SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)


SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL) is a free online course provided by Microsoft Learn, covering about 2-3 hours of material. The course is taught in English.

Overview
    • Module 1: Construct KQL statements for Microsoft Sentinel
      Upon completion of this module, the learner will be able to:
      • Construct KQL statements
      • Search log files for security events using KQL
      • Filter searches based on event time, severity, domain, and other relevant data using KQL
    • Module 2: Analyze query results using KQL
      Upon completion of this module, the learner will be able to:
      • Summarize data using KQL statements
      • Render visualizations using KQL statements
    • Module 3: Build multi-table statements using KQL
      Upon completion of this module, the learner will be able to:
      • Create queries using unions to view results across multiple tables using KQL
      • Merge two tables with the join operator using KQL
    • Module 4: Work with data in Microsoft Sentinel using Kusto Query Language
      Upon completion of this module, the learner will be able to:
      • Extract data from unstructured string fields using KQL
      • Extract data from structured string data using KQL
      • Create functions using KQL

Syllabus
    • Module 1: Construct KQL statements for Microsoft Sentinel
      • Introduction
      • Understand the Kusto Query Language statement structure
      • Use the let statement
      • Use the search operator
      • Use the where operator
      • Use the extend operator
      • Use the order by operator
      • Use the project operators
      • Knowledge check
      • Summary and resources
    • Module 2: Analyze query results using KQL
      • Introduction
      • Use the summarize operator
      • Use the summarize operator to filter results
      • Use the summarize operator to prepare data
      • Use the render operator to create visualizations
      • Knowledge check
      • Summary and resources
    • Module 3: Build multi-table statements using KQL
      • Introduction
      • Use the union operator
      • Use the join operator
      • Knowledge check
      • Summary and resources
    • Module 4: Work with data in Microsoft Sentinel using Kusto Query Language
      • Introduction
      • Extract data from unstructured string fields
      • Extract data from structured string data
      • Integrate external data
      • Create parsers with functions
      • Knowledge check
      • Summary and resources