K0.7 Module Summary
Module summary
KQL is not optional for security analysts in Microsoft environments. The portal handles 80% of routine triage. The remaining 20% — the investigations that distinguish a sophisticated attack from a benign anomaly — requires queries that the portal UI cannot express.
Three categories of security questions require KQL: historical scope (has this ever happened before, and when was it first seen?), cross-table correlation (is an event in one table connected to an event in another, for the same user, host or IP?), and statistical baseline comparison (is this volume or behaviour normal for this entity compared with its own history?). These question categories recur throughout security operations; every investigation eventually hits at least one of them.
The Microsoft security data model spans 5 product families feeding into one Sentinel workspace. Eight tables handle 95% of daily investigation queries: SigninLogs, DeviceProcessEvents, OfficeActivity, AuditLogs, DeviceFileEvents, IdentityLogonEvents, CommonSecurityLog, and SecurityAlert. Knowing WHICH table answers WHICH question is the first skill — before any KQL syntax.
Your first query uses 4 operators: table reference, where (filter), project (columns), and sort by (ordering). These 4 operators, applied to any table, express the basic form of almost any investigation question. In practice the first where clause is nearly always a time bound on TimeGenerated, because narrowing the scanned window before any other filter is what keeps a query fast on a large workspace. Every subsequent module adds operators that make queries more powerful, more precise, and more automated.
The course progresses through 4 phases: Anatomy (tables and filtering), Intermediate (time, strings, joins), Advanced (deep tables, visualisation, investigation patterns), and Mastery (detection, hunting, performance). By K13 you have a library of 50+ production security queries and the skills to build any query your investigation demands.
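The following block is an added worked example, not a query set from the course itself. Query 1 is the 4-operator pattern described above; queries 2 to 4 show, one each, the three question categories (historical scope, cross-table correlation, statistical baseline) and preview operators such as summarize and join that the later modules cover in depth. Table and column names are the standard Microsoft Sentinel schema for SigninLogs and OfficeActivity; the user alice@contoso.com, the address 203.0.113.45 (a TEST-NET-3 address) and the thresholds are constructed for illustration. Each numbered query runs on its own: select it in the Logs blade and run it, keeping the let statement of query 4 inside the selection.

```kql
// 1. The four-operator pattern: table, where, project, sort by.
//    Question: which sign-ins for this user failed in the last 7 days?
//    Time bound first, then the entity, then the condition.
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ "alice@contoso.com"        // constructed UPN; =~ is case-insensitive
| where ResultType != "0"                                // ResultType is a string; "0" means success
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType, ResultDescription
| sort by TimeGenerated desc

// 2. Historical scope: has this IP ever signed in before the alert window?
//    Look back 90 days and report first/last sighting and how many identities it touched.
SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress == "203.0.113.45"                      // constructed address
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SignIns = count(), DistinctUsers = dcount(UserPrincipalName)

// 3. Cross-table correlation: was a successful sign-in from that IP followed within
//    an hour by a new or changed inbox rule for the same identity (a common persistence step)?
//    Both sides are lower-cased so the join key matches regardless of how the UPN was recorded.
SigninLogs
| where TimeGenerated > ago(7d)
| where IPAddress == "203.0.113.45" and ResultType == "0"
| project SignInTime = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(7d)
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | project RuleTime = TimeGenerated, UserPrincipalName = tolower(UserId), Operation, ClientIP
  ) on UserPrincipalName
| where RuleTime between (SignInTime .. SignInTime + 1h)  // rule created after, not before, the sign-in
| project UserPrincipalName, SignInTime, RuleTime, Operation, ClientIP
| sort by SignInTime desc

// 4. Statistical baseline: is today's successful sign-in count for a user unusual
//    against that user's own last 30 days? Users with under 5 days of history get
//    no baseline rather than a misleading one.
let Baseline = SigninLogs
    | where TimeGenerated between (ago(30d) .. ago(1d))
    | where ResultType == "0"
    | summarize DailyCount = count() by UserPrincipalName, Day = bin(TimeGenerated, 1d)
    | summarize AvgDaily = avg(DailyCount), StdDaily = stdev(DailyCount), Days = count() by UserPrincipalName
    | where Days >= 5;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"
| summarize TodayCount = count() by UserPrincipalName
| join kind=inner Baseline on UserPrincipalName
| extend ZScore = (TodayCount - AvgDaily) / iif(StdDaily == 0, 1.0, StdDaily)  // avoid divide-by-zero on flat history
| where ZScore > 3                                       // constructed threshold: 3 standard deviations
| project UserPrincipalName, TodayCount, AvgDaily, StdDaily, ZScore
| sort by ZScore desc
```

Two points worth noticing before the later modules formalise them: query 3 filters the right side of the join by time before joining, because an unfiltered join against OfficeActivity scans the whole table; and query 4 excludes the current day from its own baseline, otherwise the anomaly you are looking for is averaged into the norm you compare it against.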
Next module
K1 takes the 4-operator pattern from K0.4 and teaches the first operator in depth: where. You will learn 12 comparison operators, 6 string operators, and 4 logical connectors — all demonstrated against security investigation scenarios. By the end of K1, you can filter any table to find exactly the events your investigation requires.
You're reading the free modules of Mastering KQL
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.