SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

Upon completion of this module, the learner will be able to:

• Construct KQL statements
• Search log files for security events using KQL
• Filter searches based on event time, severity, domain, and other relevant data using KQL

Upon completion of this module, the learner will be able to:

• Summarize data using KQL statements
• Render visualizations using KQL statements

Upon completion of this module, the learner will be able to:

• Create queries using unions to view results across multiple tables using KQL
• Merge two tables with the join operator using KQL

Upon completion of this module, the learner will be able to:

• Extract data from unstructured string fields using KQL
• Extract data from structured string data using KQL
• Create Functions using KQL

• Introduction
• Understand the Kusto Query Language statement structure
• Use the let statement
• Use the search operator
• Use the where operator
• Use the extend operator
• Use the order by operator
• Use the project operators
• Knowledge check
• Summary and resources

• Introduction
• Use the summarize operator
• Use the summarize operator to filter results
• Use the summarize operator to prepare data
• Use the render operator to create visualizations
• Knowledge check
• Summary and resources

• Introduction
• Use the union operator
• Use the join operator
• Knowledge check
• Summary and resources

• Introduction
• Extract data from unstructured string fields
• Extract data from structured string data
• Integrate external data
• Create parsers with functions
• Knowledge check
• Summary and resources