A curated list of blogs, videos, tutorials, queries and anything else valuable to help you learn and master KQL and Microsoft Sentinel
Community contributions are most welcome! Check out our contribution guide today and submit a pull request with any adds/removes/changes to content!
- Addicted to KQL
- KQL - The Next Query Language You Need to Learn
- Learning path SC-200: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
- MustLearnKQL - Video Series
- MustLearnKQL
- Tutorial: Use Kusto queries
- Write your first query with Kusto Query Language
- Built-in threat detection rules
- KQL quick reference
- Kusto Query Language in Microsoft Sentinel
- Microsoft Sentinel Docs
- Query best practices
- Splunk to Kusto Query Language map
- SQL to Kusto cheat sheet
- What's new in Microsoft Sentinel
- Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat Intelligence
- Azure Sentinel Webinar: Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content
- Azure Sentinel webinar: KQL part 1 of 3 - Learn the KQL you need for Azure Sentinel
- Azure Sentinel webinar: KQL part 2 of 3 - KQL hands-on lab exercises
- Azure Sentinel webinar: KQL part 3 of 3 - Optimizing Azure Sentinel KQL queries performance
- Azure Sentinel Webinar: The Information Model: Understanding Normalization in Azure Sentinel
- Become a Notebooks Ninja – Getting Started with Jupyter Notebooks - Microsoft Sentinel Webinar
- Deploy and Monitor Azure Key Vault Honeytokens with Microsoft Sentinel
- Fusion ML Detections for Emerging Threats & Configuration UI
- KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy
- Latest Innovations for Microsoft's Cloud Native SIEM Recording - Microsoft Sentinel Webinar
- M365 Defender - Kusto query language basics
- M365 Defender - Using Advanced Hunting
- Microsoft Security Insights Podcast - Twitch
- Microsoft Sentinel Content Management
- Microsoft Sentinel in the Field: Part 1 - Managing security content as code
- Microsoft Sentinel in the Field: Part 2 - Learning with the training lab
- Microsoft Sentinel in the Field: Part 3 - Deception in Microsoft Sentinel
- Present and Future of UEBA
- Advanced KQL Framework Workbook - Empowering you to become KQL-savvy
- Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution
- Get Hands-On KQL Practice with this Microsoft Sentinel Workbook
- How To Align Your Analytics With Time Windows In Azure Sentinel Using KQL (Kusto Query Language)
- Investigating Suspicious Azure Activity with Microsoft Sentinel
- Learning with the Microsoft Sentinel Training Lab
- Leveraging the Power of KQL in Incident Response
- Log sources and analytics rules coverage workbook
- Microsoft Sentinel – continuous threat monitoring for GitHub
- Using External Data Sources To Enrich Network Logs Using Azure Storage And KQL
- Microsoft Security Community - YouTube
- Microsoft Security Insights - Podcast
- Microsoft Sentinel Blog
- Microsoft Sentinel TechCommunity
Links below are from community sources, websites, and channels.
- Azure Sentinel Lab Series
- AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent
- GrayHat 2020 - Blue Teaming with Kusto Query Language, KQL - Ashwin Patil
- Managing Microsoft Sentinel using GIT repositories
- Setting up your first Azure Sentinel environment in 50 minutes
- Using Azure Sentinel to protect Microsoft Teams
- Microsoft 365 Security eBook
- Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide
- Microsoft Sentinel in Action
- Azure Sentinel Syslog Workbook
- Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR
- Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel
- How to Use Office 365 Audit Data with Microsoft Sentinel
- Hunting For Anomalies With Time-Series Analysis
- Hunting Log4j with Sentinel
- Keep an eye on your Azure AD guests with Microsoft Sentinel
- KQL Cheat Sheet
- KQLCeption – use KQL to investigate Microsoft Sentinel
- Kusto Make-Series vs Summarize
- Log4j Incident Response
- Microsoft Sentinel – How to Leverage built-in Amazon Web Services S3 Data Connector
- Microsoft Sentinel and the power of functions
- Monitor Microsoft Sentinel Data Connectors using Health Monitoring and Logic App
- Monitoring of GitHub Enterprise with Microsoft Sentinel
- Ollie, your personal Microsoft Sentinel assistant
- Optimize your Microsoft Sentinel pricing
- Set up Microsoft Sentinel as a single pane of glass for Microsoft 365 alerts
- Setting up a bidirectional sync between Sentinel and JIRA
- Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API
- Too much noise in your data? Summarize it!
- What I Have Learned From Doing A Year Of Cloud Forensics In Azure AD
- When does enabling Microsoft Sentinel make sense?
- Azure Cloud & AI Domain Blog
- Cloud, Systems Management, Automation
- FalconForce
- Jeffrey Appel
- Kusto King - Kusto Knight Learning Track
- Learn Sentinel
- Managed Sentinel - Blog
- Microsoft Sentinel this Week
- Sam's Corner
- SecureCloudBlog
- alexverboon/MDATP/tree/master/AdvancedHunting (Advanced Hunting)
- ashwin-patil/blue-teaming-with-kql
- eshlomo1/Azure-Sentinel-4-SecOps
- FalconForceTeam/FalconFriday
- Kaidja/Azure-Sentinel
- marcusbakker/KQL
- reprise99/Sentinel-Queries
- rod-trent/SentinelKQL
- scautomation/Azure-Sentinel-Syslog-Workbook
- wortell/KQL