Agent Foskett Academy • Learn KQL • Microsoft Defender XDR

Agent Foskett Academy

KQL is not just query syntax.

It is how investigators ask questions of telemetry.

Inside Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Exchange Online, the logs are constantly telling a story. The challenge is learning how to read that story, narrow the noise and follow the evidence.

Agent Foskett Academy was built to help analysts, engineers, students and defenders learn practical KQL through real-world investigations, Microsoft security telemetry and genuine threat hunting workflows.

This is not about memorising commands. It is about learning how to think like an investigator.

Agent Foskett Academy learning KQL through Microsoft Defender XDR investigations
Academy overview

Learn how to investigate Microsoft security telemetry using practical KQL examples, Defender XDR hunting, Sentinel investigations and real-world attack scenarios.

Learn practical KQL
Understand Microsoft telemetry
Think like a threat hunter
🧠 KQL is how investigators ask questions of data.
Agent Foskett Academy focuses on practical investigations, Defender XDR hunting and learning how to follow the evidence inside Microsoft telemetry.

What is Agent Foskett Academy?

Agent Foskett Academy is a practical Microsoft security learning path for people who want to understand KQL, Defender XDR telemetry and real-world threat hunting. The aim is simple: help defenders move from staring at logs to asking better investigation questions.
Built for real investigations The lessons connect KQL syntax to real security questions across email, identity, endpoint and cloud telemetry.
Beginner friendly Start with the basics: tables, filters, timestamps, columns and reading your first KQL query without getting overwhelmed.
Investigator mindset The goal is not only to learn commands. The goal is to understand what the data is trying to tell you.

🎓 KQL Learning Path

This learning path starts with the fundamentals and builds toward real-world Microsoft Defender XDR and Microsoft Sentinel investigations.
Lesson 1 — What is KQL? Learn what Kusto Query Language is, where it is used inside Microsoft security platforms and why it matters for investigations.
Lesson 2 — Your First KQL Query Learn how to run your first KQL query, filter telemetry by time and start exploring Microsoft Defender XDR telemetry.
Lesson 3 — Understanding Microsoft Security Tables Learn the difference between EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents and SigninLogs inside Microsoft Defender XDR.
Lesson 4 — Filtering KQL Results Learn how to use where, contains, has, == and time filters to reduce noise and focus on suspicious activity inside Microsoft Defender XDR and Sentinel.
Lesson 5 — Choosing Useful Columns Learn how to use project to remove clutter, focus on important evidence and display only the fields that matter during Microsoft security investigations.
Lesson 6 — Sorting and Understanding Results Learn how to use order by, desc and asc to sort Microsoft security telemetry and understand investigation timelines more clearly.
Lesson 7 — Counting and Grouping with summarize Learn how to use summarize, count() and by to count events, group activity and identify patterns across Microsoft Defender XDR and Sentinel telemetry.
Lesson 8 — Finding Time Patterns with bin() Learn how to use bin() in KQL to group Microsoft Defender XDR and Sentinel telemetry into time ranges, helping defenders identify spikes, bursts and suspicious activity patterns.
Lesson 9 — Finding Unique Values with distinct Learn how to use distinct in KQL to identify unique users, IP addresses, domains, devices and suspicious values hidden inside Microsoft Defender XDR and Sentinel telemetry.
Lesson 10 — Using top to Find High-Volume Activity Learn how to use top in KQL to quickly identify the most active users, devices, IP addresses, senders and suspicious activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 11 — Combining KQL Operators into Investigations Learn how defenders combine where, project, summarize, bin(), distinct, top and order by into practical Microsoft Defender XDR and Sentinel investigation workflows.
Lesson 12 — Investigating EmailEvents in Microsoft Defender XDR Learn how to use EmailEvents to investigate senders, recipients, subjects, delivery actions, NetworkMessageId, AuthenticationDetails and suspicious email activity inside Microsoft Defender XDR.
Lesson 13 — Investigating UrlClickEvents in Microsoft Defender XDR Learn how to use UrlClickEvents to investigate Safe Links clicks, suspicious URLs, user activity, ThreatTypes and phishing behaviour inside Microsoft Defender XDR.
Lesson 14 — Connecting Tables with join Learn how defenders use join to connect users, devices, sign-ins, email events, URL clicks and endpoint activity across multiple Microsoft security tables.
Lesson 15 — Building Investigation Timelines with KQL Learn how defenders build clear investigation timelines by ordering events, comparing timestamps and following activity across Microsoft security telemetry.
Lesson 16 — Using let Statements to Reuse Evidence Learn how defenders use let statements to create reusable evidence sets, keep KQL queries cleaner and build more structured Microsoft Defender XDR investigations.
Lesson 17 — Creating Investigation Parameters Learn how defenders create flexible KQL investigations using reusable parameters for users, devices, IP addresses, domains and time ranges.
Lesson 18 — Using in to Search Multiple Indicators Learn how defenders use the in operator to search for multiple users, IP addresses, devices, domains and other indicators across Microsoft Defender XDR and Sentinel telemetry.
Lesson 19 — Using has_any to Find Suspicious Text Learn how defenders use has_any to search for multiple suspicious words, domains, commands and indicators inside Microsoft Defender XDR and Sentinel telemetry.
Lesson 20 — Using contains_cs for Case-Sensitive Searches Learn how defenders use case-sensitive KQL searches to find exact text matches, suspicious commands, filenames and indicators without creating unnecessary noise.
Lesson 21 — Using startswith and endswith Learn how defenders use startswith and endswith to identify suspicious filenames, domains, email addresses, URLs and command-line activity across Microsoft Defender XDR and Sentinel telemetry.
Lesson 22 — Using matches regex for Pattern Matching Learn how defenders use matches regex to identify suspicious naming conventions, command-line patterns, file paths, domains, URLs and attacker techniques across Microsoft Defender XDR and Sentinel telemetry.
Lesson 23 — Extracting Evidence with parse Learn how defenders use parse to extract usernames, domains, URLs, command-line arguments and structured evidence from Microsoft Defender XDR and Sentinel telemetry.
Lesson 24 — Expanding Multi-Value Data with mv-expand Learn how defenders use mv-expand to break apart arrays, lists and dynamic fields, allowing deeper analysis of Microsoft Defender XDR and Sentinel telemetry.
Lesson 25 — Working with Dynamic Data using parse_json() Learn how defenders use parse_json() to access nested values, investigate complex Microsoft Defender XDR telemetry and work with structured security data.
Lesson 26 — Extracting Evidence with extract() Learn how defenders use extract() with regular expressions to pull IP addresses, domains, ticket numbers, identifiers and hidden indicators from Microsoft Defender XDR and Sentinel telemetry.
Lesson 27 — Advanced Multi-Value Investigations with mv-apply Learn how defenders use mv-apply to work with arrays, nested values and multi-value telemetry while keeping investigation context inside Microsoft Defender XDR and Sentinel.

🚧 New lessons coming soon

Agent Foskett Academy will continue expanding into practical Microsoft Defender XDR and Sentinel investigations, helping defenders build real-world KQL investigation skills step by step.
Coming soon — Lesson 28: Creating New Evidence Fields with extend Learn how defenders use extend to create calculated fields, enrich evidence and build more powerful Microsoft Defender XDR and Sentinel investigations.

Your first KQL idea

A KQL query usually starts with a table, then narrows the result set using filters. This simple example starts with EmailEvents and asks: show me recent email activity from the last 24 hours.
first-email-events-query.kql

EmailEvents
| where Timestamp > ago(24h)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction
| order by Timestamp desc

Start with a table EmailEvents tells Defender XDR which email telemetry source you want to investigate.
Filter the time window The where line narrows the query to recent data so you are not searching everything at once.
Project useful columns The project line keeps only the fields that matter for the investigation, so each row shows the evidence you actually need.

How to think in KQL

A good KQL query starts with a good investigation question. Before writing anything, ask what you are trying to prove, disprove or understand.
What happened? Start with the event. Was it an email, sign-in, process, URL click, alert or configuration change?
Who or what was involved? Pivot on the user, device, sender, IP address, URL, process name or message ID.
Does the behaviour make sense? The most important question is often not whether something happened, but whether it fits the environment.
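The query below is an added example, not code from the Academy page, and it goes a little beyond the first query above: it keeps the same EmailEvents table and 24-hour window, then uses summarize to answer the three questions in this section (what happened, who was involved, does the volume make sense). The column names are the ones the page lists for EmailEvents; the lookback value and the ten-recipient threshold are assumptions you would tune for your own tenant.

```kql
// Added example (not from the Academy page). Turns the first EmailEvents query
// into an investigation question: which senders reached many recipients in a
// short burst, and how did the mail flow handle them?
let lookback = 24h;          // assumed time window, same as the first query
let min_recipients = 10;     // assumed threshold; tune for your environment
EmailEvents
| where Timestamp > ago(lookback)
// "Who was involved" and "what happened": one row per sender and delivery outcome
| summarize Messages      = count(),
            Recipients    = dcount(RecipientEmailAddress),
            FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp),
            SampleSubject = take_any(Subject)
    by SenderFromAddress, DeliveryAction
// "Does it make sense": how many minutes the sender took to reach those recipients
| extend BurstMinutes = datetime_diff("minute", LastSeen, FirstSeen)
| where Recipients >= min_recipients
| project FirstSeen, LastSeen, BurstMinutes, SenderFromAddress,
          DeliveryAction, Messages, Recipients, SampleSubject
| order by Recipients desc, Messages desc
```

Reading the result: a sender with a high Recipients count, a small BurstMinutes value and a DeliveryAction other than Delivered is worth a closer look, while a known newsletter sender with the same numbers usually is not. The threshold only narrows the list; the "does it fit the environment" judgement still belongs to the analyst.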

Beginner topics coming next

The Academy can grow into a full KQL learning series, with each lesson becoming its own indexable page and linking back into real Agent Foskett investigations.
KQL Foundations What is KQL? • where • project • summarize • order by • contains • has • in • time filters
Microsoft Security Tables EmailEvents • UrlClickEvents • DeviceProcessEvents • DeviceNetworkEvents • SigninLogs • AuditLogs
Investigation Scenarios DMARC failures • suspicious sign-ins • impossible travel • session hijacking • strange processes • risky URL clicks

Learn through real Agent Foskett investigations

Every Academy lesson should connect back to practical investigations. That is what makes the learning useful: syntax connected to real security outcomes.
Email investigations Use KQL to investigate spoofed senders, DMARC failures, delivery actions, suspicious subjects and URL clicks.
Identity investigations Use KQL to review sign-ins, MFA behaviour, session reuse, risky locations and authentication patterns.
Endpoint investigations Use KQL to hunt process execution, suspicious command lines, LOLBins, network connections and device timelines.
The logs already know the story.
Agent Foskett Academy helps investigators learn how to ask the right questions inside Microsoft telemetry.

Final thought

KQL becomes powerful when it stops being a language you memorise and becomes a way of thinking.

Start with one question. Choose the right table. Filter the noise. Project the useful fields. Follow the evidence.

That is how investigations begin.

Agent Foskett Academy exists to help defenders learn KQL through real Microsoft security stories.
At GEMXIT We help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, Entra ID, endpoint activity, email threats, KQL hunting and practical security operations workflows.
Agent Foskett mindset The question is not only: “Can I write the query?”

It is: “What question am I asking the data?”

Agent Foskett Academy

Agent Foskett Academy helps analysts, engineers, students and defenders learn KQL through practical Microsoft Defender XDR, Microsoft Sentinel, Entra ID and Microsoft security investigations.

Learn KQL for Microsoft Defender XDR

GEMXIT provides practical KQL learning content covering EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents, SigninLogs, AuditLogs, Microsoft Defender Advanced Hunting and Sentinel investigations.

KQL Threat Hunting Training

Learn how to write KQL queries, understand Microsoft security telemetry, filter investigation data, project useful fields, review suspicious activity and think like a threat hunter.

Agent Foskett Academy Lessons

Agent Foskett Academy includes beginner KQL lessons covering what KQL is, how to run your first KQL query, how to understand Microsoft security tables and how to filter investigation results.