Module 2: Advanced KQL for Hunting: Patterns Beyond Fundamentals

4-5 hours · Free tier

You can write where, summarize, join, and extend. You can filter sign-in logs, aggregate by user, and produce a result set. That KQL proficiency is the prerequisite for this course — and it is not enough for hunting.

Hunting requires KQL patterns that most analysts never use in alert triage or detection engineering. Statistical functions that identify outliers in behavioral data. Time-series operators that detect anomalies over windows of days or weeks. Clustering functions that group results and surface the events that do not fit any pattern. Graph traversal that traces process execution chains across parent-child relationships.

These are not obscure functions. They are the operators that make the campaign modules in TH4–TH13 work. Without them, hunting degrades to manual scanning of large result sets — slow, inconsistent, and dependent on the analyst’s ability to spot patterns by eye. With them, the KQL engine does the statistical and structural heavy lifting, and the analyst focuses on interpreting and acting on the results.

This module teaches each pattern with hunting-specific examples drawn from M365 data. Every query runs against the tables you will use in the campaigns. If you are already comfortable with make-series, series_decompose_anomalies(), autocluster(), and top-nested, skim this module and move to TH3. If those operators are unfamiliar, this module is essential before the campaigns.
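As an added illustration of the time-series pattern named above (this query is an editorial example, not one of the module's own exercises), the following hunt builds a per-user daily series of successful sign-ins with make-series and flags days that break each user's baseline with series_decompose_anomalies(). It assumes a Microsoft Sentinel workspace with the SigninLogs table and that ResultType == 0 marks a successful sign-in; the 30-day window, the 1.5 anomaly threshold and the minimum-history filter are illustrative choices.

```kql
// Added example: per-user sign-in volume anomalies over a 30-day window.
// Assumes SigninLogs (Sentinel / Log Analytics) and ResultType == 0 == success.
let lookback = 30d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0                      // successful sign-ins only
// One row per user, each holding a 30-element daily count series.
// Specifying from/to makes every series the same length, with missing days as 0.
| make-series SignIns = count()
    on TimeGenerated from ago(lookback) to now() step 1d
    by UserPrincipalName
// Drop users with almost no history; their baselines are noise, not signal.
| extend DailyAvg = todouble(series_stats_dynamic(SignIns).avg)
| where DailyAvg >= 1
// Decompose each series: Anomalies is +1/-1 per point (direction of the outlier),
// Score is the residual strength, Baseline is the expected value.
// 1.5 = threshold, -1 = auto-detect seasonality, 'linefit' = linear trend.
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(SignIns, 1.5, -1, 'linefit')
// Expand the arrays back to one row per user per day so normal operators apply.
| mv-expand TimeGenerated to typeof(datetime),
            SignIns to typeof(long),
            Anomalies to typeof(double),
            Score to typeof(double),
            Baseline to typeof(double)
| where Anomalies != 0
| project TimeGenerated, UserPrincipalName, SignIns,
          Baseline = round(Baseline, 1), Score = round(Score, 2), Anomalies
| order by Score desc
```

The baseline is computed per user, so a service account that always signs in 400 times a day is not flagged, while a human account that jumps from 5 to 60 sign-ins is. Positive Anomalies values point at spikes; negative values point at days that were quieter than expected, which can matter for accounts that normally show steady automated activity. Tighten or loosen the 1.5 threshold against your own environment rather than treating it as a fixed rule.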

Module structure

TH2.1–TH2.4 cover statistical and time-series analysis — the patterns for behavioral baselining and anomaly detection.

TH2.5–TH2.8 cover structural analysis — frequency profiling, clustering, entity investigation, and dynamic field parsing.

TH2.9–TH2.12 cover query architecture — performance optimization, cross-table pivoting, graph semantics, and temporal correlation.

TH2.13–TH2.15 cover operational KQL — reusable functions, advanced aggregation, and anti-patterns that produce false negatives.

Every subsection ends with a hunting-specific exercise. Run each query against your environment. The results are real data — and the patterns you observe build the environmental knowledge (TH0.11) that makes the campaigns effective.

Sections in this module