE user ever signed in from Brazil before, and (b) did the user access any SharePoint files after this sign-in. Which question categories do (a) and (b) represent?

Answer: (a) is a HISTORICAL SCOPE question — searching the full SigninLogs retention for any UserPrincipalName where Location contains "Brazil". The portal shows individual user history but cannot search ALL users for a specific location. (b) is a CROSS-TABLE CORRELATION question — joining SigninLogs (the Brazil sign-in) with OfficeActivity (SharePoint file access) to determine if the suspicious session led to data access. Both require KQL queries that the portal UI cannot express.

Troubleshooting

“I do not have access to the Sentinel Logs blade.” You need at least the Microsoft Sentinel Reader role or Log Analytics Reader role to run KQL queries. Contact your Azure AD administrator. In Defender XDR, you need access to Advanced Hunting — this is available with Microsoft 365 E5 or Defender for Endpoint P2 licensing.

Operational Artifact — Security Question Categories

Historical scope: “Has [entity] ever [action] before?” Table: single table, full retention, specific field filter KQL pattern: where + where + project

Cross-table correlation: “Did [event A in Table X] cause [event B in Table Y]?” Table: two tables joined by shared entity (IP, UPN, device) KQL pattern: let + join kind=inner on shared field

Statistical baseline: “Is [volume/frequency] normal for [entity]?” Table: single table, aggregation over historical period KQL pattern: summarize + percentile() or avg()

References used in this subsection

  • Detection Engineering DE4-002 (AiTM token theft — the investigation that requires Question 1)
  • Detection Engineering DE7-002 (SharePoint bulk download — the investigation that requires Question 3)
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of Mastering KQL

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
K0.2 The Microsoft Security Data Model →